Monday, August 20, 2012

Hiding Files by Exploiting Spaces in Windows Paths

This is by no means a new thing. I've known about it for a really really long time, as I'm sure a whole lot of other people have, but for some reason no one uses it. Kind of like NTFS file streams: it's neat, but not very many people make use of it.

There was a Twitter post about something similar to this the other day, and it took me by surprise that not everyone knew about it and that it was being treated as a novel approach.

Usually everyone talks about this for privilege escalation; I use it to hide the true execution path to files. All of this requires admin-like permissions to work, so it is pretty much worthless to a regular non-privileged user.

So I thought I'd write up a post on it.

The basic premise is this: If you have a path with a space in it, Windows will break the path and attempt to execute all files with that path name as the file name.

Example: C:\Program Files\Crappy App\Whatever.exe

We will assume some program is attempting to start the application at the path above. IF the path is not enclosed in quotes ("), it will attempt to run C:\Program.exe, C:\Program.bat, etc., and then C:\Program Files\crappy.exe, C:\Program Files\crappy.bat, etc. THEN, if it fails to find any of those, it finally launches the intended application.

OMG we just figured out how to super leet hack the world...

No not quite.

A lesser known bit of trivia... Windows will freak the hell out if you have a program named Program.exe in the C: directory. If you restart your computer and that file exists, Windows will alert you that it exists and either instruct you to delete it or delete it automatically, I don't remember for sure. This is because the good folks at MS know this is a problem. It is one of the reasons why you don't have file create permission on the C: drive but you do have folder create permission as a generic user. It is fun to make a Program.exe file that just echoes hello, put it in the C: drive and see what applications trigger it, though. (I'm looking at you Notepad++)

Usually when there are spaces in the path, those are all places you, as a regular non-priv user, don't have write permissions to. The only times I've seen this be exploitable by a non-privileged user were some custom in-house applications' registry keys and some poorly written batch startup scripts with incorrect folder permissions. I've never seen a service whose binpath is unquoted, contains spaces, and is writable by non-privileged users. Not saying it doesn't happen, but it's fairly rare from what I've seen.

But back on track, I'm talking about hiding files, or really just disguising where the files that are actually being executed really are.

You can use this technique to obfuscate locations in the registry, in services binpath, in batch files, all over the place.

I prefer to create services rather than registry run keys for nefarious programs that need to stay persistent. Lots of people check the registry occasionally, and nothing screams suspicious like a weird registry key in the run areas.

When was the last time you did a binpath= check and made sure all the paths were enclosed in quotes? When was the last time you checked all those, compiled a list of the paths without quotes and with spaces, and then checked for like-named executables in those paths?

The answer is never. 
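
A minimal version of that check, as an added example (not from the original post): it takes service ImagePath strings, skips the quoted ones, and lists the `.exe` name tried at each space before the intended binary. The service list and the file set are constructed sample data, and only the `.exe` candidate is checked at each break point; on a real host the paths would come from the Services registry key and `os.path.isfile`.

```python
import re

# Constructed sample data: (service name, ImagePath) pairs as they would be
# read from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SERVICES = [
    ("Windows UDP Processor", r"C:\Program Files\Common Files\Run.exe"),
    ("QuotedSvc", r'"C:\Program Files\Vendor App\svc.exe" -k run'),
    ("NoSpaceSvc", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("ArgsSvc", r"C:\Program Files\Vendor App\agent.exe --mode service"),
]

# Constructed stand-in for the file system; on a real host use os.path.isfile.
EXISTING_FILES = {r"c:\program files\common.exe"}


def shadow_candidates(image_path):
    """Return the paths tried before the intended binary for an unquoted ImagePath."""
    path = image_path.strip()
    if path.startswith('"'):
        return []  # quoted: the executable path is unambiguous
    # Cut at the first ".exe" followed by whitespace or end, dropping arguments.
    m = re.search(r"\.exe(?=\s|$)", path, re.IGNORECASE)
    exe = path[: m.end()] if m else path
    # Each space inside the executable path is a point where prefix + ".exe" is tried.
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit(services, file_exists):
    """Return (service, candidate, present) for every unquoted path with spaces."""
    findings = []
    for name, image_path in services:
        for cand in shadow_candidates(image_path):
            findings.append((name, cand, file_exists(cand)))
    return findings


def sample_file_exists(path):
    # Case-insensitive lookup, matching NTFS default behaviour.
    return path.lower() in EXISTING_FILES


if __name__ == "__main__":
    for name, cand, present in audit(SERVICES, sample_file_exists):
        flag = "PRESENT" if present else "absent"
        print(f"{name}: {cand} [{flag}]")
```

Any candidate reported as present is the file that actually runs when the service starts, so it is the one to examine, not the binary named at the end of the path.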

So say we use this batch file to create a new service:

@echo off
sc create "Windows UDP Processor" binpath= "C:\program files\common files\run.exe" start= demand type= own
sc description "Windows UDP Processor" "Manages Windows UDP Routing Traffic"

*note: I always try to make things look as un-suspicious as possible hence the "sc description" command to add a description to the service. It's the little things kids.

Since we didn't use escaped quotes in the bin path we end up with a binpath of this:
C:\Program Files\Common Files\Run.exe
Instead of
"C:\Program Files\Common Files\Run.exe"

(we SHOULD have used this "\"C:\Program files\common files\run.exe\"" as the binpath)

I've already dumped my malicious file common.exe in C:\Program Files\.

When this service starts it will run C:\Program Files\common.exe not C:\Program Files\Common Files\Run.exe

IF the service ever gets examined most likely the person will check Run.exe, see that it's legit / harmless and move on missing the real file that is being executed.

Pretty sneaky right?

Well except for the part where you created a new service, that's still kinda sketchy.
But if you find a legit service with spaces (more than one, usually in C:\Program Files) in the path, you can modify the binpath of the service, remove the quotes (that it should have), and then place your file in the path with the proper name. Having your malicious file start the intended executable will allay suspicion.

There you have it, a legitimate service, pointing to a legitimate executable, but we're jumping in the middle and getting our file executed.

Then all you have to do is worry about AntiVirus programs going NOM NOM NOM on your files.

This works for service binpaths and registry keys; with batch files you have to go about it a little differently.

With Batch files you can't have spaces in the path. End of the story.

So if you tried to call C:\Program Files\Crappy App\Whatever.exe without quotes, unless there's a C:\Program.exe it's going to fail with a file not found.
So you have to use the short path name for everything up to where you want it to break and execute the file.
Like this:
C:\Progra~1\Crappy App\Whatever.exe
This would execute C:\Program Files\Crappy.exe

So there you have it, a different view. Using spaces to hide the true path of execution instead of using it to exploit a priv escalation.
