Full Disclosure mailing list archives
Eagle Speed USB MODEM SOFTWARE Privilege Escalation
From: Rio Sherri <rio.sherri () fshnstudent info>
Date: Mon, 28 Nov 2016 23:42:19 +0100
# Vulnerability Description:
# When the Eagle Speed software is installed, a service with the name ZDServ is installed.
# The service itself has the right permissions, which do not allow reconfiguring the binary,
# but the path of the binary is writable by any authenticated user.
#
# C:\Users\lowpriv>sc qc zdserv
# [SC] QueryServiceConfig SUCCESS
#
# SERVICE_NAME: zdserv
#         TYPE               : 110  WIN32_OWN_PROCESS (interactive)
#         START_TYPE         : 2   AUTO_START
#         ERROR_CONTROL      : 1   NORMAL
#         BINARY_PATH_NAME   : "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
#         LOAD_ORDER_GROUP   :
#         TAG                : 0
#         DISPLAY_NAME       : ZDServ
#         DEPENDENCIES       :
#         SERVICE_START_NAME : LocalSystem
#
#
#
# C:\Users\lowpriv>icacls "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
# C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe Everyone:(I)(F)  <----------- Everyone has full permissions.
#                                            NT AUTHORITY\SYSTEM:(I)(F)
#                                            BUILTIN\Administrators:(I)(F)
#                                            Victim-PC\lowpriv:(I)(F)
#                                            BUILTIN\Users:(I)(RX)
#
# Successfully processed 1 files; Failed processing 0 files
#
# This exploit takes as a parameter an exe file that will replace the ZDServ.exe and will run
# with full privileges when the service/computer is restarted.
#
# Video : https://youtu.be/o59SD8gXzlU
# Exploit is attached.
Attachment:
exploit.py
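
An added audit example, not part of the original post or its attachment: this Python parses `icacls` output like the listing above and reports principals outside a trusted set that hold write-capable rights on a service binary. The trusted set, the rights list and the function names are assumptions made for illustration; the sample is the advisory's listing with the "# " prefixes and the annotation removed.

```python
import re

# Constructed sample: the icacls listing quoted in the advisory, "# " prefixes removed.
SAMPLE = r"""C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe Everyone:(I)(F)
                                           NT AUTHORITY\SYSTEM:(I)(F)
                                           BUILTIN\Administrators:(I)(F)
                                           Victim-PC\lowpriv:(I)(F)
                                           BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
SERVICE_BINARY = r"C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"

# Assumption: only these principals should hold write access to a LocalSystem service binary.
TRUSTED = {r"nt authority\system", r"builtin\administrators", r"nt service\trustedinstaller"}
# icacls simple and specific rights that allow replacing or re-permissioning a file.
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "WD", "AD", "WDAC", "WO", "GA", "GW"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^()]*\))+)$")

def parse_icacls(output, path):
    """Return (principal, rights, is_deny) tuples from `icacls <path>` output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # the first ACE shares the path's line
        m = ACE_RE.match(line)
        if not m:
            continue                          # blank line or the summary line
        tokens = set()
        for group in re.findall(r"\(([^()]*)\)", m["groups"]):
            tokens.update(t.strip().upper() for t in group.split(","))
        deny = "DENY" in tokens
        rights = tokens - INHERIT_FLAGS - {"DENY"}
        aces.append((m["who"], rights, deny))
    return aces

def risky_writers(output, path):
    """Principals outside TRUSTED with an allow ACE that permits modifying the file."""
    return sorted(who for who, rights, deny in parse_icacls(output, path)
                  if not deny and who.lower() not in TRUSTED and rights & WRITE_RIGHTS)

if __name__ == "__main__":
    for who in risky_writers(SAMPLE, SERVICE_BINARY):
        print(f"[!] {who} can modify {SERVICE_BINARY}")
```

On a live host, pass it the `icacls` output for each `BINARY_PATH_NAME` that `sc qc` reports for services whose `SERVICE_START_NAME` is LocalSystem.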