【51CTO.com原创稿件】
一、Windows-Exploit-Suggester简介
1. 简介
Windows-Exploit-Suggester是受Linux_Exploit_Suggester其官方下载地址是受启发而开发的提权辅助工具:https://github.com/GDSSecurity/Windows-Exploit-Suggester,它是用python运行环境开发而成python3.3以上版本必须安装xlrd 库(https://pypi.python.org/pypi/xlrd),其主要功能是比较systeminfo发现系统是否存在未修复的漏洞。
2. 实现原理
Windows-Exploit-Suggester将微软公开漏洞库下载到本地“生成日期 ms *** .xls”然后根据操作系统版本跟踪文件systeminfo比较生成的文件。微软公开漏洞库下载地址:
http://www.microsoft.com/en-gb/download/confirmation.aspx?id=36982。同时,该工具还将告知用户该漏洞是否公开。exp和可用的Metasploit模块。
二、使用Windows-Exploit-Suggester
1. 下载Windows-Exploit-Suggester、python3.3以及xlrd
https://www.python.org/ftp/python/3.3.3/python-3.3.3.amd64.msihttps://pypi.python.org/packages/42/85/25caf967c2d496067489e0bb32df069a8361e1fd96a7e9f35408e56b3aab/xlrd-1.0.0.tar.gz#md5=9a91b688cd4945477ac28187a54f9a3bhttps://codeload.github.com/GDSSecurity/Windows-Exploit-Suggester/zip/master2. 本地安装
本地安装python3.3.3安装相应的平台版本程序后,文件xlrd-1.0.0.tar.gz复制到python3.3.3在安装目录下解压,然后命令提示符执行setup.py install。否则***第二次执行会议显示无结果,如图1所示,提示升级或安装xlrd库文件。
图1提示安装xlrd库文件
3. 下载漏洞库
使用以下命令将在本地文件夹下生成生成日期 ms *** .xls”例如,使用命令将生成文件2017-03-20-ms *** .xls生成网上公开资料的文件2017-03-20-ms *** .xlsx这是错误的,如图2所示,执行命令“windows-exploit-suggester.py --update”生成文件2017-03-20-ms *** .xls。
图2生成漏洞库文件
4. 生成系统信息文件
使用“systeminfo > win7sp1-systeminfo.txt”命令生成win7sp1-systeminfo.txt在真实环境中,生成的文件可以下载到本地进行比较。
5. 检查系统漏洞
使用命令“windows-exploit-suggester.py --database 2017-03-20-ms *** .xls --systeminfo win7sp1-systeminfo.txt”查看系统中的高危漏洞,如图3所示,对win7系统检查的结果显示ms14-026可用的PoC。
图3查看win7可利用的poc
6. 查看帮助文件
windows-exploit-suggester.py -h查看使用帮助。
三、技能和高级利用
1. 漏洞远程溢出
使用目标系统systeminfo比较生成文件,例如win2003比较生成的系统信息:
windows-exploit-suggester.py--database2017-03-20-ms *** .xls--systeminfowin2003.txt结果显示存在MS09-043、MS09-004、MS09-002、MS09-001、MS08-078和MS08-070远程溢出漏洞。
2. 审计所有漏洞
所有漏洞命令审计所有漏洞,如图5所示windows2003 服务器审计发现24个漏洞。“--audit -l”审计本地溢出漏洞,“--audit -r”审计远程溢出漏洞。
windows-exploit-suggester.py--audit--database2017-03-20-ms *** .xls--systeminfowin2003.txt
图5审计所有漏洞
3. 搜索本地可利用漏洞信息
“-l”比较 78 补丁,137已知漏洞。“-l”本地参数搜索的漏洞命令如下:
windows-exploit-suggester.py--audit-l--database2017-03-20-ms *** .xls--systeminfowin2003-2.txt本地漏洞的审计发现Windows 2003 server未安装SP2补丁,存在多个本地溢出漏洞,在选择上,选择***如果使用漏洞号,成功率会高很多。例如,在本实验机上建立一个普通账户temp,登录以后将MS15-077如图6所示,,效果如图6所示。
[*]MS15-077:VulnerabilityinATMFontDriverCouldAllowElevationofPrivilege(3077657)-Important[*]MS15-076:VulnerabilityinWindowsRemoteProcedureCallCouldAllowElevationofPrivilege(3067505)-Important[*]MS15-075:VulnerabilitiesinOLECouldAllowElevationofPrivilege(3072633)-Important[*]MS15-074:VulnerabilityinWindowsInstallerServiceCouldAllowElevationofPrivilege(3072630)-Important[*]MS15-073:VulnerabilitiesinWindowsKernel-ModeDriverCouldAllowElevationofPrivilege(3070102)-Important[*]MS15-072:VulnerabilityinWindowsGraphicsComponentCouldAllowElevationofPrivilege(3069392)-Important[*]MS15-071:VulnerabilityinNetlogonCouldAllowElevationofPrivilege(3068457)-Important[*]MS15-061:VulnerabilitiesinWindowsKernel-ModeDriversCouldAllowElevationofPrivilege(3057839)-Important[M]MS15-051:VulnerabilitiesinWindowsKernel-ModeDriversCouldAllowElevationofPrivilege(3057191)-Important[*]https://github.com/hfiref0x/CVE-2015-1701,Win32kElevationofPrivilegeVulnerability,PoC[*]https://www.exploit-db.com/exploits/37367/--WindowsClientCopyImageWin32kExploit,MSF[*]MS15-050:VulnerabilityinServiceControlManagerCouldAllowElevationofPrivilege(3055642)-Important[*]MS15-048:Vulnerabilitiesin.NETFrameworkCouldAllowElevationofPrivilege(3057134)-Important[*]MS15-038:VulnerabilitiesinMicrosoftWindowsCouldAllowElevationofPrivilege(3045685)-Important[*]MS15-025:VulnerabilitiesinWindowsKernelCouldAllowElevationofPrivilege(3038680)-Important[*]MS15-008:VulnerabilityinWindowsKernel-ModeDriverCouldAllowElevationofPrivilege(3019215)-Important[*]MS15-003:VulnerabilityinWindowsUserProfileServiceCouldAllowElevationofPrivilege(3021674)-Important[*]MS14-078:VulnerabilityinIME(Japanese)CouldAllowElevationofPrivilege(2992719)-Moderate[*]MS14-072:Vulnerabilityin.NETFrameworkCouldAllowElevationofPrivilege(3005210)-Important[E]MS14-070:VulnerabilityinTCP/IPCouldAllowElevationofPrivilege(2989935)-Important[*]http://www.exploit-db.com/exploits/35936/--MicrosoftWindowsServer2003SP2-PrivilegeEscalation,PoC[E]MS14-068:VulnerabilityinKerberosCouldAllowElevationofPrivilege(3011780)-Critical[*]http://www.exploit-db.com/exploits/35474/--WindowsKerberos-ElevationofPrivilege(MS14-068),PoC[*]MS14-063:VulnerabilityinFAT32DiskPartitionDriverCouldAllowElevationofPrivilege(2998579)-Important[M]MS14-062:VulnerabilityinMessageQueuingServiceCouldAllowElevationofPrivilege(2993254)-Important[*]http://www.exploit-db.com/exploits/34112/--MicrosoftWindowsXPSP3MQAC.sys-ArbitraryWritePrivilegeEscalation,PoC[*]http://www.exploit-db.com/exploits/34982/--MicrosoftBluetoothPersonalAreaNetworking(BthPan.sys)PrivilegeEscalation[*]MS14-049:VulnerabilityinWindowsInstallerServiceCouldAllowElevationofPrivilege(2962490)-Important[*]MS14-045:VulnerabilitiesinKernel-ModeDriversCouldAllowElevationofPrivilege(2984615)-Important[E]MS14-040:VulnerabilityinAncillaryFunctionDriver(AFD)CouldAllowElevationofPrivilege(2975684)-Important[*]https://www.exploit-db.com/exploits/39525/--MicrosoftWindows7x64-afd.sysPrivilegeEscalation(MS14-040),[*]https://www.exploit-db.com/exploits/39446/--MicrosoftWindows-afd.sysDanglingPointerPrivilegeEscalation(MS14-040),PoC[E]MS14-026:Vulnerabilityin.NETFrameworkCouldAllowElevationofPrivilege(2958732)-Important[*]http://www.exploit-db.com/exploits/35280/,--.NETRemotingServicesRemoteCommandExecution,PoC[E]MS14-002:VulnerabilityinWindowsKernelCouldAllowElevationofPrivilege(2914368)-Important[*]MS13-102:VulnerabilityinLPCClientorLPCServerCouldAllowElevationofPrivilege(2