private static extern IntPtr CreateService(
IntPtr hSCManager,
string lpServiceName,
string lpDisplayName,
ServiceAccessRights dwDesiredAccess,
int dwServiceType,
ServiceBootFlag dwStartType,
ServiceError dwErrorControl,
string lpBinaryPathName,
string lpLoadOrderGroup,
IntPtr lpdwTagId,
string lpDependencies,
string lp,
string lpPassword);
/// <summary>
/// Constructs a ServiceAccessEntry to represent a simplified ACE entry for a service
/// </summary>
public ServiceAccessEntry(WellKnownSidType sid, AceQualifier qualifier, ServiceAccessRights accessMask)
{
Sid = sid;
Qualifier = qualifier;
AccessMask = accessMask;
}
static extern IntPtr OpenService(IntPtr hSCManager, string lpServiceName, ServiceAccessRights dwDesiredAccess);
internal static extern SafeServiceHandle OpenService(
SafeServiceHandle hSCManager,
string lpServiceName,
ServiceAccessRights dwDesiredAccess
);
private static extern IntPtr OpenService(IntPtr hScManager, string serviceNam, ServiceAccessRights desiredAccess);
public static extern IntPtr OpenService(
IntPtr hSCManager,
string serviceName,
ServiceAccessRights desiredAccess);
static void Main(string[] args)
{
bool show_help = false;
int pid = Process.GetCurrentProcess().Id;
bool show_write_only = false;
bool print_sddl = false;
bool dump_triggers = false;
bool dump_scm = false;
ServiceAccessRights service_rights = 0;
bool quiet = false;
bool map_to_generic = false;
try
{
OptionSet opts = new OptionSet()
{
{ "sddl", "Print full SDDL security descriptors", v => print_sddl = v != null },
{ "p|pid=", "Specify a PID of a process to impersonate when checking", v => pid = int.Parse(v.Trim()) },
{ "w", "Show only write permissions granted", v => show_write_only = v != null },
{ "k=", String.Format("Filter on a specific right [{0}]",
String.Join(",", Enum.GetNames(typeof(ServiceAccessRights)))),
v => service_rights |= ParseRight <ServiceAccessRights>(v) },
{ "t", "Dump trigger information for services", v => dump_triggers = v != null },
{ "scm", "Dump SCM security information", v => dump_scm = v != null },
{ "g", "Map access mask to generic rights.", v => map_to_generic = v != null },
{ "q", "Don't print our errors", v => quiet = v != null },
{ "h|help", "show this message and exit", v => show_help = v != null },
};
List <string> service_names = opts.Parse(args);
if (show_help)
{
ShowHelp(opts);
}
else
{
if (service_names.Count == 0)
{
service_names.AddRange(ServiceController.GetServices().Select(s => s.ServiceName));
}
using (NtToken token = NtToken.OpenProcessToken(pid))
{
using (SafeServiceHandle scm = OpenSCManager(null, null,
ServiceControlManagerAccessRights.Connect | ServiceControlManagerAccessRights.ReadControl))
{
if (dump_scm)
{
SecurityDescriptor sd = GetServiceSecurityDescriptor(scm);
AccessMask granted_access = GetGrantedAccess(sd, token, AccessMask.Empty,
GetSCMGenericMapping());
Console.WriteLine("SCM Granted Access: {0:X08} {1}",
granted_access, GrantedAccessToString(granted_access, true, map_to_generic));
if (print_sddl)
{
Console.WriteLine("SCM SDDL: {0}", sd.ToSddl());
}
}
foreach (string name in service_names)
{
try
{
DumpService(scm, name, token, service_rights,
show_write_only, print_sddl, dump_triggers,
map_to_generic);
}
catch (Exception ex)
{
if (!quiet)
{
Console.Error.WriteLine("Error querying service: {0} - {1}", name, ex.Message);
}
}
}
}
}
}
}
catch (Exception e)
{
Console.Error.WriteLine(e.Message);
}
}
public static extern SafeServiceHandle OpenService(
SafeServiceHandle hSCManager,
string lpServiceName,
