Commit

Update README.md
brightio authored Jan 31, 2022
1 parent a282ade commit ff57542
Showing 1 changed file with 5 additions and 5 deletions.
10 changes: 5 additions & 5 deletions Windows/README.md
Expand Up @@ -73,13 +73,13 @@ __How to exploit__:
* Replace the legitimate service by our own, restart it or check how it's triggered (at reboot, when another process is started, etc.).

* The service is running and could not be stopped:
* Most exploitation will be like that, checks for dll hijacking and try to restart the service using previous technics.
* Most exploitation will be like that, checks for dll hijacking and try to restart the service using previous techniques.


Writable directory on %PATH%
----

This technic affects the following Windows version:
This technique affects the following Windows version:
```
6.0 => Windows Vista / Windows Server 2008
6.1 => Windows 7 / Windows Server 2008 R2
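Review bot: the spelling fix on the "Most exploitation will be like that" line leaves the rest of that sentence ungrammatical (`checks for dll hijacking and try to restart`); suggest `* Most exploitation will be like that: check for DLL hijacking and try to restart the service using the previous techniques.` In the unchanged context just below, `This technique affects the following Windows version:` introduces a list of several versions, so it should read `versions`.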
Expand All @@ -96,10 +96,10 @@ On a classic Windows installation, when DLLs are loaded by a binary, Windows wou
- Directory present in %PATH% environment variable
```

If a directory on the __%PATH%__ variable is writable, it would be possible to realize DLL hijacking attacks. Then, the goal would be to find a service which loads a DLL not present on each of these path. This is the case of the default "__IKEEXT__" service which loads the inexistant "__wlbsctrl.dll__".
If a directory on the __%PATH%__ variable is writable, it would be possible to realize DLL hijacking attacks. Then, the goal would be to find a service which loads a DLL not present on each of these path. This is the case of the default "__IKEEXT__" service which loads the non existent "__wlbsctrl.dll__".

__How to exploit__: Create a malicious DLL called "_wlbsctrl.dll_" (use the [DLL template](https://github.com/AlessandroZ/BeRoot/tree/master/templates/DLL_Hijacking)) and add it to the writable path listed on the %PATH% variable. Start the service "_IKEEXT_".
To start the IKEEXT service without high privilege, a technic describe on the french magazine MISC 90 explains the following method:
To start the IKEEXT service without high privilege, a technique describe on the french magazine MISC 90 explains the following method:

Create a file as following:
```
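Review bot: `non existent` should be hyphenated as `non-existent`, and the same line still carries `realize DLL hijacking attacks` and `not present on each of these path`; suggest `it would be possible to perform DLL hijacking attacks` and `a DLL not present in any of these paths`. On the MISC 90 line, `a technique describe on the french magazine MISC 90` needs `a technique described in the French magazine MISC 90`.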
Expand Down Expand Up @@ -206,7 +206,7 @@ Beroot lists all privileges we have and highlight if we have one of these tokens
__How to exploit__: Everything is well explained on __Andrea Pierini__'s [pdf](https://github.com/AlessandroZ/BeRoot/blob/master/Windows/templates/RomHack%202018%20-%20Andrea%20Pierini%20-%20whoami%20priv%20-%20show%20me%20your%20Windows%20privileges%20and%20I%20will%20lead%20you%20to%20SYSTEM.pdf).


Local account with's empty password
Local account with empty password
----

All local accounts are tested to detect empty password.
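Review bot: with the heading corrected, the remaining sentence `All local accounts are tested to detect empty password.` should read `empty passwords`; in the hunk's first context line, `Beroot lists all privileges we have and highlight` should be `highlights` to agree with `lists`.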

0 comments on commit ff57542
