DB: 2019-06-14

2 changes to exploits/shellcodes Pronestor Health Monitoring < 8.1.11.0 - Privilege Escalation Sitecore 8.x - Deserialization Remote Code Execution
2019-06-14 05:01:54 +00:00 · 2019-06-14 05:01:54 +00:00 · 98346529ea
commit 98346529ea
parent 698fffff86
3 changed files with 76 additions and 0 deletions
--- a/exploits/aspx/webapps/46987.txt
+++ b/exploits/aspx/webapps/46987.txt
@ -0,0 +1,14 @@
+# Exploit Title: Sitecore v 8.x Deserialization RCE
+# Date: Reported to vendor October 2018, fix released April 2019.
+# Exploit Author: Jarad Kopf
+# Vendor Homepage: https://www.sitecore.com/
+# Software Link: Sitecore downloads: https://dev.sitecore.net/Downloads.aspx
+# Version: Sitecore 8.0 Revision 150802
+# Tested on: Windows
+# CVE : CVE-2019-11080 
+
+Exploit: 
+
+Authentication is needed for this exploit. An attacker needs to login to Sitecore 8.0 revision 150802's Admin section. 
+When choosing to Serializeusers or domains in the admin UI, calls to /sitecore/shell/~/xaml/Sitecore.Shell.Applications.Dialogs.Progress.aspx will include a CSRFTOKEN parameter. 
+By replacing this parameter with a URL-encoded, base64-encoded crafted payload from ysoserial.net, an RCE is successful.
--- a/exploits/windows/local/46988.txt
+++ b/exploits/windows/local/46988.txt
@ -0,0 +1,60 @@
+[Summary]
+The Pronestor service "PNHM" (aka Health Monitoring or HealthMonitor) 
+before 8.1.12.0 has "BUILTIN\Users:(I)(F)" permissions for 
+the "%PROGRAMFILES(X86)%\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe" file, 
+which allows local users to gain privileges via a Trojan horse PronestorHealthMonitor.exe file.
+
+During the installation of Pronestors Outlook-Add-In (version 8.1.11.0 
+and older) the installer creates a service named PNHM (Pronester 
+Health Monitoring) with weak file permission running as SYSTEM.
+The vulnerability allows all "Authenticated Users" to potentially 
+execute arbitrary code as SYSTEM on the local system.
+
+[Additional Information]
+Tested on Windows 7.
+Version: Outlook Add-In 8.1.11.0 and older
+Also tested on version 5.1.6.0 with same result.
+Discovered: 06-nov-2018
+Reported: 07-nov-2018
+
+Vendor: https://www.pronestor.com/
+Vendor confirmed: True
+Fixed: Version 8.1.12.0
+Attack Type: Local Privilege Escalation
+Vulnerability due to: Insecure Permissions
+Discoverer: PovlTekstTV
+CVE: 2018-19113
+Original link: https://gist.github.com/povlteksttv/8f990e11576e1e90e8fb61acf8646d28
+
+[Proof]
+C:\Users\povltekst>sc qc PNHM
+
+SERVICE_NAME: PNHM
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : "C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe"
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Pronestor HealthMonitor
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\Users\povltekst>icacls 'C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe'
+C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe
+         BUILTIN\Users:(I)(F)
+         NT AUTHORITY\SYSTEM:(I)(F)
+         BUILTIN\Administrators:(I)(F)
+
+Notice: "BUILIN\Users:(I)(F)". (F) = Full access!
+This means that an authenticated user can change the file
+
+[Attack Vectors]
+Replace the file "PronestorHealthMonitor.exe" with a malicious file 
+also called "PronesterHealthMonitor.exe". Next time the service (PNHM) 
+starts, the malicious file will get executed as SYSTEM. The service 
+starts on every reboot.
+
+[Affected Component]
+PronestorHealthMonitor.exe
+This exe will be executed on every reboot by a service named PNHM running as SYSTEM.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10544,6 +10544,7 @@ id,file,description,date,author,type,platform,port
 46973,exploits/linux/local/46973.md,"Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution",2019-06-04,Arminius,local,linux,
 46976,exploits/windows/local/46976.txt,"Microsoft Windows - AppX Deployment Service Local Privilege Escalation (3)",2019-06-07,SandboxEscaper,local,windows,
 46978,exploits/linux/local/46978.sh,"Ubuntu 18.04 - 'lxd' Privilege Escalation",2019-06-10,s4vitar,local,linux,
+46988,exploits/windows/local/46988.txt,"Pronestor Health Monitoring < 8.1.11.0  - Privilege Escalation",2019-06-13,PovlTekstTV,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -41392,3 +41393,4 @@ id,file,description,date,author,type,platform,port
 46982,exploits/php/webapps/46982.txt,"phpMyAdmin 4.8 - Cross-Site Request Forgery",2019-06-11,Riemann,webapps,php,
 46983,exploits/jsp/webapps/46983.txt,"Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting",2019-06-11,"Valerio Brussani",webapps,jsp,
 46985,exploits/php/webapps/46985.py,"FusionPBX 4.4.3 - Remote Command Execution",2019-06-12,"Dustin Cobb",webapps,php,
+46987,exploits/aspx/webapps/46987.txt,"Sitecore 8.x - Deserialization Remote Code Execution",2019-06-13,"Jarad Kopf",webapps,aspx,