Tom Sawyer Software GET Extension Factory Remote Code Execution
Disclosed | Created |
---|---|
May 3, 2011 | May 30, 2018 |
Description
This module exploits a remote code execution vulnerability in the tsgetx71ex553.dll
ActiveX control installed with Tom Sawyer GET Extension Factory, caused by an incorrect
initialization under Internet Explorer.
While the Tom Sawyer GET Extension Factory is installed with some versions of VMware
Infrastructure Client, this module has been tested only with the versions installed
with Embarcadero Technologies ER/Studio XE2 / Embarcadero Studio Portal 1.6. The ActiveX
control tested is tsgetx71ex553.dll, version 5.5.3.238.
This module achieves DEP and ASLR bypass using the well-known msvcr71.dll ROP chain. The
DLL is installed by default with the Embarcadero software and is loaded by the targeted
ActiveX control.
Authors
Elazar Broad
rgod
juan vazquez <juan.vazquez@metasploit.com>
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced'.
