{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "Original Hyland/PACSgear PACS Scan 5.2.1 PGImageExchQueue.exe .NET Remoting TCP endpoint tcp://127.0.0.1:22222/PGImageExchange; vendor_binary_used=true",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "original PACS Scan 5.2.1 installer",
    "PGImageExchQueue.exe",
    "PGImageExchangeQueueSvc.exe path",
    "Windows .NET Framework 4 under Wine",
    "System.Runtime.Remoting TcpChannel",
    "MBRO Lazy WebClient exploit"
  ],
  "proof_artifacts": [
    "logs/reproduction_steps.log",
    "logs/product_availability.log",
    "logs/product_static_identity.log",
    "logs/product_attempt_1_server.log",
    "logs/product_attempt_1_exploit.log",
    "logs/product_attempt_1_service.log",
    "logs/product_attempt_1_negative_service.log",
    "logs/product_attempt_2_server.log",
    "logs/product_attempt_2_exploit.log",
    "logs/product_attempt_2_service.log",
    "logs/product_attempt_2_negative_service.log",
    "logs/wine_dotnet_setup.log",
    "repro/artifacts/product_identity.json",
    "repro/artifacts/product_attempt_1/remote_read_win_ini.txt",
    "repro/artifacts/product_attempt_1/remote_write_proof.txt",
    "repro/artifacts/product_attempt_1/rce_marker.txt",
    "repro/artifacts/product_attempt_1/cryptsp_upload.txt",
    "repro/artifacts/product_attempt_1/service_overwrite_upload.txt",
    "repro/artifacts/product_attempt_2/remote_read_win_ini.txt",
    "repro/artifacts/product_attempt_2/remote_write_proof.txt",
    "repro/artifacts/product_attempt_2/rce_marker.txt",
    "repro/artifacts/product_attempt_2/cryptsp_upload.txt",
    "repro/artifacts/product_attempt_2/service_overwrite_upload.txt"
  ],
  "notes": "Original PACS Scan 5.2.1 PGImageExchQueue.exe was exploited twice over unauthenticated .NET Remoting. The server-side WebClient MBRO primitive read C:\\Windows\\win.ini, wrote proof files, planted CRYPTSP.DLL in the product directory, overwrote PGImageExchangeQueueSvc.exe via the remote file-write primitive, and code executed when the product service path was started. Negative controls with the clean service binary created no marker."
}