exploit-db-mirror/exploits/windows/remote/17105.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25
2018-09-25 05:01:51 +00:00


RealNetworks RealGames StubbyUtil.ProcessMgr.1 ActiveX Control
(InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution
Vulnerabilities
tested against Internet Explorer 9, Vista sp2
download url: http://www.gamehouse.com/
background:
When choosing to play one of these online games, e.g. the game called
"My Farm Life" (see url: http://www.gamehouse.com/download-games/my-farm-life ),
you download an installer called GameHouse-Installer_am-myfarmlife_gamehouse_.exe
This setup program installs an ActiveX control with the following settings:
CLSID: {5818813E-D53D-47A5-ABBB-37E2A07056B5}
Progid: StubbyUtil.ProcessMgr.1
Binary Path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Safe For Initialization (Registry): True
Safe For Scripting (Registry): True
This control is safe for scripting and safe for initialization,
so Internet Explorer will allow scripting of this control from
remote.
vulnerability:
This control has four methods implemented insecurely:
CreateVistaTaskLow() -> allows launching arbitrary commands
Exec() -> allows launching arbitrary commands
ExecLow() -> allows launching arbitrary commands
ShellExec() -> allows launching arbitrary executables
other attacks are possible,
see typelib:
class IProcessMgr { /* GUID={860450DB-79C1-44E4-96E0-C89144E4B444} */
/* DISPID=1610612736 */
function QueryInterface(
/* VT_PTR [26] [in] --> ? [29] */ &$riid,
/* VT_PTR [26] [out] --> VT_PTR [26] */ &$ppvObj
)
{
}
/* DISPID=1610612737 */
/* VT_UI4 [19] */
function AddRef(
)
{
}
/* DISPID=1610612738 */
/* VT_UI4 [19] */
function Release(
)
{
}
/* DISPID=1610678272 */
function GetTypeInfoCount(
/* VT_PTR [26] [out] --> VT_UINT [23] */ &$pctinfo
)
{
}
/* DISPID=1610678273 */
function GetTypeInfo(
/* VT_UINT [23] [in] */ $itinfo,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_PTR [26] [out] --> VT_PTR [26] */ &$pptinfo
)
{
}
/* DISPID=1610678274 */
function GetIDsOfNames(
/* VT_PTR [26] [in] --> ? [29] */ &$riid,
/* VT_PTR [26] [in] --> VT_PTR [26] */ &$rgszNames,
/* VT_UINT [23] [in] */ $cNames,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_PTR [26] [out] --> VT_I4 [3] */ &$rgdispid
)
{
}
/* DISPID=1610678275 */
function Invoke(
/* VT_I4 [3] [in] */ $dispidMember,
/* VT_PTR [26] [in] --> ? [29] */ &$riid,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_UI2 [18] [in] */ $wFlags,
/* VT_PTR [26] [in] --> ? [29] */ &$pdispparams,
/* VT_PTR [26] [out] --> VT_VARIANT [12] */ &$pvarResult,
/* VT_PTR [26] [out] --> ? [29] */ &$pexcepinfo,
/* VT_PTR [26] [out] --> VT_UINT [23] */ &$puArgErr
)
{
}
/* DISPID=1 */
/* VT_BOOL [11] */
function Exec(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$mod,
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$cmdline,
/* VT_BOOL [11] [in] */ $__MIDL_0097,
/* VT_BOOL [11] [in] */ $__MIDL_0098,
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$__MIDL_0099
)
{
/* method Exec */
}
/* DISPID=2 */
/* VT_BOOL [11] */
function IsFinished(
)
{
}
/* DISPID=3 */
/* VT_UI4 [19] */
function CreateNamedMutex(
/* VT_BSTR [8] [in] */ $__MIDL_0102
)
{
}
/* DISPID=4 */
function ReleaseMutex(
/* VT_UI4 [19] [in] */ $__MIDL_0104
)
{
}
/* DISPID=5 */
function CloseMutex(
/* VT_UI4 [19] [in] */ $__MIDL_0105
)
{
}
/* DISPID=6 */
/* VT_BOOL [11] */
function ObtainMutex(
/* VT_UI4 [19] [in] */ $__MIDL_0106
)
{
}
/* DISPID=7 */
/* VT_BOOL [11] */
function WaitOnMutex(
/* VT_UI4 [19] [in] */ $__MIDL_0108,
/* VT_INT [22] [in] */ $__MIDL_0109
)
{
}
/* DISPID=8 */
function CloseEvent(
/* VT_UI4 [19] [in] */ $__MIDL_0111
)
{
}
/* DISPID=9 */
function FireEvent(
/* VT_UI4 [19] [in] */ $__MIDL_0112
)
{
}
/* DISPID=10 */
/* VT_UI4 [19] */
function CreateNamedEvent(
/* VT_BSTR [8] [in] */ $__MIDL_0113
)
{
}
/* DISPID=11 */
/* VT_UI4 [19] */
function ExitCode(
)
{
}
/* DISPID=12 */
function CreateVistaTaskLow(
/* VT_BSTR [8] [in] */ $bstrExecutablePath,
/* VT_BSTR [8] [in] */ $bstrArguments,
/* VT_BSTR [8] [in] */ $workDir
)
{
}
/* DISPID=13 */
/* VT_BOOL [11] */
function ExecLow(
/* VT_BSTR [8] [in] */ $__MIDL_0116,
/* VT_BSTR [8] [in] */ $cmdline,
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$workDir
)
{
}
/* DISPID=14 */
function ShellExec(
/* VT_BSTR [8] [in] */ $__MIDL_0117
)
{
}
/* DISPID=15 */
function Sleep(
/* VT_UI4 [19] [in] */ $__MIDL_0118
)
{
}
}
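The registry settings listed under "background" are what let Internet Explorer script this control from a web page, and the standard mitigation for a control like this is the IE kill bit. The following PowerShell script is an added example, not part of the original advisory: it audits how the CLSID from the advisory is registered (binary path, the Safe For Scripting / Safe For Initialization component categories, and whether a kill bit is already present) and, with -SetKillBit, sets the kill bit so IE refuses to instantiate the control. The category GUIDs are the documented CATID_SafeForScripting and CATID_SafeForInitializing values; the kill-bit flag value 0x400 is the documented Compatibility Flags bit. Only the CLSID comes from the advisory; everything else is the example's own code.

```powershell
# Added example (not from the original advisory): audit and kill-bit the
# StubbyUtil.ProcessMgr.1 control. Run from an elevated PowerShell to set
# the kill bit; auditing works as a normal user.
param(
    [string]$Clsid = '{5818813E-D53D-47A5-ABBB-37E2A07056B5}',  # CLSID from the advisory
    [switch]$SetKillBit
)

# Component categories IE consults for registry-declared safety.
$catSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$catSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing

# Per-CLSID kill-bit location and the kill-bit flag value.
$compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$killBit   = 0x400

function Get-ControlStatus {
    param([string]$Clsid)
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $status = [ordered]@{
        Clsid               = $Clsid
        Registered          = (Test-Path $clsidKey)
        BinaryPath          = $null
        SafeForScripting    = $false
        SafeForInitializing = $false
        KillBitSet          = $false
    }
    if ($status.Registered) {
        # InprocServer32 default value holds the DLL path (the advisory's InstallerDlg.dll).
        $server = Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue
        if ($server) { $status.BinaryPath = $server.'(default)' }
        # Safety declared via Implemented Categories subkeys.
        $cats = "$clsidKey\Implemented Categories"
        $status.SafeForScripting    = (Test-Path "$cats\$catSafeForScripting")
        $status.SafeForInitializing = (Test-Path "$cats\$catSafeForInitializing")
    }
    # A kill bit is present when Compatibility Flags has the 0x400 bit set.
    $compat = Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue
    if ($compat -and $null -ne $compat.'Compatibility Flags') {
        $status.KillBitSet = ((($compat.'Compatibility Flags') -band $killBit) -ne 0)
    }
    [pscustomobject]$status
}

function Set-KillBit {
    param([string]$Clsid)
    if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }
    # Preserve any flags already present and OR in the kill bit.
    $existing = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = if ($null -ne $existing) { $existing -bor $killBit } else { $killBit }
    New-ItemProperty -Path $compatKey -Name 'Compatibility Flags' `
        -PropertyType DWord -Value $flags -Force | Out-Null
}

$before = Get-ControlStatus -Clsid $Clsid
$before | Format-List

if ($SetKillBit -and -not $before.KillBitSet) {
    Set-KillBit -Clsid $Clsid
    # Re-read so the operator sees KillBitSet flip to True.
    Get-ControlStatus -Clsid $Clsid | Format-List
}
```

Two caveats when reading the audit output: a control can also claim safety at runtime through IObjectSafety rather than the registry categories, so a False here does not by itself prove IE will refuse to script it; and on 64-bit Windows the 32-bit IE process reads the Wow6432Node view of these keys, so check that hive too if the control is registered there.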
binary info:
>lm -vm
Image path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Image name: InstallerDlg.dll
Timestamp: Mon Mar 14 14:22:44 2011 (4D7E6B04)
CheckSum: 00000000
ImageSize: 00064000
File version: 2.6.0.445
Product version: 2.6.0.445
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
ProductName: InstallerDlg Module
InternalName: InstallerDlg
OriginalFilename: InstallerDlg.dll
ProductVersion: 2.6.0.445
FileVersion: 2.6.0.445
FileDescription: InstallerDlg Module
LegalCopyright: Copyright 2010
poc:
pocs available here: http://retrogod.altervista.org/9sg_realgames_ii.html
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17105.zip (9sg_StubbyUtil.ProcessMgr.1.zip)