DB: 2020-03-12

2 changes to exploits/shellcodes ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path Wordpress Plugin Search Meter 2.13.2 - CSV injection
2020-03-12 05:01:49 +00:00 · 2020-03-12 05:01:49 +00:00 · 3c74040d79
commit 3c74040d79
parent 0a0ad49d15
3 changed files with 63 additions and 0 deletions
--- a/exploits/php/webapps/48197.txt
+++ b/exploits/php/webapps/48197.txt
@ -0,0 +1,27 @@
+# Exploit Title: Wordpress Plugin Search Meter 2.13.2 - CSV Injection
+# Google Dork: N/A
+# Date: 2020-03-10
+# Exploit Author: Daniel Monzón (stark0de)
+# Vendor Homepage: https://thunderguy.com/semicolon/
+# Software Link: https://downloads.wordpress.org/plugin/search-meter.2.13.2.zip
+# Version: 2.13.2
+# Tested on: Windows 7 x86 SP1
+# CVE : N/A
+
+There is a CSV injection vulnerability in the Export function of the Search Meter plugin version 
+
+1) First we introduce the payload in the search bar in Wordpress
+
+=cmd|' /C notepad'!'A1'
+
+
+2) Then we go to http://127.0.0.1/wordpress/wp-admin/index.php?page=search-meter%2Fadmin.php and export the CSV file
+
+
+3) After that we open the file in Excel, and import data from an external file, using comma as separator
+
+
+4) Payload gets executed
+
+
+Tested on Windows 7 Pro SP1 32-bit, Wordpress 5.3.2 and Excel 2016
--- a/exploits/windows/local/48193.txt
+++ b/exploits/windows/local/48193.txt
@ -0,0 +1,34 @@
+# Exploit Title: ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path
+# Discovery by: Roberto Piña
+# Discovery Date: 2020-03-10
+# Vendor Homepage: https://www.asus.com/
+# Software Link :https://dlcdnets.asus.com/pub/ASUS/misc/utils/AISuite3_Win10_H97M-Pro_V10102.zip?_ga=2.170180192.1334401606.1583873755-790266082.1583873755
+# Tested Version: 1.02.00
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Home x64 en
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "asComSvc" | findstr /i /v """
+ASUS Com Service                                                                    asComSvc                                  C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe                                                                       Auto
+
+C:\>sc qc asComSvc
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: asComSvc
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : ASUS Com Service
+        DEPENDENCIES       : RpcSs
+        SERVICE_START_NAME : LocalSystem
+
+
+#Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path 
+# undetected by the OS or other security applications where it could potentially be executed during 
+# application startup or reboot. If successful, the local user's code would execute with the elevated 
+# privileges of the application.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10987,6 +10987,7 @@ id,file,description,date,author,type,platform,port
 48180,exploits/windows/local/48180.cpp,"Microsoft Windows - 'WizardOpium' Local Privilege Escalation",2020-03-03,piotrflorczyk,local,windows,
 48185,exploits/linux/local/48185.rb,"OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)",2020-03-09,Metasploit,local,linux,
 48187,exploits/multiple/local/48187.txt,"Counter Strike: GO - '.bsp' Memory Control (PoC)",2020-03-09,"0day enthusiast",local,multiple,
+48193,exploits/windows/local/48193.txt,"ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path",2020-03-11,"Roberto Piña",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42455,3 +42456,4 @@ id,file,description,date,author,type,platform,port
 48188,exploits/java/webapps/48188.txt,"Sysaid 20.1.11 b26 - Remote Command Execution",2020-03-10,"Ahmed Sherif",webapps,java,
 48189,exploits/php/webapps/48189.txt,"YzmCMS 5.5 - 'url' Persistent Cross-Site Scripting",2020-03-10,En_dust,webapps,php,
 48190,exploits/php/webapps/48190.txt,"Persian VIP Download Script 1.0 - 'active' SQL Injection",2020-03-10,S3FFR,webapps,php,
+48197,exploits/php/webapps/48197.txt,"Wordpress Plugin Search Meter 2.13.2 - CSV injection",2020-03-11,"Daniel Monzón",webapps,php,