From 7964823e3f398c41a7ad1c0e8c4c28c0806a9c0d Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Wed, 14 Dec 2016 11:53:29 -0500 Subject: Added documentation for PowerUp --- docs/Privesc/Write-ServiceBinary.md | 191 ++++++++++++++++++++++++++++++++++++ 1 file changed, 191 insertions(+) create mode 100755 docs/Privesc/Write-ServiceBinary.md (limited to 'docs/Privesc/Write-ServiceBinary.md') diff --git a/docs/Privesc/Write-ServiceBinary.md b/docs/Privesc/Write-ServiceBinary.md new file mode 100755 index 0000000..7d588a5 --- /dev/null +++ b/docs/Privesc/Write-ServiceBinary.md @@ -0,0 +1,191 @@ +# Write-ServiceBinary + +## SYNOPSIS +Patches in the specified command to a pre-compiled C# service executable and +writes the binary out to the specified ServicePath location. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Write-ServiceBinary [-Name] [-UserName ] [-Password ] [-LocalGroup ] + [-Credential ] [-Command ] [-Path ] +``` + +## DESCRIPTION +Takes a pre-compiled C# service binary and patches in the appropriate commands needed +for service abuse. +If a -UserName/-Password or -Credential is specified, the command +patched in creates a local user and adds them to the specified -LocalGroup, otherwise +the specified -Command is patched in. +The binary is then written out to the specified +-ServicePath. +Either -Name must be specified for the service, or a proper object from +Get-Service must be passed on the pipeline in order to patch in the appropriate service +name the binary will be running under. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Write-ServiceBinary -Name VulnSVC +``` + +Writes a service binary to service.exe in the local directory for VulnSVC that +adds a local Administrator (john/Password123!). + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Service VulnSVC | Write-ServiceBinary +``` + +Writes a service binary to service.exe in the local directory for VulnSVC that +adds a local Administrator (john/Password123!). + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Write-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john' +``` + +Writes a service binary to service.exe in the local directory for VulnSVC that adds +TESTLAB\john to the Administrators local group. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Write-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123! +``` + +Writes a service binary to service.exe in the local directory for VulnSVC that +adds a local Administrator (backdoor/Password123!). + +### -------------------------- EXAMPLE 5 -------------------------- +``` +Write-ServiceBinary -Name VulnSVC -Command "net ..." +``` + +Writes a service binary to service.exe in the local directory for VulnSVC that +executes a custom command. + +## PARAMETERS + +### -Name +The service name the EXE will be running under. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServiceName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -UserName +The \[domain\\\]username to add. +If not given, it defaults to "john". +Domain users are not created, only added to the specified localgroup. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: John +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Password +The password to set for the added user. +If not given, it defaults to "Password123!" + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Password123! +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LocalGroup +Local group name to add the user to (default of 'Administrators'). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Administrators +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object specifying the user/password to add. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Command +Custom command to execute instead of user creation. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Path +Path to write the binary out to, defaults to 'service.exe' in the local directory. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: "$(Convert-Path .)\service.exe" +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.ServiceBinary + +## NOTES + +## RELATED LINKS + -- cgit v1.2.3