Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control Multiple Remote Commands Execution and Code Execution Vulnerabilities - exploit.company
header-logo
Suggest Exploit
vendor:
RealGames StubbyUtil.ShellCtl.1 ActiveX Control
by:
7.5
CVSS
HIGH
Remote Command Execution and Code Execution
CWE
Product Name: RealGames StubbyUtil.ShellCtl.1 ActiveX Control
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Internet Explorer 9, Vista sp2

RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control Multiple Remote Commands Execution and Code Execution Vulnerabilities

This control has four methods implemented insecurely: ShellExec() allows launching arbitrary commands, ShellExecRunAs() allows launching arbitrary commands, CreateShortcut() allows creating arbitrary executable files inside automatic startup folders, CopyDocument() allows copying arbitrary executable files from a remote network share to local folders. Other attacks are possible including information disclosure and file deletion.

Mitigation:

Update to a patched version or uninstall the vulnerable ActiveX control.
Source

Exploit-DB raw data:

RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control 
(InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution 
and Code Execution Vulnerabilities

tested against Internet Explorer 9, Vista sp2

download url: http://www.gamehouse.com/

background:

When choosing to play with theese online games ex. the game called
"My Farm Life" (see url: http://www.gamehouse.com/download-games/my-farm-life )
you download an installer called GameHouse-Installer_am-myfarmlife_gamehouse_.exe

This setup program installs an ActiveX with the following settings:

CLSID: {80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}
Progid: StubbyUtil.ShellCtl.1
Binary Path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Safe For Initialization (Registry): True
Safe For Scripting (Registry): True

This control is safe for scripting and safe for initialization,
so Internet Explorer will allow scripting of this control from
remote.

vulnerability:

This control has four methods implemented insecurely:

ShellExec()      -> allows to launch arbitrary commands
ShellExecRunAs() -> allows to launch arbitrary commands
CreateShortcut() -> allows to create arbitrary executable files inside the automatic
                    startup folders
CopyDocument()   -> allows to copy arbitrary executable files from a remote
                    network share to local folders, ex. automatic startup folders

other attacks are possible including information disclosure and file deletion, 
see typelib:

