PsExec

PsExec

Main purpose of this utility was to help Windows administrators perform important tasks such as executing commands on remote systems.

The PsExec utility requires a few things on the remote system:

• The Server Message Block (SMB) service which runs on port 139 / 445, must be available and reachable (i.e. not blocked by firewall).
• File and Print Sharing must be enabled.
• The Admin$ share must be available and accessible. It is a hidden SMB share that maps to the Windows directory intended for software deployments (C:\Windows\System32).
• The credentials supplied to the PSExec utility must have permissions to access the Admin$ share.

PsExec Remote Code Execution:

PSExec has a Windows Service image inside of its executable. It takes this service and deploys it to the Admin$ share on the remote machine. It then uses the DCE/RPC interface over SMB to access the Windows Service Control Manager API. It turns on the PSExec service on the remote machine. The PSExec service then creates a named pipe that can be used to send commands to the system.

In Exploitation the generated payload is embeded into the executable that is uploaded to the Admin$ share using the supplied credentials. It then uses DCE/RPC interface ( over SMB protocol ) and calls into the Service Control Manager before telling SCM to start the service that we deployed to Admin$ earlier. When the service is started, it starts a new rundll32.exe process, allocates executable memory inside that process and copies the shellcode into it. It then calls the starting address of that memory location as if it were a function pointer, executing the stored shellcode.

Once it does that, the service shuts itself down and cleans itself up. But now running in the memory of your system is that malicious payload. In the example of Metasploit, this would be a Meterpreter payload. Metasploit has a way to use this to great effect without even having to know the credentials ahead of time as long as you’ve already compromised one machine. This is achieved by abusing what we call local authentication tokens and there is a post module called PsExec as local user.

Credits: Rapid 7