ServiceAccessRights dwDesiredAccess);
public ServiceAccessRule(IdentityReference identity, ServiceAccessRights rights, AccessControlType type) :
base(identity, (int)rights, false, InheritanceFlags.None, PropagationFlags.None, type)
{
ServiceAccessRights = rights;
}
private static extern IntPtr OpenService(IntPtr hScManager, string serviceNam, ServiceAccessRights desiredAccess);
private static extern IntPtr CreateService(IntPtr hScManager, string serviceName, string displayName,
ServiceAccessRights desiredAccess, ServiceType serviceType,
ServiceStartMode startType, ServiceErrorControl errorControl,
string binaryPathName, string loadOrderGroup, IntPtr tagId,
string dependencies, string serviceStartName, string password);
private static extern IntPtr OpenService(IntPtr serviceControlManager, string serviceName, ServiceAccessRights desiredAccess);
private static extern IntPtr CreateService(IntPtr h_sc_manager, string lp_service_name, string lp_display_name, ServiceAccessRights dw_desired_access, int dw_service_type, ServiceBootFlag dw_start_type, ServiceError dw_error_control, string lp_binary_path_name, string lp_load_order_group, IntPtr lp_dw_tag_id, string lp_dependencies, string lp, string lp_password);
static extern IntPtr OpenService(IntPtr h_sc_manager, string lp_service_name, ServiceAccessRights dw_desired_access);
/// <summary>
/// Calls the Win32 OpenService function and performs error checking.
/// </summary>
/// <exception cref="ComponentModel.Win32Exception">"Unable to open the requested Service."</exception>
private IntPtr OpenService(string serviceName, ServiceAccessRights desiredAccess)
{
// Open the service
IntPtr service = NativeMethods.OpenService(
SCManager,
serviceName,
desiredAccess);
// Verify if the service is opened
if (service == IntPtr.Zero)
{
throw new Win32Exception(Marshal.GetLastWin32Error(), "Unable to open the requested Service.");
}
return service;
}
public static extern SafeServiceHandle CreateService(
SafeServiceHandle hSCManager,
string lpServiceName,
string lpDisplayName,
ServiceAccessRights dwDesiredAccess,
ServiceType dwServiceType,
ServiceStart dwStartType,
ServiceError dwErrorControl,
string lpBinaryPathName,
string lpLoadOrderGroup,
string lpdwTagId,
string lpDependencies,
string lpServiceStartName,
string lpPassword);
public ServiceAccessRule(IdentityReference identity, ServiceAccessRights accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AccessControlType type)
: base(identity, (int)accessMask, isInherited, inheritanceFlags, propagationFlags, type)
{
}
private static ServiceObject GetServiceObject(string serviceName, ScmAccessRights scmRights, ServiceAccessRights serviceRights, bool throwException = true)
{
var scm = GetScManagerPtr(scmRights);
var service = OpenService(scm, serviceName, serviceRights);
if (service == IntPtr.Zero)
{
if (throwException)
{
throw new ApplicationException("Service not installed.");
}
}
return(new ServiceObject(scm, service));
}
public static extern IntPtr OpenService(SCMHandle hSCManager, string lpServiceName, ServiceAccessRights dwDesiredAccess);
public static void GetModifiableServices()
{
// finds any services that the current can modify (or modify the parent folder)
// modified from https://stackoverflow.com/questions/15771998/how-to-give-a-user-permission-to-start-and-stop-a-particular-service-using-c-sha/15796352#15796352
ServiceController[] scServices;
scServices = ServiceController.GetServices();
var GetServiceHandle = typeof(System.ServiceProcess.ServiceController).GetMethod("GetServiceHandle", BindingFlags.Instance | BindingFlags.NonPublic);
