This article was published in the 2007-09 issue of X-files.

QQ Also Has a 0day Vulnerability    Author: Carved cards / Du Huajun (52cmd.cn)

Note: by the time you see this article, TX (Tencent) will already have sealed up this vulnerability, but we do not lose heart, because there is still room for a breakthrough; this article just writes out the specific implementation clearly. Figures omitted.

1. Background

I was not the one who initially started researching this vulnerability. I believe everyone has already seen the article I wrote last time about Baidu being hung with a trojan. The other day the leader suddenly found me and said that the QQ scene is a relatively fragile place and might be able to load swf files. That later failed. Guru almost gave up; I was idle anyway, so I continued studying the scene......

2. Testing and exploitation

2.1 Transferring arbitrary files

The swf test was to put the mp3 directly into the swf and let the scene player load it directly. I didn't expect TX to use its own player. As for how to send an swf (or transfer any file), I believe everyone wants to know. First download the QQ scene editor (from the CD-ROM). After installing it, you have to change the file you want to transfer to the mp3 format, because the QQ scene editor does not recognize other file types. It is best to set a QQ scene background image, otherwise the dialogue on the white background is all black and looks wrong at a glance. Then add an action and, in its properties, set the music to add (Figure 1). Then add the file with the changed suffix as that music. Then use a hex editor (Figure 2) to edit the E000001.mp3 inside into E000001.exe. Then edit Config.qqs inside the installed files:

    <Normal>
      <SOUND Loop="true" SourcePath="E000001.exe"/>
    </Normal>
    <Action name="action 0 1" type="1">
      <ActionData>
        <SOUND UseNormalSound="false" Loop="false" SourcePath="E000001.exe"/>
      </ActionData>
    </Action>

Change the corresponding entries as you like. (By the time you see this, TX has probably already closed it.)

2.2 Running VBS scripts

Friends who have built a QQ scene themselves should be fairly familiar with these few files: Config.qqs, Setup.ini and VBScript.qqs. For the specific role of each file, search online if you are interested. Here I only talk about VBScript.qqs. Take a look at some of its code:

    'Animation parameters
    Dim g_bLoop(1)
    Dim g_nMaxTime(1)
    Dim g_nImageFrameCount(1, 0)
    Dim g_bFrameImageAnimate(1, 0, 0)
    Dim g_nFrameImageTime(1, 0, 0)
    Dim g_nFrameImageLeft(1, 0, 0)
    Dim g_nFrameImageTop(1, 0, 0)
    ............
    Sub Scene_OnInit(cx, cy)
        'Initialize frame animation parameters
        InitData
        g_nCurAction = -1
        g_nCurTime = 0
        ............
        'Initialize background image position
        Scene_OnSize cx, cy
    End Sub

Many friends here should already know how this stuff is used; what is written here are the QQ scene's animation parameters and the parameters initialized at startup. Everyone understands the role of a VBS script better than I can explain, VBS downloaders for instance. Here is a simple demonstration. The function msgbox pops up a warning box; don't underestimate this thing, the guy can use it to chat up girls and send some sweet nothings. A newbie can use it to scare a veteran. In the code (Figure 3), add the sentence msgbox "QQ 0day by:www.52cmd.cn", then send the scene to someone in chat (Figure 4). The scene is accepted by default, but the other side can cancel the scene while it is being transmitted. The average person would not suspect it; it's TX's own stuff. After the transfer completes, it pops up on the other side and locally (Figure 5).

2.3 Executing the file

If you directly execute a VBS downloader, it errors with the prompt "could not find the object wscript". The reason is that the VBS script is not parsed by the vbscript.dll under Windows, but by the vbscript.dll file in QQ's own directory. jiajia tested this guy successfully; oh, my programming is bad, I was speechless. Here is a simple explanation of the method. jiajia told me that TX filters some dangerous characters, and the output when filtered is like this: the code set objshell = wscript.createOBject("wscript.shell"), when loaded inside the QQ scene, prompts an error; written as set objshell = createOBject("wscript.shell") it does not error but does not execute either. After testing it was found that it must be written as CreateObject("Wscript.Shell").Run "C:\1.exe",0 in order to succeed. Combined with the arbitrary file transfer above, this gives good results. But file transfer can sometimes greatly extend the time the scene takes to transmit, and sometimes it also crashes the other side's QQ. jiajia thought of a better method, both 免杀 (AV-evading) and convenient: exe2bat, which we all know. First use CreateObject("Scripting.FileSystemObject"), then write the converted code into a file via fso.opentextfile and echo, then execute it with wscript.shell. Specifically, first use the small exe2bat tool to turn the trojan into a bat (Figure 6), then write the converted code to a file via fso. I have packed the specific files; everyone will understand on seeing them. If you are interested in this vulnerability you can go and test it, but it is estimated that by the time everyone sees this, TX will have patched the vulnerability. A few VBS scripts are packaged here for anyone interested in research. Anything else you don't understand, go to my blog (www.52cmd.cn). Finally, thanks to those who helped me test: Brother, Guru, Thirteen, jiajia.

Tools package: <http://201314.free.fr/attachments/200708/qq_exp.rar>