nullsoft-winamp-s3m_module-in_mod-adv.txt
Posted Apr 8, 2007
Authored by Piotr Bania | Site piotrbania.com

AOL Nullsoft Winamp S3M module IN_MOD.DLL suffers from a remote heap memory corruption vulnerability.

tags | advisory, remote
SHA-256 | 62c7089a210a961924687feeaecb2d8f45d356c6618343979cdf2e6263bc2408




AOL Nullsoft Winamp S3M Module "IN_MOD.DLL" Remote Heap Memory Corruption
by Piotr Bania <bania.piotr@gmail.com>
http://www.piotrbania.com


Severity: Important - Potential remote code execution.

Software affected: Tested on AOL Nullsoft Winamp v5.33 (x86), build of Feb 13 2007,
on Windows XP SP1/SP2.


Original URL: http://www.piotrbania.com/all/adv/nullsoft-winamp-s3m_module-in_mod-adv.txt



0. DISCLAIMER

The author takes no responsibility for any actions taken with the information or
code provided here. The copyright for any material created by the author is reserved.
Any duplication of the code or text provided here in electronic or printed
publications is not permitted without the author's agreement.


I. BACKGROUND


Winamp, developed by Nullsoft (now part of AOL), is one of the most popular
multimedia players in the world. in_mod.dll is one of Winamp's input plugins;
it decodes tracker module formats, S3M among them.


II. DESCRIPTION


The problem occurs when Winamp tries to play a specially crafted .S3M file.

S3M is the file format used by the popular ScreamTracker 3 PC music
tracker. The S3M format is an advanced module format, and is the successor
to the STM format used by the original ScreamTracker. Both formats are based
on the original MOD format used on the Commodore Amiga computer.


Take a look at this code snippet:

----// SNIP SNIP //-------------------------------------------------
.text:00E9BB54 write_loop: ; CODE XREF: sub_E9B964+239j
.text:00E9BB54 mov edx, [ebp+arg_0]
.text:00E9BB57 mov ecx, [esi+18h]
.text:00E9BB5A mov dx, [eax+edx*2]
.text:00E9BB5E mov [eax+ecx*2], dx
.text:00E9BB62 mov eax, [esi+370h]
.text:00E9BB68 mov ecx, [esi+18h]
.text:00E9BB6B mov cx, [eax+ecx*2]
.text:00E9BB6F cmp cx, [ebx+24h]
.text:00E9BB73 jnb short loc_E9BB93 ; *(0)
.text:00E9BB75 mov al, [esi+18h]
.text:00E9BB78 mov ecx, [ebp+arg_0]
.text:00E9BB7B mov [ecx+ebx+0A8h], al ; *(A)
.text:00E9BB82 mov eax, [esi+370h]
.text:00E9BB88 cmp word ptr [eax+ecx*2], 0FEh
.text:00E9BB8E jnb short loc_E9BB93
.text:00E9BB90 inc dword ptr [esi+18h]
.text:00E9BB93
.text:00E9BB93 loc_E9BB93: ; CODE XREF: sub_E9B964+20Fj
.text:00E9BB93 ; sub_E9B964+22Aj

.text:00E9BB93 movzx ecx, word ptr [ebx+20h] ; *(B)
.text:00E9BB97 inc [ebp+arg_0]
.text:00E9BB9A cmp [ebp+arg_0], ecx ; *(C)
.text:00E9BB9D jb short write_loop
----// SNIP SNIP //-------------------------------------------------

Where:
EBX = the base of the S3M header in memory
EBX+20h = offset 0x20 in the S3M file (in the S3M header layout this is the word
          holding the number of orders, OrdNum)
EBX+24h = offset 0x24 in the S3M file (the word holding the number of patterns, PatNum)
arg_0 = the loop counter (incremented by one every iteration, see 0x00E9BB97)


When the jump at instruction *(0) is not taken (the word loaded from [eax+ecx*2] is below
the word at [ebx+24h], which we control), execution lands at 0x00E9BB75.
AL is loaded with the low byte of the counter at [esi+18h]; that counter is incremented
at 0x00E9BB90, in every iteration in which the word at [eax+ecx*2] is below 0FEh
(0xFE and 0xFF are the "skip" and "end of song" marker values in an S3M order list).
Then at 0x00E9BB78 ECX is loaded with the loop counter arg_0 (incremented once per
iteration). The instruction marked *(A) stores the byte in AL at [ECX+EBX+0A8h], that is,
at the header base EBX plus the linear counter plus the constant 0xA8.


As you can see at 0x00E9BB93 (marked *(B)), CX is loaded with the two bytes we control
at offset 0x20 of the file, and the rest of ECX is zero-extended. Then at instruction *(C)
the arg_0 counter is compared with that value, and while it is below it (CF=1) the loop
continues.

So by changing the word at [ebx+20h] we control the number of iterations of write_loop,
while the destination of the store at *(A) advances by one byte per iteration. In every
iteration where the check at *(0) passes (and [ebx+24h], the other side of that compare,
is ours as well) one byte is written at [ebx+arg_0+0A8h]; a large count therefore writes
far beyond the end of the header structure on the heap, up to almost 64 KiB past
EBX+0A8h with the maximum word value. This leads to heap memory corruption.

Exploitation is hard, though, because the byte written at *(A) comes from the counter
at [esi+18h], whose value the attacker does not set directly; and, as noted above, it is
not constant either, since it is incremented at 0x00E9BB90.
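As an added example (not part of the original advisory, and not in_mod.dll's own code), the following C program shows the two checks the write_loop above is missing: an S3M loader that reads the order count at offset 0x20 and the pattern count at 0x24 exactly as the plugin does, but refuses a count larger than its fixed order table or larger than the bytes actually present in the file. The "SCRM" magic at 0x2C and the order list starting at 0x60 come from the S3M header layout, not from the advisory; MAX_ORDERS, struct s3m_song, s3m_load and make_s3m are this example's own names, the table capacity is an assumption (the advisory does not give the size of the plugin's table), and the two sample headers are constructed in main().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets in the S3M header (the page's [ebx+20h] and [ebx+24h]). */
#define S3M_ORD_NUM_OFF 0x20   /* word: number of entries in the order list */
#define S3M_PAT_NUM_OFF 0x24   /* word: number of patterns                  */
#define S3M_MAGIC_OFF   0x2C   /* "SCRM"                                    */
#define S3M_ORDERS_OFF  0x60   /* the order list begins here in the file    */

/* Capacity of this example's in-memory order table. Assumed for the example;
 * the advisory does not state the size of in_mod.dll's own table. */
#define MAX_ORDERS 256

struct s3m_song {
    uint16_t ord_num;             /* value read from offset 0x20 */
    uint16_t pat_num;             /* value read from offset 0x24 */
    uint8_t  orders[MAX_ORDERS];  /* plays the role of the table at ebx+0A8h */
    uint16_t valid_orders;        /* plays the role of the counter at [esi+18h] */
};

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse an S3M header and its order list into a fixed-size table.
 * Returns 0 on success, a negative code naming the failed check otherwise. */
int s3m_load(const uint8_t *buf, size_t len, struct s3m_song *song)
{
    if (len < S3M_ORDERS_OFF)                        return -1; /* header truncated */
    if (memcmp(buf + S3M_MAGIC_OFF, "SCRM", 4) != 0) return -2; /* not an S3M file */

    uint16_t ord_num = rd16le(buf + S3M_ORD_NUM_OFF);
    uint16_t pat_num = rd16le(buf + S3M_PAT_NUM_OFF);

    /* The checks the vulnerable loop lacks: the attacker-chosen count must fit
     * both the destination table and the bytes actually present in the file. */
    if (ord_num > MAX_ORDERS)                        return -3;
    if ((size_t)S3M_ORDERS_OFF + ord_num > len)      return -4;

    memset(song, 0, sizeof *song);
    song->ord_num = ord_num;
    song->pat_num = pat_num;

    const uint8_t *ord = buf + S3M_ORDERS_OFF;
    for (uint16_t i = 0; i < ord_num; i++) {
        uint8_t o = ord[i];
        if (o >= 0xFE) continue;        /* 0xFE "++" skip and 0xFF end markers */
        if (o >= pat_num) return -5;    /* refers to a pattern that does not exist */
        /* every store lands inside orders[] because ord_num <= MAX_ORDERS */
        song->orders[song->valid_orders++] = o;
    }
    return 0;
}

/* Build a constructed S3M header (sample data for this example, not a real
 * module) with the given counts and order bytes. Returns the file length. */
size_t make_s3m(uint8_t *out, size_t cap, uint16_t ord_num, uint16_t pat_num,
                const uint8_t *orders, size_t n_orders)
{
    size_t len = S3M_ORDERS_OFF + n_orders;
    if (cap < len) return 0;
    memset(out, 0, len);
    memcpy(out, "added example", 13);              /* song name field at 0x00 */
    out[0x1C] = 0x1A; out[0x1D] = 0x10;            /* EOF marker, file type */
    out[S3M_ORD_NUM_OFF] = ord_num & 0xFF; out[S3M_ORD_NUM_OFF + 1] = ord_num >> 8;
    out[S3M_PAT_NUM_OFF] = pat_num & 0xFF; out[S3M_PAT_NUM_OFF + 1] = pat_num >> 8;
    memcpy(out + S3M_MAGIC_OFF, "SCRM", 4);
    memcpy(out + S3M_ORDERS_OFF, orders, n_orders);
    return len;
}

int main(void)
{
    uint8_t file[S3M_ORDERS_OFF + 16];
    struct s3m_song song;
    const uint8_t benign_orders[] = {0, 1, 0xFE, 0xFF};   /* constructed sample */
    size_t n;
    int rc;

    /* Well-formed: four entries, two of them markers, and two patterns exist. */
    n  = make_s3m(file, sizeof file, 4, 2, benign_orders, 4);
    rc = s3m_load(file, n, &song);
    printf("benign:  rc=%d valid_orders=%d\n", rc, (int)song.valid_orders);

    /* Crafted: offset 0x20 claims 0xFFFF orders although only four bytes follow.
     * The unchecked loop would iterate 0xFFFF times; here the load is refused. */
    n  = make_s3m(file, sizeof file, 0xFFFF, 2, benign_orders, 4);
    rc = s3m_load(file, n, &song);
    printf("crafted: rc=%d\n", rc);
    return 0;
}
```

The order of the checks matters: the count is validated against both the table capacity and the file length before the loop runs, so the loop body never needs its own bounds test, which is the property the plugin's write_loop lacks.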


III. IMPACT

Successful exploitation may allow an attacker to run arbitrary code in the
context of the user running AOL Nullsoft Winamp.


IV. VENDOR RESPONSE

Due to the fact that I was looking for an AOL Nullsoft contact for over 30 minutes with
no effect, I finally got bored and have not notified them at all.