class IShellCtl { /* GUID={0D60A064-2009-4623-8FC1-F99CAC01037E} */
	/* DISPID=1610612736 */
	function QueryInterface(
		/* VT_PTR [26] [in] --> ? [29]  */ &$riid,
		/* VT_PTR [26] [out] --> VT_PTR [26]  */ &$ppvObj 
		)
	{
	}
	/* DISPID=1610612737 */
	/* VT_UI4 [19] */
	function AddRef(
		)
	{
	}
	/* DISPID=1610612738 */
	/* VT_UI4 [19] */
	function Release(
		)
	{
	}
	/* DISPID=1610678272 */
	function GetTypeInfoCount(
		/* VT_PTR [26] [out] --> VT_UINT [23]  */ &$pctinfo 
		)
	{
	}
	/* DISPID=1610678273 */
	function GetTypeInfo(
		/* VT_UINT [23] [in] */ $itinfo,
		/* VT_UI4 [19] [in] */ $lcid,
		/* VT_PTR [26] [out] --> VT_PTR [26]  */ &$pptinfo 
		)
	{
	}
	/* DISPID=1610678274 */
	function GetIDsOfNames(
		/* VT_PTR [26] [in] --> ? [29]  */ &$riid,
		/* VT_PTR [26] [in] --> VT_PTR [26]  */ &$rgszNames,
		/* VT_UINT [23] [in] */ $cNames,
		/* VT_UI4 [19] [in] */ $lcid,
		/* VT_PTR [26] [out] --> VT_I4 [3]  */ &$rgdispid 
		)
	{
	}
	/* DISPID=1610678275 */
	function Invoke(
		/* VT_I4 [3] [in] */ $dispidMember,
		/* VT_PTR [26] [in] --> ? [29]  */ &$riid,
		/* VT_UI4 [19] [in] */ $lcid,
		/* VT_UI2 [18] [in] */ $wFlags,
		/* VT_PTR [26] [in] --> ? [29]  */ &$pdispparams,
		/* VT_PTR [26] [out] --> VT_VARIANT [12]  */ &$pvarResult,
		/* VT_PTR [26] [out] --> ? [29]  */ &$pexcepinfo,
		/* VT_PTR [26] [out] --> VT_UINT [23]  */ &$puArgErr 
		)
	{
	}
	/* DISPID=1 */
	function CreateShortcut(
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$name,
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$target,
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$icon,
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$workingDir,
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$args 
		)
	{
		/* method CreateShortcut */
	}
	/* DISPID=2 */
	function DeleteShortcut(
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$name 
		)
	{
		/* method DeleteShortcut */
	}
	/* DISPID=3 */
	/* VT_BSTR [8] */
	function ModuleFileName(
		)
	{
		/* method ModuleFileName */
	}
	/* DISPID=4 */
	/* VT_BSTR [8] */
	function GetSpecialFolder(
		/* VT_UI4 [19] [in] */ $__MIDL_0025 
		)
	{
		/* method GetSpecialFolder */
	}
	/* DISPID=5 */
	/* VT_BOOL [11] */
	function CheckWnd(
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$__MIDL_0026 
		)
	{
		/* method CheckWnd */
	}
	/* DISPID=6 */
	/* VT_BSTR [8] */
	function ExistingTPS(
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$__MIDL_0028 
		)
	{
		/* method ExistingTPS */
	}
	/* DISPID=7 */
	function SetWorkingDir(
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$__MIDL_0030 
		)
	{
		/* method SetWorkingDir */
	}
	/* DISPID=8 */
	/* VT_BSTR [8] */
	function GetWorkingDir(
		)
	{
		/* method GetWorkingDir */
	}
	/* DISPID=9 */
	/* VT_R8 [5] */
	function OSVersion(
		)
	{
		/* method OSVersion */
	}
	/* DISPID=10 */
	/* VT_BSTR [8] */
	function GetSystemID(
		)
	{
		/* method GetSystemID */
	}
	/* DISPID=11 */
	function InstallFromCD(
		/* VT_BSTR [8] [in] */ $GameID,
		/* VT_BSTR [8] [in] */ $GameName,
		/* VT_BSTR [8] [in] */ $Tps,
		/* VT_BSTR [8] [in] */ $GameLang,
		/* VT_BSTR [8] [in] */ $CDPath,
		/* VT_BSTR [8] [in] */ $StoreFront 
		)
	{
		/* method InstallFromCD */
	}
	/* DISPID=12 */
	/* VT_UI4 [19] */
	function KillProcess(
		/* VT_BSTR [8] [in] */ $__MIDL_0033 
		)
	{
		/* method KillProcess */
	}
	/* DISPID=13 */
	function RefreshAddRemovePrograms(
		)
	{
		/* method RefreshAddRemovePrograms */
	}
	/* DISPID=14 */
	function ShellExec(
		/* VT_BSTR [8] [in] */ $FilePath,
		/* VT_BSTR [8] [in] */ $Params 
		)
	{
		/* method ShellExec */
	}
	/* DISPID=15 */
	function ShellExecRunAs(
		/* VT_BSTR [8] [in] */ $FilePath,
		/* VT_BSTR [8] [in] */ $Params 
		)
	{
		/* method ShellExecRunAs */
	}
	/* DISPID=16 */
	/* VT_BSTR [8] */
	function PlatformInfo(
		)
	{
		/* method PlatformInfo */
	}
	/* DISPID=17 */
	/* VT_BSTR [8] */
	function GetAvailableDrive(
		/* VT_INT [22] [in] */ $reqSpace 
		)
	{
		/* method GetAvailableDrive */
	}
	/* DISPID=18 */
	/* VT_BOOL [11] */
	function InitializeStamp(
		/* VT_BSTR [8] [in] */ $exeName,
		/* VT_INT [22] [in] */ $offset 
		)
	{
		/* method InitializeStamp */
	}
	/* DISPID=19 */
	/* VT_BSTR [8] */
	function GetContentID(
		)
	{
		/* method GetContentID */
	}
	/* DISPID=20 */
	/* VT_BSTR [8] */
	function GetTrackingID(
		)
	{
		/* method GetTrackingID */
	}
	/* DISPID=21 */
	/* VT_BSTR [8] */
	function GetAffiliate(
		)
	{
		/* method GetAffiliate */
	}
	/* DISPID=22 */
	/* VT_BSTR [8] */
	function GetCurrency(
		)
	{
		/* method GetCurrency */
	}
	/* DISPID=23 */
	/* VT_BSTR [8] */
	function GetPrice(
		)
	{
		/* method GetPrice */
	}
	/* DISPID=24 */
	/* VT_BSTR [8] */
	function GetTimestamp(
		)
	{
		/* method GetTimestamp */
	}
	/* DISPID=25 */
	/* VT_BSTR [8] */
	function GetOTP(
		)
	{
		/* method GetOTP */
	}
	/* DISPID=26 */
	/* VT_BOOL [11] */
	function CopyDocument(
		/* VT_BSTR [8] [in] */ $src,
		/* VT_BSTR [8] [in] */ $dest 
		)
	{
		/* method CopyDocument */
	}
	/* DISPID=27 */
	function InstallerToForeground(
		)
	{
		/* method InstallerToForeground */
	}
	/* DISPID=28 */
	function MonitorLicenseFolder(
		)
	{
		/* method MonitorLicenseFolder */
	}
	/* DISPID=29 */
	function ShutdownLicenseFolderMonitor(
		)
	{
		/* method ShutdownLicenseFolderMonitor */
	}
	/* DISPID=30 */
	/* VT_BSTR [8] */
	function GetFolderPath(
		/* VT_UI4 [19] [in] */ $__MIDL_0037 
		)
	{
		/* method GetFolderPath */
	}
}

binary info:
>lm -vm
    Image path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
    Image name: InstallerDlg.dll
    Timestamp:        Mon Mar 14 14:22:44 2011 (4D7E6B04)
    CheckSum:         00000000
    ImageSize:        00064000
    File version:     2.6.0.445
    Product version:  2.6.0.445
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    ProductName:      InstallerDlg Module
    InternalName:     InstallerDlg
    OriginalFilename: InstallerDlg.dll
    ProductVersion:   2.6.0.445
    FileVersion:      2.6.0.445
    FileDescription:  InstallerDlg Module
    LegalCopyright:   Copyright 2010

POC:

pocs availiable here: http://retrogod.altervista.org/9sg_realgames_i.html
                      https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35560-1.zip (9sg_StubbyUtil.ShellCtl.1.zip)

Navigation

Suggest Exploit

Services By CQR