Windows Win32k 权限提权漏洞

0X01  简介:

  本篇文章将集中介绍三个利用windows win32k服务提权的漏洞。

0X02  CVE-2018-8639:

    1、未正确处理窗口类成员对象导致的Double-free类型本地权限提升漏洞。

    2、影响范围:

来自CVE:
Windows 7
Windows Server 2012 R2
Windows RT 8.1
Windows Server 2008
Windows Server 2019
Windows Server 2012
Windows 8.1
Windows Server 2016
Windows Server 2008 R2
Windows 10 1607、1703、1709、1803、1809

来自CNVD:
Windows Server 2008 R2 SP1
Windows Server 2008 SP2
Windows 7 SP1
Windows Server 2012
Windows Server 2012 R2
Windows 8.1
Windows RT 8.1 SP0
Windows 10 1607、1703、1709、1803、1809
Windows Server 2016
Windows Server 2019

    3、exp:

1、https://github.com/ze0r/CVE-2018-8639-exp    来自ze0r大佬。(蓝屏几率比较高,作为备用)
2、https://github.com/timwhitez/CVE-2018-8639-EXP    来自timwhite大佬

    4、复现:

    1)ze0r大佬的exp:(我未复现成功,这是别的大佬的图)

    

    2)timwhite大佬的exp:

    使用方法:CVE-2018-8639-EXP.exe "命令"        这里会直接以system权限执行命令。

    

   5、总结:第一个exp可作为备用的来用,因为这个exp很容易蓝屏导致目标崩溃。而且提权速度很感人。好处一点是,可以提一次权,然后就不用管了;第二个exp作为主要提权选择,使用方式上面说的很清楚,很稳定、并且很速度很快,缺点是每次执行命令都必须使用这个exe程序。上述两个exp均不支持webshell调用,只能用于本地提权。

   6、修复:https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8639         官方补丁地址,涉及到的补丁编号参考官方补丁地址。

   7、参考文章: https://mp.weixin.qq.com/s/AUk91ty4JQjKQ6X2jD_Twg

0X03  cve-2019-0803:

  1、漏洞描述:当 Win32k 组件无法正确处理内存中的对象时,Windows 中存在特权提升漏洞。成功利用此漏洞的攻击者可以在内核模式中运行任意代码。攻击者可随后安装程序;查看、更改或删除数据;或者创建拥有完全用户权限的新帐户。

  2、影响版本:

Microsoft Windows Server 2019 0
Microsoft Windows Server 2016 0
Microsoft Windows Server 2012 R2 0
Microsoft Windows Server 2012 0
Microsoft Windows Server 2008 R2 for x64-based Systems SP1
Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 1803 0
Microsoft Windows Server 1709 0
Microsoft Windows RT 8.1
Microsoft Windows 8.1 for x64-based Systems 0
Microsoft Windows 8.1 for 32-bit Systems 0
Microsoft Windows 7 for x64-based Systems SP1
Microsoft Windows 7 for 32-bit Systems SP1
Microsoft Windows 10 Version 1809 for x64-based Systems 0
Microsoft Windows 10 Version 1809 for ARM64-based Systems 0
Microsoft Windows 10 Version 1809 for 32-bit Systems 0
Microsoft Windows 10 Version 1803 for x64-based Systems 0
Microsoft Windows 10 Version 1803 for ARM64-based Systems 0
Microsoft Windows 10 Version 1803 for 32-bit Systems 0
Microsoft Windows 10 version 1709 for x64-based Systems 0
Microsoft Windows 10 Version 1709 for ARM64-based Systems 0
Microsoft Windows 10 version 1709 for 32-bit Systems 0
Microsoft Windows 10 version 1703 for x64-based Systems 0
Microsoft Windows 10 version 1703 for 32-bit Systems 0
Microsoft Windows 10 Version 1607 for x64-based Systems 0
Microsoft Windows 10 Version 1607 for 32-bit Systems 0
Microsoft Windows 10 for x64-based Systems 0
Microsoft Windows 10 for 32-bit Systems 0

  3、exp:

1、https://github.com/k8gege/K8tools
2、https://github.com/ExpLife0011/CVE-2019-0803

  1)

  

  4、复现:

    1)

    

    

    2)

    

    

    比较:K8师傅的exp更稳定一些,一发入魂。但是执行命令的时候需要运行exp程序;ExpLife0011师傅的虽然不是很稳,但是一次提权,后面执行命令就不需要再执行exp程序了。

  5、修复:https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2019-0803

  6、参考文章:https://blog.csdn.net/weixin_30908649/article/details/97823518

0X04  CVE-2020-1054:

  1、漏洞描述:漏洞存在于Win32k内核模块中,利用该漏洞最终会造成权限提升。该漏洞由Check Point Research的Netanel Ben-Simon和Yoav Alon以及奇虎360 Vulcan Team的bee13oy报告。他们在今年的OffensiveCon20会议上发表了名为 Bugs on the Windshield: Fuzzing the Windows Kernel 的演讲。在演讲中详细介绍了他们找到这个bug的过程。

  2、影响版本:

Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1803 (Server Core Installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)

  3、exp:https://github.com/0xeb-bp/cve-2020-1054

       https://github.com/HongYe-Code/CVE-2020-1054

  4、漏洞复现:

    复现的平台是:win7 x64

    使用的exp为:https://github.com/HongYe-Code/CVE-2020-1054,具体使用方法先将整个项目下载下来,然后根据项目原有配置使用visual studio编译成exe文件即可。

    

 

   原版exp:https://github.com/0xeb-bp/cve-2020-1054,建议使用windows平台构建。下载的时候直接运行exe程序,过程中使用梯子,即可顺利安装。只不过速度会稍稍有点慢。但是可以一次直接构建完成。

     在使用的时候,原本的exp直接把靶机打蓝屏了。具体原因不太懂,有想了解具体原因的,可以看两位大佬的原理分析。我会在参考文章中贴出来。总得来说,建议使用第二个exp 另外在复现的时候,靶机的内存必须超过4g,我的靶机内存为2g的时候,会报错:run out of memory allocating Bitmaps

  5、修复:https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1054

  6、参考文章:

    看雪分析文章:https://bbs.pediy.com/thread-260884.htm

    原版大佬文章:https://0xeb-bp.github.io/blog/2020/06/15/cve-2020-1054-analysis.html

0X05  总结:

  提权tips
  补丁号有很多个,不同的系统补丁号不一样,有时新的补丁包含旧洞补丁旧的补丁号会被替换掉,所以每次提权都应该先到官方查看下对应补丁号。
不要老是查询有没旧的补丁号,然后再去提权,没有旧的补丁号不代表没补。
  漏洞修复链接:   
    https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2019-0803
    https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2019-0708
  两者只是漏洞编号不一致,其他都相同。
posted @ 2020-07-06 22:05  夜尽终会天明  阅读(1239)  评论(0编辑  收藏  举报