A Collection of Windows Privilege Escalation Exploits from the Last 20 Years
2022-07-27 08:30:32 Author: 天驿安全

Source: https://github.com/Ascotbe/Kernelhub

Source: https://www.ascotbe.com/2020/08/10/KernelHub/#%E5%88%A9%E7%94%A8%E6%96%B9%E5%BC%8F-4

Foreword

This project is a collection of Windows privilege-escalation exploits. Every entry except the ones that failed testing comes with a detailed write-up and a demo GIF. Note that the catalog is broader than local privilege escalation: it also carries several remote code execution and denial-of-service entries (for example CVE-2020-1472, CVE-2020-0796 and CVE-2018-0833), so check the description column before assuming an entry is a local exploit. If code in this project is yours and I have not credited the source, please open an Issue.

Entries that failed testing

The following CVEs were selected for the project but could not be reproduced. The reason is noted beside each one; PRs are welcome.

Security Bulletin | Remarks
CVE-2015-0002 | Source available; could not reproduce
CVE-2015-0062 | Source and EXP available; could not reproduce
CVE-2015-1725 | Source available; build method unknown
CVE-2016-3309 | Source and EXP available; could not reproduce
CVE-2014-6321 | Only a winshock_test.sh file is available
CVE-2019-0859 | Requires Windows 7 SP1 x64 with the March 2019 updates installed
CVE-2018-8440 |
CVE-2018-1038 | Source available; build method unknown
CVE-2013-5065 | NDProxy environment not available
CVE-2013-0008 |
CVE-2009-0079 | Exploitation failed
CVE-2011-0045 | No working EXP found
CVE-2010-2554 | No working EXP found
CVE-2005-1983 | Source and EXP available; could not reproduce
CVE-2012-0002 | Blue screen (DoS) only; no practical exploitation value
CVE-2010-0020 | No working EXP found
CVE-2014-6324 |
CVE-2018-0743 | No exploitation PoC found

Catalog

Security Bulletin | Description | Operating System
CVE-2020-1472 | Netlogon Elevation of Privilege | Windows 2008/2012/2016/2019/1903/1909/2004
CVE-2020-0796 | SMBv3 Remote Code Execution | Windows 1903/1909
CVE-2020-0787 | Windows Background Intelligent Transfer Service | Windows 7/8/10/2008/2012/2016/2019
CVE-2019-1458 | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/2016
CVE-2019-1388 | Windows Certificate Dialog Elevation of Privilege | Windows 7/8/2008/2012/2016/2019
CVE-2019-0859 | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/2016/2019
CVE-2019-0803 | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/2016/2019
CVE-2018-8639 | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/2016/2019
CVE-2018-8453 | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/2016/2019
CVE-2018-8440 | Windows ALPC Elevation of Privilege | Windows 7/8/10/2008/2012/2016
CVE-2018-8120 | Win32k Elevation of Privilege | Windows 7/2008
CVE-2018-1038 | Windows Kernel Elevation of Privilege | Windows 7/2008
CVE-2018-0743 | Windows Subsystem for Linux Elevation of Privilege | Windows 10/2016
CVE-2018-0833 | SMBv3 Null Pointer Dereference Denial of Service | Windows 8/2012
CVE-2017-8464 | LNK Remote Code Execution | Windows 7/8/10/2008/2012/2016
CVE-2017-0213 | Windows COM Elevation of Privilege | Windows 7/8/10/2008/2012/2016
CVE-2017-0143 | SMBv1 Server Remote Code Execution (MS17-010) | Windows 7/8/10/2008/2012/2016/Vista
CVE-2017-0101 | GDI Palette Objects Local Privilege Escalation | Windows 7/8/10/2008/2012/Vista
CVE-2016-7255 | Windows Kernel Mode Drivers | Windows 7/8/10/2008/2012/2016/Vista
CVE-2016-3371 | Windows Kernel Elevation of Privilege | Windows 7/8/10/2008/2012/Vista
CVE-2016-3309 | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/Vista
CVE-2016-3225 | Windows SMB Server Elevation of Privilege | Windows 7/8/10/2008/2012/Vista
CVE-2016-0099 | Secondary Logon Handle | Windows 7/8/10/2008/2012/Vista
CVE-2016-0095 | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/Vista
CVE-2016-0051 | WebDAV Elevation of Privilege | Windows 7/8/10/2008/2012/Vista
CVE-2016-0041 | Win32k Memory Corruption Elevation of Privilege | Windows 7/8/10/2008/2012/Vista
CVE-2015-2546 | Win32k Memory Corruption Elevation of Privilege | Windows 7/8/10/2008/2012/Vista
CVE-2015-2387 | ATMFD.DLL Memory Corruption | Windows 7/8/2003/2008/2012/Vista/RT
CVE-2015-2370 | Windows RPC Elevation of Privilege | Windows 7/8/10/2003/2008/2012/Vista
CVE-2015-1725 | Win32k Elevation of Privilege | Windows 7/8/10/2003/2008/2012/Vista
CVE-2015-1701 | Windows Kernel Mode Drivers | Windows 7/2003/2008/Vista
CVE-2015-0062 | Windows Create Process Elevation of Privilege | Windows 7/8/2008/2012
CVE-2015-0057 | Win32k Elevation of Privilege | Windows 7/8/2003/2008/2012/Vista
CVE-2015-0003 | Win32k Elevation of Privilege | Windows 7/8/2003/2008/2012/Vista
CVE-2015-0002 | Microsoft Application Compatibility Infrastructure Elevation of Privilege | Windows 7/8/2003/2008/2012
CVE-2014-6324 | Kerberos Checksum Vulnerability | Windows 7/8/2003/2008/2012/Vista
CVE-2014-6321 | Microsoft Schannel Remote Code Execution | Windows 7/8/2003/2008/2012/Vista
CVE-2014-4113 | Win32k.sys Elevation of Privilege | Windows 7/8/2003/2008/2012/Vista
CVE-2014-4076 | TCP/IP Elevation of Privilege | Windows 2003
CVE-2014-1767 | Ancillary Function Driver Elevation of Privilege | Windows 7/8/2003/2008/2012/Vista
CVE-2013-5065 | NDProxy.sys | Windows XP/2003
CVE-2013-1345 | Kernel Driver | Windows 7/8/2003/2008/2012/Vista/RT/XP
CVE-2013-1332 | DirectX Graphics Kernel Subsystem Double Fetch | Windows 7/8/2003/2008/2012/Vista/RT
CVE-2013-0008 | Win32k Improper Message Handling | Windows 7/8/2008/2012/Vista/RT
CVE-2012-0217 | User Mode Scheduler Memory Corruption (SYSRET) | Windows 7/2003/2008/XP
CVE-2012-0002 | Remote Desktop Protocol | Windows 7/2003/2008/Vista/XP
CVE-2011-2005 | Ancillary Function Driver Elevation of Privilege | Windows 2003/XP
CVE-2011-1974 | NDISTAPI Elevation of Privilege | Windows 2003/XP
CVE-2011-1249 | Ancillary Function Driver Elevation of Privilege | Windows 7/2003/2008/Vista/XP
CVE-2011-0045 | Windows Kernel Integer Truncation | Windows XP
CVE-2010-4398 | Driver Improper Interaction with Windows Kernel | Windows 7/2003/2008/Vista/XP
CVE-2010-3338 | Task Scheduler | Windows 7/2008/Vista
CVE-2010-2554 | Tracing Registry Key ACL | Windows 7/2008/Vista
CVE-2010-1897 | Win32k Window Creation | Windows 7/2003/2008/Vista/XP
CVE-2010-0270 | SMB Client Transaction | Windows 7/2008
CVE-2010-0233 | Windows Kernel Double Free | Windows 2000/2003/2008/Vista/XP
CVE-2010-0020 | SMB Pathname Overflow | Windows 7/2000/2003/2008/Vista/XP
CVE-2009-2532 | SMBv2 Command Value | Windows 2008/Vista
CVE-2009-0079 | Windows RPCSS Service Isolation | Windows 2003/XP
CVE-2008-4250 | Server Service | Windows 2000/2003/Vista/XP
CVE-2008-4037 | SMB Credential Reflection | Windows 2000/2003/2008/Vista/XP
CVE-2008-3464 | AFD Kernel Overwrite | Windows 2003/XP
CVE-2008-1084 | Win32k.sys | Windows 2000/2003/2008/Vista/XP
CVE-2006-3439 | Server Service Remote Code Execution (MS06-040) | Windows 2000/2003/XP
CVE-2005-1983 | PnP Service | Windows 2000/XP
CVE-2003-0352 | Buffer Overrun In RPC Interface | Windows 2000/2003/XP/NT
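The table above is only useful on an engagement once it is matched against a concrete target. The following Python script is an added example, not code from the KernelHub project: it parses a constructed subset of the rows, derives the table's OS tokens from a host's `systeminfo` output, and lists the entries whose OS column matches. Assumptions made here and not stated on the page: the table's "8" is taken to cover Windows 8.1 (the project tests on 8.1 ISOs), "2008" and "2012" are taken to cover the R2 releases, and Windows 10 / Server 1903, 1909 and 2004 are recognised from their build numbers (18362, 18363, 19041). Hotfix level is deliberately not checked because the page carries no CVE-to-KB mapping, so the output is a list of candidates to verify against installed updates, not confirmed vulnerabilities.

```python
import re

# Constructed subset of the page's catalog: CVE | description | OS list as printed.
CATALOG = """\
CVE-2020-1472|Netlogon Elevation of Privilege|Windows 2008/2012/2016/2019/1903/1909/2004
CVE-2020-0796|SMBv3 Remote Code Execution|Windows 1903/1909
CVE-2020-0787|Windows Background Intelligent Transfer Service|Windows 7/8/10/2008/2012/2016/2019
CVE-2019-1458|Win32k Elevation of Privilege|Windows 7/8/10/2008/2012/2016
CVE-2018-8120|Win32k Elevation of Privilege|Windows 7/2008
CVE-2015-1701|Windows Kernel Mode Drivers|Windows 7/2003/2008/Vista
CVE-2014-4113|Win32k.sys Elevation of Privilege|Windows 7/8/2003/2008/2012/Vista
CVE-2013-5065|NDProxy.sys|Windows XP/2003
"""

# Windows 10 / Server feature-update build numbers -> the tokens the table uses.
# These builds are distinguished only by "OS Version", not by "OS Name".
BUILD_TO_TOKEN = {18362: "1903", 18363: "1909", 19041: "2004"}

# Assumption: the table's coarse "8" token covers 8.1. "2008"/"2012" are likewise
# assumed to cover the R2 releases (the regex only extracts the four-digit year).
ALIASES = {"8.1": "8"}


def parse_catalog(text=CATALOG):
    """Return [(cve, description, {lower-cased OS tokens})] from the pipe-separated rows."""
    rows = []
    for line in text.strip().splitlines():
        cve, desc, oses = line.split("|")
        tokens = {t.strip().lower() for t in oses.replace("Windows", "", 1).split("/")}
        rows.append((cve, desc, tokens))
    return rows


def target_tokens(systeminfo):
    """Derive the table's OS tokens from `systeminfo` output.

    Only "OS Name" and "OS Version" are used. Hotfixes are ignored on purpose:
    the page gives no CVE-to-KB mapping, so patch level must be checked separately.
    """
    name = re.search(r"OS Name:\s*(.+)", systeminfo)
    if not name:
        raise ValueError("no 'OS Name' line in systeminfo output")
    # "8.1" must precede "8" and "10" is tried after the single-digit tokens.
    m = re.search(r"Windows(?:\(R\))?\s+(?:Server\s+)?(XP|Vista|8\.1|7|8|10|\d{4})",
                  name.group(1))
    if not m:
        raise ValueError("unrecognised OS Name: " + name.group(1))
    token = ALIASES.get(m.group(1), m.group(1)).lower()
    tokens = {token}
    version = re.search(r"OS Version:\s*10\.0\.(\d+)", systeminfo)
    if version and int(version.group(1)) in BUILD_TO_TOKEN:
        tokens.add(BUILD_TO_TOKEN[int(version.group(1))])
    return tokens


def candidates(systeminfo, text=CATALOG):
    """CVEs whose listed OS set intersects the target's tokens, in catalog order."""
    want = target_tokens(systeminfo)
    return [(cve, desc) for cve, desc, oses in parse_catalog(text) if oses & want]


if __name__ == "__main__":
    # Constructed systeminfo excerpt, not captured from a real host.
    sample = (
        "Host Name:                 WIN10-LAB\n"
        "OS Name:                   Microsoft Windows 10 Enterprise\n"
        "OS Version:                10.0.18363 N/A Build 18363\n"
    )
    for cve, desc in candidates(sample):
        print(cve, desc)
```

Feed it the real `systeminfo` output of the target (redirected to a file and read in) and extend CATALOG with the remaining rows of the table in the same pipe format; the OS-token matching is the only part that needs care, since the table's tokens are coarser than Windows SKUs.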

Required environment

  • Test target systems

    #Windows 7 SP1 X64
    ed2k://|file|cn_windows_7_home_premium_with_sp1_x64_dvd_u_676691.iso|3420557312|1A3CF44F3F5E0BE9BBC1A938706A3471|/
    #Windows 7 SP1 X86
    ed2k://|file|cn_windows_7_home_premium_with_sp1_x86_dvd_u_676770.iso|2653276160|A8E8BD4421174DF34BD14D60750B3CDB|/
    #Windows Server 2008 R2 SP1 X64
    ed2k://|file|cn_windows_server_2008_r2_standard_enterprise_datacenter_and_web_with_sp1_x64_dvd_617598.iso|3368839168|D282F613A80C2F45FF23B79212A3CF67|/
    #Windows Server 2003 R2 SP2 x86
    ed2k://|file|cn_win_srv_2003_r2_enterprise_with_sp2_vl_cd1_X13-46432.iso|637917184|284DC0E76945125035B9208B9199E465|/
    #Windows Server 2003 R2 SP2 x64
    ed2k://|file|cn_win_srv_2003_r2_enterprise_x64_with_sp2_vl_cd1_X13-47314.iso|647686144|107F10D2A7FF12FFF0602FF60602BB37|/
    #Windows Server 2008 SP2 x86
    ed2k://|file|cn_windows_server_standard_enterprise_and_datacenter_with_sp2_x86_dvd_x15-41045.iso|2190057472|E93B029C442F19024AA9EF8FB02AC90B|/
    #Windows Server 2000 SP4 x86
    ed2k://|file|ZRMPSEL_CN.iso|402690048|00D1BDA0F057EDB8DA0B29CF5E188788|/
    #Windows Server 2003 SP2 x86
    thunder://QUFodHRwOi8vcy5zYWZlNS5jb20vV2luZG93c1NlcnZlcjIwMDNTUDJFbnRlcnByaXNlRWRpdGlvbi5pc29aWg==
    #Windows 8.1 x86
    ed2k://|file|cn_windows_8_1_enterprise_x86_dvd_2972257.iso|3050842112|6B60ABF8282F943FE92327463920FB67|/
    #Windows 8.1 x64
    ed2k://|file|cn_windows_8_1_x64_dvd_2707237.iso|4076017664|839CBE17F3CE8411E8206B92658A91FA|/
    #Windows 10 1709 x64
    ed2k://|file|cn_windows_10_multi-edition_vl_version_1709_updated_dec_2017_x64_dvd_100406208.iso|5007116288|317BDC520FA2DD6005CBA8293EA06DF6|/
  • Linux build environment (cross-compiling with MinGW)

    sudo vim /etc/apt/sources.list
    # Append the following line to the end of sources.list: deb http://us.archive.ubuntu.com/ubuntu trusty main universe
    sudo apt-get update
    sudo apt-get install mingw32 mingw32-binutils mingw32-runtime
    sudo apt-get install gcc-mingw-w64-i686 g++-mingw-w64-i686 mingw-w64-tools
  • Windows build environment

    VS2019 (with the V142, V141, V120, V110, V100, V141_xp, V120_xp and V110_xp toolsets and MFC installed)

About errors

Given the size of the project, typos and missing CVE identifiers are hard to avoid. If you find an error, please open an Issue to help me maintain the project.

Disclaimer

This project is intended only for lawfully authorised enterprise security work. When using it for testing, you must ensure the activity complies with local laws and regulations and that you have obtained sufficient authorisation.

If you engage in any unlawful activity while using this project, you bear the consequences yourself; we accept no legal or joint liability.

Before using this project, read and fully understand every clause. Clauses that limit or exclude liability, or otherwise concern your material interests, may be highlighted in bold or underlined. Do not use this project unless you have fully read, completely understood and accepted all terms of this agreement. Using the project, or indicating acceptance in any other express or implied way, is deemed to mean you have read and agree to be bound by this agreement.

Reference projects and sites

  • windows-kernel-exploits

  • WindowsExploits

  • Exploits

  • CVE

  • CVE Details


Article source: http://mp.weixin.qq.com/s?__biz=MzkxNjIxNDQyMQ==&mid=2247491002&idx=1&sn=656ab1a92310058d0edbab8f1368dfba&chksm=c1521a40f6259356eda605dadd032a8846a42bb277774e0304279e5749c24e12d6f770f0d141#rd