Write-ServiceBinary
SYNOPSIS
Patches in the specified command to a pre-compiled C# service executable and writes the binary out to the specified ServicePath location.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
SYNTAX
Write-ServiceBinary [-Name] <String> [-UserName <String>] [-Password <String>] [-LocalGroup <String>]
[-Credential <PSCredential>] [-Command <String>] [-Path <String>]
DESCRIPTION
Takes a pre-compiled C# service binary and patches in the appropriate commands needed for service abuse. If a -UserName/-Password or -Credential is specified, the command patched in creates a local user and adds them to the specified -LocalGroup, otherwise the specified -Command is patched in. The binary is then written out to the specified -ServicePath. Either -Name must be specified for the service, or a proper object from Get-Service must be passed on the pipeline in order to patch in the appropriate service name the binary will be running under.
EXAMPLES
-------------------------- EXAMPLE 1 --------------------------
Writes a service binary to service.exe in the local directory for VulnSVC that adds a local Administrator (john/Password123!).
-------------------------- EXAMPLE 2 --------------------------
Writes a service binary to service.exe in the local directory for VulnSVC that adds a local Administrator (john/Password123!).
-------------------------- EXAMPLE 3 --------------------------
Writes a service binary to service.exe in the local directory for VulnSVC that adds TESTLAB\john to the Administrators local group.
-------------------------- EXAMPLE 4 --------------------------
Writes a service binary to service.exe in the local directory for VulnSVC that adds a local Administrator (backdoor/Password123!).
-------------------------- EXAMPLE 5 --------------------------
Writes a service binary to service.exe in the local directory for VulnSVC that executes a custom command.
PARAMETERS
-Name
The service name the EXE will be running under.
Type: String
Parameter Sets: (All)
Aliases: ServiceName
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
-UserName
The [domain\]username to add. If not given, it defaults to "john". Domain users are not created, only added to the specified localgroup.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: John
Accept pipeline input: False
Accept wildcard characters: False
-Password
The password to set for the added user. If not given, it defaults to "Password123!"
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: Password123!
Accept pipeline input: False
Accept wildcard characters: False
-LocalGroup
Local group name to add the user to (default of 'Administrators').
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: Administrators
Accept pipeline input: False
Accept wildcard characters: False
-Credential
A [Management.Automation.PSCredential] object specifying the user/password to add.
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: [Management.Automation.PSCredential]::Empty
Accept pipeline input: False
Accept wildcard characters: False
-Command
Custom command to execute instead of user creation.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Path
Path to write the binary out to, defaults to 'service.exe' in the local directory.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: "$(Convert-Path .)\service.exe"
Accept pipeline input: False
Accept wildcard characters: False
OUTPUTS
- PowerUp.ServiceBinary