  1. function Get-ServiceEXEPerms {
  2. <#
  3. .SYNOPSIS
  4. Returns the name and path for any service where the current
  5. user can write to the associated binary.
  6.  
  7. .DESCRIPTION
  8. This function finds all services where the current user can
  9. write to the associated binary. If the associated binary is
  10. overwritten, privileges may be able to be escalated.
  11.  
  12. .OUTPUTS
  13. System.Collections.Specialized.OrderedDictionary.
  14. A set of {name, binaryPath} for each vulnerable service.
  15.  
  16. .EXAMPLE
  17. > $services = Get-ServiceEXEPerms
  18. Get a set of potentially exploitable services.
  19. #>
  20.  
  21. # get all paths to service executables that aren't in C:\Windows\System32\*
  22. $services = gwmi win32_service | ?{$_} | where {($_.pathname -ne $null) -and ($_.pathname -notmatch ".*system32.*")}
  23.  
  24. if ($services) {
  25. # try to open each for writing, print the name if successful
  26. foreach ($service in $services){
  27. try{
  28. # strip out any arguments and get just the executable
  29. $path = ($service.pathname.Substring(0, $service.pathname.IndexOf(".exe") + 4)).Replace('"',"")
  30.  
  31. # exclude these two false-positive binaries
  32. if ($(Test-Path $path) -and $(-not $path.Contains("NisSrv.exe")) -and $(-not $path.Contains("MsMpEng.exe"))) {
  33. # try to open the file for writing, immediately closing it
  34. $file = Get-Item $path -Force
  35. $stream = $file.OpenWrite()
  36. $stream.Close() | Out-Null
  37.  
  38. $out = New-Object System.Collections.Specialized.OrderedDictionary
  39. $out.add('ServiceName', $service.name)
  40. $out.add('Path', $service.pathname)
  41. $out
  42. }
  43. }
  44. catch{
  45. # if we have access but it's open by another process, return it
  46. if (($_.ToString()).contains("by another process")){
  47. $out = New-Object System.Collections.Specialized.OrderedDictionary
  48. $out.add('ServiceName', $service.name)
  49. $out.add('Path', $service.pathname)
  50. $out
  51. }
  52. }
  53. }
  54. }
  55. }