During our last ATM review engagement, we found some interesting executable files that were run by Windows Services under the Local System account. These binaries had weak file permissions that allowed us to modify them using the standard ATM user account. As a proof of concept, I decided to inject some code into one of them to take full control of the system.
This post is about the technique I used to inject the code into a .dll used by one of the Windows Services. I’m sure there are many other ways to do this, including with automated tools, but this old-school code injection worked for me, so it is worth sharing. I have renamed the binaries in order to avoid disclosing information about the vendor. In any case, the issue here was related only to file permissions, not to the binaries themselves.
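The root cause described above is a service binary (or a DLL next to it) that runs as Local System but is writable by an ordinary user. The following PowerShell script is an added audit example, not code from the original post or from the ATM vendor: it enumerates services that start as Local System, resolves each service's image path, and reports the executable and any DLL in the same directory that grants write, delete, or ACL-modification rights to low-privilege well-known principals (Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE). The function names, the SID list and the rights mask are this example's own choices.

```powershell
# Added example (not from the original post): find Windows service binaries that
# run as Local System and are writable by low-privilege principals.

# Well-known SIDs that any standard interactive user is a member of.
$lowPrivSids = @(
    'S-1-1-0',        # Everyone
    'S-1-5-11',       # Authenticated Users
    'S-1-5-32-545',   # BUILTIN\Users
    'S-1-5-4'         # INTERACTIVE
)

# Rights that let a user replace or retarget the file, not just read it.
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::WriteDac -bor
             [System.Security.AccessControl.FileSystemRights]::WriteOwner

function Get-ServiceImagePath {
    param([string]$PathName)
    # Strip surrounding quotes and command-line arguments from the service ImagePath.
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^(\S+\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Test-WritableByLowPriv {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity: skip this ACE
        if ($lowPrivSids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -in @('LocalSystem', 'NT AUTHORITY\SYSTEM') -and $_.PathName } |
    ForEach-Object {
        $svc = $_
        $exe = Get-ServiceImagePath $svc.PathName
        if (-not (Test-Path -LiteralPath $exe)) { return }
        # Check the service executable and every DLL in its install directory,
        # since a writable DLL loaded by the service is as bad as a writable EXE.
        $dir = Split-Path -Parent $exe
        $targets = @($exe) + @(Get-ChildItem -LiteralPath $dir -Filter *.dll `
                       -ErrorAction SilentlyContinue | ForEach-Object FullName)
        foreach ($t in $targets) {
            try {
                if (Test-WritableByLowPriv $t) {
                    [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; File = $t }
                }
            } catch { }   # inaccessible file: ignore
        }
    } | Format-Table -AutoSize
```

Run it from an elevated prompt so every ACL can be read; any row it prints is a file a standard user could replace before the next service start. Services hosted in svchost.exe load their code from the ServiceDll value under the service's registry Parameters key rather than from the directory of the image path, so those DLLs need a separate check of the path stored there.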