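Windows-Exploit-Suggester: A Privilege-Escalation Helper Tool

1 Windows-Exploit-Suggester: A Privilege-Escalation Helper Tool

1.1 Introduction to Windows-Exploit-Suggester

1. Introduction

Windows-Exploit-Suggester is a privilege-escalation helper tool inspired by Linux_Exploit_Suggester. Its official download address is https://github.com/GDSSecurity/Windows-Exploit-Suggester. It is written in Python, runs on python3.3 and above, and requires the xlrd library (https://pypi.python.org/pypi/xlrd). Its main function is to compare against the file generated by systeminfo in order to find out whether the system has unpatched vulnerabilities.

2. How it works

Windows-Exploit-Suggester downloads Microsoft's public vulnerability database to a local file named "generation date + mssb.xls", then, according to the operating system version, compares it with the file generated by systeminfo. The Microsoft public vulnerability database can be downloaded from:

http://www.microsoft.com/en-gb/download/confirmation.aspx?id=36982. The tool also tells the user whether a public exp and a usable Metasploit module exist for each vulnerability.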
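The comparison described above, reduced to its core as an added example (this is not the tool's own code): parse the OS name and installed KB numbers out of systeminfo output, then list the bulletins whose KB is absent. The systeminfo excerpt and the product strings are constructed, the bulletin table is a simplified stand-in for the spreadsheet rows, and patch supersedence is not modelled.

```python
import re

# Constructed excerpt of `systeminfo` output (not from the original article).
SAMPLE_SYSTEMINFO = """\
Host Name:                 LAB-WIN7
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB3011780
                           [02]: KB3057191
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# Simplified stand-in for spreadsheet rows: (bulletin, KB, affected product).
# Bulletin/KB pairs are the ones quoted in this article; product strings are assumed.
SAMPLE_BULLETINS = [
    ("MS15-077", "3077657", "Windows 7"),
    ("MS15-051", "3057191", "Windows 7"),
    ("MS14-068", "3011780", "Windows 7"),
    ("MS14-070", "2989935", "Windows Server 2003"),
]

def parse_systeminfo(text):
    """Return (os_name, set of installed KB numbers) from systeminfo text."""
    m = re.search(r"^OS Name:\s*(.+)$", text, re.MULTILINE)
    os_name = m.group(1).strip() if m else ""
    # Read only the indented "[NN]: KBnnnnnnn" lines that follow "Hotfix(s):".
    kbs, in_hotfix = set(), False
    for line in text.splitlines():
        if line.startswith("Hotfix(s):"):
            in_hotfix = True
        elif in_hotfix and line.startswith(" "):
            hit = re.search(r"\]:\s*KB(\d+)", line)
            if hit:
                kbs.add(hit.group(1))
        else:
            in_hotfix = False
    return os_name, kbs

def missing_bulletins(text, bulletins):
    """List bulletins whose product matches the OS and whose KB is not installed."""
    os_name, kbs = parse_systeminfo(text)
    return [b for b, kb, product in bulletins
            if product.lower() in os_name.lower() and kb not in kbs]

if __name__ == "__main__":
    print(missing_bulletins(SAMPLE_SYSTEMINFO, SAMPLE_BULLETINS))
```

Run against a host's own systeminfo export, the same check gives a quick list of bulletins still to be patched.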

1.2 Using Windows-Exploit-Suggester

1. Download Windows-Exploit-Suggester, python3.3 and xlrd

https://www.python.org/ftp/python/3.3.3/python-3.3.3.amd64.msi

https://www.python.org/ftp/python/3.3.3/python-3.3.3.msi

https://pypi.python.org/packages/42/85/25caf967c2d496067489e0bb32df069a8361e1fd96a7e9f35408e56b3aab/xlrd-1.0.0.tar.gz#md5=9a91b688cd4945477ac28187a54f9a3b

https://codeload.github.com/GDSSecurity/Windows-Exploit-Suggester/zip/master

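2. Local installation

Install the python3.3.3 build for your platform locally. Once it is installed, copy xlrd-1.0.0.tar.gz into the python3.3.3 installation directory and extract it, then run setup.py install from the command prompt. Otherwise the first run will show no results and, as shown in Figure 1, will prompt you to upgrade or install the xlrd library.

Figure 1: Prompt to install the xlrd library

3. Download the vulnerability database

The following command generates the "generation date + mssb.xls" file in the local folder; for example, running it produces the file 2017-03-20-mssb.xls. Publicly available material online that says 2017-03-20-mssb.xlsx is generated is wrong. As shown in Figure 2, running "windows-exploit-suggester.py --update" generates the file 2017-03-20-mssb.xls.

Figure 2: Generating the vulnerability database file

4. Generate the system information file

Use the command "systeminfo > win7sp1-systeminfo.txt" to generate the file win7sp1-systeminfo.txt. In a real environment, the generated file can be downloaded to a local machine for comparison.

5. View system vulnerabilities

Use the command "windows-exploit-suggester.py --database 2017-03-20-mssb.xls --systeminfo win7sp1-systeminfo.txt" to view the high-risk vulnerabilities present on the system. Figure 3 shows the result for a win7 system, where ms14-026 is reported as a PoC that can be exploited.

Figure 3: Viewing exploitable PoCs on win7

6. View the help

Run windows-exploit-suggester.py -h to view the usage help.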

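1.3 Tips and advanced usage

1. Remote overflow vulnerabilities

Generate a file with systeminfo on the target system and run the comparison; for example, to compare the system information generated on win2003:

windows-exploit-suggester.py --database 2017-03-20-mssb.xls --systeminfo win2003.txt

The results show that the remote overflow vulnerabilities MS09-043, MS09-004, MS09-002, MS09-001, MS08-078 and MS08-070 are present.

2. Audit all vulnerabilities

Use the following command to audit all vulnerabilities. As shown in Figure 5, auditing a Windows 2003 server found 24 vulnerabilities. "--audit -l" audits local overflow vulnerabilities, and "--audit -r" audits remote overflow vulnerabilities.

windows-exploit-suggester.py --audit --database 2017-03-20-mssb.xls --systeminfo win2003.txt

Figure 5: Auditing all vulnerabilities

3. Search for locally exploitable vulnerability information

The "-l" parameter compares 78 patches against 137 known vulnerabilities. The command to search for local vulnerabilities with the "-l" parameter is:

windows-exploit-suggester.py --audit -l --database 2017-03-20-mssb.xls --systeminfo win2003-2.txt

Auditing the local vulnerabilities shows that the Windows 2003 server does not have the SP2 patch installed and has multiple local overflow vulnerabilities. When choosing among them, picking the most recent vulnerability number gives a much higher success rate. For example, on this lab machine an ordinary account named temp was created and, after logging in with it, the MS15-077 exploit program was run; the result is shown in Figure 6.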


[*] MS15-077: Vulnerability in ATM Font Driver Could Allow Elevation of Privilege (3077657) - Important

[*] MS15-076: Vulnerability in Windows Remote Procedure Call Could Allow Elevation of Privilege (3067505) - Important

[*] MS15-075: Vulnerabilities in OLE Could Allow Elevation of Privilege (3072633) - Important

[*] MS15-074: Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (3072630) - Important

[*] MS15-073: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3070102) - Important

[*] MS15-072: Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege (3069392) - Important

[*] MS15-071: Vulnerability in Netlogon Could Allow Elevation of Privilege (3068457) - Important

[*] MS15-061: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057839) - Important

[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important

[*] https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC

[*] https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF

[*] MS15-050: Vulnerability in Service Control Manager Could Allow Elevation of Privilege (3055642) - Important

[*] MS15-048: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (3057134) - Important

[*] MS15-038: Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege (3045685) - Important

[*] MS15-025: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (3038680) - Important

[*] MS15-008: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3019215) - Important

[*] MS15-003: Vulnerability in Windows User Profile Service Could Allow Elevation of Privilege (3021674) - Important

[*] MS14-078: Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (2992719) - Moderate

[*] MS14-072: Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210) - Important

[E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important

[*] http://www.exploit-db.com/exploits/35936/ -- Microsoft Windows Server 2003 SP2 - Privilege Escalation, PoC

[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical

[*] http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC

[*] MS14-063: Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579) - Important

[M] MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important

[*] http://www.exploit-db.com/exploits/34112/ -- Microsoft Windows XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation, PoC

[*] http://www.exploit-db.com/exploits/34982/ -- Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation

[*] MS14-049: Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (2962490) - Important

[*] MS14-045: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2984615) - Important

[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important

[*] https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040),

[*] https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC

[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important

[*] http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC

[E] MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important

[*] MS13-102: Vulnerability in LPC Client or LPC Server Could Allow Elevation of Privilege (2898715) - Important

[*] MS13-062: Vulnerability in Remote Procedure Call Could Allow Elevation of Privilege (2849470) - Important

[*] MS13-015: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2800277) - Important

[*] MS12-042: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167) - Important

[*] MS12-003: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524) - Important

[*] MS11-098: Vulnerability in Windows Kernel Could allow Elevation of Privilege (2633171) - Important

[*] MS11-070: Vulnerability in WINS Could Allow Elevation of Privilege (2571621) - Important

[*] MS11-051: Vulnerability in Active Directory Certificate Services Web Enrollment Could Allow Elevation of Privilege (2518295) - Important

[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important

[*] MS10-084: Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (2360937) - Important

[*] MS09-041: Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657) - Important

[*] MS09-040: Vulnerability in Message Queuing Could Allow Elevation of Privilege (971032) - Important

[M] MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) - Important

[*] MS09-015: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426) - Moderate

[*] MS09-012: Vulnerabilities in Windows Could Allow Elevation of Privilege (959454) - Important


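Figure 6: Gaining system privileges through a local overflow vulnerability

4. Query exploitable vulnerabilities without patch information

Query all available Windows Server 2008 R2 privilege-escalation PoC information in the Microsoft vulnerability database:

windows-exploit-suggester.py --database 2017-03-20-mssb.xls --ostext "windows server 2008 r2"

The results are shown in Figure 7; the main exploitable vulnerabilities are: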

[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical

[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important

[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical

[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC

[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC

[*][E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important

[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important

[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical

[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important

[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important

[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical

[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical


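Figure 7: Available vulnerabilities for Windows 2008 R2

5. Search for vulnerabilities

Search by keyword, for example MS10-061.

(1) In the Baidu browser, search for "MS10-061 site:exploit-db.com"

(2) Search on the packetstormsecurity website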

https://packetstormsecurity.com/search/?q=MS16-016

https://github.com/abatchy17/WindowsExploits
