
2.2 The Privilege Escalation Helper Tool Windows-Exploit-Suggester

This section introduces the privilege escalation helper tool Windows-Exploit-Suggester.

2.2.1 Introduction to Windows-Exploit-Suggester

Windows-Exploit-Suggester is a privilege escalation helper tool inspired by Linux_Exploit_Suggester; its official download address is https://github.com/GDSSecurity/Windows-Exploit-Suggester. It is written in Python, its runtime environment is Python 3.3 or later, and the xlrd library (https://pypi.python.org/pypi/xlrd) must be installed. Its main function is to compare the file generated by systeminfo against Microsoft's bulletin data and discover whether the system has unpatched vulnerabilities.

Windows-Exploit-Suggester downloads Microsoft's public vulnerability database to a local file named "<generation date>-mssb.xls" and then, according to the operating system version, compares it with the file generated by systeminfo. The Microsoft public vulnerability database download address is http://www.microsoft.com/en-gb/download/confirmation.aspx?id=36982. The tool also tells the user whether a public exploit (EXP) and a usable Metasploit module exist for each vulnerability.

2.2.2 Using Windows-Exploit-Suggester

(1) Download Windows-Exploit-Suggester, Python 3.3 and xlrd

        https://www.python.org/ftp/python/3.3.3/python-3.3.3.amd64.msi
        https://pypi.python.org/packages/42/85/25caf967c2d496067489e0bb32df069a8361e1fd96a7e9f35408e56b3aab/xlrd-1.0.0.tar.gz#md5=9a91b688cd4945477ac28187a54f9a3b
        https://codeload.github.com/GDSSecurity/Windows-Exploit-Suggester/zip/master

(2) Local installation

Install the Python 3.3.3 build for your platform locally. After installation, copy the file xlrd-1.0.0.tar.gz into the Python 3.3.3 installation directory and extract it, then run "setup.py install" at the command prompt; otherwise the first run shows "no results", as in Figure 2-3, and prompts you to upgrade or install the xlrd library.

Figure 2-3 Prompt to install the xlrd library

(3) Download the vulnerability database

Generate the "<date>-mssb.xls" file in the local folder. For example, to generate the file 2017-03-20-mssb.xls (the public material online that names it 2017-03-20-mssb.xlsx is wrong), run the command "windows-exploit-suggester.py --update", as shown in Figure 2-4; this produces the file 2017-03-20-mssb.xls.

Figure 2-4 Generating the vulnerability database file

(4) Generate the system information file

Use the command "systeminfo > win7sp1-systeminfo.txt" to generate the file win7sp1-systeminfo.txt. In a real environment, the generated file can be downloaded to the local machine for comparison.

(5) Check the system's vulnerabilities

Use the command "windows-exploit-suggester.py --database 2017-03-20-mssb.xls --systeminfo win7sp1-systeminfo.txt" to check the high-risk vulnerabilities present on the system. Figure 2-5 shows the result for a Windows 7 system: MS14-026 is reported as having a usable POC.

Figure 2-5 Checking usable POCs on Windows 7

(6) View the help

Use the command "windows-exploit-suggester.py -h" to view the usage help.
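As an added illustration of what the comparison in steps (3) to (5) actually does (example code written for this section, not part of Windows-Exploit-Suggester or the book), the script below extracts the OS name and installed KB numbers from a constructed systeminfo capture and checks them against a small constructed table standing in for mssb.xls. The bulletin/KB pairs are taken from the report later in this section; the product and supersedes columns are assumptions made for the demonstration.

```python
import re

# Constructed systeminfo excerpt (not captured from a real host). The tool
# reads the OS name/version and the Hotfix(s) list from a file like this.
SYSTEMINFO = """\
Host Name:                 LAB-WIN7
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2958732
                           [02]: KB3011780
                           [03]: KB3057191
"""

# Constructed stand-in for the rows the tool reads from <date>-mssb.xls.
# Bulletin/KB pairs come from the report shown in this chapter; the product
# and "supersedes" columns are assumptions for the demonstration.
BULLETINS = [
    {"id": "MS14-026", "kb": "2958732", "product": "Windows 7", "supersedes": []},
    {"id": "MS14-040", "kb": "2975684", "product": "Windows 7", "supersedes": []},
    {"id": "MS14-045", "kb": "2984615", "product": "Windows 7", "supersedes": []},
    {"id": "MS14-068", "kb": "3011780", "product": "Windows 7", "supersedes": []},
    {"id": "MS15-051", "kb": "3057191", "product": "Windows 7", "supersedes": ["MS14-045"]},
    {"id": "MS15-061", "kb": "3057839", "product": "Windows 7", "supersedes": []},
    {"id": "MS14-062", "kb": "2993254", "product": "Windows Server 2003", "supersedes": []},
]


def parse_systeminfo(text):
    """Return (os_name, set of installed KB numbers without the 'KB' prefix)."""
    match = re.search(r"^OS Name:\s*(.+)$", text, re.MULTILINE)
    if match is None:
        raise ValueError("no 'OS Name' line found; is this systeminfo output?")
    return match.group(1).strip(), set(re.findall(r"\bKB(\d+)\b", text))


def missing_bulletins(os_name, installed, table):
    """Bulletins for this OS whose KB is neither installed nor superseded by
    an installed bulletin; only rows for the detected product are considered."""
    rows = [r for r in table if r["product"].lower() in os_name.lower()]
    superseded = set()
    for row in rows:
        if row["kb"] in installed:
            superseded.update(row["supersedes"])
    return sorted(r["id"] for r in rows
                  if r["kb"] not in installed and r["id"] not in superseded)


def audit(systeminfo_text, table=BULLETINS):
    os_name, installed = parse_systeminfo(systeminfo_text)
    return missing_bulletins(os_name, installed, table)
```

With the constructed data, `audit(SYSTEMINFO)` reports MS14-040 and MS15-061 as missing; MS14-045 is treated as covered because the installed MS15-051 is listed as superseding it.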

2.2.3 Tips and Advanced Usage

1. Remote overflow vulnerabilities

Generate the file with systeminfo on the target system and compare it. For example, to compare the system information generated on Windows Server 2003, the command is as follows.

        windows-exploit-suggester.py --database 2017-03-20-mssb.xls --systeminfo win2003.txt

The result shows the remote overflow vulnerabilities MS09-043, MS09-004, MS09-002, MS09-001, MS08-078 and MS08-070, as shown in Figure 2-6.

Figure 2-6 Checking the vulnerabilities present on Windows Server 2003

2. Auditing all vulnerabilities

Use the following command to audit all vulnerabilities. As shown in Figure 2-7, auditing a Windows Server 2003 server finds 24 vulnerabilities. "--audit -l" audits local overflow vulnerabilities, and "--audit -r" audits remote overflow vulnerabilities.

Figure 2-7 Auditing all vulnerabilities

        windows-exploit-suggester.py --audit --database 2017-03-20-mssb.xls --systeminfo win2003.txt

3. Searching for locally exploitable vulnerability information

Search for local vulnerabilities with the "-l" parameter; the command is as follows.

        windows-exploit-suggester.py --audit -l --database 2017-03-20-mssb.xls --systeminfo win2003-2.txt

Auditing the local vulnerabilities shows that this Windows Server 2003 does not have SP2 installed and has multiple local overflow vulnerabilities. If an attacker picks the newest bulletin number to exploit, the success rate is much higher. For example, on the lab machine used in this experiment, create an ordinary account temp, log in, and run the exploit program for MS15-077; the report is listed below and the effect is shown in Figure 2-8.

Figure 2-8 Obtaining system privileges by exploiting a local overflow vulnerability

        [*] MS15-077: Vulnerability in ATM Font Driver Could Allow Elevation of Privilege (3077657) - Important
        [*] MS15-076: Vulnerability in Windows Remote Procedure Call Could Allow Elevation of Privilege (3067505) - Important
        [*] MS15-075: Vulnerabilities in OLE Could Allow Elevation of Privilege (3072633) - Important
        [*] MS15-074: Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (3072630) - Important
        [*] MS15-073: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3070102) - Important
        [*] MS15-072: Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege (3069392) - Important
        [*] MS15-071: Vulnerability in Netlogon Could Allow Elevation of Privilege (3068457) - Important
        [*] MS15-061: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057839) - Important
        [M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
        [*]   https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
        [*]   https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
        [*] MS15-050: Vulnerability in Service Control Manager Could Allow Elevation of Privilege (3055642) - Important
        [*] MS15-048: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (3057134) - Important
        [*] MS15-038: Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege (3045685) - Important
        [*] MS15-025: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (3038680) - Important
        [*] MS15-008: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3019215) - Important
        [*] MS15-003: Vulnerability in Windows User Profile Service Could Allow Elevation of Privilege (3021674) - Important
        [*] MS14-078: Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (2992719) - Moderate
        [*] MS14-072: Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210) - Important
        [E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important
        [*]   http://www.exploit-db.com/exploits/35936/ -- Microsoft Windows Server 2003 SP2 - Privilege Escalation, PoC
        [E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
        [*]   http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
        [*] MS14-063: Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579) - Important
        [M] MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important
        [*]   http://www.exploit-db.com/exploits/34112/ -- Microsoft Windows XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation, PoC
        [*]   http://www.exploit-db.com/exploits/34982/ -- Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
        [*] MS14-049: Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (2962490) - Important
        [*] MS14-045: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2984615) - Important
        [E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
        [*]   https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040),
        [*]   https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
        [E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
        [*]   http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC
        [E] MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important
        [*] MS13-102: Vulnerability in LPC Client or LPC Server Could Allow Elevation of Privilege (2898715) - Important
        [*] MS13-062: Vulnerability in Remote Procedure Call Could Allow Elevation of Privilege (2849470) - Important
        [*] MS13-015: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2800277) - Important
        [*] MS12-042: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167) - Important
        [*] MS12-003: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524) - Important
        [*] MS11-098: Vulnerability in Windows Kernel Could allow Elevation of Privilege (2633171) - Important
        [*] MS11-070: Vulnerability in WINS Could Allow Elevation of Privilege (2571621) - Important
        [*] MS11-051: Vulnerability in Active Directory Certificate Services Web Enrollment Could Allow Elevation of Privilege (2518295) - Important
        [E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
        [*] MS10-084: Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (2360937) - Important
        [*] MS09-041: Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657) - Important
        [*] MS09-040: Vulnerability in Message Queuing Could Allow Elevation of Privilege (971032) - Important
        [M] MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) - Important
        [*] MS09-015: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426) - Moderate
        [*] MS09-012: Vulnerabilities in Windows Could Allow Elevation of Privilege (959454) - Important
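To turn the report format shown in items 2 and 3 into a patch-triage list, the following added example (written for this section, not code from the book or from Windows-Exploit-Suggester) parses a constructed excerpt in that format, attaches each exploit reference line to the bulletin printed above it, splits entries into local and remote in the spirit of the -l and -r filters (assumed here to hinge on the impact wording in the title) and orders the missing bulletins by severity and by whether a public exploit or Metasploit module is flagged.

```python
import re

# Constructed excerpt in the tool's report format, modelled on the output
# shown above (a handful of lines, not a full capture). Legend: [E] exploit-db
# PoC, [M] Metasploit module, [*] missing bulletin with nothing public linked.
REPORT = """\
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[*]   http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*]   https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*] MS15-077: Vulnerability in ATM Font Driver Could Allow Elevation of Privilege (3077657) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
"""

BULLETIN_RE = re.compile(
    r"^\[(?P<flag>[EM*])\]\s*(?P<id>MS\d{2}-\d{3}): (?P<title>.+?) "
    r"\((?P<kb>\d+)\) - (?P<severity>\w+)$")
REF_RE = re.compile(r"^\[\*\]\s*(?P<url>https?://\S+)")
SEVERITY_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}


def parse_report(text):
    """Group each bulletin line with the exploit references printed under it."""
    entries = []
    for line in text.splitlines():
        m = BULLETIN_RE.match(line)
        if m:
            e = m.groupdict()
            e["refs"] = []
            # Assumption: local/remote mirrors -l/-r by the impact wording in the title.
            e["kind"] = ("local" if "Elevation of Privilege" in e["title"]
                         else "remote" if "Remote Code Execution" in e["title"] else "other")
            entries.append(e)
            continue
        m = REF_RE.match(line)
        if m and entries:  # reference lines belong to the bulletin above them
            entries[-1]["refs"].append(m.group("url"))
    return entries


def by_kind(entries):
    out = {"local": [], "remote": [], "other": []}
    for e in entries:
        out[e["kind"]].append(e["id"])
    return out


def patch_priority(entries):
    """Highest severity first, then bulletins flagged with a public exploit/module."""
    return [e["id"] for e in sorted(entries, key=lambda e: (
        -SEVERITY_RANK.get(e["severity"], 0), e["flag"] == "*", e["id"]))]
```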

4. Querying exploitable vulnerabilities without patch information

Query the Microsoft vulnerability database for all usable Windows Server 2008 R2 privilege escalation POC information; the command is as follows.

        windows-exploit-suggester.py --database 2017-03-20-mssb.xls --ostext "windows server 2008 r2"

The result is shown in Figure 2-9. The main exploitable vulnerability information is as follows.

Figure 2-9 Exploitable vulnerabilities on Windows Server 2008 R2

        [M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
        [M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
        [E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
        [*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
        [*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
        [*][E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
        [M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
        [M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
        [E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
        [E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
        [M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
        [M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical

5. Searching for vulnerabilities

Search by keyword, for example "MS10-061".

· Search for "MS10-061 site:exploit-db.com" in a search engine.

· Search on the packetstormsecurity website, at https://packetstormsecurity.com/search/?q=MS16-016
