【51CTO.com原創稿件】
一、Windows-Exploit-Suggester簡介
1. 簡介
Windows-Exploit-Suggester是受Linux_Exploit_Suggester的啟發而開發的一款提權輔助工具,其官方下載下傳位址:https://github.com/GDSSecurity/Windows-Exploit-Suggester,它是用python開發而成,運作環境是python3.3及以上版本,且必須安裝xlrd 庫(https://pypi.python.org/pypi/xlrd),其主要功能是通過比對systeminfo生成的檔案,進而發現系統是否存在未修複漏洞。
2. 實作原理
Windows-Exploit-Suggester通過下載下傳微軟公開漏洞庫到本地“生成日期+mssb.xls”檔案,然後根據作業系統版本,跟systeminfo生成的檔案進行比對。微軟公開漏洞庫下載下傳位址:
http://www.microsoft.com/en-gb/download/confirmation.aspx?id=36982。同時此工具還會告知使用者針對于此漏洞是否有公開的exp和可用的Metasploit子產品。
二、使用Windows-Exploit-Suggester
1. 下載下傳Windows-Exploit-Suggester、python3.3以及xlrd
https://www.python.org/ftp/python/3.3.3/python-3.3.3.amd64.msi
https://pypi.python.org/packages/42/85/25caf967c2d496067489e0bb32df069a8361e1fd96a7e9f35408e56b3aab/xlrd-1.0.0.tar.gz#md5=9a91b688cd4945477ac28187a54f9a3b
https://codeload.github.com/GDSSecurity/Windows-Exploit-Suggester/zip/master
2. 本地安裝
本地安裝python3.3.3對應平台版本程式,安裝完成後,将檔案xlrd-1.0.0.tar.gz複制到python3.3.3安裝目錄下解壓,然後指令提示符下執行setup.py install。否則***次執行會顯示無結果,如圖1所示,提示更新或者安裝xlrd庫檔案。
圖1提示安裝xlrd庫檔案
3. 下載下傳漏洞庫
使用以下指令,将在本地檔案夾下生成生成日期+mssb.xls”檔案,比如使用指令會生成2017-03-20-mssb.xls檔案,網上公開資料生成2017-03-20-mssb.xlsx是錯誤的,如圖2所示,執行指令“windows-exploit-suggester.py --update”生成檔案2017-03-20-mssb.xls。
圖2生成漏洞庫檔案
4. 生成系統資訊檔案
使用“systeminfo > win7sp1-systeminfo.txt”指令生成win7sp1-systeminfo.txt檔案,在真實環境中可以将生成的檔案下載下傳到本地進行比對。
5. 檢視系統漏洞
使用指令“windows-exploit-suggester.py --database 2017-03-20-mssb.xls --systeminfo win7sp1-systeminfo.txt”檢視系統存在的高危漏洞,如圖3所示,對win7系統進行檢視的結果,顯示ms14-026為可以利用的PoC。
圖3檢視win7可利用的poc
6. 檢視幫助檔案
windows-exploit-suggester.py -h檢視使用幫助。
三、技巧與進階利用
1. 遠端溢出漏洞
目标系統利用systeminfo生成檔案,進行比對,例如對win2003生成的系統資訊進行比對:
windows-exploit-suggester.py --database 2017-03-20-mssb.xls --systeminfo win2003.txt
結果顯示存在MS09-043、MS09-004、MS09-002、MS09-001、MS08-078和MS08-070遠端溢出漏洞。
2. 所有漏洞審計
使用以下指令進行所有漏洞的審計,如圖5所示,對windows2003 伺服器進行審計發現存在24個漏洞。“--audit -l”對本地溢出漏洞進行審計,“--audit -r”對遠端溢出漏洞進行審計。
windows-exploit-suggester.py --audit --database 2017-03-20-mssb.xls --systeminfo win2003.txt
圖5審計所有漏洞
3. 搜尋本地可利用漏洞資訊
“-l”參數比較 78 更新檔,137已知漏洞。帶“-l”參數搜尋本地存在的漏洞指令如下:
windows-exploit-suggester.py --audit -l --database 2017-03-20-mssb.xls --systeminfo win2003-2.txt
通過審計本地漏洞發現Windows 2003 server未安裝SP2更新檔,存在多個本地溢出漏洞,在選擇上,選擇***的漏洞号進行利用,成功性會高很多,例如在本次實驗機上建立一個普通賬号temp,登入以後将MS15-077漏洞利用程式進行利用,效果如圖6所示。
[*] MS15-077: Vulnerability in ATM Font Driver Could Allow Elevation of Privilege (3077657) - Important
[*] MS15-076: Vulnerability in Windows Remote Procedure Call Could Allow Elevation of Privilege (3067505) - Important
[*] MS15-075: Vulnerabilities in OLE Could Allow Elevation of Privilege (3072633) - Important
[*] MS15-074: Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (3072630) - Important
[*] MS15-073: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3070102) - Important
[*] MS15-072: Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege (3069392) - Important
[*] MS15-071: Vulnerability in Netlogon Could Allow Elevation of Privilege (3068457) - Important
[*] MS15-061: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057839) - Important
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*] https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*] https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*] MS15-050: Vulnerability in Service Control Manager Could Allow Elevation of Privilege (3055642) - Important
[*] MS15-048: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (3057134) - Important
[*] MS15-038: Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege (3045685) - Important
