exploit-db-mirror/exploits/windows/remote/17104.txt

RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control
(InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution
and Code Execution Vulnerabilities

tested against Internet Explorer 9, Vista sp2

download url: http://www.gamehouse.com/

background:

When choosing to play with theese online games ex. the game called
"My Farm Life" (see url: http://www.gamehouse.com/download-games/my-farm-life )
you download an installer called GameHouse-Installer_am-myfarmlife_gamehouse_.exe

This setup program installs an ActiveX with the following settings:

CLSID: {80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}
Progid: StubbyUtil.ShellCtl.1
Binary Path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Safe For Initialization (Registry): True
Safe For Scripting (Registry): True

This control is safe for scripting and safe for initialization,
so Internet Explorer will allow scripting of this control from
remote.

vulnerability:

This control has four methods implemented insecurely:

ShellExec()      -> allows to launch arbitrary commands
ShellExecRunAs() -> allows to launch arbitrary commands
CreateShortcut() -> allows to create arbitrary executable files inside the automatic
                    startup folders
CopyDocument()   -> allows to copy arbitrary executable files from a remote
                    network share to local folders, ex. automatic startup folders

other attacks are possible including information disclosure and file deletion,
see typelib:

class IShellCtl { /* GUID={0D60A064-2009-4623-8FC1-F99CAC01037E} */
	/* DISPID=1610612736 */
	function QueryInterface(
		/* VT_PTR [26] [in] --> ? [29]  */ &$riid,
		/* VT_PTR [26] [out] --> VT_PTR [26]  */ &$ppvObj
		)
	{
	}
	/* DISPID=1610612737 */
	/* VT_UI4 [19] */
	function AddRef(
		)
	{
	}
	/* DISPID=1610612738 */
	/* VT_UI4 [19] */
	function Release(
		)
	{
	}
	/* DISPID=1610678272 */
	function GetTypeInfoCount(
		/* VT_PTR [26] [out] --> VT_UINT [23]  */ &$pctinfo
		)
	{
	}
	/* DISPID=1610678273 */
	function GetTypeInfo(
		/* VT_UINT [23] [in] */ $itinfo,
		/* VT_UI4 [19] [in] */ $lcid,
		/* VT_PTR [26] [out] --> VT_PTR [26]  */ &$pptinfo
		)
	{
	}
	/* DISPID=1610678274 */
	function GetIDsOfNames(
		/* VT_PTR [26] [in] --> ? [29]  */ &$riid,
		/* VT_PTR [26] [in] --> VT_PTR [26]  */ &$rgszNames,
		/* VT_UINT [23] [in] */ $cNames,
		/* VT_UI4 [19] [in] */ $lcid,
		/* VT_PTR [26] [out] --> VT_I4 [3]  */ &$rgdispid
		)
	{
	}
	/* DISPID=1610678275 */
	function Invoke(
		/* VT_I4 [3] [in] */ $dispidMember,
		/* VT_PTR [26] [in] --> ? [29]  */ &$riid,
		/* VT_UI4 [19] [in] */ $lcid,
		/* VT_UI2 [18] [in] */ $wFlags,
		/* VT_PTR [26] [in] --> ? [29]  */ &$pdispparams,
		/* VT_PTR [26] [out] --> VT_VARIANT [12]  */ &$pvarResult,
		/* VT_PTR [26] [out] --> ? [29]  */ &$pexcepinfo,
		/* VT_PTR [26] [out] --> VT_UINT [23]  */ &$puArgErr
		)
	{
	}
	/* DISPID=1 */
	function CreateShortcut(
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$name,
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$target,
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$icon,
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$workingDir,
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$args
		)
	{
		/* method CreateShortcut */
	}
	/* DISPID=2 */
	function DeleteShortcut(
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$name
		)
	{
		/* method DeleteShortcut */
	}
	/* DISPID=3 */
	/* VT_BSTR [8] */
	function ModuleFileName(
		)
	{
		/* method ModuleFileName */
	}
	/* DISPID=4 */
	/* VT_BSTR [8] */
	function GetSpecialFolder(
		/* VT_UI4 [19] [in] */ $__MIDL_0025
		)
	{
		/* method GetSpecialFolder */
	}
	/* DISPID=5 */
	/* VT_BOOL [11] */
	function CheckWnd(
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$__MIDL_0026
		)
	{
		/* method CheckWnd */
	}
	/* DISPID=6 */
	/* VT_BSTR [8] */
	function ExistingTPS(
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$__MIDL_0028
		)
	{
		/* method ExistingTPS */
	}
	/* DISPID=7 */
	function SetWorkingDir(
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$__MIDL_0030
		)
	{
		/* method SetWorkingDir */
	}
	/* DISPID=8 */
	/* VT_BSTR [8] */
	function GetWorkingDir(
		)
	{
		/* method GetWorkingDir */
	}
	/* DISPID=9 */
	/* VT_R8 [5] */
	function OSVersion(
		)
	{
		/* method OSVersion */
	}
	/* DISPID=10 */
	/* VT_BSTR [8] */
	function GetSystemID(
		)
	{
		/* method GetSystemID */
	}
	/* DISPID=11 */
	function InstallFromCD(
		/* VT_BSTR [8] [in] */ $GameID,
		/* VT_BSTR [8] [in] */ $GameName,
		/* VT_BSTR [8] [in] */ $Tps,
		/* VT_BSTR [8] [in] */ $GameLang,
		/* VT_BSTR [8] [in] */ $CDPath,
		/* VT_BSTR [8] [in] */ $StoreFront
		)
	{
		/* method InstallFromCD */
	}
	/* DISPID=12 */
	/* VT_UI4 [19] */
	function KillProcess(
		/* VT_BSTR [8] [in] */ $__MIDL_0033
		)
	{
		/* method KillProcess */
	}
	/* DISPID=13 */
	function RefreshAddRemovePrograms(
		)
	{
		/* method RefreshAddRemovePrograms */
	}
	/* DISPID=14 */
	function ShellExec(
		/* VT_BSTR [8] [in] */ $FilePath,
		/* VT_BSTR [8] [in] */ $Params
		)
	{
		/* method ShellExec */
	}
	/* DISPID=15 */
	function ShellExecRunAs(
		/* VT_BSTR [8] [in] */ $FilePath,
		/* VT_BSTR [8] [in] */ $Params
		)
	{
		/* method ShellExecRunAs */
	}
	/* DISPID=16 */
	/* VT_BSTR [8] */
	function PlatformInfo(
		)
	{
		/* method PlatformInfo */
	}
	/* DISPID=17 */
	/* VT_BSTR [8] */
	function GetAvailableDrive(
		/* VT_INT [22] [in] */ $reqSpace
		)
	{
		/* method GetAvailableDrive */
	}
	/* DISPID=18 */
	/* VT_BOOL [11] */
	function InitializeStamp(
		/* VT_BSTR [8] [in] */ $exeName,
		/* VT_INT [22] [in] */ $offset
		)
	{
		/* method InitializeStamp */
	}
	/* DISPID=19 */
	/* VT_BSTR [8] */
	function GetContentID(
		)
	{
		/* method GetContentID */
	}
	/* DISPID=20 */
	/* VT_BSTR [8] */
	function GetTrackingID(
		)
	{
		/* method GetTrackingID */
	}
	/* DISPID=21 */
	/* VT_BSTR [8] */
	function GetAffiliate(
		)
	{
		/* method GetAffiliate */
	}
	/* DISPID=22 */
	/* VT_BSTR [8] */
	function GetCurrency(
		)
	{
		/* method GetCurrency */
	}
	/* DISPID=23 */
	/* VT_BSTR [8] */
	function GetPrice(
		)
	{
		/* method GetPrice */
	}
	/* DISPID=24 */
	/* VT_BSTR [8] */
	function GetTimestamp(
		)
	{
		/* method GetTimestamp */
	}
	/* DISPID=25 */
	/* VT_BSTR [8] */
	function GetOTP(
		)
	{
		/* method GetOTP */
	}
	/* DISPID=26 */
	/* VT_BOOL [11] */
	function CopyDocument(
		/* VT_BSTR [8] [in] */ $src,
		/* VT_BSTR [8] [in] */ $dest
		)
	{
		/* method CopyDocument */
	}
	/* DISPID=27 */
	function InstallerToForeground(
		)
	{
		/* method InstallerToForeground */
	}
	/* DISPID=28 */
	function MonitorLicenseFolder(
		)
	{
		/* method MonitorLicenseFolder */
	}
	/* DISPID=29 */
	function ShutdownLicenseFolderMonitor(
		)
	{
		/* method ShutdownLicenseFolderMonitor */
	}
	/* DISPID=30 */
	/* VT_BSTR [8] */
	function GetFolderPath(
		/* VT_UI4 [19] [in] */ $__MIDL_0037
		)
	{
		/* method GetFolderPath */
	}
}

binary info:
>lm -vm
    Image path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
    Image name: InstallerDlg.dll
    Timestamp:        Mon Mar 14 14:22:44 2011 (4D7E6B04)
    CheckSum:         00000000
    ImageSize:        00064000
    File version:     2.6.0.445
    Product version:  2.6.0.445
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    ProductName:      InstallerDlg Module
    InternalName:     InstallerDlg
    OriginalFilename: InstallerDlg.dll
    ProductVersion:   2.6.0.445
    FileVersion:      2.6.0.445
    FileDescription:  InstallerDlg Module
    LegalCopyright:   Copyright 2010

POC:

pocs availiable here: http://retrogod.altervista.org/9sg_realgames_i.html
                      https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35560-1.zip (9sg_StubbyUtil.ShellCtl.1.zip)