Search for hundreds of thousands of exploits

"Popcorn Time 6.2 - 'Update service' Unquoted Service Path"

Author

Exploit author

"Uriel Yochpaz"

Platform

Exploit platform

windows

Release date

Exploit published date

2020-04-24

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
# Exploit Title: Popcorn Time 6.2 - 'Update service' Unquoted Service Path
# Date: 2020-04-24
# Vendor Homepage: https://getpopcorntime.is
# Exploit Authors: Uriel Yochpaz & Jonatan Schor
# Software Link: https://dl.getpopcorntime.is/PopcornTime-latest.exe
# Version: 6.2.1.14 and probably prior versions
# Tested on: Windows 10, 7
# CVE : N/A

[+] Description:
Popcorn Time For Windows installs as a service with an unquoted
service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.

[+] POC:
C:\Users\User>sc qc "Update service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Update service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Popcorn Time\Updater.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Update service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

[+] Exploit:
A successful attempt would require the local user to be able to insert their
code in "Program files (x86)" (popcorn.exe) or "C:\" (program.exe)
folders undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
If successful, the local user's code would execute with the elevated privileges
of the application.
Release DateTitleTypePlatformAuthor
2020-07-02"WhatsApp Remote Code Execution - Paper"webappsandroid"ashu Jaiswal"
2020-07-02"ZenTao Pro 8.8.2 - Command Injection"webappsphp"Daniel Monzón"
2020-07-02"OCS Inventory NG 2.7 - Remote Code Execution"webappsmultipleAskar
2020-07-01"Online Shopping Portal 3.1 - Authentication Bypass"webappsphp"Ümit Yalçın"
2020-07-01"e-learning Php Script 0.1.0 - 'search' SQL Injection"webappsphpKeopssGroup0day_Inc
2020-07-01"PHP-Fusion 9.03.60 - PHP Object Injection"webappsphpcoiffeur
2020-07-01"RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC)"localwindows"Paras Bhatia"
2020-06-30"Reside Property Management 3.0 - 'profile' SQL Injection"webappsphp"Behzad Khalifeh"
2020-06-30"Victor CMS 1.0 - 'user_firstname' Persistent Cross-Site Scripting"webappsphp"Anushree Priyadarshini"
2020-06-26"Windscribe 1.83 - 'WindscribeService' Unquoted Service Path"localwindows"Ethan Seow"
Release DateTitleTypePlatformAuthor
2020-04-24"Popcorn Time 6.2 - 'Update service' Unquoted Service Path"localwindows"Uriel Yochpaz"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48378/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.