Unquoted Service Path exploitation
By Dhruv Sharma
Introduction
• This exploitation technique is used to perform Privilege Escalation from a non-admin / non-root
user to a SYSTEM / Admin user. We will exploit the unquoted service path of a Windows service.
• Used with the Windows Operating System.
• Services running on the server can have a binary path that is:
  • Unquoted
  • Quoted
Introduction
Are all unquoted service paths vulnerable?
• A: No. If there are no spaces in the directory names, the path is not affected, i.e.
ProgramFiles [non vulnerable] || Program Files [vulnerable]
Service Path: C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe
In order to run SomeExecutable.exe, the system will interpret this path in the following order from
1 to 5.
Step 1: C:\Program.exe
Step 2: C:\Program Files\A.exe
Step 3: C:\Program Files\A Subfolder\B.exe
Step 4: C:\Program Files\A Subfolder\B Subfolder\C.exe
Step 5: C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe
If C:\Program.exe is not found, then C:\Program Files\A.exe would be executed. If C:\Program
Files\A.exe is not found, then C:\Program Files\A Subfolder\B.exe would be executed, and so on.
Tips
• Use the command below to search for services with an unquoted path (auto-start services outside C:\Windows whose path does not begin with a quote):
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
• Service name = Some Vulnerable Service
• Path name = C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe
• Display name = Some Vulnerable Service
• Start mode = Auto
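The search order from the Introduction slide and the wmic filter above, modelled in a small Python script. This is an added example, not code from the original slides: it builds a constructed sample of `wmic service get name,pathname,displayname,startmode` output (the service names, paths and column widths are made up for the example), parses the fixed-width table using the header offsets, applies the same filters as the one-liner (auto-start, not under C:\Windows\, not quoted), and for each remaining path with spaces lists every location Windows would try before the real executable. Those are the paths a defender must make sure standard users cannot write to; `quote_service_path` shows the remediated form of the path, which collapses the search to a single candidate.

```python
"""
Added example (not from the original slides): model the CreateProcess search
order for an unquoted service path and flag the auto-start services that the
wmic one-liner on the Tips slide is meant to surface.
"""
import re

# Constructed sample rows in the column order wmic prints (alphabetical:
# DisplayName, Name, PathName, StartMode). Names and paths are made up.
_ROWS = [
    ("DisplayName", "Name", "PathName", "StartMode"),
    ("Windows Update", "wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs", "Auto"),
    ("Quoted Service", "quotedsvc", r'"C:\Program Files\Quoted Vendor\service.exe"', "Auto"),
    ("Some Vulnerable Service", "somevulnsvc",
     r"C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe", "Auto"),
    ("NoSpaces Service", "nospacesvc", r"C:\ProgramFiles\Vendor\service.exe", "Auto"),
    ("Manual Unquoted", "manualsvc", r"C:\Program Files\Manual Vendor\service.exe", "Manual"),
]
# wmic emits fixed-width columns; the sample is padded the same way.
SAMPLE_WMIC_OUTPUT = "\n".join(f"{d:<24}{n:<14}{p:<76}{s}" for d, n, p, s in _ROWS) + "\n"

# The slide's second findstr drops everything under C:\Windows\.
SKIP_PREFIX = "C:\\Windows\\"


def parse_wmic_table(text):
    """Split fixed-width wmic output into dicts keyed by the header names."""
    lines = [line.rstrip() for line in text.splitlines() if line.strip()]
    header, rows = lines[0], lines[1:]
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [header[s:e].strip() for s, e in bounds]
    return [{n: row[s:e].strip() for n, (s, e) in zip(names, bounds)} for row in rows]


def split_service_path(pathname):
    """Return (exe_path, arguments, was_quoted) for a service PathName value."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        end = pathname.find('"', 1)
        return pathname[1:end], pathname[end + 1:].strip(), True
    # Unquoted: the binary runs up to the first ".exe" token, the rest are arguments.
    m = re.match(r"(.*?\.exe)(\s.*)?$", pathname, re.IGNORECASE)
    if m:
        return m.group(1), (m.group(2) or "").strip(), False
    return pathname, "", False


def search_order_candidates(exe_path):
    """Model how Windows resolves an unquoted path: at each space it tries the
    prefix with ".exe" appended before moving on, ending with the real binary.
    A path without spaces yields a single candidate (the ProgramFiles case)."""
    tokens = exe_path.split(" ")
    candidates = [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]
    candidates.append(exe_path)
    return candidates


def quote_service_path(pathname):
    """Remediated form: wrap the executable in quotes, keep any arguments."""
    exe, args, _ = split_service_path(pathname)
    return f'"{exe}"' + (f" {args}" if args else "")


def find_unquoted_services(wmic_output):
    """Apply the slide's filters and list the locations to audit for each hit."""
    findings = []
    for rec in parse_wmic_table(wmic_output):
        if rec["StartMode"].lower() != "auto":
            continue  # findstr /i auto (manual-start services are out of scope here)
        exe, _args, quoted = split_service_path(rec["PathName"])
        if quoted or exe.lower().startswith(SKIP_PREFIX.lower()):
            continue  # quoted paths are resolved unambiguously; C:\Windows\ is filtered
        candidates = search_order_candidates(exe)
        if len(candidates) == 1:
            continue  # unquoted but no spaces: nothing is tried before the real binary
        findings.append({
            "name": rec["Name"],
            "exe": exe,
            # Every path Windows tries first; standard users must not be able to create these.
            "paths_to_audit": candidates[:-1],
            "fixed_pathname": quote_service_path(rec["PathName"]),
        })
    return findings


if __name__ == "__main__":
    for finding in find_unquoted_services(SAMPLE_WMIC_OUTPUT):
        print(finding["name"], "->", finding["exe"])
        for path in finding["paths_to_audit"]:
            print("   would try first:", path)
        print("   fix:", finding["fixed_pathname"])
```

On a real host the output of the wmic command (or of `Get-CimInstance Win32_Service`) is fed to `find_unquoted_services` in place of the constructed sample; the paths in `paths_to_audit` are then checked with icacls to confirm that only administrators can create files at those locations.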
Lab Demo
• Step 1: We ran our command to find out any possible vulnerable services. Only the
last 3 services are not quoted – Some Vulnerable Service, Babi Service & myBabi
Service.
Lab Demo
• Check the services. This service is configured for Auto Start, which
means it will try to start automatically after a reboot.
Lab Demo
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7
Lab Demo
• Step 2: In this case we will try to exploit it. Let's check if our user has
privileges on the path. The folder has Write privileges, which are inherited from the
parent folder.
Lab Demo
• Step 3: We analyzed the directory and placed babi.exe (reverse shell
payload) as shown below.
Lab Demo
• Finally we start the application. It is not important for us that the
service itself runs; what matters is that Windows walks through the path.
Create your own vulnerable Service
• Create your own service for dhruv.exe
• Provide write access to the Dhruv Sharma directory
icacls "C:\Program Files\A Subfolder" /grant "BUILTIN\Users":(F) /t [full access, applied recursively]
icacls "C:\Program Files\A Subfolder" /grant "BUILTIN\Users":W [write access]
References
• https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae