This Metasploit module exploits a remote code execution vulnerability in the tsgetx71ex553.dll ActiveX control installed with Tom Sawyer GET Extension Factory due to an incorrect initialization under Internet Explorer. While the Tom Sawyer GET Extension Factory is installed with some versions of VMware Infrastructure Client, this module has been tested only with the versions installed with Embarcadero Technologies ER/Studio XE2 / Embarcadero Studio Portal 1.6. The ActiveX control tested is tsgetx71ex553.dll, version 5.5.3.238. This Metasploit module achieves DEP and ASLR bypass using the well known msvcr71.dll rop chain. The dll is installed by default with the Embarcadero software, and loaded by the targeted ActiveX.
9ea26d2b6cb47fda41b9580e28eab68d2c736833da3e4ee9317fb28219b79c3fiDefense Security Advisory 05.03.11 - Remote exploitation of a memory corruption vulnerability in Tom Sawyer Software's GET Extension Factory could allow an attacker to execute arbitrary code with the privileges of the affected user. The vulnerability exists within the way that Internet Explorer instantiates GET Extension Factory COM objects, which is not intended to be created inside of the browser. The object does not initialize properly, and this leads to a memory corruption vulnerability that an attacker can exploit to execute arbitrary code. iDefense has confirmed Tom Sawyer's Default GET Extension Factory 5.5.2.237, tsgetxu71ex552.dll and tsgetx71ex552.dll to be vulnerable. VMWare VirtualCenter 2.5 Update 6, VirtualCenter 2.5 Update 6a is vulnerable.
89e761d3006064aa0cb7047c51e258a8fb835fa7074ae8fa3a7bc2617ae3788aSapGUI BI version 7100.1.400.8 heap corruption exploit that launches calc.exe.
0a2aec950e56fddda7c1b46af3772494756689d2d2fb0233a1faf4ab06f90173The SAPGui BI component version 7100.1.400.8 suffers from a heap corruption vulnerability that can result in the execution of arbitrary code.
48281966e185d95a67bcf3b10926975fea33c0f7622999f0956eade3661b272bThis Metasploit module exploits a stack-based buffer overflow in WebEx's WebexUCFObject ActiveX Control. If an long string is passed to the 'NewObject' method, a stack- based buffer overflow will occur when copying attacker-supplied data using the sprintf function. It is noteworthy that this vulnerability was discovered and reported by multiple independent researchers.
e43768f68be7b3013f27418eda7f1bf2522747aecec1b523657fd01ec1c70da7iDefense Security Advisory 03.02.10 - Remote exploitation of a stack-based buffer overflow vulnerability in IBM Corp.'s Lotus Domino Web Access ActiveX control could allow an attacker to execute arbitrary code with the privileges of the current user. The vulnerable function takes an attacker-controlled URL, and copies it into a fixed-size stack buffer. No validation checks are performed on the length of the URL. By passing in a long URL string, it is possible to trigger a stack-based buffer overflow, resulting in the execution of arbitrary code.
d7bb11918744f40858388713a6cadb9a010141307cf776efd3f5a90a2856dc85HP StorageWorks 1/8 G2 Tape Autoloader suffers from denial of service and privilege escalation vulnerabilities.
1796e1effd5dcca9f3b5760999cef870ea8e8cc8bf86fbd5442cd59e0b319642This Metasploit module exploits a heap-based memory corruption vulnerability in Autodesk IDrop ActiveX control (IDrop.ocx) version 17.1.51.160. An attacker can execute arbitrary code by triggering a heap use after free condition using the Src, Background, PackageXml properties.
ed9e481ead1489a1daf2b9cee8648d7e139f01c0d32d6ba6537f09d38141d0c1This Metasploit module exploits a stack overflow in IBM Lotus Domino Web Access Upload Module. By sending an overly long string to the "General_ServerName()" property located in the dwa7w.dll and the inotes6w.dll control, an attacker may be able to execute arbitrary code.
db688071a11a57ace62f20772c549782d9dff2fc8a961055995a997b12f772dfThis Metasploit module exploits a stack overflow in Symantec BackupExec Calendar Control. By sending an overly long string to the "_DOWText0" property located in the pvcalendar.ocx control, an attacker may be able to execute arbitrary code.
