The Rotten Potato privilege escalation chain relies on the BITS service connecting to a man-in-the-middle listener on 127.0.0.1:6666, and it only works when the account you hold has the SeImpersonate or SeAssignPrimaryToken privilege. During a Windows build review we found a setup where BITS was intentionally disabled and port 6666 was already taken, so the original chain could not be used as-is.

For the theory, see Rotten Potato - Privilege Escalation from Service Accounts to SYSTEM and follow the chain of links and references.
Other than BITS, there are several COM servers we can abuse. They just need to implement the IMarshal interface.

Once a privileged token has been obtained from one of them, the new process can be created in one of three modes, depending on which privilege the current account holds:

- CreateProcessWithToken (needs SeImpersonate)
- CreateProcessAsUser (needs SeAssignPrimaryToken)
- both
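The following PowerShell script is an added example for this page; it is not code from the Rotten Potato project or from the tool the text describes. It checks, from the context you are assessing (for example a shell running as the service account), the preconditions the text lists: which of the two token privileges the current account holds and therefore which process-creation mode applies, whether the BITS service is running, and whether port 6666 is already bound by something else. It assumes `whoami /priv` and the NetTCPIP module (`Get-NetTCPConnection`, Windows 8 / Server 2012 and later) are available.

```powershell
# Added example, not part of the original page or project.
# Reports whether the token privileges, the BITS service and port 6666 that the
# BITS-based chain depends on are present in the current context.

function Get-TokenPrivilegeState {
    # Parse `whoami /priv`: one privilege per line, state in the last column.
    # A privilege listed as "Disabled" is still held by the token and can be
    # enabled; only a privilege missing from the list is truly unavailable.
    # (The state word is localized on non-English systems; the names are not.)
    $state = @{}
    whoami /priv | Select-String -Pattern '^Se\w+Privilege' | ForEach-Object {
        $fields = $_.Line -split '\s{2,}'
        $state[$fields[0]] = $fields[-1]
    }
    return $state
}

function Get-PotatoPreconditions {
    $privs = Get-TokenPrivilegeState
    $hasImpersonate   = $privs.ContainsKey('SeImpersonatePrivilege')
    $hasAssignPrimary = $privs.ContainsKey('SeAssignPrimaryTokenPrivilege')

    # Map the held privileges onto the three process-creation modes from the text.
    $mode = 'none: neither privilege is held, the chain does not apply'
    if ($hasImpersonate -and $hasAssignPrimary) { $mode = 'both' }
    elseif ($hasImpersonate)                    { $mode = 'CreateProcessWithToken' }
    elseif ($hasAssignPrimary)                  { $mode = 'CreateProcessAsUser' }

    # The original BITS-based chain needs the service and the hardcoded port.
    $bits = Get-Service -Name BITS -ErrorAction SilentlyContinue
    $bitsState = if ($null -ne $bits) { "$($bits.Status), StartType=$($bits.StartType)" } else { 'not installed' }

    $listener  = @(Get-NetTCPConnection -LocalPort 6666 -State Listen -ErrorAction SilentlyContinue)
    $portTaken = $listener.Count -gt 0
    $portOwner = $null
    if ($portTaken) {
        $proc = Get-Process -Id $listener[0].OwningProcess -ErrorAction SilentlyContinue
        $portOwner = "$($listener[0].LocalAddress):6666 held by PID $($listener[0].OwningProcess) ($($proc.ProcessName))"
    }

    [pscustomobject]@{
        User                          = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        SeImpersonatePrivilege        = if ($hasImpersonate)   { $privs['SeImpersonatePrivilege'] }        else { 'absent' }
        SeAssignPrimaryTokenPrivilege = if ($hasAssignPrimary) { $privs['SeAssignPrimaryTokenPrivilege'] } else { 'absent' }
        ProcessCreationMode           = $mode
        BitsService                   = $bitsState
        Port6666Taken                 = $portTaken
        Port6666Owner                 = $portOwner
        # True only when the original BITS/6666 chain has everything it needs;
        # a False here with a privilege still held is exactly the situation
        # that motivates using a different COM server.
        BitsChainViable               = ($hasImpersonate -or $hasAssignPrimary) -and
                                        ($null -ne $bits -and $bits.Status -eq 'Running') -and
                                        (-not $portTaken)
    }
}

Get-PotatoPreconditions | Format-List
```

Run it as the account under review, not as an administrator: the privileges reported are those of the token the script runs with, and an elevated admin shell will hold both privileges regardless of what the service account has.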
The authentication captured by the listener is relayed to the local RPC endpoint mapper on port 135. If the user has SeImpersonate or SeAssignPrimaryToken privileges then you are SYSTEM.

You could try to lock down the permissions of each of these COM servers via DCOMCNFG, but good luck, this is gonna be challenging.

The actual fix is to protect sensitive accounts and applications that run under the * SERVICE accounts (LOCAL SERVICE and NETWORK SERVICE). Stopping DCOM would certainly inhibit this exploit but could have a serious impact on the underlying OS.
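To give defenders the inventory the closing advice implies, here is an added PowerShell example (not code from the original page or project). It lists the services that run under the built-in * SERVICE accounts, which hold SeImpersonatePrivilege by default and are therefore the accounts worth protecting, and reports the machine-wide DCOM switch. It assumes that the `EnableDCOM` value under `HKLM\SOFTWARE\Microsoft\Ole` is the setting that DCOMCNFG's "Enable Distributed COM on this computer" checkbox writes.

```powershell
# Added example, not part of the original page or project.
# Inventories the accounts the text says to protect and whether DCOM is enabled.

function Get-ServiceAccountServices {
    # Win32_Service.StartName is the logon account. These two are the
    # "* SERVICE" accounts; LocalSystem is already SYSTEM and is left out.
    $targets = 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and ($targets -contains $_.StartName) } |
        Select-Object Name, StartName, State, StartMode, PathName |
        Sort-Object StartName, Name
}

function Get-DcomState {
    # Assumption (see lead-in): EnableDCOM under the Ole key is the DCOMCNFG
    # machine-wide switch. A missing value behaves as enabled.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    $enable = 'not set (DCOM enabled)'
    if ($null -ne $ole -and $ole.PSObject.Properties['EnableDCOM']) { $enable = $ole.EnableDCOM }
    [pscustomobject]@{
        EnableDCOM  = $enable
        DcomEnabled = ($enable -ne 'N')
    }
}

function Get-ServiceAccountExposure {
    $services = @(Get-ServiceAccountServices)
    [pscustomobject]@{
        DcomState                 = Get-DcomState
        LocalServiceServiceCount  = @($services | Where-Object StartName -eq 'NT AUTHORITY\LocalService').Count
        NetworkServiceServiceCount = @($services | Where-Object StartName -eq 'NT AUTHORITY\NetworkService').Count
        # Services that are running right now are the ones an attacker who
        # compromises them would actually get a token from.
        RunningUnderServiceAccounts = @($services | Where-Object State -eq 'Running')
    }
}

$exposure = Get-ServiceAccountExposure
$exposure.DcomState | Format-List
$exposure.RunningUnderServiceAccounts | Format-Table Name, StartName, PathName -AutoSize
```

The point of the listing is triage, not remediation: every running entry is an application whose compromise hands out a token with SeImpersonate, so those are the binaries to patch, isolate or move to a virtual service account, rather than the COM servers they could be used against.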