Skip to content

A one-click tool to inject jobs into the BITS queue (Background Intelligent Transfer Service), allowing arbitrary program execution as the NT AUTHORITY/SYSTEM account

License

Notifications You must be signed in to change notification settings

SafeBreach-Labs/BITSInject

Repository files navigation

BITSInject

A one-click tool to inject jobs into the BITS queue (Background Intelligent Transfer Service). Use this tool to inject a job with LocalSystem rights (NT AUTHORITY\SYSTEM), and set a command line to run at session 0, as LocalSystem. This tool introduces a new undocumented way of controlling BITS jobs. The program you set as the command line will be executed by the svchost.exe that runs BITS, using CreateProcessAsUserW.

Executing this tool requires local Administrator rights.

  • This tool performs the suggested queue injection method that was presented at DEF CON 25
  • The new general technique presented allows injection and wide manipulation on the queue. This tool is using this technique specifically to gain LocalSystem execution. The injected SYSTEM job gets the properties from the given parameters

References

Folders in this rep:

  • \bt_templates - An 010 Editor template to parse and easily edit your desired state file.
  • \job_payloads - The base job payloads that were crafted and are edited according to the parameters you specify, before injecting to the BITS queue.
  • \state_files - Sample pre-made state files to examine or to overwrite your own.

Usage

Quick & Easy mode - to run a program as SYSTEM:

python BITSInject.py --S "C:\\Windows\\System32\\cmd.exe"

Full Usage example:

python BITSInject.py I_WANT_YOUR_SYSTEM http://127.0.0.1:8080/exe.exe c:\\temp\\exe.exe "C:\\Windows\\System32\\cmd.exe" --vol_path "\\?\Volume{417e8a50-0000-0000-0000-501f00000000}\\" --args "C:\\temp\\inputfile.txt" --localhost_server_port 8080
  • BITSInject.py -h
  • Must run on a Windows OS to use the Microsoft Windows BITS Service. Currently supports Windows 7 and Windows 10. Support for Windows 8 not tested, can be added upon request.
  • Optionally run SimpleBITSServer in background and set the job's RemoteURL to that server to accept a file or intentionally drive the job into the ERROR mode (explained in white paper above).
  • See references about setting a program in the command line to execute - Interactive VS non-interactive (UI0Detect)

Authors

Dor Azouri - Initial work

See also the list of contributors who participated in this project.

License

BSD 3 - clause "New" or "Revised" License

About

A one-click tool to inject jobs into the BITS queue (Background Intelligent Transfer Service), allowing arbitrary program execution as the NT AUTHORITY/SYSTEM account

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages