AOL Nullsoft Winamp S3M Module "IN_MOD.DLL" Remote Heap Memory Corruption
by Piotr Bania
http://www.piotrbania.com

Severity:          Important - potential remote code execution.
Software affected: Tested on AOL Nullsoft Winamp v5.33 (x86), Feb 13 2007 build, on Windows XP SP1/SP2.
Original url:      http://www.piotrbania.com/all/adv/nullsoft-winamp-s3m_module-in_mod-adv.txt

0. DISCLAIMER

The author takes no responsibility for any actions taken with the information or code provided here. The copyright for any material created by the author is reserved. Any duplication of the code or text provided here in electronic or printed publications is not permitted without the author's agreement.

I. BACKGROUND

Winamp, by Nullsoft, is one of the most popular multimedia players in the world. in_mod.dll is the Winamp input plugin that handles tracker module formats such as S3M.

II. DESCRIPTION

The problem occurs when Winamp tries to play a specially crafted .S3M file. S3M is the file format used by the popular ScreamTracker 3 PC music tracker. The S3M format is an advanced module format and the successor to the STM format used by the original ScreamTracker. Both formats are based on the original MOD format used on the Commodore Amiga computer.
Take a look at this code snippet:

----// SNIP SNIP //-------------------------------------------------
.text:00E9BB54 write_loop:                             ; CODE XREF: sub_E9B964+239j
.text:00E9BB54     mov     edx, [ebp+arg_0]
.text:00E9BB57     mov     ecx, [esi+18h]
.text:00E9BB5A     mov     dx, [eax+edx*2]
.text:00E9BB5E     mov     [eax+ecx*2], dx
.text:00E9BB62     mov     eax, [esi+370h]
.text:00E9BB68     mov     ecx, [esi+18h]
.text:00E9BB6B     mov     cx, [eax+ecx*2]
.text:00E9BB6F     cmp     cx, [ebx+24h]
.text:00E9BB73     jnb     short loc_E9BB93            ; *(0)
.text:00E9BB75     mov     al, [esi+18h]
.text:00E9BB78     mov     ecx, [ebp+arg_0]
.text:00E9BB7B     mov     [ecx+ebx+0A8h], al          ; *(A)
.text:00E9BB82     mov     eax, [esi+370h]
.text:00E9BB88     cmp     word ptr [eax+ecx*2], 0FEh
.text:00E9BB8E     jnb     short loc_E9BB93
.text:00E9BB90     inc     dword ptr [esi+18h]
.text:00E9BB93
.text:00E9BB93 loc_E9BB93:                             ; CODE XREF: sub_E9B964+20Fj
.text:00E9BB93                                         ; sub_E9B964+22Aj
.text:00E9BB93     movzx   ecx, word ptr [ebx+20h]     ; *(B)
.text:00E9BB97     inc     [ebp+arg_0]
.text:00E9BB9A     cmp     [ebp+arg_0], ecx            ; *(C)
.text:00E9BB9D     jb      short write_loop
----// SNIP SNIP //-------------------------------------------------

Where:

  EBX      = the base of the S3M header in memory
  EBX+20h  = offset 0x20 in the S3M file (OrdNum, the number of order-list entries)
  EBX+24h  = offset 0x24 in the S3M file (PatNum, the number of patterns)
  arg_0    = a counter, increased by one every iteration (look at 0x00E9BB97)

Each iteration copies order entry arg_0 of the word array at [esi+370h] to index [esi+18h] of the same array (0x00E9BB54-0x00E9BB5E), i.e. the loop compacts the order list in place. When the jump at instruction *(0) is not taken (the word at [eax+ecx*2] is below the word at [ebx+24h], which we control), execution lands at 0x00E9BB75. The AL register is loaded with the low byte of the counter at [esi+18h], which is incremented at 0x00E9BB90 whenever the word at [eax+ecx*2] is below 0FEh. Then at 0x00E9BB78, ECX is loaded with the arg_0 counter (also increased by one every iteration). The instruction marked as *(A) stores the byte previously loaded into AL at the memory location computed from EBX (the header base), ECX (the linear counter) and the constant displacement 0A8h. As you can see at 0x00E9BB93 (marked as *(B)), CX becomes equal to two bytes which we control in the file structure (offset 0x20).
The rest of the ECX register is zero-extended. Then at instruction *(C) the arg_0 counter is compared with that value in ECX, and if it is below (CF=1) the loop continues. So, for example, by changing the word at [ebx+20h] we control the number of iterations of write_loop, and therefore how far the byte writes at *(A) reach: the S3M header is a heap allocation, and the loop can write at up to 65535 consecutive offsets starting at EBX+0A8h with no check against the size of that allocation. This leads to heap memory corruption. Exploitation is hard, however, because the byte written at *(A) is not chosen by the attacker: it is the low byte of the counter at [esi+18h], which, as mentioned above, is not constant (it is incremented at 0x00E9BB90).

III. IMPACT

Successful exploitation may allow the attacker to run arbitrary code in the context of the user running AOL Nullsoft Winamp.

IV. VENDOR RESPONSE

Due to the fact I was looking for an AOL Nullsoft contact for over 30 minutes with no effect, I finally got bored and haven't notified them at all.
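The following C model is added here for illustration; it is not Winamp's code and not part of the original advisory. It recreates the write_loop from section II over a constructed S3M header: s3m_loop_overrun() computes how many bytes the original loop would store past a destination buffer given the attacker-chosen OrdNum word at offset 0x20, and s3m_load_orders() is the same compaction loop with the bounds checks the plugin lacks (OrdNum validated against the file length and the table capacity before it is used as a loop bound). The buffer capacity ORDER_CAP, the song_t layout, the function names and the sample order list are assumptions; the field offsets (OrdNum at 0x20, PatNum at 0x24, order list at 0x60) and the 0xFE/0xFF skip/end markers follow the ScreamTracker 3 format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* S3M header fields the advisory refers to (offsets per the ScreamTracker 3 format). */
#define S3M_ORDNUM_OFF  0x20u   /* word: number of order-list entries, [ebx+20h] */
#define S3M_PATNUM_OFF  0x24u   /* word: number of patterns,           [ebx+24h] */
#define S3M_ORDERS_OFF  0x60u   /* the order list follows the fixed header       */
#define S3M_HEADER_LEN  0x60u
#define S3M_ORDER_SKIP  0xFEu   /* "++" skip marker; 0xFF is "--" (end of song)  */

/* Capacity of the per-song order tables in this model. Assumed: the advisory
 * does not say how large the buffer at EBX+0A8h in Winamp actually is. */
#define ORDER_CAP 256u

typedef struct {
    uint16_t orders[ORDER_CAP];    /* models the word array at [esi+370h] */
    uint8_t  order_pos[ORDER_CAP]; /* models the byte array at [ebx+0A8h] */
    uint32_t compacted;            /* models the counter at [esi+18h]     */
} song_t;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Bytes the original write_loop can store past a destination buffer of dest_cap
 * bytes: it iterates [ebx+20h] times and writes one byte per iteration at
 * [ebx+0A8h+i], bounded only by the value read from the file. */
size_t s3m_loop_overrun(const uint8_t *hdr, size_t dest_cap)
{
    size_t ordnum = rd16le(hdr + S3M_ORDNUM_OFF);
    return ordnum > dest_cap ? ordnum - dest_cap : 0;
}

/* Hardened version of the same loop. Returns the number of compacted orders,
 * or -1 if the header is rejected. */
int s3m_load_orders(const uint8_t *file, size_t len, song_t *song)
{
    if (len < S3M_HEADER_LEN) return -1;
    size_t   ordnum = rd16le(file + S3M_ORDNUM_OFF);
    uint16_t patnum = rd16le(file + S3M_PATNUM_OFF);
    /* The missing check: OrdNum must fit both the file and the tables. */
    if (ordnum > ORDER_CAP || ordnum > len - S3M_ORDERS_OFF) return -1;

    memset(song, 0, sizeof *song);
    for (size_t i = 0; i < ordnum; i++)
        song->orders[i] = file[S3M_ORDERS_OFF + i];   /* bytes in the file, words in memory */

    for (size_t i = 0; i < ordnum; i++) {
        uint32_t k = song->compacted;
        song->orders[k] = song->orders[i];          /* mov [eax+ecx*2], dx            */
        if (song->orders[k] < patnum) {             /* cmp cx, [ebx+24h] ; jnb  *(0)  */
            song->order_pos[i] = (uint8_t)k;        /* *(A), now provably in bounds   */
            if (song->orders[k] < S3M_ORDER_SKIP)   /* cmp word ptr [...], 0FEh ; jnb */
                song->compacted++;                  /* inc dword ptr [esi+18h]        */
        }
    }
    return (int)song->compacted;
}

/* Builds a minimal S3M header plus order list in out[]. Constructed input for
 * this example, not a real module. ordnum may claim more entries than norders
 * actually present, which is exactly the crafted case. Returns bytes written,
 * 0 if out[] is too small. */
size_t s3m_build(uint8_t *out, size_t cap, uint16_t ordnum, uint16_t patnum,
                 const uint8_t *orders, size_t norders)
{
    size_t need = S3M_ORDERS_OFF + norders;
    if (cap < need) return 0;
    memset(out, 0, need);
    memcpy(out, "crafted", 7);              /* song name, 28 bytes, NUL padded   */
    out[0x1C] = 0x1A;                       /* DOS EOF marker                    */
    out[0x1D] = 0x10;                       /* file type: ST3 module             */
    wr16le(out + S3M_ORDNUM_OFF, ordnum);   /* attacker-controlled loop bound    */
    wr16le(out + S3M_PATNUM_OFF, patnum);   /* attacker-controlled compare value */
    memcpy(out + 0x2C, "SCRM", 4);          /* signature                         */
    memcpy(out + S3M_ORDERS_OFF, orders, norders);
    return need;
}
```

A benign header with OrdNum equal to the real list length loads and compacts normally; a header claiming OrdNum = 0xFFFF with only a handful of order bytes behind it is rejected by s3m_load_orders(), while s3m_loop_overrun() shows the original loop would have reached 0xFFFF - ORDER_CAP bytes beyond the table.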