From eeec67ddf95f010ae3088d6b5639549643d17d11 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 21 May 2021 05:01:54 +0000
Subject: [PATCH] DB: 2021-05-21

3 changes to exploits/shellcodes

ASUS HID Access Service 1.0.94.0 - 'AsHidSrv.exe' Unquoted Service Path
Backup Manager Module 3.0.0.99 - 'IScheduleSvc.exe' Unquoted Service Path
Acer Updater Service 1.2.3500.0 - 'UpdaterService.exe' Unquoted Service Path
---
 exploits/windows/local/49888.txt | 35 +++++++++++++++++++++++++++++
 exploits/windows/local/49889.txt | 38 ++++++++++++++++++++++++++++++++
 exploits/windows/local/49890.txt | 37 +++++++++++++++++++++++++++++++
 files_exploits.csv | 3 +++
 4 files changed, 113 insertions(+)
 create mode 100644 exploits/windows/local/49888.txt
 create mode 100644 exploits/windows/local/49889.txt
 create mode 100644 exploits/windows/local/49890.txt

diff --git a/exploits/windows/local/49888.txt b/exploits/windows/local/49888.txt
new file mode 100644
index 000000000..632e6a501
--- /dev/null
+++ b/exploits/windows/local/49888.txt
@@ -0,0 +1,35 @@
+# Exploit Title: ASUS HID Access Service 1.0.94.0 - 'AsHidSrv.exe' Unquoted Service Path
+# Date: 2020-05-19
+# Exploit Author: Alejandra Sánchez
+# Vendor Homepage: www.asus.com
+# Version: 1.0.94.0
+# Tested on: Windows 10 Pro x64 es
+
+# Description:
+ATK Hotkey 1.0.94.0 suffers from an unquoted search path issue impacting the service 'AsHidService'. This could potentially allow an
+authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require
+the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could
+potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges
+of the application.
+
+# Prerequisites
+Local, Non-privileged Local User with restart capabilities
+
+# Details
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
+ASUS HID Access Service AsHidService C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsHidSrv.exe Auto
+
+C:\>sc qc "AsHidService"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: AsHidService
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsHidSrv.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : ASUS HID Access Service
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/49889.txt b/exploits/windows/local/49889.txt
new file mode 100644
index 000000000..5d0bbd5eb
--- /dev/null
+++ b/exploits/windows/local/49889.txt
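Review bot: The Description asserts privilege escalation but the file never shows that a standard user can write to any intermediate directory of `C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\`; under default Program Files ACLs an unquoted ImagePath alone is not exploitable, so the advisory should include the directory permission evidence (for example `icacls` output for the parent folders) or state that exploitability depends on installer-set ACLs. The same gap applies to 49889.txt and 49890.txt in this commit. No remediation is given either; add a line such as `# Fix: quote the ImagePath of 'AsHidService' in the service configuration so the loader resolves only the full path`. Two metadata inconsistencies are visible: the Description names the product "ATK Hotkey 1.0.94.0" while the title says "ASUS HID Access Service", and `# Date: 2020-05-19` is a year earlier than the 2021-05-20 date recorded for this entry in files_exploits.csv.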
@@ -0,0 +1,38 @@
+# Exploit Title: Acer Backup Manager Module 3.0.0.99 - 'IScheduleSvc.exe' Unquoted Service Path
+# Discovery by: Emmanuel Lujan
+# Discovery Date: 2021-05-19
+# Vendor Homepage: https://www.acer.com/ac/en/US/content/home
+# Tested Version: 3.0.0.99
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 7 Home Premium x64
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+NTI IScheduleSvc NTI ISch
+eduleSvc C:\Program Files (x86)\NTI\Acer Backup Man
+ager\IScheduleSvc.exe Auto
+
+
+# Service info:
+
+C:\>sc qc "NTI IScheduleSvc"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: NTI IScheduleSvc
+ TYPE : 110 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\Acer Backup Manager\IScheduleSvc.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : NTI IScheduleSvc
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other
+ security applications where it could potentially be executed during application startup or reboot. If successful, the local user's
+code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/49890.txt b/exploits/windows/local/49890.txt
new file mode 100644
index 000000000..17d798dfd
--- /dev/null
+++ b/exploits/windows/local/49890.txt
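Review bot: The two transcripts disagree on the service binary path: the wmic output lists `C:\Program Files (x86)\NTI\Acer Backup Man` / `ager\IScheduleSvc.exe`, while the `sc qc` output shows `BINARY_PATH_NAME : C:\Program Files (x86)\Acer Backup Manager\IScheduleSvc.exe` without the `NTI\` component. Either one transcript was hand-edited or they come from different installs; the file should be reconciled to one verbatim path, because which parent directory a standard user would need write access to depends on it. The TYPE value 110 (presumably WIN32_OWN_PROCESS with the interactive flag set) is worth a sentence of its own as a separate hardening observation rather than being left unexplained. The #Exploit section only repeats the generic impact text and gives no remediation; suggest adding `# Fix: quote the ImagePath of "NTI IScheduleSvc" in the service configuration` after it.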
@@ -0,0 +1,37 @@
+# Exploit Title: Acer Updater Service 1.2.3500.0 - 'UpdaterService.exe' Unquoted Service Path
+# Discovery by: Emmanuel Lujan
+# Discovery Date: 2020-11-26
+# Vendor Homepage: https://www.acer.com/ac/en/US/content/home
+# Tested Version: 1.2.3500.0
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 7 Home Premium x64
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+Live Updater Service Live Upd
+ater Service C:\Program Files\Acer\Acer Updater\Updater
+Service.exe Auto
+
+# Service info:
+
+C:\>sc qc "Live Updater Service"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Live updater Service
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\Acer\Acer Updater\UpdaterService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Live Updater Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other
+ security applications where it could potentially be executed during application startup or reboot. If successful, the local user's
+code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index c30d88e23..8ce328f34 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
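Review bot: `SERVICE_NAME: Live updater Service` in the `sc qc` output differs in case from the query `sc qc "Live Updater Service"` and from the wmic listing and DISPLAY_NAME, so at least one transcript appears to have been retyped rather than pasted; the file should carry the verbatim tool output since readers use it to confirm the finding. `# Discovery Date: 2020-11-26` is about six months before the 2021-05-20 index date, which is fine as a disclosure timeline but then a vendor-contact or response line would make that timeline readable. As in 49888.txt, no remediation is given; suggest `# Fix: quote the ImagePath of "Live Updater Service" in the service configuration so the loader no longer resolves the space-separated prefixes of the path`.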
@@ -11330,6 +11330,9 @@ id,file,description,date,author,type,platform,port
 49864,exploits/windows_x86-64/local/49864.js,"Firefox 72 IonMonkey - JIT Type Confusion",2021-05-13,"Forrest Orr",local,windows_x86-64,
 49872,exploits/windows/local/49872.js,"Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free",2021-05-17,SlidingWindow,local,windows,
 49882,exploits/windows/local/49882.ps1,"Visual Studio Code 1.47.1 - Denial of Service (PoC)",2021-05-19,"H.H.A.Ravindu Priyankara",local,windows,
+49888,exploits/windows/local/49888.txt,"ASUS HID Access Service 1.0.94.0 - 'AsHidSrv.exe' Unquoted Service Path",2021-05-20,"Alejandra Sánchez",local,windows,
+49889,exploits/windows/local/49889.txt,"Backup Manager Module 3.0.0.99 - 'IScheduleSvc.exe' Unquoted Service Path",2021-05-20,"Emmanuel Lujan",local,windows,
+49890,exploits/windows/local/49890.txt,"Acer Updater Service 1.2.3500.0 - 'UpdaterService.exe' Unquoted Service Path",2021-05-20,"Emmanuel Lujan",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
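Review bot: The index description for 49889 drops the vendor name that the file's own title carries: the CSV line reads `Backup Manager Module 3.0.0.99 - 'IScheduleSvc.exe' Unquoted Service Path`, while 49889.txt is titled "Acer Backup Manager Module 3.0.0.99 - ..." and the neighbouring 49888/49890 entries keep their vendor prefix. A search of the index by vendor will miss this entry; change the line to `49889,exploits/windows/local/49889.txt,"Acer Backup Manager Module 3.0.0.99 - 'IScheduleSvc.exe' Unquoted Service Path",2021-05-20,"Emmanuel Lujan",local,windows,` so the index and the file agree.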