AOL Nullsoft Winamp S3M Module "IN_MOD.DLL" Remote Heap Memory Corruption
	by Piotr Bania <bania.piotr@gmail.com>
	http://www.piotrbania.com


	Severity: 		Important - Potential remote code execution.

	Software affected: 	Tested on AOL Nullsoft Winamp v5.33 (x86) Feb 13 2007
				(on Windows XP SP1/SP2).


	Original url:		http://www.piotrbania.com/all/adv/nullsoft-winamp-s3m_module-in_mod-adv.txt



	0.   DISCLAIMER

	The author takes no responsibility for any actions taken with the information or 
	code provided. The copyright for any material created by the author is reserved. Any 
	duplication of the code or text provided here in electronic or printed 
	publications is not permitted without the author's agreement. 
		

	I.  BACKGROUND


	Winamp, by Nullsoft (now part of AOL), is one of the most popular multimedia players in the world.
	in_mod.dll is one of Winamp's input plugins; it handles tracker module formats such as S3M.


	II. DESCRIPTION


	The problem occurs when Winamp tries to play a specially crafted .S3M file.

	S3M is the file format used by the popular ScreamTracker 3 PC music 
	tracker. The S3M format is an advanced module format, and is the successor 
	to the STM format used by the original ScreamTracker. Both formats are based 
	on the original MOD format used on the Commodore Amiga computer.


	Take a look at this code snippet:

	----// SNIP SNIP //-------------------------------------------------	
	.text:00E9BB54 write_loop:                             ; CODE XREF: sub_E9B964+239j
	.text:00E9BB54                 mov     edx, [ebp+arg_0]
	.text:00E9BB57                 mov     ecx, [esi+18h]
	.text:00E9BB5A                 mov     dx, [eax+edx*2]
	.text:00E9BB5E                 mov     [eax+ecx*2], dx
	.text:00E9BB62                 mov     eax, [esi+370h]
	.text:00E9BB68                 mov     ecx, [esi+18h]
	.text:00E9BB6B                 mov     cx, [eax+ecx*2]
	.text:00E9BB6F                 cmp     cx, [ebx+24h]
	.text:00E9BB73                 jnb     short loc_E9BB93			; *(0)
	.text:00E9BB75                 mov     al, [esi+18h]
	.text:00E9BB78                 mov     ecx, [ebp+arg_0]
	.text:00E9BB7B                 mov     [ecx+ebx+0A8h], al		; *(A)
	.text:00E9BB82                 mov     eax, [esi+370h]
	.text:00E9BB88                 cmp     word ptr [eax+ecx*2], 0FEh
	.text:00E9BB8E                 jnb     short loc_E9BB93
	.text:00E9BB90                 inc     dword ptr [esi+18h]
	.text:00E9BB93
	.text:00E9BB93 loc_E9BB93:                             ; CODE XREF: sub_E9B964+20Fj
	.text:00E9BB93                                         ; sub_E9B964+22Aj

	.text:00E9BB93                 movzx   ecx, word ptr [ebx+20h]		; *(B)
	.text:00E9BB97                 inc     [ebp+arg_0]
	.text:00E9BB9A                 cmp     [ebp+arg_0], ecx			; *(C)
	.text:00E9BB9D                 jb      short write_loop
	----// SNIP SNIP //-------------------------------------------------	
	
	Where:
	EBX 		= the base of the S3M header in memory
	EBX+20h		= the 16-bit value at offset 0x20 in the S3M file
	EBX+24h		= the 16-bit value at offset 0x24 in the S3M file
	arg_0		= the loop counter (incremented by one every iteration, see 0x00E9BB97)

	
	When the jump at instruction *(0) is not taken (the word loaded from [eax+ecx*2] is below
	the word at [ebx+24h], which we control) execution lands at 0x00E9BB75.
	The AL register is loaded with the low byte of the dword at [esi+18h], which is
	incremented at 0x00E9BB90 on every iteration in which the word at [eax+ecx*2] is below
	0xFE. Then at 0x00E9BB78, ECX is loaded with the counter variable (also incremented by one
	every iteration). The instruction marked *(A) stores the byte previously loaded into AL at
	the address computed from EBX = header base, ECX = linear counter and the constant
	displacement 0xA8, i.e. header_base + 0xA8 + counter.
	

	As you can see at 0x00E9BB93 (marked *(B)), CX is loaded with the two bytes we control
	in the file structure (offset 0x20); the rest of ECX is zero-extended. Then at
	instruction *(C) the arg_0 counter is compared with that value, and if it is below
	(CF=1) the loop continues. 

	So by changing the value at [ebx+20h] we control the number of iterations of
	write_loop, up to 65535, whereas the destination at [ebx+0A8h] is not sized
	accordingly. Iterations that run past the end of that allocation overwrite adjacent
	heap memory.

	Exploitation is hard, though, because the byte written at *(A) is not directly
	attacker-controlled: as mentioned above, it comes from the counter at [esi+18h], which
	is not constant (it is incremented at 0x00E9BB90).
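	To make the arithmetic concrete, here is an added C model of the loop and of the
	bound check that should precede it. It is example code written for this page, not
	Nullsoft's code or the in_mod.dll source: the loop shape (a 16-bit count read from
	offset 0x20, one byte stored per iteration at header_base + 0xA8 + i) is taken from
	the disassembly above, while the header length 0x60, the "SCRM" magic at 0x2C, the
	256-byte table capacity and the 0x200-byte allocation are assumptions of the model.
	The vulnerable loop is simulated (writes are tallied, not performed), so the program
	is safe to run; s3m_check_header is the check that would have prevented the overrun.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not Nullsoft's code): a model of write_loop and a hardened
 * header check.  Only the loop shape comes from the disassembly; the header
 * length, the "SCRM" magic, the table capacity and the allocation size used
 * below are assumptions of the model.
 */
#define S3M_HDR_LEN    0x60  /* assumed fixed S3M header length */
#define S3M_OFF_COUNT  0x20  /* word read at *(B): loop bound */
#define S3M_OFF_LIMIT  0x24  /* word compared at *(0) */
#define S3M_OFF_MAGIC  0x2C  /* "SCRM" in a real S3M file (assumption) */
#define TABLE_OFF      0xA8  /* destination offset used at *(A) */
#define TABLE_CAP      256   /* assumed capacity of the table at +0xA8 */

struct loop_stats {
    unsigned iterations;     /* trips of write_loop implied by offset 0x20 */
    unsigned in_bounds;      /* writes that land inside the allocation */
    unsigned out_of_bounds;  /* writes that would land past it */
};

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable behaviour, simulated: trusts the 16-bit count exactly as the
 * plugin does, but tallies where each write at *(A) would land instead of
 * performing it, so the simulation cannot corrupt its own memory. */
struct loop_stats simulate_vulnerable_loop(const uint8_t *hdr, size_t alloc_size)
{
    struct loop_stats st = {0, 0, 0};
    st.iterations = rd16le(hdr + S3M_OFF_COUNT);      /* *(B): movzx ecx, word [ebx+20h] */
    for (unsigned i = 0; i < st.iterations; i++) {    /* *(C): cmp arg_0, ecx / jb */
        size_t dst = TABLE_OFF + i;                   /* *(A): [ecx+ebx+0A8h] */
        if (dst < alloc_size)
            st.in_bounds++;
        else
            st.out_of_bounds++;
    }
    return st;
}

/* Hardened check to run before the loop: 0 on success, negative on rejection. */
int s3m_check_header(const uint8_t *buf, size_t len, size_t table_cap)
{
    if (len < S3M_HDR_LEN)
        return -1;                                    /* truncated header */
    if (memcmp(buf + S3M_OFF_MAGIC, "SCRM", 4) != 0)
        return -2;                                    /* not an S3M file */
    if (rd16le(buf + S3M_OFF_COUNT) > table_cap)
        return -3;                                    /* count exceeds the table at +0xA8 */
    return 0;
}

/* Builds a constructed header (not a real file) with chosen count and limit
 * words; returns the number of bytes written. */
size_t build_header(uint8_t *out, size_t out_len, uint16_t count, uint16_t limit)
{
    if (out_len < S3M_HDR_LEN)
        return 0;
    memset(out, 0, S3M_HDR_LEN);
    memcpy(out, "constructed", 11);                   /* title field */
    out[0x1C] = 0x1A;                                 /* EOF marker (assumed layout) */
    out[0x1D] = 0x10;                                 /* file type (assumed layout) */
    out[S3M_OFF_COUNT]     = (uint8_t)(count & 0xFF);
    out[S3M_OFF_COUNT + 1] = (uint8_t)(count >> 8);
    out[S3M_OFF_LIMIT]     = (uint8_t)(limit & 0xFF);
    out[S3M_OFF_LIMIT + 1] = (uint8_t)(limit >> 8);
    memcpy(out + S3M_OFF_MAGIC, "SCRM", 4);
    return S3M_HDR_LEN;
}

/* Convenience wrappers: build a header with the given count, then simulate
 * the loop against an allocation of alloc_size bytes / run the check. */
struct loop_stats stats_for_count(uint16_t count, size_t alloc_size)
{
    uint8_t hdr[S3M_HDR_LEN];
    build_header(hdr, sizeof hdr, count, 1);
    return simulate_vulnerable_loop(hdr, alloc_size);
}

int check_for_count(uint16_t count)
{
    uint8_t hdr[S3M_HDR_LEN];
    build_header(hdr, sizeof hdr, count, 1);
    return s3m_check_header(hdr, sizeof hdr, TABLE_CAP);
}

int main(void)
{
    const size_t alloc_size = 0x200;                  /* assumed allocation holding the header */
    struct loop_stats st = stats_for_count(0xFFFF, alloc_size);   /* crafted count */
    printf("crafted: %u iterations, %u in bounds, %u past the allocation, check=%d\n",
           st.iterations, st.in_bounds, st.out_of_bounds, check_for_count(0xFFFF));
    st = stats_for_count(100, alloc_size);                        /* benign count */
    printf("benign:  %u iterations, %u in bounds, %u past the allocation, check=%d\n",
           st.iterations, st.in_bounds, st.out_of_bounds, check_for_count(100));
    return 0;
}
```

	With a count of 0xFFFF and a 0x200-byte allocation, only the first 0x200 - 0xA8 = 344
	writes stay inside the allocation; the remaining 65191 land in whatever follows it on
	the heap, which is the corruption the advisory describes. The check rejects that
	header with -3 before the loop is reached.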
	
	
	III. IMPACT

	Successful exploitation may allow an attacker to run arbitrary code in the 
	context of the user running AOL Nullsoft Winamp.


	IV. VENDOR RESPONSE

	Because I was looking for an AOL Nullsoft contact for over 30 minutes with
	no effect, I finally got bored and did not notify them at all.