function Get-ServiceEXEPerms {
<#
.SYNOPSIS
Lists services whose executable the current user can open for writing.
.DESCRIPTION
Enumerates Win32_Service instances through WMI, skips entries with no path
or a path under system32, cuts the executable out of the command line and
attempts to open it with write access. A service is reported when that open
succeeds, or when it fails only because the file is in use by another
process. A hit means the binary's ACL should be tightened.
Caveats visible in the implementation:
- The ".exe" search is case-sensitive; a command line spelled ".EXE" yields
  a malformed path and the service is typically skipped without any output.
- The "by another process" test matches the English exception text only.
- NisSrv.exe and MsMpEng.exe are excluded as known false positives.
- The probe opens the binary for write access (no bytes are written); with
  a SACL in place such opens may show up in object-access audit logs.
.OUTPUTS
System.Collections.Specialized.OrderedDictionary with keys ServiceName and
Path (the full original command line), one per reported service.
.EXAMPLE
> $services = Get-ServiceEXEPerms
Collect the services whose binary is writable by the current user.
#>
  # Helper: build the {ServiceName, Path} record emitted for a hit.
  function New-HitRecord($svc) {
    $record = New-Object System.Collections.Specialized.OrderedDictionary
    $record.Add('ServiceName', $svc.name)
    $record.Add('Path', $svc.pathname)
    return $record
  }

  # Anything under system32 is excluded up front (-notmatch is case-insensitive).
  $candidates = Get-WmiObject win32_service |
    Where-Object { $_ } |
    Where-Object { ($null -ne $_.pathname) -and ($_.pathname -notmatch ".*system32.*") }

  if (-not $candidates) { return }

  foreach ($svc in $candidates) {
    try {
      # Drop arguments and quotes; keep everything up to and including ".exe".
      $exeEnd = $svc.pathname.IndexOf(".exe") + 4
      $exe = $svc.pathname.Substring(0, $exeEnd).Replace('"', "")

      # Two Defender binaries are known false positives and are skipped.
      $isExcluded = $exe.Contains("NisSrv.exe") -or $exe.Contains("MsMpEng.exe")
      if ((Test-Path $exe) -and (-not $isExcluded)) {
        # Open for write and close at once: success means the ACL permits modification.
        $handle = (Get-Item $exe -Force).OpenWrite()
        $handle.Close() | Out-Null
        New-HitRecord $svc
      }
    }
    catch {
      # A sharing violation still implies write access; any other error is ignored.
      if ($_.ToString().Contains("by another process")) {
        New-HitRecord $svc
      }
    }
  }
}