2.2 Privilege Escalation Helper Tool Windows-Exploit-Suggester
This section introduces the privilege escalation helper tool Windows-Exploit-Suggester.
2.2.1 Introduction to Windows-Exploit-Suggester
Windows-Exploit-Suggester is a privilege escalation helper tool inspired by Linux_Exploit_Suggester; its official download address is https://github.com/GDSSecurity/Windows-Exploit-Suggester. It is written in Python, requires Python 3.3 or later as its runtime, and depends on the xlrd library (https://pypi.python.org/pypi/xlrd). Its main function is to compare the file generated by systeminfo against the bulletin database to discover whether the system has unpatched vulnerabilities.
Windows-Exploit-Suggester downloads Microsoft's public vulnerability database to a local file named "<date>-mssb.xls", then compares it, according to the operating system version, against the file generated by systeminfo. The Microsoft database is downloaded from http://www.microsoft.com/en-gb/download/confirmation.aspx?id=36982. The tool also tells the user whether a public exploit (EXP) and a usable Metasploit module exist for each vulnerability it reports.
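The comparison just described, as an added illustration that is not the tool's own code: a constructed systeminfo sample is parsed for the OS name and installed hotfixes, then checked against a constructed stand-in for the rows of the "<date>-mssb.xls" sheet (the names SYSTEMINFO_SAMPLE, BULLETIN_ROWS, parse_systeminfo and missing_bulletins are chosen here; the KB numbers come from the bulletin listings later in this section).

```python
import re

# Constructed sample of "systeminfo" output (not a real host); only the fields
# the comparison needs are included.
SYSTEMINFO_SAMPLE = """\
Host Name:                 WIN7SP1-LAB
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2958732
                           [02]: KB3057839
                           [03]: KB3057191
"""

# Constructed stand-in for rows of the "<date>-mssb.xls" sheet:
# (bulletin, affected product, KB that fixes it, public exploit or MSF module known).
BULLETIN_ROWS = [
    ("MS14-026", "Windows 7", "KB2958732", True),
    ("MS15-061", "Windows 7", "KB3057839", False),
    ("MS15-051", "Windows 7", "KB3057191", True),
    ("MS15-077", "Windows 7", "KB3077657", False),
    ("MS15-077", "Windows Server 2003", "KB3077657", False),
]

def parse_systeminfo(text):
    """Return (OS name, set of installed KB ids) from systeminfo output."""
    os_name = ""
    for line in text.splitlines():
        if line.startswith("OS Name:"):
            os_name = line.split(":", 1)[1].strip()
    return os_name, set(re.findall(r"\bKB\d+\b", text))

def missing_bulletins(systeminfo_text, rows):
    """Bulletins whose product matches the host's OS name and whose fixing KB
    is not in the installed hotfix list: the unpatched candidates to verify."""
    os_name, installed = parse_systeminfo(systeminfo_text)
    return [
        (bulletin, kb, exploit_known)
        for bulletin, product, kb, exploit_known in rows
        if product.lower() in os_name.lower() and kb not in installed
    ]

if __name__ == "__main__":
    for bulletin, kb, exploit_known in missing_bulletins(SYSTEMINFO_SAMPLE, BULLETIN_ROWS):
        print(f"{bulletin} missing ({kb}), public exploit: {'yes' if exploit_known else 'no'}")
```

A match of this kind knows nothing about newer KBs that supersede the listed one, so every hit is a candidate to verify against the host's actual update history rather than a confirmed missing patch.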
2.2.2 Using Windows-Exploit-Suggester
(1) Download Windows-Exploit-Suggester, Python 3.3 and xlrd
https://www.python.org/ftp/python/3.3.3/python-3.3.3.amd64.msi
https://pypi.python.org/packages/42/85/25caf967c2d496067489e0bb32df069a8361e1fd96a7e9f35408e56b3aab/xlrd-1.0.0.tar.gz#md5=9a91b688cd4945477ac28187a54f9a3b
https://codeload.github.com/GDSSecurity/Windows-Exploit-Suggester/zip/master
(2) Local installation
Install the Python 3.3.3 build for your platform. After installation, copy xlrd-1.0.0.tar.gz into the Python 3.3.3 installation directory, extract it, and run "setup.py install" at the command prompt. Otherwise the first run reports "no results", as shown in Figure 2-3, and prompts you to upgrade or install the xlrd library.
Figure 2-3 Prompt to install the xlrd library
(3) Download the vulnerability database
Generate a "<date>-mssb.xls" file in the local folder. For example, to generate 2017-03-20-mssb.xls (public material online that gives the name 2017-03-20-mssb.xlsx is wrong), run "windows-exploit-suggester.py --update", as shown in Figure 2-4; this produces the file 2017-03-20-mssb.xls.
Figure 2-4 Generating the vulnerability database file
(4) Generate the system information file
Run "systeminfo > win7sp1-systeminfo.txt" to generate win7sp1-systeminfo.txt. In a real environment the generated file can be downloaded to the local machine for comparison.
(5) View system vulnerabilities
Run "windows-exploit-suggester.py --database 2017-03-20-mssb.xls --systeminfo win7sp1-systeminfo.txt" to view the high-risk vulnerabilities present on the system. Figure 2-5 shows the result for a Windows 7 system, which reports MS14-026 as having a usable POC.
Figure 2-5 Viewing exploitable POCs on Windows 7
(6) View the help
Run "windows-exploit-suggester.py -h" to view the usage help.
2.2.3 Tips and Advanced Usage
1. Remote overflow vulnerabilities
Generate the file with systeminfo on the target system and compare it against the database. For example, to compare the system information generated on Windows Server 2003, the command is as follows.
windows-exploit-suggester.py --database 2017-03-20-mssb.xls --systeminfo win2003.txt
The result shows the remote overflow vulnerabilities MS09-043, MS09-004, MS09-002, MS09-001, MS08-078 and MS08-070, as shown in Figure 2-6.
Figure 2-6 Viewing the vulnerabilities present on Windows Server 2003
2. Auditing all vulnerabilities
Use the following command to audit all vulnerabilities. As shown in Figure 2-7, auditing a Windows Server 2003 server finds 24 vulnerabilities. "--audit -l" audits local overflow vulnerabilities and "--audit -r" audits remote overflow vulnerabilities.
Figure 2-7 Auditing all vulnerabilities
windows-exploit-suggester.py --audit --database 2017-03-20-mssb.xls --systeminfo win2003.txt
3. Searching for locally exploitable vulnerability information
Use the "-l" parameter to search for local vulnerabilities; the command is as follows.
windows-exploit-suggester.py --audit -l --database 2017-03-20-mssb.xls --systeminfo win2003-2.txt
Auditing the local vulnerabilities shows that this Windows Server 2003 host does not have the SP2 patch installed and has multiple local overflow vulnerabilities. An attacker who picks the newest bulletin number to exploit has a much higher success rate. For example, a regular account named temp was created on the lab machine; after logging in with it, the MS15-077 exploit program was run. The audit output is listed below and the result is shown in Figure 2-8.
Figure 2-8 Obtaining system privileges through a local overflow vulnerability
[*] MS15-077: Vulnerability in ATM Font Driver Could Allow Elevation of Privilege (3077657) - Important
[*] MS15-076: Vulnerability in Windows Remote Procedure Call Could Allow Elevation of Privilege (3067505) - Important
[*] MS15-075: Vulnerabilities in OLE Could Allow Elevation of Privilege (3072633) - Important
[*] MS15-074: Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (3072630) - Important
[*] MS15-073: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3070102) - Important
[*] MS15-072: Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege (3069392) - Important
[*] MS15-071: Vulnerability in Netlogon Could Allow Elevation of Privilege (3068457) - Important
[*] MS15-061: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057839) - Important
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*] https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*] https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*] MS15-050: Vulnerability in Service Control Manager Could Allow Elevation of Privilege (3055642) - Important
[*] MS15-048: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (3057134) - Important
[*] MS15-038: Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege (3045685) - Important
[*] MS15-025: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (3038680) - Important
[*] MS15-008: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3019215) - Important
[*] MS15-003: Vulnerability in Windows User Profile Service Could Allow Elevation of Privilege (3021674) - Important
[*] MS14-078: Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (2992719) - Moderate
[*] MS14-072: Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210) - Important
[E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important
[*] http://www.exploit-db.com/exploits/35936/ -- Microsoft Windows Server 2003 SP2- Privilege Escalation, PoC
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[*] http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
[*] MS14-063: Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579) - Important
[M] MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important
[*] http://www.exploit-db.com/exploits/34112/ -- Microsoft Windows XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation, PoC
[*] http://www.exploit-db.com/exploits/34982/ -- Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
[*] MS14-049: Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (2962490) - Important
[*] MS14-045: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2984615) - Important
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[*] https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64- afd.sys Privilege Escalation (MS14-040),
[*] https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[*] http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC
[E] MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important
[*] MS13-102: Vulnerability in LPC Client or LPC Server Could Allow Elevation of Privilege (2898715) - Important
[*] MS13-062: Vulnerability in Remote Procedure Call Could Allow Elevation of Privilege (2849470) - Important
[*] MS13-015: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2800277) - Important
[*] MS12-042: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167) - Important
[*] MS12-003: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524) - Important
[*] MS11-098: Vulnerability in Windows Kernel Could allow Elevation of Privilege (2633171) - Important
[*] MS11-070: Vulnerability in WINS Could Allow Elevation of Privilege (2571621) - Important
[*] MS11-051: Vulnerability in Active Directory Certificate Services Web Enrollment Could Allow Elevation of Privilege (2518295) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[*] MS10-084: Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (2360937) - Important
[*] MS09-041: Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657) - Important
[*] MS09-040: Vulnerability in Message Queuing Could Allow Elevation of Privilege (971032) - Important
[M] MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) - Important
[*] MS09-015: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426) - Moderate
[*] MS09-012: Vulnerabilities in Windows Could Allow Elevation of Privilege (959454) - Important
4. Querying exploitable vulnerabilities without patch information
To query the Microsoft bulletin database for all available Windows Server 2008 R2 privilege escalation POC information, the command is as follows.
windows-exploit-suggester.py --database 2017-03-20-mssb.xls --ostext "windows server 2008 r2"
The result is shown in Figure 2-9. The main exploitable vulnerability information is as follows.
Figure 2-9 Exploitable vulnerabilities on Windows Server 2008 R2
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8- Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8- Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
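The listings in sections 3 and 4 share one line format: a marker ([M] Metasploit module, [E] public exploit, [*] none listed), the bulletin id, the title, the KB number in parentheses and the severity, with reference URLs on following [*] lines. The following added example, not part of the tool, parses that format from a constructed sample and orders the bulletins into a patching sequence for the defender of the audited host (SUGGESTER_OUTPUT, parse_bulletins and patch_priority are names chosen here).

```python
import re

# Constructed sample in the line format Windows-Exploit-Suggester prints
# (a shortened version of the kind of listing shown above, not a captured run).
SUGGESTER_OUTPUT = """\
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[*]   http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*]   https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*] MS15-077: Vulnerability in ATM Font Driver Could Allow Elevation of Privilege (3077657) - Important
[*] MS14-078: Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (2992719) - Moderate
"""

# One bulletin line: marker, bulletin id, title, KB number in parentheses, severity.
BULLETIN_RE = re.compile(
    r"^\[(?P<tag>[EM*])\]\s+(?P<id>MS\d{2}-\d{3}):\s+(?P<title>.*?)"
    r"\s+\((?P<kb>\d+)\)\s+-\s+(?P<sev>\w+)$"
)
TAG_RANK = {"M": 0, "E": 1, "*": 2}  # Metasploit module, public exploit, none listed
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

def parse_bulletins(output):
    """Return one dict per bulletin line; the [*] URL lines that follow a
    bulletin are attached to it as references."""
    items = []
    for line in output.splitlines():
        m = BULLETIN_RE.match(line)
        if m:
            items.append(dict(m.groupdict(), refs=[]))
            continue
        url = re.search(r"https?://\S+", line)
        if url and line.startswith("[*]") and items:
            items[-1]["refs"].append(url.group(0).rstrip(","))
    return items

def patch_priority(output):
    """(bulletin, KB, marker, severity) tuples, ordered so that bulletins with a
    ready-made exploit and higher severity come first: the order to patch in."""
    items = parse_bulletins(output)
    items.sort(key=lambda d: (TAG_RANK[d["tag"]], SEVERITY_RANK.get(d["sev"], 9), d["id"]))
    return [(d["id"], "KB" + d["kb"], d["tag"], d["sev"]) for d in items]

if __name__ == "__main__":
    for bulletin, kb, tag, sev in patch_priority(SUGGESTER_OUTPUT):
        print(f"[{tag}] {bulletin} {kb} {sev}")
```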
5. Searching for exploits
Search by keyword, for example "MS10-061".
· Search "MS10-061 site:exploit-db.com" in a search engine.
· Search on the packetstormsecurity site at https://packetstormsecurity.com/search/?q=MS16-016.