bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/50954.txt
Offensive Security 29e275db94 DB: 2022-06-15 
16 changes to exploits/shellcodes

Real Player v.20.0.8.310 G2 Control - 'DoGoToURL()' Remote Code Execution (RCE)
Real Player 16.0.3.51 - 'external::Import()' Directory Traversal to Remote Code Execution (RCE)
HP LaserJet Professional M1210 MFP Series Receive Fax Service - Unquoted Service Path
Marval MSM v14.19.0.12476 - Remote Code Execution (RCE) (Authenticated)
Virtua Software Cobranca 12S - SQLi
Marval MSM v14.19.0.12476 - Cross-Site Request Forgery (CSRF)
Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated)
TP-Link Router AX50 firmware 210730 - Remote Code Execution (RCE) (Authenticated)
Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)
Avantune Genialcloud ProJ 10 - Cross-Site Scripting (XSS)
Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated)
phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated)
ChurchCRM 4.4.5 - SQLi
Old Age Home Management System 1.0 - SQLi Authentication Bypass
SolarView Compact 6.00 - 'time_begin' Cross-Site Scripting (XSS)
SolarView Compact 6.00 - 'pow' Cross-Site Scripting (XSS)
2022-06-15 05:01:57 +00:00

29 lines
No EOL
1.9 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: Real Player 16.0.3.51 - 'external::Import()' Directory Traversal to Remote Code Execution (RCE)
# Google Dork: n/a
# Date: May 31, 2022
# Exploit Author: Eduardo Braun Prado
# Vendor Homepage: http://real.com/
# Software Link: http://real.com/
# Version: ver. 16.00.282, 16.0.3.51, Cloud 17.0.9.17, v.20.0.7.309
# Tested on: Windows 7, 8.1, 10
# CVE : N/A
PoC: https://github.com/Edubr2020/RP_Import_RCE/raw/main/RP_Import_RCE.zip
vídeo: https://youtu.be/CONlijEgDLc
Real Player uses Microsoft Internet Explorer functionality and exposes properties and methods through a special mean which is application specific:
The 'external' object and it exposes several custom methods and properties.
The 'Import()' method is handled in unsafe way regarding the 'Copy to My Music' parameter, which allows for arbitrary file types downloading
which could be unsafe as only audio/image/video types should be allowed to download to the user´s disk. Additionally it does not properly sanitize file paths
allowing planting of arbitrary files on arbitrary locations. Even though it displays an error because it cannot render the downloaded file, the file remains until the user
closes the dialog box. Additionally when opening new windows, Real Player looks for an old, obsolete IE library (shdoclc.dll), which can also be abused to run code automatically without needing to wait
until reboot (true when file is planted in 'startup' folder).
The attacker needs to host the files to be copied/downloaded in an SMB or WebDav share.
The directory 'appdata' must be placed in the share's root.
The PoC will drop 'shdoclc.dll' (has simple code to run 'cmd.exe' at 'DllMain()' for demonstration purposes) to the user´s 'windowsapps' folder and 'write.exe' to 'startup' folder, so it works universally (any Windows version from at least XP up to 11)
tested on RP ver. 16.00.282, 16.0.3.51, Cloud 17.0.9.17, v.20.0.7.309
Reference in a new issue View git blame Copy permalink