0X01 Introduction:
This article focuses on three local privilege escalation vulnerabilities in the Windows win32k component.
0X02 CVE-2018-8639:
1、A double-free local privilege escalation vulnerability caused by incorrect handling of window class member objects.
2、Affected scope:
From CVE:
Windows 7
Windows Server 2012 R2
Windows RT 8.1
Windows Server 2008
Windows Server 2019
Windows Server 2012
Windows 8.1
Windows Server 2016
Windows Server 2008 R2
Windows 10 1607, 1703, 1709, 1803, 1809
From CNVD:
Windows Server 2008 R2 SP1
Windows Server 2008 SP2
Windows 7 SP1
Windows Server 2012
Windows Server 2012 R2
Windows 8.1
Windows RT 8.1 SP0
Windows 10 1607, 1703, 1709, 1803, 1809
Windows Server 2016
Windows Server 2019
3、exp:
1、https://github.com/ze0r/CVE-2018-8639-exp by ze0r (fairly high chance of a blue screen; keep it as a backup)
2、https://github.com/timwhitez/CVE-2018-8639-EXP by timwhite
4、Reproduction:
1) ze0r's exp: (I did not manage to reproduce it; this screenshot is from someone else)
2) timwhite's exp:
Usage: CVE-2018-8639-EXP.exe "command" The command is executed directly with SYSTEM privileges.
5、Summary: The first exp should be kept as a fallback, because it very easily blue-screens and crashes the target, and it is painfully slow. Its one advantage is that you escalate once and then do not have to deal with it again. The second exp is the main choice: its usage is described clearly above, and it is very stable and very fast; the drawback is that every command has to be run through this exe. Neither exp supports being invoked from a webshell; both can only be used for local privilege escalation.
6、Fix: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8639 is the official patch page; see it for the KB numbers involved.
7、Reference article: https://mp.weixin.qq.com/s/AUk91ty4JQjKQ6X2jD_Twg
0X03 CVE-2019-0803:
1、Vulnerability description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploits this vulnerability can run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
2、Affected versions:
Microsoft Windows Server 2019 0
Microsoft Windows Server 2016 0
Microsoft Windows Server 2012 R2 0
Microsoft Windows Server 2012 0
Microsoft Windows Server 2008 R2 for x64-based Systems SP1
Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 1803 0
Microsoft Windows Server 1709 0
Microsoft Windows RT 8.1
Microsoft Windows 8.1 for x64-based Systems 0
Microsoft Windows 8.1 for 32-bit Systems 0
Microsoft Windows 7 for x64-based Systems SP1
Microsoft Windows 7 for 32-bit Systems SP1
Microsoft Windows 10 Version 1809 for x64-based Systems 0
Microsoft Windows 10 Version 1809 for ARM64-based Systems 0
Microsoft Windows 10 Version 1809 for 32-bit Systems 0
Microsoft Windows 10 Version 1803 for x64-based Systems 0
Microsoft Windows 10 Version 1803 for ARM64-based Systems 0
Microsoft Windows 10 Version 1803 for 32-bit Systems 0
Microsoft Windows 10 version 1709 for x64-based Systems 0
Microsoft Windows 10 Version 1709 for ARM64-based Systems 0
Microsoft Windows 10 version 1709 for 32-bit Systems 0
Microsoft Windows 10 version 1703 for x64-based Systems 0
Microsoft Windows 10 version 1703 for 32-bit Systems 0
Microsoft Windows 10 Version 1607 for x64-based Systems 0
Microsoft Windows 10 Version 1607 for 32-bit Systems 0
Microsoft Windows 10 for x64-based Systems 0
Microsoft Windows 10 for 32-bit Systems 0
3、exp:
1、https://github.com/k8gege/K8tools
2、https://github.com/ExpLife0011/CVE-2019-0803
4、Reproduction:
1)
2)
Comparison: K8's exp is more stable, one shot and done, but the exp program has to be run each time a command is executed; ExpLife0011's is not very stable, but after escalating once, later commands no longer need the exp program.
5、Fix: https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2019-0803
6、Reference article: https://blog.csdn.net/weixin_30908649/article/details/97823518
0X04 CVE-2020-1054:
1、Vulnerability description: The vulnerability lies in the Win32k kernel module, and exploiting it ultimately results in privilege escalation. It was reported by Netanel Ben-Simon and Yoav Alon of Check Point Research and by bee13oy of the Qihoo 360 Vulcan Team. At this year's OffensiveCon20 they gave a talk titled "Bugs on the Windshield: Fuzzing the Windows Kernel", which describes in detail how they found this bug.
2、Affected versions:
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1803 (Server Core Installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
3、exp:
https://github.com/0xeb-bp/cve-2020-1054
https://github.com/HongYe-Code/CVE-2020-1054
4、Vulnerability reproduction:
Reproduction platform: Win7 x64
Exp used: https://github.com/HongYe-Code/CVE-2020-1054. To use it, download the whole project and build it into an exe with Visual Studio using the project's existing configuration.
Original exp: https://github.com/0xeb-bp/cve-2020-1054; building on a Windows platform is recommended. When downloading, just run the exe program and go through a proxy during the process, and it installs without trouble. It is only slightly slow, but the build completes in one go.
In my testing, the original exp blue-screened the target VM straight away. I do not really understand the exact reason; if you want to, read the two authors' analyses, which I link in the reference articles. In short, I recommend the second exp. Also, when reproducing, the target VM must have more than 4 GB of RAM; with 2 GB my target VM failed with the error: run out of memory allocating Bitmaps
5、Fix: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1054
6、Reference articles:
Kanxue (pediy) analysis: https://bbs.pediy.com/thread-260884.htm
Original author's article: https://0xeb-bp.github.io/blog/2020/06/15/cve-2020-1054-analysis.html
0X05 Summary: