Winamp Playlist UNC Path Computer Name Overflow
From: mvalsmith at gmail.com (val smith)
Date: Tue, 31 Jan 2006 13:15:41 -0700
I tested it out on my winamp version 5 and it just crashed. I was using the exec payload to just run notepad.exe. I'll test it on some more stuff too. I really like the "beta" idea. That would probably get you more help on fixing/finishing the exploit too. (at least it would motivate me) V. DATA: EDI: 0x7ffdc000 ESI: 0x00000000 EAX: 0x01290000 EBX: 0x0011e328 ECX: 0x00001000 EDX: 0x7c90eb94 EIP: 0x7c90eb94 EBP: 0x0011e39c SegCS: 0x0000001b ESP:0x0011e300 <?xml version="1.0" encoding="UTF-16"?> <DATABASE> <EXE NAME="winamp.exe" FILTER="GRABMI_FILTER_PRIVACY"> <MATCHING_FILE NAME="UninstWA.exe" SIZE="45084" CHECKSUM="0xE292C2F5" BIN_FILE_VERSION="5.1.12.168" BIN_PRODUCT_VERSION="5.1.12.168" FILE_DESCRIPTION="Winamp Installer" COMPANY_NAME="Nullsoft, Inc." PRODUCT_NAME="Winamp Installer" FILE_VERSION="5.1.12.168" LEGAL_COPYRIGHT="Copyright (c) 1997-2005, Nullsoft, Inc." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0xF7867" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="5.1.12.168" UPTO_BIN_PRODUCT_VERSION="5.1.12.168" LINK_DATE="10/04/2005 14:26:31" UPTO_LINK_DATE="10/04/2005 14:26:31" VER_LANGUAGE="English (United States) [0x409]" /> <MATCHING_FILE NAME="winamp.exe" SIZE="1162240" CHECKSUM="0xCDB0AC8B" BIN_FILE_VERSION="5.1.1.168" BIN_PRODUCT_VERSION="5.1.1.168" PRODUCT_VERSION="5.1.1.168" FILE_DESCRIPTION="Winamp" COMPANY_NAME="Nullsoft" PRODUCT_NAME="Winamp" FILE_VERSION="5,1,1,168" ORIGINAL_FILENAME="Winamp.exe" INTERNAL_NAME="WINAMP" LEGAL_COPYRIGHT="Copyright (c) 1997-2005, Nullsoft" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="5.1.1.168" UPTO_BIN_PRODUCT_VERSION="5.1.1.168" LINK_DATE="11/15/2005 19:32:24" UPTO_LINK_DATE="11/15/2005 19:32:24" VER_LANGUAGE="English (United States) [0x409]" /> <MATCHING_FILE NAME="winampa.exe" SIZE="33792" CHECKSUM="0xA55EB069" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" 
LINKER_VERSION="0x0" LINK_DATE="11/15/2005 19:31:04" UPTO_LINK_DATE="11/15/2005 19:31:04" /> <MATCHING_FILE NAME="Plugins\gen_hotkeys.dll" SIZE="18944" CHECKSUM="0xA7881186" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" LINK_DATE="11/15/2005 19:29:52" UPTO_LINK_DATE="11/15/2005 19:29:52" /> <MATCHING_FILE NAME="Plugins\gen_jumpex.dll" SIZE="81920" CHECKSUM="0xF3978FE9" MODULE_TYPE="WIN32" PE_CHECKSUM="0x1DEA3" LINKER_VERSION="0x0" LINK_DATE="11/16/2004 23:22:06" UPTO_LINK_DATE="11/16/2004 23:22:06" /> <MATCHING_FILE NAME="Plugins\gen_tray.dll" SIZE="11264" CHECKSUM="0xE2994514" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" LINK_DATE="11/15/2005 19:28:25" UPTO_LINK_DATE="11/15/2005 19:28:25" /> <MATCHING_FILE NAME="Plugins\in_cdda.dll" SIZE="129536" CHECKSUM="0xC482C5DC" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" LINK_DATE="11/15/2005 19:28:23" UPTO_LINK_DATE="11/15/2005 19:28:23" /> <MATCHING_FILE NAME="Plugins\in_mp3.dll" SIZE="751616" CHECKSUM="0x5FD6BFCD" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" LINK_DATE="11/15/2005 19:27:07" UPTO_LINK_DATE="11/15/2005 19:27:07" /> <MATCHING_FILE NAME="Plugins\in_wave.dll" SIZE="31232" CHECKSUM="0x6F359621" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" LINK_DATE="08/31/2002 21:10:38" UPTO_LINK_DATE="08/31/2002 21:10:38" /> <MATCHING_FILE NAME="Plugins\out_ds.dll" SIZE="119808" CHECKSUM="0x48BF6FDF" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" LINK_DATE="11/15/2005 19:25:17" UPTO_LINK_DATE="11/15/2005 19:25:17" /> <MATCHING_FILE NAME="Plugins\out_wave.dll" SIZE="98304" CHECKSUM="0xE6A4271B" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" LINK_DATE="11/15/2005 19:25:22" UPTO_LINK_DATE="11/15/2005 19:25:22" /> <MATCHING_FILE NAME="Plugins\vis_nsfs.dll" SIZE="28160" CHECKSUM="0xE846F0CF" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" LINK_DATE="11/15/2005 19:25:27" UPTO_LINK_DATE="11/15/2005 19:25:27" /> </EXE> <EXE 
NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY"> <MATCHING_FILE NAME="kernel32.dll" SIZE="983552" CHECKSUM="0x4CE79457" BIN_FILE_VERSION="5.1.2600.2180" BIN_PRODUCT_VERSION="5.1.2600.2180" PRODUCT_VERSION="5.1.2600.2180" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft(r) Windows(r) Operating System" FILE_VERSION="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="(c) Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xFF848" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.2180" UPTO_BIN_PRODUCT_VERSION=" 5.1.2600.2180" LINK_DATE="08/04/2004 07:56:36" UPTO_LINK_DATE="08/04/2004 07:56:36" VER_LANGUAGE="English (United States) [0x409]" /> </EXE> </DATABASE> On 1/31/06, Simple Nomad <thegnome at nmrc.org> wrote:
I could use some help testing this module - it works with Winamp 5.12 on both of my XP and 2000 systems, but seems to have some issues with older versions of Winamp. If you have some free time and a copy of Winamp installed, drop the attached file into your exploits directory, give it a shot, and send me an email off-list with the results. Oh and forgot to mention earlier, a decent resource for older versions of a few pieces of software is oldversion.com, in case you guys really want to test old versions. No time to reinstall an older version, but 5.12 on XP worked fine and 5.13 seems to correct the problem (both with DEP disabled). -- # Simple Nomad, C?ISSP -- thegnome at nmrc.org # # C1B1 E749 25DF 867C 36D4 1E14 247A A4BD 6838 F11D # # http://www.nmrc.org/~thegnome/ #