
Winamp Playlist UNC Path Computer Name Overflow


From: mvalsmith at gmail.com (val smith)
Date: Tue, 31 Jan 2006 13:15:41 -0700

I tested it out on my Winamp version 5 and it just crashed. I was using the
exec payload to just run notepad.exe. I'll test it on some more stuff too. I
really like the "beta" idea. That would probably get you more help on
fixing/finishing the exploit too (at least it would motivate me).

V.

DATA:

EDI: 0x7ffdc000    ESI: 0x00000000    EAX: 0x01290000
EBX: 0x0011e328    ECX: 0x00001000    EDX: 0x7c90eb94
EIP: 0x7c90eb94    EBP: 0x0011e39c    SegCS: 0x0000001b
ESP: 0x0011e300

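<?xml version="1.0" encoding="UTF-16"?>
<!--
  Module inventory captured from the crashing winamp.exe process, plus
  kernel32.dll pulled on its own (the FILTER values are GrabMI filter names,
  so this looks like Application Compatibility Toolkit / GrabMI output).

  Encoding caveat: the declaration says UTF-16, but the text as pasted into
  the mail is 8-bit, so a conforming parser will reject this copy unless the
  bytes are re-encoded to UTF-16 or the declaration is corrected against the
  original attachment.

  Attribute values are kept on a single line on purpose: a line break inside
  a quoted value survives attribute-value normalization as a space (the
  mail-wrapped copy had turned UPTO_BIN_PRODUCT_VERSION on kernel32.dll into
  " 5.1.2600.2180" with a leading space).

  Triage notes for anyone matching this against the module:
  - kernel32.dll FILE_VERSION carries "xpsp_sp2_rtm", i.e. Windows XP SP2;
    the poster says DEP was disabled on the test systems.
  - UninstWA.exe reports 5.1.12.168 while winamp.exe itself reports
    5.1.1.168 / "5,1,1,168"; the two do not agree, so the exact player build
    should be confirmed from winamp.exe rather than the installer stub.
  - PE_CHECKSUM="0x0" on winamp.exe and most plugins means no PE header
    checksum was set at link time; presumably CHECKSUM is GrabMI's own file
    checksum and is the one to compare across installs - verify.
-->
<DATABASE>
<EXE NAME="winamp.exe" FILTER="GRABMI_FILTER_PRIVACY">
    <MATCHING_FILE NAME="UninstWA.exe" SIZE="45084" CHECKSUM="0xE292C2F5"
                   BIN_FILE_VERSION="5.1.12.168" BIN_PRODUCT_VERSION="5.1.12.168"
                   FILE_DESCRIPTION="Winamp Installer" COMPANY_NAME="Nullsoft, Inc."
                   PRODUCT_NAME="Winamp Installer" FILE_VERSION="5.1.12.168"
                   LEGAL_COPYRIGHT="Copyright (c) 1997-2005, Nullsoft, Inc."
                   VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4"
                   VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0xF7867"
                   LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="5.1.12.168"
                   UPTO_BIN_PRODUCT_VERSION="5.1.12.168"
                   LINK_DATE="10/04/2005 14:26:31" UPTO_LINK_DATE="10/04/2005 14:26:31"
                   VER_LANGUAGE="English (United States) [0x409]" />
    <!-- The player binary itself; note the version differs from the installer above. -->
    <MATCHING_FILE NAME="winamp.exe" SIZE="1162240" CHECKSUM="0xCDB0AC8B"
                   BIN_FILE_VERSION="5.1.1.168" BIN_PRODUCT_VERSION="5.1.1.168"
                   PRODUCT_VERSION="5.1.1.168" FILE_DESCRIPTION="Winamp"
                   COMPANY_NAME="Nullsoft" PRODUCT_NAME="Winamp" FILE_VERSION="5,1,1,168"
                   ORIGINAL_FILENAME="Winamp.exe" INTERNAL_NAME="WINAMP"
                   LEGAL_COPYRIGHT="Copyright (c) 1997-2005, Nullsoft"
                   VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004"
                   VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0"
                   LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="5.1.1.168"
                   UPTO_BIN_PRODUCT_VERSION="5.1.1.168"
                   LINK_DATE="11/15/2005 19:32:24" UPTO_LINK_DATE="11/15/2005 19:32:24"
                   VER_LANGUAGE="English (United States) [0x409]" />
    <MATCHING_FILE NAME="winampa.exe" SIZE="33792" CHECKSUM="0xA55EB069"
                   MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0"
                   LINK_DATE="11/15/2005 19:31:04" UPTO_LINK_DATE="11/15/2005 19:31:04" />
    <!-- Plugins carry no version resource here; only size, checksum and link date identify them. -->
    <MATCHING_FILE NAME="Plugins\gen_hotkeys.dll" SIZE="18944" CHECKSUM="0xA7881186"
                   MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0"
                   LINK_DATE="11/15/2005 19:29:52" UPTO_LINK_DATE="11/15/2005 19:29:52" />
    <MATCHING_FILE NAME="Plugins\gen_jumpex.dll" SIZE="81920" CHECKSUM="0xF3978FE9"
                   MODULE_TYPE="WIN32" PE_CHECKSUM="0x1DEA3" LINKER_VERSION="0x0"
                   LINK_DATE="11/16/2004 23:22:06" UPTO_LINK_DATE="11/16/2004 23:22:06" />
    <MATCHING_FILE NAME="Plugins\gen_tray.dll" SIZE="11264" CHECKSUM="0xE2994514"
                   MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0"
                   LINK_DATE="11/15/2005 19:28:25" UPTO_LINK_DATE="11/15/2005 19:28:25" />
    <MATCHING_FILE NAME="Plugins\in_cdda.dll" SIZE="129536" CHECKSUM="0xC482C5DC"
                   MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0"
                   LINK_DATE="11/15/2005 19:28:23" UPTO_LINK_DATE="11/15/2005 19:28:23" />
    <MATCHING_FILE NAME="Plugins\in_mp3.dll" SIZE="751616" CHECKSUM="0x5FD6BFCD"
                   MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0"
                   LINK_DATE="11/15/2005 19:27:07" UPTO_LINK_DATE="11/15/2005 19:27:07" />
    <MATCHING_FILE NAME="Plugins\in_wave.dll" SIZE="31232" CHECKSUM="0x6F359621"
                   MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0"
                   LINK_DATE="08/31/2002 21:10:38" UPTO_LINK_DATE="08/31/2002 21:10:38" />
    <MATCHING_FILE NAME="Plugins\out_ds.dll" SIZE="119808" CHECKSUM="0x48BF6FDF"
                   MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0"
                   LINK_DATE="11/15/2005 19:25:17" UPTO_LINK_DATE="11/15/2005 19:25:17" />
    <MATCHING_FILE NAME="Plugins\out_wave.dll" SIZE="98304" CHECKSUM="0xE6A4271B"
                   MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0"
                   LINK_DATE="11/15/2005 19:25:22" UPTO_LINK_DATE="11/15/2005 19:25:22" />
    <MATCHING_FILE NAME="Plugins\vis_nsfs.dll" SIZE="28160" CHECKSUM="0xE846F0CF"
                   MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0"
                   LINK_DATE="11/15/2005 19:25:27" UPTO_LINK_DATE="11/15/2005 19:25:27" />
</EXE>
<!-- OS component: the FILE_VERSION string identifies the XP SP2 RTM build of kernel32. -->
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
    <MATCHING_FILE NAME="kernel32.dll" SIZE="983552" CHECKSUM="0x4CE79457"
                   BIN_FILE_VERSION="5.1.2600.2180" BIN_PRODUCT_VERSION="5.1.2600.2180"
                   PRODUCT_VERSION="5.1.2600.2180"
                   FILE_DESCRIPTION="Windows NT BASE API Client DLL"
                   COMPANY_NAME="Microsoft Corporation"
                   PRODUCT_NAME="Microsoft(r) Windows(r) Operating System"
                   FILE_VERSION="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)"
                   ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32"
                   LEGAL_COPYRIGHT="(c) Microsoft Corporation. All rights reserved."
                   VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004"
                   VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xFF848"
                   LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.2180"
                   UPTO_BIN_PRODUCT_VERSION="5.1.2600.2180"
                   LINK_DATE="08/04/2004 07:56:36" UPTO_LINK_DATE="08/04/2004 07:56:36"
                   VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
</DATABASE>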


On 1/31/06, Simple Nomad <thegnome at nmrc.org> wrote:

I could use some help testing this module - it works with Winamp 5.12 on
both of my XP and 2000 systems, but seems to have some issues with older
versions of Winamp. If you have some free time and a copy of Winamp
installed, drop the attached file into your exploits directory, give it a
shot, and send me an email off-list with the results.

Oh, and I forgot to mention earlier: a decent resource for older versions of a
few pieces of software is oldversion.com, in case you guys really want to
test old versions.

No time to reinstall an older version, but 5.12 on XP worked fine and 5.13
seems to correct the problem (both with DEP disabled).

--
# Simple Nomad, C?ISSP  --  thegnome at nmrc.org        #
# C1B1 E749 25DF 867C 36D4  1E14 247A A4BD 6838 F11D #
# http://www.nmrc.org/~thegnome/                     #



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20060131/0f1e359a/attachment.htm>

