It might be a fun experiment to see what DLLs they're looking for :.)
-Travis

On Sun, Sep 25, 2011 at 2:57 PM, <[email protected]> wrote:

> To replace a service executable you usually need administrator access
> anyway.
>
>
> ------Original Message------
> From: Madhur Ahuja
> Sender: [email protected]
> To: [email protected]
> To: [email protected]
> Subject: [Full-disclosure] Privilege escalation on Windows using
> BinaryPlanting
> Sent: 25 Sep 2011 19:31
>
> Imagine a situation where I have a Windows system with restricted
> user access and want to get Administrator access.
>
> There are many services in Windows which run with the SYSTEM account.
>
> If there exists even one such service whose executable is not
> protected by Windows File Protection, isn't it possible to execute
> malicious code (such as gaining Administrator access) simply by
> replacing the service executable with a malicious one and then
> restarting the service?
>
> As a restricted user, what's stopping me from doing this?
>
> Is there any integrity check performed by services.msc or the service
> itself before executing with the SYSTEM account?
>
> Madhur
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> Sent from my POS BlackBerry wireless device, which may wipe itself at any
> moment

--
Twitter <https://twitter.com/tbiehn> | LinkedIn <http://www.linkedin.com/in/travisbiehn> | GitHub <http://github.com/tbiehn> | TravisBiehn.com <http://www.travisbiehn.com>
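An added example, not part of the original thread: a read-only PowerShell audit an administrator can run to find the condition the thread discusses, namely a service executable, or the folder it loads from, that grants write-type access to someone other than SYSTEM, Administrators or TrustedInstaller. The trusted SID list, the path-parsing heuristic and the helper names Get-ServiceImagePath and Get-WeakAce are assumptions made for this example.

```powershell
# Added example, not from the thread. Read-only audit: it changes nothing.
# Principals expected to hold write access to service binaries (assumed baseline).
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)
# Rights that allow altering or replacing a file, or creating files in a folder.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int]$rights -bor 0x10000000 -bor 0x40000000  # plus GENERIC_ALL, GENERIC_WRITE
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-ServiceImagePath([string]$PathName) {
    # Heuristic: a quoted path wins; otherwise take everything up to the first ".exe".
    $expanded = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

function Get-WeakAce([string]$Path) {
    # Return Allow ACEs that give an untrusted SID write-type access to $Path.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }  # applies to children only
        if ($trustedSids -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { $ace }
    }
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceImagePath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
    foreach ($target in @($exe, (Split-Path -Path $exe -Parent))) {
        try { $weak = @(Get-WeakAce $target) } catch { continue }  # unreadable ACL: skip
        foreach ($ace in $weak) {
            [pscustomobject]@{
                Service = $svc.Name
                RunsAs  = $svc.StartName
                Target  = $target
                Sid     = $ace.IdentityReference.Value
                Rights  = $ace.FileSystemRights
            }
        }
    }
}
```

Each row of output is an ACL entry to review and tighten; no output means no such entry was found on the paths that could be read.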