35830d0832948d41cb04a73d18bd6db9f598b503253e0032efcd4dafeaae3fbeiDefense Security Advisory 10.13.09 - Remote exploitation of a use after free vulnerability in Adobe Systems Inc.'s Acrobat and Reader Firefox plugin could allow an attacker to execute arbitrary code with the privileges of the current user. When Adobe Acrobat/Reader is installed, it also installs various browser plugins that allow PDF documents to be viewed in the browser. This vulnerability occurs within the Firefox browser plugin. The Internet Explorer version is not affected. The vulnerability occurs when Firefox attempts to navigate away from a page and unload the PDF viewing plugin. When Firefox calls the plugin's destroy method, the plugin does not properly free its resources. Specifically, a function pointer for the window update routine is not properly freed. This results in uninitialized memory being used when the window is redrawn, which leads to attacker supplied data being executed when the function pointer is dereferenced. iDefense has confirmed the existence of this vulnerability in Acrobat and Reader versions 8.1.3, 8.1.4, 8.1.5, and 8.1.6. Previous versions are also likely affected. Version 9.1.3 and previous 9.x versions are not affected.
26d2526e5fa4a158dc90e307c84a2c19f9b708a1d9689add295e4f768fab5f65The VSFLEXGrid component of the SAP GUI is susceptible to a buffer overflow vulnerability.
04d60f014b9f2a3d08a47e1adb8e4bb8844b3ade41a517d5445b1dd291408bc4Autodesk IDrop remote code execution Active-X related exploit.
7c9c190ffc784d425b6ced4e31666ab13e643782cb0241ab22e64961271029edThe Src, Background, PackageXml properties in the Autodesk IDrop Active-X control, IDrop.ocx version 17.1.51.160, can be manipulated to trigger a heap use after free condition resulting in arbitrary remote code execution.
1fbcf13d54df0e114fd96ea3f5e09559387f9e25c424f2d139670a609329cc27Belkin BullDog Plus UPS-Service buffer overflow exploit that binds a shell to port 4444.
b618160c09e59803fe7c32c8d7abf7d6978e1c98bf9aa4e15cfffb8fc6be6a40The Imera ImeraIEPlugin.dll version 1.0.2.54 suffers from an arbitrary code execution vulnerability.
4fec98095b98c4e50689fb2b454b7ab1bde5684601a56db62c95836de5a60c9cThe Webex Meeting Manager utilizes several ActiveX controls, one of which is vulnerable to a stack based buffer overflow. The atucfobj Module contains a single method called NewObject() who's only parameter is vulnerable to this issue.
59ed4c8c159f8391f384540b98af79d0c0a34c51e5561014af355d1b1ad355adOfficeScan versions 7.3 build 1343 Patch 4 and below from Trend Micro suffer from an ActiveX related buffer overflow vulnerability.
0c2b50cf8236ae8bf547a71005cc9d2fd221cd85aa987b33776ee4ecb0137c00RealPlayer suffers from a vulnerability where the WindowName and Controls properties of rmoc3260.dll do not manage heap memory properly resulting in a use after free condition which can overwrite heap management structures resulting in code execution. RealPlayer 11, 10.5, 10, and Enterprise are all affected.
f4a867bf834fd12002bf185f61e63741d9d542b0daa5b3009f9be2f18b59f04cThis Metasploit module exploits a heap corruption vulnerability in the RealPlayer ActiveX control. By sending a specially crafted string to the 'Console' property in the rmoc3260.dll control, an attacker may be able to execute arbitrary code.
fe18e54c7136e0f4ddd02005a5baa3b152573f829ae72ec39f0b69c9755ba6b6Exploit for the heap corruption vulnerability in the RealPlayer ActiveX control. By sending a specially crafted string to the 'Console' property in the rmoc3260.dll control, an attacker may be able to execute arbitrary code.
9c9470fc73ec08b731d851e037405e4cdd3056a7576b171fc5620b4f9224c9bbThe Real Networks RealPlayer ActiveX controller appears to suffer from a heap corruption vulnerability.
9919e8e59146b8fa84af60f145dcf038f509555dc92a70d72cf6abc85bb3d5b5Symantec BackupExec Calendar Control (PVCalendar.ocx) buffer overflow exploit. and spawns calc.exe or a shell on tcp/4444.
7cc83a1c05db405770519c88f6e3ec43de346367d2eeba3e528271a2e98f74c8Move Networks Quantum Streaming Player control buffer overflow exploit that makes use of UploadLogs() and spawns calc.exe or a shell on tcp/4444.
41972e252273ea4153b87f7b4e73c6695c69ac621662f7c3de0afdde0d621999Citrix Presentation Server Client WFICA.OCX ActiveX component heap buffer overflow exploit.
1d5f55c08aed2772a1687dc30b77a07987a65136e0be10cbf56ee59a69461f8d
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Subscribe to an RSS Feed