windows内核提权

Posted 渗透测试中心

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了windows内核提权相关的知识,希望对你有一定的参考价值。

   Windows by default are vulnerable to several vulnerabilities that could allow an attacker to execute malicious code in order to abuse a system. From the other side patching systems sufficiently is one of the main problems in security. Even if an organization has a patching policy in place if important patches are not implemented immediately this can still give short window to an attacker to exploit a vulnerability and escalate his privileges inside a system and therefore inside the network.

This article will discuss how to identify missing patches related to privilege escalation and the necessary code to exploit the issue.

Discovery of Missing Patches

The discovery of missing patches can be identified easily either through manual methods or automatic. Manually this can be done easily be executing the following command which will enumerate all the installed patches.

wmic qfe get Caption,Description,HotFixID,InstalledOn

The output will be similar to this:

技术分享

Enumeration of Installed Patches

The HotFixID can be used in correlation with the table below in order to discover any missing patches related to privilege escalation. As the focus is on privilege escalation the command can be modified slightly to discover patches based on the KB number.

wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3136041" /C:"KB4018483"

Alternatively this can be done automatically via Metasploit, Credential Nessus Scan or via a custom script that will look for missing patches related to privilege escalation.

Metasploit

There is a Metasploit module which can quickly identify any missing patches based on the Knowledge Base number and specifically patches for which there is a Metasploit module.

post/windows/gather/enum_patches
技术分享

Metasploit – Patches Enumeration

Windows Exploit Suggester

Gotham Digital Security released a tool with the name Windows Exploit Suggester which compares the patch level of a system against the Microsoft vulnerability database and can be used to identify those exploits that could lead to privilege escalation. The only requirement is that requires the system information from the target.

技术分享

Windows Exploit Suggester

PowerShell

There is also a PowerShell script which target to identify patches that can lead to privilege escalation. This script is called Sherlock and it will check a system for the following:

  • MS10-015 : User Mode to Ring (KiTrap0D)
  • MS10-092 : Task Scheduler
  • MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
  • MS13-081 : TrackPopupMenuEx Win32k NULL Page
  • MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
  • MS15-051 : ClientCopyImage Win32k
  • MS15-078 : Font Driver Buffer Overflow
  • MS16-016 : ‘mrxdav.sys’ WebDAV
  • MS16-032 : Secondary Logon Handle
  • CVE-2017-7199 : Nessus Agent 6.6.2 – 6.10.3 Priv Esc

The output of this tool can be seen below:

技术分享

Sherlock – Missing Patches

技术分享

Sherlock – Identification of Privilege Escalation Patches

Privilege Escalation Table

The following table has been compiled to assist in the process of privilege escalation due to lack of sufficient patching.

Operating SystemDescriptionSecurity BulletinKBExploit
Windows Server 2016 Windows Kernel Mode Drivers MS16-135 3199135 Exploit

 

Github

Windows Server 2008 ,7,8,10 Windows Server 2012 Secondary Logon Handle MS16-032 3143141  GitHub

 

ExploitDB

Metasploit

Windows Server 2008, Vista, 7 WebDAV MS16-016 3136041 Github
Windows Server 2003, Windows Server 2008, Windows 7, Windows 8, Windows 2012 Windows Kernel Mode Drivers MS15-051 3057191 GitHub

 

ExploitDB

Metasploit

Windows Server 2003, Windows Server 2008, Windows Server 2012, 7, 8 Win32k.sys MS14-058 3000061 GitHub

 

ExploitDB

Metasploit

Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 AFD Driver MS14-040 2975684 Python

 

EXE

ExploitDB

Github

Windows XP, Windows Server 2003 Windows Kernel MS14-002 2914368 Metasploit
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 Kernel Mode Driver MS13-005 2778930 Metasploit

 

ExploitDB

GitHub

Windows Server 2008, 7 Task Scheduler MS10-092 2305420 Metasploit

 

ExploitDB

Windows Server 2003, Windows Server 2008, 7, XP  KiTrap0D MS10-015 977165 Exploit

 

ExploitDB

GitHub

Metasploit

Windows Server 2003, XP NDProxy MS14-002 2914368 Exploit

 

ExploitDB

ExploitDB

Github

Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 Kernel Driver MS15-061 3057839 Github
Windows Server 2003, XP AFD.sys MS11-080 2592799 EXE

 

Metasploit

ExploitDB

Windows Server 2003, XP NDISTAPI MS11-062 2566454 ExploitDB
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 RPC MS15-076 3067505 Github
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 Hot Potato MS16-075 3164038 GitHub

 

PowerShell

HotPotato

Windows Server 2003, Windows Server 2008, 7, XP Kernel Driver MS15-010 3036220 GitHub

 

ExploitDB

Windows Server 2003, Windows Server 2008, 7, XP AFD.sys MS11-046 2503665 EXE

 

ExploitDB

以上是关于windows内核提权的主要内容,如果未能解决你的问题,请参考以下文章

Windows 提权

[提权]CVE-2018-8120漏洞复现

Windows内核之中断门提权

什么是电脑内核提权漏洞?

CTF-内核漏洞提权

内网渗透系列:权限提升方法小结