Skip to content
/ BITSInject Public

A one-click tool to inject jobs into the BITS queue (Background Intelligent Transfer Service), allowing arbitrary program execution as the NT AUTHORITY/SYSTEM account

License

BSD-3-Clause license
97 stars 18 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

SafeBreach-Labs/BITSInject

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
bt_templates
bt_templates
 
 
job_payloads
job_payloads
 
 
state_files
state_files
 
 
.gitignore
.gitignore
 
 
BITSInject.py
BITSInject.py
 
 
BITSJobPayloads.py
BITSJobPayloads.py
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

BITSInject

A one-click tool to inject jobs into the BITS queue (Background Intelligent Transfer Service). Use this tool to inject a job with LocalSystem rights (NT AUTHORITY\SYSTEM), and set a command line to run at session 0, as LocalSystem. This tool introduces a new undocumented way of controlling BITS jobs. The program you set as the command line will be executed by the svchost.exe that runs BITS, using CreateProcessAsUserW.

Executing this tool requires local Administrator rights.

  • This tool performs the suggested queue injection method that was presented at DEF CON 25
  • The new general technique presented allows injection and wide manipulation on the queue. This tool is using this technique specifically to gain LocalSystem execution. The injected SYSTEM job gets the properties from the given parameters

References

Folders in this rep:

  • \bt_templates - An 010 Editor template to parse and easily edit your desired state file.
  • \job_payloads - The base job payloads that were crafted and are edited according to the parameters you specify, before injecting to the BITS queue.
  • \state_files - Sample pre-made state files to examine or to overwrite your own.

Usage

Quick & Easy mode - to run a program as SYSTEM:

python BITSInject.py --S "C:\\Windows\\System32\\cmd.exe"

Full Usage example:

python BITSInject.py I_WANT_YOUR_SYSTEM http://127.0.0.1:8080/exe.exe c:\\temp\\exe.exe "C:\\Windows\\System32\\cmd.exe" --vol_path "\\?\Volume{417e8a50-0000-0000-0000-501f00000000}\\" --args "C:\\temp\\inputfile.txt" --localhost_server_port 8080
  • BITSInject.py -h
  • Must run on a Windows OS to use the Microsoft Windows BITS Service. Currently supports Windows 7 and Windows 10. Support for Windows 8 not tested, can be added upon request.
  • Optionally run SimpleBITSServer in background and set the job's RemoteURL to that server to accept a file or intentionally drive the job into the ERROR mode (explained in white paper above).
  • See references about setting a program in the command line to execute - Interactive VS non-interactive (UI0Detect)

Authors

Dor Azouri - Initial work

See also the list of contributors who participated in this project.

License

BSD 3 - clause "New" or "Revised" License

About

A one-click tool to inject jobs into the BITS queue (Background Intelligent Transfer Service), allowing arbitrary program execution as the NT AUTHORITY/SYSTEM account

Resources

Readme

License

BSD-3-Clause license
Activity
Custom properties

Stars

97 stars

Watchers

12 watching

Forks

18 forks
Report repository

Releases

No releases published

Packages

 
 
 

Languages