I am learning about privilege escalation and dangerous service configurations on Windows.
Here is the thing:
- A service has a world-writable executable myservice.exe (baaaad idea).
- The service is running with system privileges.
- When you try to copy/replace myservice.exe while it is running, that will not work. (Permission Denied)
- However, when you first move the executable and then copy a second (evil) myservice.exe into the folder, Windows will not complain.
- Next time the service is restarted, the evil service.exe is executed
My question: What process keeps a handle on the myservice.exe to prevent me from deleting it? How can that same process allow me to move the file and continue functioning?
I tried to answer those questions myself using procmon.exe from the Sysinternals Suite, but so far I found nothing.