Posted Apr 8, 2007
Authored by Piotr Bania

AOL Nullsoft Winamp S3M module IN_MOD.DLL suffers from a remote heap memory corruption vulnerability.

tags | advisory, remote
MD5 | 255bbdd6a6b0b0cafa2967cec1011802

AOL Nullsoft Winamp S3M Module "IN_MOD.DLL" Remote Heap Memory Corruption
by Piotr Bania <>

Severity: Important - Potential remote code execution.

Software affected: Tested on AOL Nullsoft Winamp v5.33 (x86) Feb 13 2007
(on Windows XP SP1/SP2).

Original url:


The author takes no responsibility for any actions taken with the provided information or
code. The copyright for any material created by the author is reserved. Any
duplication of code or text provided here in electronic or printed
publications is not permitted without the author's agreement.


Nullsoft Winamp is the most popular multimedia player in the world.
in_mod.dll is one of the Winamp plugins.


The problem occurs when Winamp tries to play a specially
crafted .S3M file.

S3M is the file format used by the popular ScreamTracker 3 PC music
tracker. The S3M format is an advanced module format, and is the successor
to the STM format used by the original ScreamTracker. Both formats are based
on the original MOD format used on the Commodore Amiga computer.

Take a look at this code snippet:

----// SNIP SNIP //-------------------------------------------------
.text:00E9BB54 write_loop: ; CODE XREF: sub_E9B964+239j
.text:00E9BB54 mov edx, [ebp+arg_0]
.text:00E9BB57 mov ecx, [esi+18h]
.text:00E9BB5A mov dx, [eax+edx*2]
.text:00E9BB5E mov [eax+ecx*2], dx
.text:00E9BB62 mov eax, [esi+370h]
.text:00E9BB68 mov ecx, [esi+18h]
.text:00E9BB6B mov cx, [eax+ecx*2]
.text:00E9BB6F cmp cx, [ebx+24h]
.text:00E9BB73 jnb short loc_E9BB93 ; *(0)
.text:00E9BB75 mov al, [esi+18h]
.text:00E9BB78 mov ecx, [ebp+arg_0]
.text:00E9BB7B mov [ecx+ebx+0A8h], al ; *(A)
.text:00E9BB82 mov eax, [esi+370h]
.text:00E9BB88 cmp word ptr [eax+ecx*2], 0FEh
.text:00E9BB8E jnb short loc_E9BB93
.text:00E9BB90 inc dword ptr [esi+18h]
.text:00E9BB93 loc_E9BB93: ; CODE XREF: sub_E9B964+20Fj
.text:00E9BB93 ; sub_E9B964+22Aj
.text:00E9BB93 movzx ecx, word ptr [ebx+20h] ; *(B)
.text:00E9BB97 inc [ebp+arg_0]
.text:00E9BB9A cmp [ebp+arg_0], ecx ; *(C)
.text:00E9BB9D jb short write_loop
----// SNIP SNIP //-------------------------------------------------

EBX = the base of the S3M header in memory
EBX+20h = offset 0x20 in the S3M file
EBX+24h = offset 0x24 in the S3M file
arg_0 = a counter (incremented by one on every loop iteration, see 0x00E9BB97)

When the jump at instruction *(0) is not taken (the value read from [eax+ecx*2] is below
the value at [ebx+24h], which we control), execution lands at 0x00E9BB75.
The AL register is loaded with one byte from [esi+18h], which is also incremented
by one every loop iteration (see 0x00E9BB90). Then at 0x00E9BB78, ECX is loaded
with the counter variable (also incremented by one every iteration). The instruction marked
*(A) stores the byte previously loaded into AL at the memory location computed from
EBX (the header base), ECX (the linear counter) and the constant displacement 0xA8.

As you can see at 0x00E9BB93 (marked *(B)), CX is loaded with two bytes that
we control in the file structure (offset 0x20); the rest of ECX is
zero-extended. Then at instruction *(C) the arg_0 counter is compared with
our value in ECX, and if it is below (CF=1) the loop continues.

So, for example, by changing the [ebx+20h] value we control the number
of iterations of this write_loop. This leads to memory corruption.

Exploitation is hard, however, because the AL value stored at point *(A)
is not attacker-controlled and, as mentioned above, it is not constant either
(it is incremented at 0x00E9BB90).
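As an added example (not Winamp's code and not part of the original advisory), the C below parses the two header words the loop depends on and shows the bounds check that keeps the per-order byte store inside its destination table. The 256-entry table capacity, the 0x60-byte header with the "SCRM" magic at 0x2C, the byte-wide order list and the mapping logic are this example's own assumptions, simplified from the listing.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define S3M_HEADER_LEN 0x60   /* fixed part of the S3M header, ends past "SCRM" */
#define S3M_MAX_ORDERS 256    /* capacity of the order table; chosen for this example */

/* Header words the loop depends on: ord_num at file offset 0x20 (loop count),
 * pat_num at 0x24 (the compare operand at *(0)); both are attacker-controlled. */
struct s3m_header { uint16_t ord_num, pat_num; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns 0 on success, -1 if the buffer is too short or the "SCRM" magic is missing. */
int s3m_parse_header(const uint8_t *buf, size_t len, struct s3m_header *h)
{
    if (len < S3M_HEADER_LEN || memcmp(buf + 0x2C, "SCRM", 4) != 0)
        return -1;
    h->ord_num = rd16(buf + 0x20);
    h->pat_num = rd16(buf + 0x24);
    return 0;
}

/* Hardened counterpart of write_loop: ord_num is attacker-controlled, so it is
 * checked against the destination capacity before the first store. Returns the
 * number of entries written, or -1 when the loop would run past the table. */
int s3m_build_order_map(const struct s3m_header *h, const uint8_t *orders,
                        size_t orders_len, uint8_t *table, size_t table_cap)
{
    if (h->ord_num > table_cap || h->ord_num > orders_len)
        return -1;
    unsigned j = 0;                      /* compacted pattern index, as [esi+18h] */
    for (unsigned i = 0; i < h->ord_num; i++) {
        table[i] = (uint8_t)j;           /* the byte store at *(A), now in bounds */
        if (orders[i] < h->pat_num && orders[i] < 0xFE)  /* 0xFE/0xFF are markers */
            j++;
    }
    return (int)h->ord_num;
}

uint8_t g_table[S3M_MAX_ORDERS];         /* destination table for the demo below */

/* Constructed sample: a minimal header with the given ord_num and pat_num = 2. */
int s3m_demo(uint16_t ord_num)
{
    static const uint8_t orders[4] = {0, 0xFE, 1, 0xFF};   /* constructed order list */
    uint8_t hdr[S3M_HEADER_LEN] = {0};
    struct s3m_header h;
    memcpy(hdr + 0x2C, "SCRM", 4);
    hdr[0x20] = (uint8_t)ord_num; hdr[0x21] = (uint8_t)(ord_num >> 8);
    hdr[0x24] = 2;
    if (s3m_parse_header(hdr, sizeof hdr, &h) != 0) return -2;
    return s3m_build_order_map(&h, orders, sizeof orders, g_table, S3M_MAX_ORDERS);
}
```

With ord_num = 4 the loop writes four in-bounds entries; with ord_num = 0xFFFF, the kind of value the advisory describes placing at offset 0x20, the check rejects the file before any store happens.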


Successful exploitation may allow the attacker to run arbitrary code in the
context of the user running AOL Nullsoft Winamp.


Due to the fact that I was looking for an AOL NULLSOFT contact for over 30 minutes with
no effect, I finally got bored and haven't notified them at all.
