Eagle Speed USB MODEM SOFTWARE Privilege Escalation

[Rio Sherri <rio.sherri () fshnstudent info>]

# Vulnerability Description:
# When the Eagle Speed software is installed a service with name ZDServ is
installed.
# The service itself has the right permissions which do not allow to
reconfigure the binary
# but the path the binary is writable by any authenticated user.
#
# C:\Users\lowpriv>sc qc zdserv
# [SC] QueryServiceConfig SUCCESS
#
# SERVICE_NAME: zdserv
#        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
#        START_TYPE         : 2   AUTO_START
#        ERROR_CONTROL      : 1   NORMAL
#        BINARY_PATH_NAME   : "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
#        LOAD_ORDER_GROUP   :
#        TAG                : 0
#        DISPLAY_NAME       : ZDServ
#        DEPENDENCIES       :
#        SERVICE_START_NAME : LocalSystem
#
#
#
# C:\Users\lowpriv>icacls "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
# C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe Everyone:(I)(F) <-----------
Everyone has full permissions.
#                                           NT AUTHORITY\SYSTEM:(I)(F)
#                                           BUILTIN\Administrators:(I)(F)
#                                          Victim-PC\lowpriv:(I)(F)
#                                           BUILTIN\Users:(I)(RX)
#
# Successfully processed 1 files; Failed processing 0 files
#
# This exploit takes as a parameter an exe file that will replace the
ZDServ.exe and will run
# with full privileges when the service/computer is restarted.
#
# Video : https://youtu.be/o59SD8gXzlU
#
Exploit is attached.

Attachment: exploit.py
Description:

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/