object[] readRights = { 0x00020000 };
ServiceAccessRights[] ModifyRights =
{
ServiceAccessRights.ChangeConfig,
ServiceAccessRights.WriteDac,
ServiceAccessRights.WriteOwner,
ServiceAccessRights.GenericAll,
ServiceAccessRights.GenericWrite,
ServiceAccessRights.AllAccess
};
Console.WriteLine("\r\n\r\n=== Modifiable Services ===\r\n");
foreach (ServiceController sc in scServices)
{
try
{
IntPtr handle = (IntPtr)GetServiceHandle.Invoke(sc, readRights);
ServiceControllerStatus status = sc.Status;
byte[] psd = new byte[0];
uint bufSizeNeeded;
bool ok = QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, 0, out bufSizeNeeded);
if (!ok)
{
int err = Marshal.GetLastWin32Error();
if (err == 122 || err == 0)
{ // ERROR_INSUFFICIENT_BUFFER
// expected; now we know bufsize
psd = new byte[bufSizeNeeded];
ok = QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, bufSizeNeeded, out bufSizeNeeded);
}
else
{
//throw new ApplicationException("error calling QueryServiceObjectSecurity() to get DACL for " + _name + ": error code=" + err);
continue;
}
}
if (!ok)
{
//throw new ApplicationException("error calling QueryServiceObjectSecurity(2) to get DACL for " + _name + ": error code=" + Marshal.GetLastWin32Error());
continue;
}
// get security descriptor via raw into DACL form so ACE ordering checks are done for us.
RawSecurityDescriptor rsd = new RawSecurityDescriptor(psd, 0);
RawAcl racl = rsd.DiscretionaryAcl;
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, racl);
WindowsIdentity identity = WindowsIdentity.GetCurrent();
foreach (System.Security.AccessControl.CommonAce ace in dacl)
{
if (identity.Groups.Contains(ace.SecurityIdentifier))
{
ServiceAccessRights serviceRights = (ServiceAccessRights)ace.AccessMask;
foreach (ServiceAccessRights ModifyRight in ModifyRights)
{
if ((ModifyRight & serviceRights) == ModifyRight)
{
ManagementObjectSearcher wmiData = new ManagementObjectSearcher(@"root\cimv2", String.Format("SELECT * FROM win32_service WHERE Name LIKE '{0}'", sc.ServiceName));
ManagementObjectCollection data = wmiData.Get();
foreach (ManagementObject result in data)
{
Console.WriteLine(" Name : {0}", result["Name"]);
Console.WriteLine(" DisplayName : {0}", result["DisplayName"]);
Console.WriteLine(" Description : {0}", result["Description"]);
Console.WriteLine(" State : {0}", result["State"]);
Console.WriteLine(" StartMode : {0}", result["StartMode"]);
Console.WriteLine(" PathName : {0}", result["PathName"]);
}
break;
}
}
}
}
}
catch (Exception ex)
{
// Console.WriteLine("Exception: " + ex);
}
}
}
public static extern ServiceHandle OpenService
(
ServiceControlManager serviceControlManager,
string serviceName,
ServiceAccessRights desiredAccess
);
private static extern IntPtr CreateService(IntPtr hScManager, string serviceName, string displayName,
ServiceAccessRights desiredAccess, ServiceType serviceType,
ServiceStartMode startType, ServiceErrorControl errorControl,
string binaryPathName, string loadOrderGroup, IntPtr tagId,
string dependencies, string serviceStartName, string password);
static extern System.IntPtr OpenService(
System.IntPtr hSCManager,
string serviceName,
ServiceAccessRights desiredAccess);
public static extern IntPtr CreateService(IntPtr hSCManager,
string lpServiceName, string lpDisplayName,
ServiceAccessRights dwDesiredAccess, ServiceType dwServiceType,
StartType dwStartType, ErrorControl dwErrorControl,
string lpBinaryPathName, string lpLoadOrderGroup, string lpdwTagId,
