
BITSInject

A one-click tool to inject jobs into the BITS queue (Background Intelligent Transfer Service). Use this tool to inject a job with LocalSystem rights (NT AUTHORITY\SYSTEM), and set a command line to run at session 0, as LocalSystem. This tool introduces a new undocumented way of controlling BITS jobs. The program you set as the command line will be executed by the svchost.exe that runs BITS, using CreateProcessAsUserW.

Executing this tool requires local Administrator rights.

  • This tool performs the queue injection method that was presented at DEF CON 25.
  • The general technique presented there allows injection into, and wide manipulation of, the BITS queue. This tool uses that technique specifically to gain LocalSystem execution; the injected SYSTEM job takes its properties from the parameters you supply.

References

Folders in this repo:

  • \bt_templates - An 010 Editor template to parse and easily edit the state file you are working on.
  • \job_payloads - The base job payloads that were crafted in advance; they are edited according to the parameters you specify before being injected into the BITS queue.
  • \state_files - Sample pre-made state files to examine, or to overwrite your own with.

Usage

Quick & Easy mode - to run a program as SYSTEM:

python BITSInject.py --S "C:\\Windows\\System32\\cmd.exe"

Full Usage example:

python BITSInject.py I_WANT_YOUR_SYSTEM http://127.0.0.1:8080/exe.exe c:\\temp\\exe.exe "C:\\Windows\\System32\\cmd.exe" --vol_path "\\?\Volume{417e8a50-0000-0000-0000-501f00000000}\\" --args "C:\\temp\\inputfile.txt" --localhost_server_port 8080

  • Run BITSInject.py -h for the full list of options.
  • Must run on Windows, because it uses the Microsoft Windows BITS service. Currently supports Windows 7 and Windows 10. Windows 8 support has not been tested and can be added upon request.
  • Optionally run SimpleBITSServer in the background and set the job's RemoteURL to that server, either to accept a file or to intentionally drive the job into the ERROR state (explained in the white paper above).
  • See the references about choosing a program to execute from the command line - interactive vs. non-interactive (UI0Detect).
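From the defender's side, the artefact this tool leaves behind is a BITS job that carries a notification command line, usually owned by a service account. The following PowerShell check is an added example, not part of BITSInject; it assumes the BitsTransfer module is present and that the BitsJob objects returned by Get-BitsTransfer expose the NotifyCmdLine, OwnerAccount and JobState properties, and it must be run from an elevated prompt to see every user's jobs.

```powershell
# Added example (not BITSInject code): list BITS jobs for all users and report any job
# that has a notification command line, which is what BITS runs from its svchost
# when the job completes or errors out. Assumes BitsJob exposes NotifyCmdLine,
# OwnerAccount and JobState (verify with: Get-BitsTransfer -AllUsers | Format-List *).
Import-Module BitsTransfer

function Get-BitsJobWithCmdLine {
    [CmdletBinding()]
    param(
        # Service accounts: a command line on one of their jobs runs with that account's rights.
        [string[]] $ServiceOwners = @('NT AUTHORITY\SYSTEM',
                                      'NT AUTHORITY\LOCAL SERVICE',
                                      'NT AUTHORITY\NETWORK SERVICE')
    )

    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        $cmd = [string]$job.NotifyCmdLine
        if ([string]::IsNullOrWhiteSpace($cmd)) { return }   # nothing to launch, skip

        $reasons = @('notification command line set')
        if ($ServiceOwners -contains $job.OwnerAccount) {
            $reasons += 'owned by a service account'
        }
        # The README describes driving a job into ERROR on purpose; an errored job with a
        # command line is still a pending execution, so keep it in the report.
        if ("$($job.JobState)" -in @('Error', 'TransientError')) {
            $reasons += "job state is $($job.JobState)"
        }

        [pscustomobject]@{
            JobId         = $job.JobId
            DisplayName   = $job.DisplayName
            Owner         = $job.OwnerAccount
            State         = $job.JobState
            Created       = $job.CreationTime
            NotifyCmdLine = $cmd
            Reasons       = ($reasons -join '; ')
        }
    }
}

# Review the report; a job can be removed with Remove-BitsTransfer once confirmed unwanted.
Get-BitsJobWithCmdLine | Format-Table -AutoSize
```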

Authors

Dor Azouri - Initial work

See also the list of contributors who participated in this project.

License

BSD 3-Clause "New" or "Revised" License
