
# Exploit Title: Real Player v.20.0.8.310 G2 Control - 'DoGoToURL()' Remote Code Execution (RCE)
# Google Dork: n/a
# Date: May 31, 2022
# Exploit Author: Eduardo Braun Prado
# Vendor Homepage: http://real.com/
# Software Link: http://real.com/
# Version: v.20.0.8.310
# Tested on: Windows 7, 8.1, 10
# CVE : N/A

Full PoC: https://github.com/Edubr2020/RealPlayer_G2_RCE

The Real Player G2 Control component contains a remote code execution vulnerability because it allows 'javascript:' URIs to be passed as its URL argument. Accepting such URIs is generally unsafe: in some scenarios it allows script code to be injected into arbitrary domains (Universal Cross-Site Scripting, uXSS), which can be used, for example, to steal cookies.

By setting the 'URL' parameter to a 'javascript:' URI and the 'target' parameter to an 'iframe' HTML element, it is possible to run JavaScript in the context of a local error page that is displayed after the very same control has been used to navigate to an invalid URI such as 'mhtml:http://%SERVER%/frame.htm'. When an 'mhtml:' URI is invoked, the MS IE rendering engine expects an MHTML file whose extension maps to the MIME type "message/rfc822", which is the case for '.mht' files; '.htm' files have the MIME type 'text/html', so IE cancels loading the document and displays a local error page (navigation cancelled). The local error page address is 'res://ieframe.dll/navcancl.htm', which belongs to the 'My Computer' security zone of IE / Windows; that zone allows reading of arbitrary local files and, by design, arbitrary code execution.

Prohibiting the 'javascript:' URI in the control mitigates the issue.
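As an added example, not code from the advisory or the PoC repository, here is how a host page could enforce that mitigation: instead of denylisting 'javascript:', only allowlisted schemes are ever handed to the control, which also rejects the 'mhtml:' URI used in the chain above. The scheme set (http, https, rtsp) and the safeGoToUrl wrapper are assumptions for illustration.

```javascript
// Added example: scheme allowlisting for a URL passed to a navigation API such as
// the G2 control's DoGoToURL(). A denylist of 'javascript:' alone is fragile
// (case, surrounding whitespace); an allowlist of the schemes the player really
// needs is not. The scheme set below is an assumption for illustration.
const ALLOWED_SCHEMES = new Set(["http", "https", "rtsp"]);

// Extract the scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
// ASCII control characters are removed and whitespace trimmed first, because
// browsers and COM hosts ignore them when they resolve a URL.
function extractScheme(url) {
  if (typeof url !== "string") return null;
  const cleaned = url.replace(/[\u0000-\u001f\u007f]/g, "").trim();
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// True only for an absolute URL whose scheme is on the allowlist;
// relative URLs, 'javascript:', 'mhtml:', 'res:' etc. are all refused.
function isSafeNavigationUrl(url) {
  const scheme = extractScheme(url);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

// Hypothetical guard a host page would call instead of control.DoGoToURL() directly.
// Returns false (and never touches the control) when the URL is rejected.
function safeGoToUrl(control, url, target) {
  if (!isSafeNavigationUrl(url)) {
    return false;
  }
  control.DoGoToURL(url, target);
  return true;
}
```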
The PoC uses the 'SYSMON' ActiveX control to plant an HTA file in the user's Startup folder, which will be executed on the next logon or boot. An HTA file can contain code to, for example, download or extract an embedded EXE file and run it.

The PoC assumes Real Player has its current working directory set to a subdirectory of the user's home directory. Files downloaded with a web browser go to the user's 'Downloads' folder by default, so the Windows user name does not need to be retrieved in order to plant the HTA file in the Startup folder. This is only for convenience, as the user name can be retrieved in a variety of ways, including through the MS Web Browser ActiveX control.

The vulnerability can be exploited by opening a Real Player playlist file such as a RAM file.

To reproduce the issue, do the following:

a) Set up a web server.
b) Extract the "RP_G2" folder into the web server's root directory.
c) Open the just-extracted "RP_G2" folder and open the following files in a text editor: "poc.htm", "sm_rpx.js", "start.ram". In each of these files, replace every occurrence of the string %SERVER% with the actual web server's IP address.
d) Make sure the web server and all involved files are accessible. On an MS IIS web server you may need to add a new extension and associate it with a MIME type: associate the .RAM extension with the MIME type "audio/x-pn-realaudio".
e) On the client side (victim), open the web browser, download the "start.ram" file (it can also be accessed, e.g., via a URL protocol such as 'rtsp:') and open it. After a few seconds you should see an HTA file being planted in the user's Startup folder.

Note: to open the Startup folder, open the "Run" dialog and type:

shell:Startup