string lpDependencies, string lpServiceStartName, string lpPassword);
public ModifiableServices()
{
_name = "Modifiable Services";
ServiceController[] scServices;
scServices = ServiceController.GetServices();
var GetServiceHandle = typeof(System.ServiceProcess.ServiceController).GetMethod("GetServiceHandle", BindingFlags.Instance | BindingFlags.NonPublic);
object[] readRights = { 0x00020000 };
ServiceAccessRights[] ModifyRights =
{
ServiceAccessRights.ChangeConfig,
ServiceAccessRights.WriteDac,
ServiceAccessRights.WriteOwner,
ServiceAccessRights.GenericAll,
ServiceAccessRights.GenericWrite,
ServiceAccessRights.AllAccess
};
foreach (ServiceController sc in scServices)
{
try
{
IntPtr handle = (IntPtr)GetServiceHandle.Invoke(sc, readRights);
ServiceControllerStatus status = sc.Status;
byte[] psd = new byte[0];
uint bufSizeNeeded;
bool ok = QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, 0, out bufSizeNeeded);
if (!ok)
{
int err = Marshal.GetLastWin32Error();
if (err == 122 || err == 0)
{ // ERROR_INSUFFICIENT_BUFFER
// expected; now we know bufsize
psd = new byte[bufSizeNeeded];
ok = QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, bufSizeNeeded, out bufSizeNeeded);
}
else
{
//throw new ApplicationException("error calling QueryServiceObjectSecurity() to get DACL for " + _name + ": error code=" + err);
continue;
}
}
if (!ok)
{
//throw new ApplicationException("error calling QueryServiceObjectSecurity(2) to get DACL for " + _name + ": error code=" + Marshal.GetLastWin32Error());
continue;
}
// get security descriptor via raw into DACL form so ACE ordering checks are done for us.
RawSecurityDescriptor rsd = new RawSecurityDescriptor(psd, 0);
RawAcl racl = rsd.DiscretionaryAcl;
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, racl);
WindowsIdentity identity = WindowsIdentity.GetCurrent();
foreach (System.Security.AccessControl.CommonAce ace in dacl)
{
if ((identity.Groups.Contains(ace.SecurityIdentifier) || ace.SecurityIdentifier == identity.User) &&
ace.AceType == AceType.AccessAllowed)
{
ServiceAccessRights serviceRights = (ServiceAccessRights)ace.AccessMask;
foreach (ServiceAccessRights ModifyRight in ModifyRights)
{
if ((ModifyRight & serviceRights) == ModifyRight)
{
ManagementObjectSearcher wmiData = new ManagementObjectSearcher(@"root\cimv2", String.Format("SELECT * FROM win32_service WHERE Name LIKE '{0}'", sc.ServiceName));
ManagementObjectCollection data = wmiData.Get();
foreach (ManagementObject result in data)
{
_isVulnerable = true;
_details.Add($"Service '{result["Name"]}' (State: {result["State"]}, StartMode: {result["StartMode"]})");
}
break;
}
}
}
}
}
catch (Exception ex)
{
_details.Add($"[X] Exception: {ex.Message}");
}
}
}
static extern IntPtr OpenService(IntPtr hSCManager, string lpServiceName, ServiceAccessRights dwDesiredAccess);
public static extern IntPtr OpenService(
IntPtr hSCManager,
string serviceName,
ServiceAccessRights desiredAccess);
private static extern IntPtr CreateService(IntPtr hSCManager, string lpServiceName, string lpDisplayName, ServiceAccessRights dwDesiredAccess, int dwServiceType, ServiceBootFlag dwStartType, ServiceError dwErrorControl, string lpBinaryPathName, string lpLoadOrderGroup, IntPtr lpdwTagId, string lpDependencies, string lp, string lpPassword);
/// <summary>
/// Constructs a ServiceAccessEntry to represent a simplified ACE entry for a service
/// </summary>
public ServiceAccessEntry(WellKnownSidType sid, AceQualifier qualifier, ServiceAccessRights accessMask)
{
Sid = sid;
Qualifier = qualifier;
AccessMask = accessMask;
}
