Privilege-Escalation Helper Tool: Windows-Exploit-Suggester

Updated: 2023-07-11 20:21:46

1 Privilege-escalation helper tool: Windows-Exploit-Suggester
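1.1 Introduction to Windows-Exploit-Suggester
1. Introduction
2. How it works
Windows-Exploit-Suggester downloads Microsoft's public vulnerability database to a local file named "generation date + mssb.xls" and then, based on the operating system version, compares it against the file produced by systeminfo. Download address of Microsoft's public vulnerability database: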
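1.2 Using Windows-Exploit-Suggester
1. Download Windows-Exploit-Suggester, python3.3 and xlrd
2. Local installation
Install the python3.3.3 build for your platform locally. After installation, copy the file xlrd-1.0. into the python3.3.3 installation directory and extract it, then run setup.py install at the command prompt. Otherwise the first run shows no results and, as shown in Figure 1, prompts you to upgrade or install the xlrd library.
Figure 1: Prompt to install the xlrd library
3. Download the vulnerability database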
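The following command creates a file named "generation date + mssb.xls" in the local folder; for example, it produces the file 2017-03-20-mssb.xls. Publicly available write-ups that say it generates 2017-03-20-mssb.xlsx are wrong. As shown in Figure 2, running the command "windows-exploit-suggester.py --update" generates the file 2017-03-20-mssb.xls.
Figure 2: Generating the vulnerability database file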
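4. Generate the system information file
Use the "systeminfo > " command to generate the file. In a real environment, the generated file can be downloaded to the local machine for comparison.
5. View system vulnerabilities
Use the command "windows-exploit-suggester.py --database 2017-03-20-mssb.xls --" to view the high-risk vulnerabilities present on the system. Figure 3 shows the result for a win7 system, where ms14-026 is shown as having a usable PoC.
Figure 3: PoCs available for win7
6. View the help
Run windows-exploit-suggester.py -h to view the usage help.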
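The comparison described under "How it works" and in steps 3 to 5, reduced to a patch-gap check, as an added example that is not the tool's own code. The systeminfo text and the product column are constructed, the bulletin/KB pairs are ones quoted on this page, and the names parse_systeminfo and missing_bulletins are hypothetical.

```python
import re

# Constructed sample of `systeminfo` output (not from the original page).
SAMPLE_SYSTEMINFO = """\
Host Name:                 LAB-WIN7
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2958732
                           [02]: KB3057191
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# Stand-in for rows of the mssb.xls database: (bulletin, KB, affected product).
# Bulletin/KB pairs are quoted on this page; the product column is constructed.
SAMPLE_BULLETINS = [
    ("MS15-077", "3077657", "Windows 7"),
    ("MS15-051", "3057191", "Windows 7"),
    ("MS14-026", "2958732", "Windows 7"),
    ("MS14-068", "3011780", "Windows Server 2008 R2"),
]

def parse_systeminfo(text):
    """Return (os_name, set of installed KB numbers) from systeminfo output."""
    os_match = re.search(r"^OS Name:\s*(.+)$", text, re.MULTILINE)
    os_name = os_match.group(1).strip() if os_match else ""
    kbs, in_hotfixes = set(), False
    for line in text.splitlines():
        if line.startswith("Hotfix(s):"):
            in_hotfixes = True
        elif in_hotfixes and line[:1].isspace():
            m = re.search(r"KB(\d+)", line)
            if m:
                kbs.add(m.group(1))
        else:
            in_hotfixes = False  # any other unindented field ends the hotfix list
    return os_name, kbs

def missing_bulletins(text, bulletins):
    """Bulletins for this OS whose KB is absent from the installed hotfix list."""
    os_name, kbs = parse_systeminfo(text)
    return [b for b, kb, product in bulletins
            if product.lower() in os_name.lower() and kb not in kbs]

if __name__ == "__main__":
    print(missing_bulletins(SAMPLE_SYSTEMINFO, SAMPLE_BULLETINS))
```

This sketch ignores supersedence, so a bulletin it reports may already be covered by a later update that replaced the listed KB.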
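1.3 Tips and advanced usage
1. Remote overflow vulnerabilities
Generate the file with systeminfo on the target system and compare it; for example, comparing the system information generated on win2003:
windows-exploit-suggester.py --database 2017-03-20-mssb.xls --
The results show that the remote overflow vulnerabilities MS09-043, MS09-004, MS09-002, MS09-001, MS08-078 and MS08-070 are present.
2. Auditing all vulnerabilities
Use the following command to audit all vulnerabilities. As shown in Figure 5, auditing a windows2003 server found 24 vulnerabilities. "--audit -l" audits local overflow vulnerabilities, and "--audit -r" audits remote overflow vulnerabilities.
windows-exploit-suggester.py --audit --database 2017-03-20-mssb.
Figure 5: Auditing all vulnerabilities
3. Searching for locally exploitable vulnerability information
With the "-l" parameter, 78 patches are compared against 137 known vulnerabilities. The command to search for locally present vulnerabilities with the "-l" parameter is as follows:
windows-exploit-suggester.py --audit -l --database 2017-03-20-mssb.
The local audit shows that the Windows 2003 Server does not have the SP2 patch installed and has multiple local overflow vulnerabilities. When choosing among them, picking the most recent bulletin number gives a much higher success rate. For example, on this lab machine a standard account named temp was created, and after logging in the MS15-077 exploit program was run; the result is shown in Figure 6.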
[*] MS15-077: Vulnerability in ATM Font Driver Could Allow Elevation of Privilege (3077657) - Important
[*] MS15-076: Vulnerability in Windows Remote Procedure Call Could Allow Elevation of Privilege (3067505) - Important
[*] MS15-075: Vulnerabilities in OLE Could Allow Elevation of Privilege (3072633) - Important
[*] MS15-074: Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (3072630) - Important
[*] MS15-073: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3070102) - Important
[*] MS15-072: Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege (3069392) - Important
[*] MS15-071: Vulnerability in Netlogon Could Allow Elevation of Privilege (3068457) - Important
[*] MS15-061: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057839) - Important
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*] MS15-050: Vulnerability in Service Control Manager Could Allow Elevation of Privilege (3055642) - Important
[*] MS15-048: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (3057134) - Important
[*] MS15-038: Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege (3045685) - Important
[*] MS15-025: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (3038680) - Important
[*] MS15-008: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3019215) - Important
[*] MS15-003: Vulnerability in Windows User Profile Service Could Allow Elevation of Privilege (3021674) - Important
[*] MS14-078: Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (2992719) - Moderate
[*] MS14-072: Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210) - Important
[E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[*] MS14-063: Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579) - Important
[M] MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important
[*] MS14-049: Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (2962490) - Important
[*] MS14-045: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2984615) - Important
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[E] MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important
[*] MS13-102: Vulnerability in LPC Client or LPC Server Could Allow Elevation of Privilege (2898715) - Important
[*] MS13-062: Vulnerability in Remote Procedure Call Could Allow Elevation of Privilege (2849470) - Important
[*] MS13-015: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2800277) - Important
[*] MS12-042: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167) - Important
[*] MS12-003: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524) - Important
[*] MS11-098: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171) - Important
[*] MS11-070: Vulnerability in WINS Could Allow Elevation of Privilege (2571621) - Important
[*] MS11-051: Vulnerability in Active Directory Certificate Services Web Enrollment Could Allow Elevation of Privilege (2518295) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[*] MS10-084: Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (2360937) - Important
[*] MS09-041: Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657) - Important
[*] MS09-040: Vulnerability in Message Queuing Could Allow Elevation of Privilege (971032) - Important
[M] MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) - Important
[*] MS09-015: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426) - Moderate
[*] MS09-012: Vulnerabilities in Windows Could Allow Elevation of Privilege (959454) - Important
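Figure 6: Gaining system privileges via a local overflow vulnerability
4. Querying exploitable vulnerabilities without patch information
Query the Microsoft vulnerability database for all available privilege-escalation PoC information for windows server 2008 r2:
windows-exploit-suggester.py --database 2017-03-20-mssb.xls --ostext "windows server 2008 r2"
The results are shown in Figure 7; the main exploitable vulnerabilities are: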
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
-- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print