[*] MS15-025: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (3038680) - Important
[*] MS15-008: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3019215) - Important
[*] MS15-003: Vulnerability in Windows User Profile Service Could Allow Elevation of Privilege (3021674) - Important
[*] MS14-078: Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (2992719) - Moderate
[*] MS14-072: Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210) - Important
[E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important
[*]http://www.exploit-db.com/exploits/35936/ -- Microsoft Windows Server 2003 SP2 - Privilege Escalation, PoC
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[*] http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
[*] MS14-063: Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579) - Important
[M] MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important
[*]http://www.exploit-db.com/exploits/34112/ -- Microsoft Windows XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation, PoC
[*] http://www.exploit-db.com/exploits/34982/ -- Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
[*] MS14-049: Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (2962490) - Important
[*] MS14-045: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2984615) - Important
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[*]https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040),
[*]https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[*]http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC
[E] MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important
[*] MS13-102: Vulnerability in LPC Client or LPC Server Could Allow Elevation of Privilege (2898715) - Important
[*] MS13-062: Vulnerability in Remote Procedure Call Could Allow Elevation of Privilege (2849470) - Important
[*] MS13-015: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2800277) - Important
[*] MS12-042: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167) - Important
[*] MS12-003: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524) - Important
[*] MS11-098: Vulnerability in Windows Kernel Could allow Elevation of Privilege (2633171) - Important
[*] MS11-070: Vulnerability in WINS Could Allow Elevation of Privilege (2571621) - Important
[*] MS11-051: Vulnerability in Active Directory Certificate Services Web Enrollment Could Allow Elevation of Privilege (2518295) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[*] MS10-084: Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (2360937) - Important
[*] MS09-041: Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657) - Important
[*] MS09-040: Vulnerability in Message Queuing Could Allow Elevation of Privilege (971032) - Important
[M] MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) - Important
[*] MS09-015: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426) - Moderate
[*] MS09-012: Vulnerabilities in Windows Could Allow Elevation of Privilege (959454) - Important
圖6利用本地溢出漏洞擷取系統權限
4. 查詢無更新檔資訊的可利用漏洞
查詢微軟漏洞庫中所有可用的windows server 2008 r2提權poc資訊:
windows-exploit-suggester.py --database 2017-03-20-mssb.xls --ostext "windows server 2008 r2"
結果顯示如下7所示,主要可利用漏洞資訊有:
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*][E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
圖7 windows 2008 R2可用漏洞
5. 搜尋漏洞
根據關鍵字進行搜尋例如MS10-061。
(1)在百度浏覽器中搜尋“MS10-061 site:exploit-db.com”
(2) packetstormsecurity網站搜尋
https://packetstormsecurity.com/search/?q=MS16-016
【51CTO原創稿件,合作站點轉載請注明原文作者和出處為51CTO.com】
【編輯推薦】
【責任編輯:IT瘋 TEL:(010)68476606】
點贊 0