Archived Blog
SOHU Digital Channel Web Site Compromised with Xunlei Thunder DapPlayer Exploit
01.28.2010 - 7:00 PM
SOHU is one of the biggest portals in China, with Alexa rank 43. It offers mainly advertising, search engines, and online multi-player gaming. Xunlei, meanwhile, is one of the most popular download managers and BitTorrent clients, and it also offers free media for download. Its main site also has a relatively high Alexa rank of 126.
According to Secunia, the vulnerability is caused by a boundary error in the DPClient.Vod.1 ActiveX control (DapPlayer_Now.dll) when it is handling arguments passed to the "DownURL2()" method. This can be exploited to cause a buffer overflow by passing an overly long argument to the affected method. Successful exploitation allows execution of arbitrary code.
Here is a screenshot of the injected page:
Here is a screenshot of the payload:
When you visit the fake gif file again, a 404 Not Found is returned:
Luckily, I have a copy in my hand, so let's see what it looks like:
It is not readable at first glance, and that is exactly what the attacker intends: to evade analysis and detection. However, if you notice the string "US-ASCII" in the last line of the payload, the exploit is no mystery at all. Following is the decoded payload:
Quickly checking the shellcode, we can see the URL of the final payload clearly, which is reportedly an online game password stealer.
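As an added example that is not part of the original post, the following Python script shows how a defender can undo the "US-ASCII" charset obfuscation and flag pages that hand an overlong argument to the vulnerable method. It assumes the trick works because the browser discards the high bit of every byte when the page declares charset=US-ASCII; the ProgID and method name are the ones quoted from Secunia above, while the length threshold, the sample page and the obfuscation helper are constructed for the demo.

```python
# Added example (not from the Websense post): decode the US-ASCII high-bit
# obfuscation and report indicators tied to the DPClient.Vod.1 DownURL2() bug.
# Assumption: the browser drops bit 7 of each byte under charset=US-ASCII,
# so masking every byte with 0x7F recovers the original script.
import re

VULN_PROGID = "DPClient.Vod.1"   # ActiveX ProgID named in the advisory
VULN_METHOD = "DownURL2"         # method with the boundary error
MAX_SANE_ARG_LEN = 256           # constructed threshold: longer "URLs" are suspect

def decode_us_ascii(data: bytes) -> str:
    """Recover text hidden by the US-ASCII trick by keeping only 7 bits per byte."""
    return bytes(b & 0x7F for b in data).decode("ascii", errors="replace")

def find_downurl2_calls(html: str):
    """Return the string-argument lengths of every DownURL2(...) call found."""
    pattern = re.compile(VULN_METHOD + r'\s*\(\s*(["\'])(.*?)\1', re.S)
    return [len(m.group(2)) for m in pattern.finditer(html)]

def assess(raw: bytes) -> dict:
    """Decode a fetched page and summarise the exploit indicators it carries."""
    text = decode_us_ascii(raw)
    arg_lens = find_downurl2_calls(text)
    return {
        "charset_trick": b"US-ASCII" in raw or "US-ASCII" in text,
        "uses_vuln_progid": VULN_PROGID in text,
        "downurl2_arg_lengths": arg_lens,
        # Suspicious only when the vulnerable control is instantiated AND an
        # argument far longer than any real URL is passed to DownURL2().
        "suspicious": VULN_PROGID in text
                      and any(n > MAX_SANE_ARG_LEN for n in arg_lens),
    }

def obfuscate_for_demo(html: str) -> bytes:
    """Constructed helper: set the high bit on every other byte to mimic the trick."""
    return bytes((b | 0x80) if i % 2 else b for i, b in enumerate(html.encode("ascii")))

# Constructed sample page (no real payload): an overlong DownURL2() argument.
SAMPLE_HTML = (
    '<html><meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">'
    '<script>var o = new ActiveXObject("DPClient.Vod.1");'
    'o.DownURL2("' + "A" * 1000 + '");</script></html>'
)

if __name__ == "__main__":
    print(assess(obfuscate_for_demo(SAMPLE_HTML)))
```

Running it on a saved copy of a suspicious page (instead of the constructed sample) gives the same dictionary, which is enough to triage the page before any manual decoding.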
Websense Messaging and Websense Web Security customers are protected against this attack.
Security Researcher: Tim Xia