This Metasploit module exploits a remote code execution vulnerability in the tsgetx71ex553.dll ActiveX control installed with Tom Sawyer GET Extension Factory due to an incorrect initialization under Internet Explorer. While the Tom Sawyer GET Extension Factory is installed with some versions of VMware Infrastructure Client, this module has been tested only with the versions installed with Embarcadero Technologies ER/Studio XE2 / Embarcadero Studio Portal 1.6. The ActiveX control tested is tsgetx71ex553.dll, version 5.5.3.238. This Metasploit module achieves DEP and ASLR bypass using the well known msvcr71.dll rop chain. The dll is installed by default with the Embarcadero software, and loaded by the targeted ActiveX.
3e7aa29056921982fd5564fee15bd5aaiDefense Security Advisory 05.03.11 - Remote exploitation of a memory corruption vulnerability in Tom Sawyer Software's GET Extension Factory could allow an attacker to execute arbitrary code with the privileges of the affected user. The vulnerability exists within the way that Internet Explorer instantiates GET Extension Factory COM objects, which is not intended to be created inside of the browser. The object does not initialize properly, and this leads to a memory corruption vulnerability that an attacker can exploit to execute arbitrary code. iDefense has confirmed Tom Sawyer's Default GET Extension Factory 5.5.2.237, tsgetxu71ex552.dll and tsgetx71ex552.dll to be vulnerable. VMWare VirtualCenter 2.5 Update 6, VirtualCenter 2.5 Update 6a is vulnerable.
2e6279ff1d843731dd05e2126d07501eSapGUI BI version 7100.1.400.8 heap corruption exploit that launches calc.exe.
f7794f3dd88f7fe4f8d12298cc2f152bThe SAPGui BI component version 7100.1.400.8 suffers from a heap corruption vulnerability that can result in the execution of arbitrary code.
1518bf3e5e2cbc644a76b75abd4f9cc5This Metasploit module exploits a stack-based buffer overflow in WebEx's WebexUCFObject ActiveX Control. If an long string is passed to the 'NewObject' method, a stack- based buffer overflow will occur when copying attacker-supplied data using the sprintf function. It is noteworthy that this vulnerability was discovered and reported by multiple independent researchers.
f2d99a88beab4e4dd35711d91502b078iDefense Security Advisory 03.02.10 - Remote exploitation of a stack-based buffer overflow vulnerability in IBM Corp.'s Lotus Domino Web Access ActiveX control could allow an attacker to execute arbitrary code with the privileges of the current user. The vulnerable function takes an attacker-controlled URL, and copies it into a fixed-size stack buffer. No validation checks are performed on the length of the URL. By passing in a long URL string, it is possible to trigger a stack-based buffer overflow, resulting in the execution of arbitrary code.
0f49ae12b79795b324cf97c77a4b8051HP StorageWorks 1/8 G2 Tape Autoloader suffers from denial of service and privilege escalation vulnerabilities.
80db7cbe0231e9be01d2ae9920041bfbThis Metasploit module exploits a heap-based memory corruption vulnerability in Autodesk IDrop ActiveX control (IDrop.ocx) version 17.1.51.160. An attacker can execute arbitrary code by triggering a heap use after free condition using the Src, Background, PackageXml properties.
8ffa620ce9eba17109acaff64cef9690This Metasploit module exploits a stack overflow in IBM Lotus Domino Web Access Upload Module. By sending an overly long string to the "General_ServerName()" property located in the dwa7w.dll and the inotes6w.dll control, an attacker may be able to execute arbitrary code.
50aa5ae090a1b2db0a274c256a751cbaThis Metasploit module exploits a stack overflow in Symantec BackupExec Calendar Control. By sending an overly long string to the "_DOWText0" property located in the pvcalendar.ocx control, an attacker may be able to execute arbitrary code.