898715)-Important[*]MS13-062:VulnerabilityinRemoteProcedureCallCouldAllowElevationofPrivilege(2849470)-Important[*]MS13-015:Vulnerabilityin.NETFrameworkCouldAllowElevationofPrivilege(2800277)-Important[*]MS12-042:VulnerabilitiesinWindowsKernelCouldAllowElevationofPrivilege(2711167)-Important[*]MS12-003:VulnerabilityinWindowsClient/ServerRun-timeSubsystemCouldAllowElevationofPrivilege(2646524)-Important[*]MS11-098:VulnerabilityinWindowsKernelCouldallowElevationofPrivilege(2633171)-Important[*]MS11-070:VulnerabilityinWINSCouldAllowElevationofPrivilege(2571621)-Important[*]MS11-051:VulnerabilityinActiveDirectoryCertificateServicesWebEnrollmentCouldAllowElevationofPrivilege(2518295)-Important[E]MS11-011:VulnerabilitiesinWindowsKernelCouldAllowElevationofPrivilege(2393802)-Important[*]MS10-084:VulnerabilityinWindowsLocalProcedureCallCouldCauseElevationofPrivilege(2360937)-Important[*]MS09-041:VulnerabilityinWorkstationServiceCouldAllowElevationofPrivilege(971657)-Important[*]MS09-040:VulnerabilityinMessageQueuingCouldAllowElevationofPrivilege(971032)-Important[M]MS09-020:VulnerabilitiesinInternetInformationServices(IIS)CouldAllowElevationofPrivilege(970483)-Important[*]MS09-015:BlendedThreatVulnerabilityinSearchPathCouldAllowElevationofPrivilege(959426)-Moderate[*]MS09-012:VulnerabilitiesinWindowsCouldAllowElevationofPrivilege(959454)-Important
图6利用本地溢出漏洞获取系统权限
4. 可以利用漏洞查询无补丁信息
查询所有可用的微软漏洞库windows server 2008 r2提权poc信息:
windows-exploit-suggester.py--database2017-03-20-ms *** .xls--ostext"windowsserver2008r2"结果如下7所示,漏洞信息主要可用:
[M]MS13-009:CumulativeSecurityUpdateforInternetExplorer(2792100)-Critical[M]MS13-005:VulnerabilityinWindowsKernel-ModeDriverCouldAllowElevationofPrivilege(2778930)-Important[E]MS12-037:CumulativeSecurityUpdateforInternetExplorer(2699988)-Critical[*]http://www.exploit-db.com/exploits/35273/--InternetExplorer8-FixedColSpanIDFullASLR,DEP&EMET5.,PoC[*]http://www.exploit-db.com/exploits/34815/--InternetExplorer8-FixedColSpanIDFullASLR,DEP&EMET5.0Bypass(MS12-037),PoC[*][E]MS11-011:VulnerabilitiesinWindowsKernelCouldAllowElevationofPrivilege(2393802)-Important[M]MS10-073:VulnerabilitiesinWindowsKernel-ModeDriversCouldAllowElevationofPrivilege(981957)-Important[M]MS10-061:VulnerabilityinPrintSpoolerServiceCouldAllowRemoteCodeExecution(2347290)-Critical[E]MS10-059:VulnerabilitiesintheTracingFeatureforServicesCouldAllowElevationofPrivilege(982799)-Important[E]MS10-047:VulnerabilitiesinWindowsKernelCouldAllowElevationofPrivilege(981852)-Important[M]MS10-002:CumulativeSecurityUpdateforInternetExplorer(978207)-Critical[M]MS09-072:CumulativeSecurityUpdateforInternetExplorer(976325)-Critical
图7 windows 2008 R2可用漏洞
5. 搜索漏洞
例如,根据关键字搜索MS10-061。
(1)在百度浏览器中搜索“MS10-061 site:exploit-db.com”
(2) packetstormsecurity网站搜索
https://packetstormsecurity.com/search/?q=MS16-016
【51CTO原稿,合作网站转载请注明原作者和来源51CTO.com】
