myth
QUOTE
Winamp is vulnerable to a buffer overflow vulnerability when processing ID3v2 tags of mp3 files. To exploit this vulnerability, a user has to add a malformed mp3 file to the Winamp playlist and play it.
When playing of the mp3 file is finished, the playlist is updated, and if some part of the ID3v2 tag (e.g. ARTIST or TITLE) is too long, it is possible to overflow a value that is later used as the source address in the strcpy() function. The strcpy() call can overflow a value (in the DATA segment) that will later, in a jump instruction, point code execution to some attacker-supplied buffer, where malicious code can be executed.


Looking into it more atm. Hopefully I will be able to decode the provided PoC to give more detailed information on the exploit and where they went wrong. Until then, their website gives a lot of great information, more than a typical security advisory would.

Credit for this vulnerability goes to Leon Juranic ljuranic@lss.hr.

hxxp://security.lss.hr/en/index.php?page=details&ID=LSS-2005-07-14

(It's not a fake link though.)
BuzzDee
Yeah, I also wanted to look at it, but Winamp didn't crash here. Did it work for you?
haz
I tried the PoC mp3 file on Windows XP SP2. Winamp doesn't crash; it behaves more like a DoS.
BuzzDee
Since it is a BOF, Winamp should actually crash...
satknis
This exploit does work for me. I tested it yesterday, but I can't
remember which version I have. I think it is 5.08 or 5.09.
It first plays the song, then it crashes.
myth
I've only tried it in XMMS on Linux: CPU 100%. The current song kept playing, then when the playlist couldn't see the PoC MP3, CPU returned to normal; I moved the playlist so I could see the PoC MP3, then CPU 100% again, until the song had finished...
z0mbi3
Hey,
I'm using 5.091 and the PoC mp3 file crashes Winamp.
As the advisory says, we seem to have control of EAX and EDX:

[screenshot of the register dump]

EAX=79797979 and EDX=70707070

QUOTE
00437202  8B88 B4090000    MOV ECX,DWORD PTR DS:[EAX+9B4]
00437208  3B4C24 08        CMP ECX,DWORD PTR SS:[ESP+8]


We find an address (EAX+9B4) which has the value 0x00000001, so when it compares the value in ECX with [ESP+8] (which is 0x00000001) the jump is taken. Sounded simple in my head.

(Found that if you have 00 it is changed to 20.)

I found a 0x00000001 in ws2help's .data:
QUOTE
71AA5008  01 00 00 00

Now 71AA5008 - 9B4 = 71AA4654.

So I placed this where 79797979 is in the picture (5446AA71, as it has to be backwards):

QUOTE
004371FA  /$ 8B4424 04      MOV EAX,DWORD PTR SS:[ESP+4]            ;  EAX becomes 71AA4654
004371FE  |> 85C0          /TEST EAX,EAX
00437200  |. 74 14          |JE SHORT Winamp.00437216                ;  Jmp not taken
00437202  |. 8B88 B4090000  |MOV ECX,DWORD PTR DS:[EAX+9B4]          ;  DS:[71AA5008]=00000001
00437208  |. 3B4C24 08      |CMP ECX,DWORD PTR SS:[ESP+8]            ;  Stack SS:[0012943C]=00000001 ECX=00000001
0043720C  |. 74 0D          |JE SHORT Winamp.0043721B                ;  jump is taken
0043720E  |. 8B80 B8090000  |MOV EAX,DWORD PTR DS:[EAX+9B8]
00437214  |.^EB E8          \JMP SHORT Winamp.004371FE
00437216  |> B8 DC124600    MOV EAX,Winamp.004612DC                  ;  ASCII "No Entry"
0043721B  \> C3            RETN



The sanity check is bypassed and strcpy follows; after strcpy it comes to this code:

QUOTE
0041D440  /$ A1 580E4700    MOV EAX,DWORD PTR DS:[470E58] ;470E58= 1378F978
0041D445  |. 85C0          TEST EAX,EAX                         
0041D447  |. 74 03          JE SHORT Winamp.0041D44C
0041D449  |. FF60 48        JMP DWORD PTR DS:[EAX+48]
0041D44C  \> C3            RETN


Here's where I'm stuck.

Looks like I need to use strcpy to overwrite 470E58 with something. I'm using WinXP SP0, but that shouldn't be a problem.

Need to try it out on WinXP SP1 or Win2000 SP0 to see if it's the same thing.

I don't know asm much, but playing with it is great. If anyone finds a solution or can see something wrong, tell me.
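The mechanism in the advisory text quoted at the top of the thread (an over-long ARTIST/TITLE text in the ID3v2 tag, copied by strcpy() over a pointer that is later used for a jump), which z0mbi3's trace above walks through and brOmstar restates further down, as an added worked example in C. This is my code, not the thread's, Winamp's or LSS's: it builds an ID3v2.3 tag in memory per the public ID3v2.3 spec, parses the frame back out, and shows an unchecked copy clobbering the adjacent pointer with the fill byte (the 79797979 pattern z0mbi3 saw in EAX) beside a bounded copy that rejects the same frame. The 16-byte buffer, the buffer-then-pointer layout, the use of 0x00470E58 as a stand-in value for that pointer, and all function names are assumptions made for the model; Winamp's real layout is not known from this page.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the thread, Winamp or the LSS advisory.  It
 * models the bug the advisory describes: an over-long ID3v2 text frame copied
 * unbounded into a fixed buffer, spilling into a pointer stored after it.
 * Buffer size, layout and the stand-in pointer value are assumptions. */

#define TITLE_MAX 16                   /* assumed fixed buffer size       */
#define REGION    (TITLE_MAX + 4)      /* buffer plus the 4-byte pointer  */

/* Four-byte big-endian fields with `bits` payload bits per byte: 7 for the
 * "syncsafe" ID3v2 tag size, 8 for ID3v2.3 frame sizes (public spec). */
static void put_field(uint8_t *p, uint32_t v, int bits) {
    for (int i = 0; i < 4; i++) p[i] = (v >> (bits * (3 - i))) & ((1u << bits) - 1);
}
static uint32_t get_field(const uint8_t *p, int bits) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v = (v << bits) | (p[i] & ((1u << bits) - 1));
    return v;
}

/* Constructed tag: "ID3" header + one text frame (TPE1 = artist, TIT2 =
 * title) whose text is `len` copies of `fill`.  Caller frees the result. */
uint8_t *build_tag(const char id[4], uint8_t fill, uint32_t len, size_t *out) {
    uint32_t body = 1 + len;                 /* encoding byte + text        */
    size_t total = 10 + 10 + body;           /* tag hdr + frame hdr + body  */
    uint8_t *buf = calloc(total, 1);
    memcpy(buf, "ID3", 3);
    buf[3] = 3;                              /* v2.3; revision/flags = 0    */
    put_field(buf + 6, 10 + body, 7);        /* tag size excludes header    */
    memcpy(buf + 10, id, 4);
    put_field(buf + 14, body, 8);            /* frame flags (18,19) stay 0  */
    buf[20] = 0;                             /* ISO-8859-1 text encoding    */
    memset(buf + 21, fill, len);
    *out = total;
    return buf;
}

/* Walk the frames and return the text of frame `id`, or NULL if it is absent
 * or a declared frame size runs past the end of the tag. */
const uint8_t *find_text_frame(const uint8_t *tag, size_t tag_len,
                               const char id[4], uint32_t *text_len) {
    if (tag_len < 10 || memcmp(tag, "ID3", 3) != 0 || tag[3] != 3) return NULL;
    size_t end = 10 + get_field(tag + 6, 7);
    if (end > tag_len) end = tag_len;
    for (size_t off = 10; off + 10 <= end && tag[off] != 0; ) {  /* 0 = padding */
        uint32_t sz = get_field(tag + off + 4, 8);
        if (sz == 0 || sz > end - off - 10) return NULL;
        if (memcmp(tag + off, id, 4) == 0) { *text_len = sz - 1; return tag + off + 11; }
        off += 10 + sz;
    }
    return NULL;
}

/* Flat stand-in for the .data layout: title buffer followed by a 4-byte
 * little-endian pointer, seeded with 0x00470E58 (the address named here). */
static uint32_t read_ptr(const uint8_t *seg) {
    uint32_t v = 0;
    for (int i = 3; i >= 0; i--) v = (v << 8) | seg[TITLE_MAX + i];
    return v;
}

/* Parse a constructed tag with a `len`-byte TPE1 and copy the text into the
 * buffer.  checked == 0 is the advisory's strcpy pattern (no length check;
 * clamped to REGION only so the model stays in bounds); checked != 0 refuses
 * text that does not fit with its terminator.  Returns 0 = accepted,
 * -1 = rejected, -2 = frame not found; *ptr_out gets the pointer afterwards. */
int copy_artist(uint32_t len, uint8_t fill, int checked, uint32_t *ptr_out) {
    uint8_t seg[REGION] = {0};
    memcpy(seg + TITLE_MAX, "\x58\x0E\x47\x00", 4);
    size_t n; uint32_t tl; int rc = 0;
    uint8_t *tag = build_tag("TPE1", fill, len, &n);
    const uint8_t *t = find_text_frame(tag, n, "TPE1", &tl);
    if (!t)                   rc = -2;
    else if (!checked)        memcpy(seg, t, tl > REGION ? REGION : tl);
    else if (tl >= TITLE_MAX) rc = -1;
    else { memcpy(seg, t, tl); seg[tl] = 0; }
    free(tag);
    *ptr_out = read_ptr(seg);
    return rc;
}

/* Wrappers so each result is a plain return value. */
uint32_t ptr_after(uint32_t len, uint8_t fill, int checked) {
    uint32_t p; (void)copy_artist(len, fill, checked, &p); return p;
}
int verdict(uint32_t len, uint8_t fill, int checked) {
    uint32_t p; return copy_artist(len, fill, checked, &p);
}

/* The thread reports 0x00 bytes being rewritten to 0x20, so an address
 * carried in the tag must be NUL-free; this flags ones that are not. */
int has_null_byte(uint32_t addr) {
    for (int i = 0; i < 4; i++) if (((addr >> (8 * i)) & 0xff) == 0) return 1;
    return 0;
}
```

With a 6-byte artist the pointer survives as 0x00470E58; with 512 bytes of 'y' the unchecked copy leaves 0x79797979 in its place, while the bounded copy returns -1 and leaves the pointer untouched. has_null_byte(0x00470E58) flags the kind of address the thread found unusable because its 0x00 byte gets rewritten, and 0x71AA4654 (the ws2help address z0mbi3 used) passes.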
x1`
So is there a remote port that we can scan to try and find vulnerable hosts?
Cheraz
QUOTE(x1` @ Jul 17 2005, 11:01 AM)
So is there a remote port that we can scan to try and find vulnerable hosts?

I don't think so, because the user must interact.
tibbar
QUOTE(x1` @ Jul 17 2005, 10:01 AM)
So is there a remote port that we can scan to try and find vulnerable hosts?

You realise this is Winamp, right? So the user must open a dodgy mp3 file for this to happen.

I predict P2P nets getting filled with crafted mp3 files with a web-downloader payload to a botnet binary.

Horrible...
Reaper527
QUOTE(tibbar @ Jul 17 2005, 07:39 PM)
QUOTE(x1` @ Jul 17 2005, 10:01 AM)
So is there a remote port that we can scan to try and find vulnerable hosts?

You realise this is Winamp, right? So the user must open a dodgy mp3 file for this to happen.

I predict P2P nets getting filled with crafted mp3 files with a web-downloader payload to a botnet binary.

Horrible...

Most people won't even know what happened, since it plays the song before the BOF executes.
BuzzDee
Hey, nice work z0mbi3 (or should I say yamaraj?)! I'll have a look as soon as it works for me, lol.
Seems to be a nice BOF to play with. Maybe we manage to write an exploit =)
z0mbi3
z0mbi3 is fine, BuzzDee.

This BOF looks great. I've never done stuff like this, manipulating registers, so it would be great to pull it off.

On WinXP SP0, \x00 is changing to \x20, so if I try to use an address like 0x00123445 (e.g. for the .data section where the buffer is)

I'm going to install Win2000 and see whether it's the same thing or \x00 stays as \x00.

Stuff like this keeps me busy, especially in the boring summer holidays.
haz
I also installed Win2k and I hope it works fine, so I could play a little bit with it.

There is nothing to do next week in school or at home, so I can waste my time with this PoC.
BinaryHero
If you guys get anywhere with it, holla back at us.
haz
On my box there is no buffer overflow.
Tried it on 2 different systems with vulnerable Winamp versions.
z0mbi3
Did you check the version?

You need to add a couple of other songs as well as the vulnerable one.
nolimit
QUOTE(z0mbi3 @ Jul 18 2005, 11:13 AM)
z0mbi3 is fine, BuzzDee.

This BOF looks great. I've never done stuff like this, manipulating registers, so it would be great to pull it off.

On WinXP SP0, \x00 is changing to \x20, so if I try to use an address like 0x00123445 (e.g. for the .data section where the buffer is)

I'm going to install Win2000 and see whether it's the same thing or \x00 stays as \x00.

Stuff like this keeps me busy, especially in the boring summer holidays.

It's fun stuff, eh? The tough ones are always the most rewarding. Let me know if you need any help or get stuck ;>
z0mbi3
I am stuck.

On the advisory,
EAX must be in the .data section of Winamp to be able to strcpy the data we sent to overflow the address 0x00470E58.

The .data section has a lot of 0x00000001s, so we could make use of them, but
Winamp changes the \x00 to \x20,
so I can't make EAX have the address 0x00XXXXXX.

I was able to find a non-\x00 one on page 1, which was some ws32 thingy, and it worked as it bypassed the sanity check, but when it came to the strcpy, EAX is still the one in ws32 and won't copy my buffer to overflow the address 0x00470E58.

QUOTE
00438D59  |. 50             PUSH EAX                                 ;
00438D5A  |. FF75 08        PUSH DWORD PTR SS:[EBP+8]                ; |dest
00438D5D  |. E8 60D20100    CALL <JMP.&MSVCRT.strcpy>                ; \strcpy

I installed Win2000 and checked what happens: the 0x00 is still changed to 0x20.

The advisory did say it was a not-so-easy exploit,
but they go on to say "Beside, there are few possible exploitation vectors for this vulnerability".
Is that a clue, or am I reading into it too much?

Later
slynx
Try to find an address with no nulls that will do a relative jmp to your code instead of a direct overwrite... 0x00 is a commonly filtered character. Sorry, I don't have much time to go in-depth right now, but I'm still supposed to be working :-p
haz
z0mbi3, I've been sitting here for about 6 hours and have the same problem.

Bypassing the sanity check is very easy with a 0x00000001 of a module,
but I haven't found a way until now to overflow the address 0x00470E58
with our characters.

Perhaps it takes another day to find a solution.
z0mbi3
EAX must be set so that EAX+9B4 is 0x00000001,
and EAX must be in the .data section of Winamp and point to the data we put in,
so when strcpy is run our buffer overwrites 0x00470E58.

For this to happen EAX must be set to 0x0047XXXX, and we can't use nulls.
Tricky one; wonder what the people who released the advisory did here.
haz
QUOTE
Beside, there are few possible exploitation vectors for this vulnerability, depending on what actions are performed by user on malformed mp3 file.
For example - in version 5.03a, if the malformed mp3 file is added to the playlist with 'add-folder' option, it isn't needed to bypass the previously mentioned "sanity check".


Has someone tried this already?
Perhaps it could open some new ways...
Dr.Network
Hey hey, stop...

How do you want to make an mp3 file that goes into Winamp and modifies any registers there? Sorry, I'm a newbie? Can you explain what you want to do exactly, with details? Please.

Thanks
brOmstar
Winamp looks into the mp3 file to read the ID3v2 tag; if that tag is too long, Winamp copies it without a check into a buffer and the buffer is overflowed. The rest is a 'normal' buffer overflow.

Hope that helps you.
haz
As the advisory ( http://security.lss.hr/en/index.php?page=d...=LSS-2005-07-14 ) tells, Winamp is vulnerable to a buffer overflow vulnerability.

Read the advisory and this thread and you should understand where the vulnerability lies and what problems exist.

QUOTE
Sorry, I'm a newbie?

? or ! ... ?
Dr.Network
QUOTE(brOmstar @ Aug 9 2005, 07:56 PM)
Winamp looks into the mp3 file to read the ID3v2 tag; if that tag is too long, Winamp copies it without a check into a buffer and the buffer is overflowed. The rest is a 'normal' buffer overflow.

Hope that helps you.

It copies it into the buffer. The buffer overflows, and then? What can you do then? What is written into the mp3 file that you can use?
haz
... you can control the EIP. Read some papers about buffer overflows.
Buffer overflows are always about controlling the EIP, writing shellcode into
the buffer and executing it.