Today we’ll be studying the winam 6.12 playlist buffer overflow vuln. I found that vuln very interesting to study as it requieres an important amount of creativity to get it working.
We begin with this proof of concept, the perl file will generate an evil .pls file when we open that file with winamp the program gets crashed.
So we generate the evil playlist using the perl script with ActivePerl on windows Vista and we open the evil playlist file:
We we can see is that the EIP reigster has been overwritten with 41414141, and if we look closely we can see that ESP has been overwritten but we have only 11 bytes to work with
And just before this 11 bytes we have got a lot of available space but it seems that we can reach it as it is loaded before our 11 bytes..
Well, first of all let’s find a JMP ESP or a CALL ESP to get to the ESP register and start working
We simply copy the address to the bytes that will overwrite EIP
And if we test that we can see that in fact we reach ESP and our 11 bytes
With a litle bit of creativy, we can figure that if we substract the right bytes to the ESP register’s content, and then we run a JMP ESP we should do the moonwalk backwards and get to more space
Efectively we did it
At this time we could place our shellcode here or maybe run a larger moonwalk and run the shellcode there, but in this example we’ll implement an egghunter.
So what is an egghunter? It is a small piece of code that will search for an expression like w00tw00t hackhack pwndpwnd or something in the memory, our shellcode will be placed just after the string to search so when the egghunter finds it, it will run a jump just at the first instruction of our shellcode, nice huh? Imagine all the things we can do with that. I’ll use the following egghunter provided by Mike Miller.
We run the egghunter and we generate shellcode, I’ll use the string W00TW00T to perform the search
We add it to our exploit and we generate the evil playlist once again
And here it is, our egghunter in memory placed just after our moonwalk
But if we look closely we can see that we just found a bad character x2e seems to break the code.
We can binary copy the shellcode, fix the e2 byte and use hexdump to save it under kali linux
Then we can use metasploit framework to encode that with msfencode using alphanumeric shellcode, if all works fine xe2 will disapear (if you get any problem option -b”\x2e” will mark x2e as badchar)
Now we can add our new encoded egghunter to the exploit
And watch how it gets decoded in memory
At this time we got the egghunter working, now we can generate some piece of shellcode, encoded it with metasploit(just avoid future problems) and place it somewhere inside our buffer, the egghunter will find it and execute it
We edit the code like this, remember, always maintain the original buffer length or you can break the exploit
And et voilà