Winamp 5.6 – ‘MIDI Parser’ Arbitrary Code Execution

• Exploit Database
• 37 阅读

• 作者： Kryptos Logic
  日期： 2010-12-08
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/15706/

• http://www.kryptoslogic.com/advisories/2010/kryptoslogic-winamp-midi.txt
  
  PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15706.c
  
  ==-===-=====-=======-===========-=============-=================
  
   Winamp 5.6 Arbitrary Code Execution in MIDI Parser
  
  Kryptos Logic, December 2010
  
  ==-===-=====-=======-===========-=============-=================
  
  =====[ Timeline
  
  Vendor Contacted...........: 2010-12-03
  Proposed Fix from Vendor...: 2010-12-04
  Advisory Published.........: 2010-12-07
  
  
  =====[ Affected Versions
  
  Vulnerable:
  - Winamp 5.6
  - Winamp 5.581
  - Possibly older versions of Winamp
  
  Not vulnerable:
  - Winamp 5.601
  - Winamp 5.601 Beta build 3087
  
  
  =====[ Vulnerability
  
  When Winamp plays MUS files and other MIDI variants, it begins
  by converting them to a canonical format. Timestamps in MIDI
  files are encoded by serializing 32 bit integers into 1, 2, 3, 4
  or 5 bytes, storing 7 data bits in each byte. The last bit is
  used to indicate whether or not a given byte is the last. The
  serialization is done into an 8 byte buffer, which should be
  large enough, but there is a logic bug in the code which allows
  an attacker to write one byte outside of the buffer.
  
  The serialization is done by shifting the input value multiples
  of seven bits, until there is no more bits set. This is done
  using the x86 instruction SAR. Unfortunately this instruction
  does not clear the register when shifting more than the register
  width, but instead shifts the requested amount modulo the
  register width. By crafting an input file so that Winamp tries
  to serialize a value which has the most significant bit cleared
  and one of the following three bits set, an attacker can force
  the program to write the value shifted 0, 7, 14, 21, 28, 3, 10,
  17 and 24 bits; a total of nine output bytes. The least
  significant value overflows into the saved base pointer.
  
  
  =====[ Exploitation
  
  The stack alignment of Winamp is predictable. An attacker can
  choose the value to write into the saved base pointer, so that
  when the base pointer is restored, the stack frame of the
  calling function is moved to a location where the attacker
  controls the return address.
  
  The value must be chosen so that the calling function will not
  access invalid memory addresses by using local variables in the
  modified stack frame. Carefully chosen values have proved to
  lead to code execution without causing any faults.
  
  
  =====[ Credits
  
  The bug was discovered by Peter Wilhelmsen, Kryptos Logic, and
  an exploit was developed by Morten Shearman Kirkegaard, Kryptos
  Logic.
  
  
  =====[ About Kryptos Logic
  
  Kryptos Logic is a group of talented computer security experts
  from around the globe that has coalesced into a highly effective
  team. New ideas and derivatives of existing products are
  constantly created. We provide a wide range of security products
  ranging from binary analysis tools and security research kits to
  anti-piracy and digital rights management software. We also
  perform state-of-the-art research on emergent attack vectors and
  threats to current digital infrastructure.
  
  http://www.kryptoslogic.com/