
nullsoft-winamp-s3m_module-in_mod-adv.txt
Posted Apr 8, 2007
Authored by Piotr Bania | Site piotrbania.com

AOL Nullsoft Winamp S3M module IN_MOD.DLL suffers from a remote heap memory corruption vulnerability.

tags | advisory, remote
MD5 | 255bbdd6a6b0b0cafa2967cec1011802




AOL Nullsoft Winamp S3M Module "IN_MOD.DLL" Remote Heap Memory Corruption
by Piotr Bania <bania.piotr@gmail.com>
http://www.piotrbania.com


Severity: Important - Potential remote code execution.

Software affected: Tested on AOL Nullsoft Winamp v5.33 (x86) Feb 13 2007
(on Windows XP SP1/SP2).


Original url: http://www.piotrbania.com/all/adv/nullsoft-winamp-s3m_module-in_mod-adv.txt



0. DISCLAIMER

The author takes no responsibility for any actions taken with the information or
code provided. The copyright for any material created by the author is reserved. Any
duplication of code or text provided here in electronic or printed
publications is not permitted without the author's agreement.


I. BACKGROUND


Nullsoft Winamp is the most popular multimedia player in the world.
in_mod.dll is one of the Winamp plugins.


II. DESCRIPTION


The problem occurs when Winamp tries to play a specially
crafted .S3M file.

S3M is the file format used by the popular ScreamTracker 3 PC music
tracker. The S3M format is an advanced module format, and is the successor
to the STM format used by the original ScreamTracker. Both formats are based
on the original MOD format used on the Commodore Amiga computer.


Take a look at this code snippet:

----// SNIP SNIP //-------------------------------------------------
.text:00E9BB54 write_loop: ; CODE XREF: sub_E9B964+239j
.text:00E9BB54 mov edx, [ebp+arg_0]
.text:00E9BB57 mov ecx, [esi+18h]
.text:00E9BB5A mov dx, [eax+edx*2]
.text:00E9BB5E mov [eax+ecx*2], dx
.text:00E9BB62 mov eax, [esi+370h]
.text:00E9BB68 mov ecx, [esi+18h]
.text:00E9BB6B mov cx, [eax+ecx*2]
.text:00E9BB6F cmp cx, [ebx+24h]
.text:00E9BB73 jnb short loc_E9BB93 ; *(0)
.text:00E9BB75 mov al, [esi+18h]
.text:00E9BB78 mov ecx, [ebp+arg_0]
.text:00E9BB7B mov [ecx+ebx+0A8h], al ; *(A)
.text:00E9BB82 mov eax, [esi+370h]
.text:00E9BB88 cmp word ptr [eax+ecx*2], 0FEh
.text:00E9BB8E jnb short loc_E9BB93
.text:00E9BB90 inc dword ptr [esi+18h]
.text:00E9BB93
.text:00E9BB93 loc_E9BB93: ; CODE XREF: sub_E9B964+20Fj
.text:00E9BB93 ; sub_E9B964+22Aj
.text:00E9BB93 movzx ecx, word ptr [ebx+20h] ; *(B)
.text:00E9BB97 inc [ebp+arg_0]
.text:00E9BB9A cmp [ebp+arg_0], ecx ; *(C)
.text:00E9BB9D jb short write_loop
----// SNIP SNIP //-------------------------------------------------

Where:
EBX = the base of S3M header in the memory
EBX+20h = offset 0x20 in the S3M file
EBX+24h = offset 0x24 in the S3M file
arg_0 = a counter (increased by one every loop iteration, see 0x00E9BB97)


When the jump at instruction *(0) is not taken (the dword value from [eax+ecx*2] is below
the dword value from [ebx+24h], which we control), execution lands at 0x00E9BB75.
The AL register is loaded with one byte from [esi+18h], which is also increased
by one every loop iteration (see 0x00E9BB90). Then at 0x00E9BB78, ECX is loaded
with the counter variable (also increased by one every loop iteration). The instruction marked
*(A) stores the byte previously loaded into AL at the memory location computed
from EBX = memory base, ECX = linear counter and the constant immediate 0xA8.


As you can see at 0x00E9BB93 (marked *(B)), CX is loaded with two bytes
which we control in the file structure (offset 0x20), and the rest of the ECX register
is zero-extended. Then at instruction *(C) the arg_0 counter is compared with
our value in ECX, and if it is below (CF=1) the loop continues.

As you can see, by changing the [ebx+20h] value, for example, we control the number
of iterations of this write_loop. This leads to memory corruption.

Exploitation is hard, though, because the AL register value at point *(A)
is not initialized by the attacker and, as mentioned previously, is not constant
(it is increased at 0x00E9BB90).
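The defect above is a loop bound taken straight from the file (the 16-bit value at offset 0x20) with no check against the size of the array being written at [ebx+0xA8]. The following C program is an added example for this advisory, not code from Piotr Bania or from the Winamp in_mod.dll plugin: it models the loop in portable C with the missing bound added. The advisory gives only the offsets 0x20, 0x24 and 0xA8 and the compare against 0xFE; the destination capacity (DEST_CAPACITY), the header length (HEADER_LEN), the layout of the 16-bit entry array scanned at [eax+edx*2], and all function names are assumptions made for the illustration, and the header bytes are constructed, not taken from a real S3M file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets named in the advisory (all relative to EBX, the S3M header base). */
#define S3M_COUNT_OFFSET 0x20  /* 16-bit loop bound read at *(B) */
#define S3M_LIMIT_OFFSET 0x24  /* 16-bit value each entry is compared against at *(0) */
#define DEST_OFFSET      0xA8  /* byte array written at *(A): [ecx+ebx+0A8h] */

/* ASSUMPTIONS (not stated in the advisory): the destination array holds
   DEST_CAPACITY bytes, the header is HEADER_LEN bytes long, and the entries
   scanned at [eax+edx*2] are a little-endian 16-bit array. */
#define DEST_CAPACITY 8
#define HEADER_LEN    0x60

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Pre-parse check: does the file's 16-bit count at offset 0x20 exceed what the
   destination array can hold?  Returns 1 if so, 0 if not, -1 if the header is
   too short to contain the field at all. */
int count_exceeds_dest(const uint8_t *hdr, size_t hdr_len)
{
    if (hdr_len < S3M_LIMIT_OFFSET + 2) return -1;
    return rd16le(hdr + S3M_COUNT_OFFSET) > DEST_CAPACITY;
}

/* Bounded version of the write_loop.  The original iterates while
   counter < [ebx+20h] and writes dest[counter]; here the iteration count is
   clamped to both the source array length and the destination capacity, so a
   large value at 0x20 can no longer push the store at *(A) past the array.
   Returns the number of entries accepted (entries below the 0x24 limit). */
size_t remap_entries_bounded(const uint8_t *hdr, size_t hdr_len,
                             const uint16_t *entries, size_t n_entries,
                             uint8_t *dest, size_t dest_cap)
{
    if (hdr_len < S3M_LIMIT_OFFSET + 2) return 0;
    size_t n = rd16le(hdr + S3M_COUNT_OFFSET);
    uint16_t limit = rd16le(hdr + S3M_LIMIT_OFFSET);
    if (n > n_entries) n = n_entries;   /* do not read past the source array */
    if (n > dest_cap)  n = dest_cap;    /* do not write past the destination */
    uint8_t next = 0;                   /* models the running byte at [esi+18h] */
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (entries[i] >= limit) continue;  /* jump at *(0) taken: nothing stored */
        dest[i] = next;                      /* store at *(A) */
        if (entries[i] < 0xFE) next++;       /* increment at 0x00E9BB90 */
        accepted++;
    }
    return accepted;
}

/* Constructed sample input: a header whose count at 0x20 claims 0xFFFF
   entries (far more than DEST_CAPACITY) and whose limit at 0x24 is 3,
   plus four source entries, one of which is at or above the limit. */
static void build_sample(uint8_t *hdr, uint16_t *entries)
{
    memset(hdr, 0, HEADER_LEN);
    hdr[S3M_COUNT_OFFSET] = 0xFF; hdr[S3M_COUNT_OFFSET + 1] = 0xFF;
    hdr[S3M_LIMIT_OFFSET] = 0x03; hdr[S3M_LIMIT_OFFSET + 1] = 0x00;
    entries[0] = 0; entries[1] = 1; entries[2] = 2; entries[3] = 5;
}

/* Helpers that run the sample so the results can be checked by a caller. */
int sample_count_exceeds_dest(void)
{
    uint8_t hdr[HEADER_LEN]; uint16_t entries[4];
    build_sample(hdr, entries);
    return count_exceeds_dest(hdr, sizeof hdr);
}

size_t sample_accepted(void)
{
    uint8_t hdr[HEADER_LEN]; uint16_t entries[4]; uint8_t dest[DEST_CAPACITY] = {0};
    build_sample(hdr, entries);
    return remap_entries_bounded(hdr, sizeof hdr, entries, 4, dest, sizeof dest);
}

int main(void)
{
    printf("count at 0x20 exceeds destination: %d\n", sample_count_exceeds_dest());
    printf("entries accepted by bounded loop: %zu\n", sample_accepted());
    return 0;
}
```

The point of the clamp is that the file may state any 16-bit count, but the number of stores performed can never exceed the smaller of the two arrays involved; a parser that applies this check rejects or truncates the oversized count before the write_loop ever runs, rather than relying on the unpredictable AL value to make exploitation hard.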


III. IMPACT

Successful exploitation may allow the attacker to run arbitrary code in the
context of the user running AOL Nullsoft Winamp.


IV. VENDOR RESPONSE

Due to the fact I was looking for an AOL NULLSOFT contact for over 30 minutes with
no effect, I finally got bored and I haven't notified them at all.
