Ubisoft uplay Active X control Command Execution #653
This allows the user to run any Windows commands.
Tested in WinXP and IE.
Did not appear to work in Win7.
Patched as of today, good turnaround Ubisoft.
Could use some hints as to how to have a 'command line' payload and base64 encoding. Not tested the autopwn features (copied from template exploit). Areas I still need to work out!
As far as I know, this should also work with other browsers, not just IE. Mozilla blocks it.
If you wish to test it I have the 2.03 installer. It updates pretty quickly so the majority of people won't be vulnerable anymore unless they're in offline mode.
No idea why classid isn't picked up in browser autopwn, the plugin doesn't list in IE's installed programs, but is in the registry etc.
Module isn't working for me.
So issue #1, in this line:
That for me is missing a "" in the path, so I had to change that:
Issue #2: even though the path is right, webdav doesn't seem to launch by the open() function. It launches UPlay, but no WebDav requests are actually made according to my Wireshark log. However, if I manually launch webdav, and then double click on the exe, it works. So that indicates webdav is actually working, it's just not launched for some reason. Here's an example of the source for open():
By the way, here's a trick you can use to hide the executable (you can do a grep on "ishidden" in the exploits directory to find examples):
Hmm uplay_steam_mode missing a - in your paste.
What did you test under, Win7? And did you have your credentials saved for autologin?
Hmm tested in Win7 again on a different host, and calc worked:
Was going to watch procmon to see if anything is different but handily this logfile is used:
C:\Program Files\Ubisoft\Ubisoft Game Launcher\logs\launcher_log.txt
2012-08-02 13:04:12 [ 4912] INFO HubUtils.cpp (162) -- Starting Ubisoft Game Launcher --