
BITSInject – Abusing BITS

Windows’ BITS service is a middleman for your download jobs. You start a BITS job, and from that point on, BITS is responsible for the download. But what if we tell you that BITS is a careless middleman? We have uncovered the way BITS maintains its job queue using a state file on disk, and found a way for a local administrator to control jobs using special modifications to that file.

Comprehending this file’s binary structure allowed us to change a job’s properties (such as RemoteURL, Destination Path…) at runtime and even inject our own custom job, using none of BITS’ public interfaces. This method, combined with the generous notification feature of BITS, allowed us to run a program of our choosing as the LocalSystem account, within session 0. So if you wish to execute your code as NT AUTHORITY\SYSTEM and the first options that come to mind are psexec or creating a service, we now add a new option: BITSInject.

BITSInject is a one-click tool to inject jobs into the queue of BITS (Background Intelligent Transfer Service). Use this tool to inject a job with LocalSystem rights (NT AUTHORITY\SYSTEM), and set a command line to run in session 0, as LocalSystem. This tool introduces a new undocumented way of controlling BITS jobs. The program you set as the command line will be executed by the svchost.exe that runs BITS, using CreateProcessAsUserW.

Executing this tool requires local Administrator rights.

  • This tool performs the suggested queue injection method that was presented at DEF CON 25.
  • The new general technique presented allows injection into the queue and wide manipulation of it. This tool uses this technique specifically to gain LocalSystem execution. The injected SYSTEM job gets its properties from the given parameters.
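A detection-side view of the behaviour described above (the notification program is started by the svchost.exe that runs BITS, as LocalSystem in session 0), added here as an example that is not part of BITSInject. Field names follow Sysmon process-creation events (Event ID 1); the sample records, the svchost command-line forms and the 'high'/'review' labels are assumptions of this sketch.

```python
import re

# Parent is a netsvcs service host; BITS belongs to that svchost group.
NETSVCS = re.compile(r'\\svchost\.exe"?\s+-k\s+netsvcs\b', re.I)
# "-s <name>" is present when the host is dedicated to a single service.
SERVICE = re.compile(r"\s-s\s+(\S+)")

def classify(ev, allowlist=()):
    """Return 'high', 'review' or None for one process-creation record."""
    if ev.get("User", "").upper() != r"NT AUTHORITY\SYSTEM":
        return None
    if str(ev.get("TerminalSessionId")) != "0":
        return None
    if ev.get("Image", "").lower() in {p.lower() for p in allowlist}:
        return None  # known-good updater that legitimately uses BITS notifications
    parent = ev.get("ParentCommandLine", "")
    if not NETSVCS.search(parent):
        return None
    svc = SERVICE.search(parent)
    if svc:  # dedicated host: only the BITS instance is of interest
        return "high" if svc.group(1).upper() == "BITS" else None
    return "review"  # shared host: BITS is only one of the possible parent services

def scan(events, allowlist=()):
    """Return (level, Image) for every record that classify() flags."""
    out = [(classify(ev, allowlist), ev.get("Image", "")) for ev in events]
    return [hit for hit in out if hit[0]]

def _ev(image, user, session, parent):
    return {"Image": image, "User": user, "TerminalSessionId": session,
            "ParentCommandLine": parent}

SYS = r"NT AUTHORITY\SYSTEM"
HOST = r"C:\Windows\System32\svchost.exe -k netsvcs"
# Constructed sample records, not captured from a real host.
SAMPLE_EVENTS = [
    _ev(r"C:\Windows\System32\cmd.exe", SYS, "0", HOST + " -p -s BITS"),
    _ev(r"C:\Windows\System32\taskhostw.exe", SYS, "0", HOST + " -p -s Schedule"),
    _ev(r"C:\temp\exe.exe", SYS, "0", HOST),  # shared host, no -s argument
    _ev(r"C:\Windows\System32\notepad.exe", r"DESKTOP\alice", "1",
        r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for level, image in scan(SAMPLE_EVENTS):
        print(level, image)
```

On hosts where BITS shares a svchost.exe instance with other services, a 'review' hit needs correlation with the BITS job list before it means anything.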

 

Usage

Quick & Easy mode – to run a program as SYSTEM:

python BITSInject.py --S "C:\\Windows\\System32\\cmd.exe"

Full Usage example:

python BITSInject.py I_WANT_YOUR_SYSTEM http://127.0.0.1:8080/exe.exe c:\\temp\\exe.exe "C:\\Windows\\System32\\cmd.exe" --vol_path "\\?\Volume{417e8a50-0000-0000-0000-501f00000000}\\" --args "C:\\temp\\inputfile.txt" --localhost_server_port 8080
  • For the full list of options, run BITSInject.py -h
  • Must run on a Windows OS to use the Microsoft Windows BITS Service. Currently supports Windows 7 and Windows 10. Windows 8 has not been tested; support can be added upon request.
  • Optionally run SimpleBITSServer in the background and set the job’s RemoteURL to that server, either to accept a file or to intentionally drive the job into the ERROR mode (explained in white paper above).
  • See the references about setting a program in the command line to execute: interactive vs. non-interactive (UI0Detect)
