@@ -0,0 +1,82 @@
+---
+title: Exploiting Vulnerable Windows Services
+categories: [cheatsheets]
+tags: [topic, windows, security]
+---
+
+# Exploiting Vulnerable Windows Services
+
+## Resources on Windows Service Exploitation
+
+* [Steam Client 0day](https://amonitoring.ru/article/onemore_steam_eop_0day/)
+* [Task Scheduler RPC Vulnerability](https://www.exploit-db.com/exploits/45280)
+
+
+## Inter Process Communication (IPC)
+
+1) Named Pipes
+2) Advanced Procedure Calls (APC)
+3) ...
+
+### Named Pipes
+
+* Named Pipes communicate via SMB
+* For every Named Pipe, the process maintains a handle which can be seen in ProcessExplorer (Sysinternals).
+ * Can be recognized by the name: `\Device\NamedPipe\<name>`
+
+* Creating a basic Named Pipe:
+
+```
+#include "pch.h"
+#include <Windows.h>
+#include <iostream>
+
+int main() {
+ LPCWSTR pipeName = L"\\\\.\\pipe\\mantvydas-first-pipe";
+ BOOL isPipeOpen;
+
+ HANDLE serverPipe = CreateNamedPipe(pipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE, 1, 2048, 2048, 0, NULL);
+
+ BOOL isPipeConnected = ConnectNamedPipe(serverPipe, NULL);
+ if (isPipeConnected) {
+ std::wcout << "Incoming connection to " << pipeName << std::endl;
+ }
+}
+```
+* -> Check the inputs for CreateNamedPipe() or ConnectNamePipe() while reversing.
+
+* For tasks without elevated privileges, the server can impersonate the clients token when communicating using `ImpersonateNamedPipeClient()`.
+
+
+
+### (Advanced/Local/Remote-) Procedure Calls
+
+* ALPC's are not directly available via the Windows API
+ * But used by Remote Procedure Calls and Local Procedure Calls internally (available via Windows API)
+* Used for fast inter-process communication
+
+#### Possible Vulnerabilities:
+
+1) Enumerate LPC/RPC calls from elevated services
+2) Reverse the LPC interfaces/endpoints
+3) Issue: Service should impersonate before executing something sensitive
+4) Check for changed ACL rules, executed files, read/write operations etc.
+
+
+## DLL Load Ordner Hijacking
+
+* Can be detected by using ProcMon.exe (Sysinternals)
+* Set Filters to:
+ * Path endswith ".dll"
+ * Path endswith ".DLL"
+ * Result contains "NOT FOUND"
+ * Operation is "CreateFile"
+ * Operation is "OpenFile"
+* **Required:** Writable directory in the %PATH% variable.
+
+
+
+
+
+
+
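Review bot: The sample under "Creating a basic Named Pipe" passes serverPipe to ConnectNamedPipe() without checking whether CreateNamedPipe() failed (it returns INVALID_HANDLE_VALUE, not NULL), and the handle is never closed; add `if (serverPipe == INVALID_HANDLE_VALUE) { std::wcerr << L"CreateNamedPipe failed: " << GetLastError() << std::endl; return 1; }` after the create call and `CloseHandle(serverPipe);` at the end. Since the bullet right below tells the reader to check the inputs of these two calls while reversing, it would help to say what to look at: the lpSecurityAttributes argument is NULL here, so the pipe gets the default DACL, and a privileged service that creates its pipe the same way is exactly the situation where the later ImpersonateNamedPipeClient() remark matters. Smaller points in the same block: the fence has no language tag and should be ```cpp; `#include "pch.h"` is a Visual Studio precompiled-header stub that will not build outside that project; "ConnectNamePipe()" should read "ConnectNamedPipe()"; "clients token" should be "client's token", and that sentence has the roles reversed: the server impersonates the client so that work runs with the client's (lower) privileges, and the bug class this cheatsheet is hunting is a privileged server that performs a sensitive operation without impersonating first. In the IPC list, "Advanced Procedure Calls (APC)" collides with the ALPC heading that follows: on Windows, APC means Asynchronous Procedure Call, an unrelated mechanism, so the item should read "Advanced Local Procedure Calls (ALPC)". "Named Pipes communicate via SMB" holds only for remote pipes (\\server\pipe\name); local pipe I/O goes through the npfs driver, which is worth stating since a local service is the usual subject of this page. Finally, "DLL Load Ordner Hijacking" is a typo for "Order", and the two ProcMon path filters for ".dll" and ".DLL" are redundant because ProcMon's filter matching is case-insensitive.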