1df8f24fcdcece9e8eb4a56262167732iDefense Security Advisory 10.13.09 - Remote exploitation of a use after free vulnerability in Adobe Systems Inc.'s Acrobat and Reader Firefox plugin could allow an attacker to execute arbitrary code with the privileges of the current user. When Adobe Acrobat/Reader is installed, it also installs various browser plugins that allow PDF documents to be viewed in the browser. This vulnerability occurs within the Firefox browser plugin. The Internet Explorer version is not affected. The vulnerability occurs when Firefox attempts to navigate away from a page and unload the PDF viewing plugin. When Firefox calls the plugin's destroy method, the plugin does not properly free its resources. Specifically, a function pointer for the window update routine is not properly freed. This results in uninitialized memory being used when the window is redrawn, which leads to attacker supplied data being executed when the function pointer is dereferenced. iDefense has confirmed the existence of this vulnerability in Acrobat and Reader versions 8.1.3, 8.1.4, 8.1.5, and 8.1.6. Previous versions are also likely affected. Version 9.1.3 and previous 9.x versions are not affected.
86f5a7800b522ebb67486e8a4e3d1080The VSFLEXGrid component of the SAP GUI is susceptible to a buffer overflow vulnerability.
e099ceb6469ff2385a8770fa9e668cf2Autodesk IDrop remote code execution Active-X related exploit.
33738fc96994902b7d66e295f07b9917The Src, Background, PackageXml properties in the Autodesk IDrop Active-X control, IDrop.ocx version 17.1.51.160, can be manipulated to trigger a heap use after free condition resulting in arbitrary remote code execution.
9f55a5b229984db40abe2aaef85d4fc6Belkin BullDog Plus UPS-Service buffer overflow exploit that binds a shell to port 4444.
a90630d41c3c87c3432068943d852f2cThe Imera ImeraIEPlugin.dll version 1.0.2.54 suffers from an arbitrary code execution vulnerability.
551460c30d2207e3b9cb32147ab97096The Webex Meeting Manager utilizes several ActiveX controls, one of which is vulnerable to a stack based buffer overflow. The atucfobj Module contains a single method called NewObject() who's only parameter is vulnerable to this issue.
ffcef6e99156b9761932f07647471908OfficeScan versions 7.3 build 1343 Patch 4 and below from Trend Micro suffer from an ActiveX related buffer overflow vulnerability.
ab8f9d007a31acfffc8b3a3cb901bd90RealPlayer suffers from a vulnerability where the WindowName and Controls properties of rmoc3260.dll do not manage heap memory properly resulting in a use after free condition which can overwrite heap management structures resulting in code execution. RealPlayer 11, 10.5, 10, and Enterprise are all affected.
6770b3f1177517eb6841ebc11efa2528This Metasploit module exploits a heap corruption vulnerability in the RealPlayer ActiveX control. By sending a specially crafted string to the 'Console' property in the rmoc3260.dll control, an attacker may be able to execute arbitrary code.
5fa5ecf492d50f4a9f558a950358e245Exploit for the heap corruption vulnerability in the RealPlayer ActiveX control. By sending a specially crafted string to the 'Console' property in the rmoc3260.dll control, an attacker may be able to execute arbitrary code.
d1d54d0143d6c7c32a767130e453bb34The Real Networks RealPlayer ActiveX controller appears to suffer from a heap corruption vulnerability.
e3deff0c9f224a77d42d8d83eb5fec3aSymantec BackupExec Calendar Control (PVCalendar.ocx) buffer overflow exploit. and spawns calc.exe or a shell on tcp/4444.
2c1cff8c354f4a88ca29b3119d31f0a3Move Networks Quantum Streaming Player control buffer overflow exploit that makes use of UploadLogs() and spawns calc.exe or a shell on tcp/4444.
494f4767652244ffb26389822b200a82Citrix Presentation Server Client WFICA.OCX ActiveX component heap buffer overflow exploit.
e07a67979914c000a1b48e6d667104f8
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed