ae2adf08f1
5 changes to exploits/shellcodes NIMax 5.3.1 - 'Remote VISA System' Denial of Service (PoC) NIMax 5.3.1f0 - 'VISA Alias' Denial of Service (PoC) Easy Chat Server 3.1 - Directory Traversal and Arbitrary File Read Small CRM 3.0 - 'description' Stored Cross-Site Scripting (XSS)
36 lines
No EOL
1.2 KiB
Text
36 lines
No EOL
1.2 KiB
Text
# Exploit Title: Macro Expert 4.7 - Unquoted Service Path
|
|
# Exploit Author: Mert DAŞ
|
|
# Version: 4.7
|
|
# Date: 20.10.2021
|
|
# Vendor Homepage: http://www.macro-expert.com/
|
|
# Tested on: Windows 10
|
|
|
|
C:\Users\Mert>sc qc "Macro Expert"
|
|
[SC] QueryServiceConfig SUCCESS
|
|
|
|
SERVICE_NAME: Macro Expert
|
|
TYPE : 10 WIN32_OWN_PROCESS
|
|
START_TYPE : 2 AUTO_START
|
|
ERROR_CONTROL : 1 NORMAL
|
|
BINARY_PATH_NAME : c:\program files (x86)\grasssoft\macro
|
|
expert\MacroService.exe
|
|
LOAD_ORDER_GROUP :
|
|
TAG : 0
|
|
DISPLAY_NAME : Macro Expert
|
|
DEPENDENCIES :
|
|
SERVICE_START_NAME : LocalSystem
|
|
---------------------------------------------
|
|
|
|
Or:
|
|
-------------------------
|
|
C:\Users\Mert>wmic service get name,displayname,pathname,startmode |findstr
|
|
/i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
|
|
|
|
|
|
#Exploit:
|
|
|
|
A successful attempt would require the local user to be able to insert
|
|
their code in the system root path undetected by the OS or other security
|
|
applications where it could potentially be executed during application
|
|
startup or reboot. If successful, the local user's code would execute with
|
|
the elevated privileges of the application. |