POC details: aee73a67dd9374cd297e58a8352ab6253aecb437

Source
Related vulnerability
Title: Micro-Star International MSI Center security vulnerability (CVE-2022-38532)
Description: Micro-Star International MSI Center is a monitoring and management platform from Micro-Star International (MSI). All of your favourite features, such as Gaming Mode or Smart Priority, can be found on the Features page. MSI Center version 1.0.50.0 contains a security vulnerability: the C_Features component of its MSI.CentralServer.exe allows an attacker to escalate privileges by running a crafted executable.
Description
CVE-2022-38532 - Local Privilege Escalation vulnerability in MSI Center Application
Introduction
# CVE-2022-38532

### Local privilege escalation in MSI Center desktop application.

![CVE-2022-38532](https://github.com/nam3lum/msi-central_privesc/raw/main/media/MSI%20Center.png)

The vulnerability exists in the "C_Features" class of MSI.CentralServer.exe. MSI.CentralServer.exe is an application that gathers information about your system and collaborates with MSI.TerminalServer.exe. The ExecuteTask function, which we can reach through the "CMD_AutoUpdateSDK" command, lets us run an executable with custom parameters under administrative privileges. The related port is only reachable from localhost.

![Vulnerable process & port](https://github.com/nam3lum/msi-central_privesc/raw/main/media/MSI.CS-ps.jpg)

#### The vulnerability
You can easily disassemble MSI.CentralServer.exe with any .NET disassembler. Central Server itself listens on port 32682 on localhost, and the source of the command handler can be found in "C_Features". Look at the CMD_AutoUpdateSDK feature (the automatic updater of MSI Center) to see the vulnerability; this is the feature we abuse. It receives the user-supplied payload and splits it into several parts that become the command to execute and its custom parameters.
![Vulnerable feature](https://github.com/nam3lum/msi-central_privesc/raw/main/media/Vulnerable%20function.png)

This is the main function that the feature uses to execute the given PE with custom arguments:
![Main function](https://github.com/nam3lum/msi-central_privesc/raw/main/media/Main%20function.png)

### The port that MSI Central Server listens on was changed in version 1.0.59.0. It is now 32683.
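Before touching the service it helps to confirm which process owns the Central Server port and that it is indeed bound to loopback only, since a wildcard bind would expose the privileged handler beyond the local machine. The following script is an added example and is not part of the original PoC repository: it parses Windows `netstat -ano` output (a constructed sample is embedded; the PIDs in it are made up) and reports the two ports named above, 32682 before 1.0.59.0 and 32683 from 1.0.59.0 onward. It does not speak the Central Server protocol and exploits nothing.

```python
"""Locate the MSI Central Server loopback listener and confirm it is loopback-only.

Added example, not part of the original PoC repository. It parses the output
of Windows ``netstat -ano`` (captured live by the caller, or the constructed
sample below) and reports which PID owns the ports named in the write-up:
32682 before MSI Center 1.0.59.0, 32683 from 1.0.59.0 onward.
"""
import re
import subprocess
from typing import Dict, List, NamedTuple

# Port -> the MSI Center version range the write-up associates with it.
KNOWN_PORTS = {
    32682: "MSI Center before 1.0.59.0",
    32683: "MSI Center 1.0.59.0 and later",
}

# Constructed sample of ``netstat -ano`` output; the PIDs are made up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       956
  TCP    127.0.0.1:32682        0.0.0.0:0              LISTENING       4412
  TCP    127.0.0.1:32682        127.0.0.1:50211        ESTABLISHED     4412
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1204
"""


class Listener(NamedTuple):
    proto: str
    ip: str
    port: int
    pid: int


# proto, local ip, local port, foreign address, optional state, pid
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s+(\d+)\s*$")


def parse_listeners(netstat_text: str) -> List[Listener]:
    """Extract TCP sockets in LISTENING state from ``netstat -ano`` output."""
    rows: List[Listener] = []
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, ip, port, state, pid = m.groups()
        if proto != "TCP" or state != "LISTENING":
            continue
        rows.append(Listener(proto, ip.strip("[]"), int(port), int(pid)))
    return rows


def central_server_listeners(rows: List[Listener]) -> Dict[int, List[Listener]]:
    """Group the listeners on the known Central Server ports by port."""
    found: Dict[int, List[Listener]] = {p: [] for p in KNOWN_PORTS}
    for row in rows:
        if row.port in found:
            found[row.port].append(row)
    return found


def loopback_only(rows: List[Listener], port: int) -> bool:
    """True if there is a listener on ``port`` and every one is bound to loopback.

    A wildcard bind (0.0.0.0 or ::) would make the privileged handler reachable
    from the network; the write-up only observed the loopback bind.
    """
    bound = [r for r in rows if r.port == port]
    return bool(bound) and all(r.ip in ("127.0.0.1", "::1") for r in bound)


def report(netstat_text: str) -> List[str]:
    """Produce one finding line per known Central Server port."""
    rows = parse_listeners(netstat_text)
    by_port = central_server_listeners(rows)
    lines = []
    for port, label in sorted(KNOWN_PORTS.items()):
        owners = by_port[port]
        if not owners:
            lines.append(f"port {port} ({label}): no listener")
            continue
        pids = ",".join(str(r.pid) for r in owners)
        scope = "loopback only" if loopback_only(rows, port) else "NOT loopback only"
        lines.append(f"port {port} ({label}): LISTENING pid {pids}, {scope}")
    return lines


def live_netstat() -> str:
    """Run ``netstat -ano`` on the local Windows host (not used in the sample run)."""
    return subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Replace SAMPLE_NETSTAT with live_netstat() on an actual MSI Center host.
    for line in report(SAMPLE_NETSTAT):
        print(line)
```

On a real host, pair the reported PID with `tasklist /FI "PID eq <pid>"` to confirm it is MSI.CentralServer.exe; the script only attributes the port, it does not verify the image name.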

#### POC
You can generate your own payload, hex-encode it and run the script on the local computer. The PoC creates a user named "hacker" with the password "hacker123" and adds it to the Administrators group.

**Proof-of-Concept video:**
https://user-images.githubusercontent.com/64528432/188067866-f30fe089-db76-4cc0-81ce-f74871769b33.mp4
File snapshot

[4.0K] /data/pocs/aee73a67dd9374cd297e58a8352ab6253aecb437
├── [1015] exploit.py
├── [4.0K] media
│   ├── [ 25K] Main function.png
│   ├── [239K] MSI Center.png
│   ├── [ 24K] MSI.CS-ps.jpg
│   ├── [ 21M] PoC-video.mp4
│   └── [230K] Vulnerable function.png
├── [6.3M] msic_privesc.exe
└── [1.8K] README.md

1 directory, 8 files