From cb27dd426ce2047ea41d2af2eb167e2db242701d Mon Sep 17 00:00:00 2001 From: B Date: Fri, 6 Jun 2014 16:29:04 +0200 Subject: [PATCH 1/2] Added Windows privesc tools and info about unquoted services --- privesc/windows/index.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/privesc/windows/index.md b/privesc/windows/index.md index 3186a55..06fa254 100644 --- a/privesc/windows/index.md +++ b/privesc/windows/index.md @@ -14,3 +14,33 @@ Command that can be executed from the context of a shell prompt that help escala * `net use \\[computername|IP] /user:DOMAIN\username password` * `net time \\[computername|IP]` * `at \\[computername|IP] 13:20 c:\temp\evil.bat` + +# Service security + +### Unquoted service names + +Services with unquoted binary paths may allow privilege escalation. + + * Assume ServiceA refers to the unquoted path C:\Program Files\Some Service\service.exe + * Service is started with desirable privileges (e.g. domain, SYSTEM) + * If attacker can create files as c:\Program.exe or ''c:\Program Files\Some.bat'' the next time the service starts the attacker controlled binary will execute + +# Tools + +* [Windows Privesc Check](https://code.google.com/p/windows-privesc-check/) + * Python + PyInstaller + * No unicode support ([attempt to fix this](https://github.com/silentsignal/wpc)) + * Awful code base +* [Windows Privesc Check 2.0](https://github.com/silentsignal/wpc/tree/wpc-2.0) + * Python + PyInstaller + * Code is still very hard to maintain + * Still painful to use on non-English systems +* [PowerUp](https://github.com/HarmJ0y/PowerUp) + * Smart PowerShell cmdlets (you can run these at remote hosts also!) + * Offensive approach + * Checks only the privileges of the executing user +* [WPC-PS](https://github.com/silentsignal/wpc-ps) + * PowerShell + * Tends to check privileges for all accounts (thus identifying potential targets for privesc) + * Still experimental + 
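Review bot: The heading `### Unquoted service names` in the "Service security" block is misnamed and mis-levelled: the bullets describe the unquoted binary *path* of a service, not its name, and the level jumps from `# Service security` straight to `###`; rename it "Unquoted service paths" and use `##`. In the same block the example path is written once as `C:\Program Files\Some Service\service.exe` and once as `''c:\Program Files\Some.bat''` with doubled single quotes, which is wiki markup and renders literally in Markdown; put each path in backticks, as the `net use` lines above already do, and keep the drive letter case consistent. The bullets under that heading are indented one space (` * Assume ...`) while the "Tools" list uses `* [...]` flush left; the two lists should use one style. Since the section only states that unquoted paths "may allow privilege escalation", it would also help the reader to add the remediation in one line: quote the path in the service's binary path and keep the directories along it non-writable by unprivileged users.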
From 812d63a63fdd29a8b3a80804c51e96b4fbe84105 Mon Sep 17 00:00:00 2001 From: B Date: Sat, 7 Jun 2014 10:55:06 +0200 Subject: [PATCH 2/2] Added clarification for unquoted Windows service paths --- privesc/windows/index.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/privesc/windows/index.md b/privesc/windows/index.md index 06fa254..a0c111c 100644 --- a/privesc/windows/index.md +++ b/privesc/windows/index.md @@ -24,6 +24,8 @@ Services with unquoted binary paths may allow privilege escalation. * Assume ServiceA refers to the unquoted path C:\Program Files\Some Service\service.exe * Service is started with desirable privileges (e.g. domain, SYSTEM) * If attacker can create files as c:\Program.exe or ''c:\Program Files\Some.bat'' the next time the service starts the attacker controlled binary will execute + * This is because the system can not decide if a space in the command string indicates a space in the binary path or a separator between command line arguments. The system starts with the first substring before the first space and checks if there is a file with an executable extension there (in this case C:\Program.exe, C:\Program.bat, etc.). If there is not, it checks for the next substring (C:\Program Files\Some.exe, C:\Program Files\Some.bat, etc.) and so on. If you can create a file that is checked before the intended executable, you win. + * The scenario is typical when services are created from the command line with sc: `sc create PrivEsc binpath= "..."` # Tools
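Review bot: The new explanatory bullet asserts that the loader tries `C:\Program.exe, C:\Program.bat, etc.` at each prefix, but gives no reference and leaves the extension list open-ended; the CreateProcess documentation is the source for this search order and it describes appending `.exe` to an extensionless first token, so link it and trim the list to what it documents rather than "etc.". The second bullet, `sc create PrivEsc binpath= "..."`, shows the command but not why it yields an unquoted path: the quotes around the value are consumed by the shell, so the stored path has none unless the inner quotes are escaped; a sentence saying so, plus the correctly quoted form for the page's own example path `C:\Program Files\Some Service\service.exe`, would turn this from a warning into a fix. Style: "can not" should be "cannot", and "command line arguments" should be hyphenated as "command-line arguments" to match "binary path".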