Windows by default are vulnerable to several vulnerabilities that could allow an attacker to execute malicious code in order to abuse a system. From the other side patching systems sufficiently is one of the main problems in security. Even if an organization has a patching policy in place if important patches are not implemented immediately this can still give short window to an attacker to exploit a vulnerability and escalate his privileges inside a system and therefore inside the network.

This article will discuss how to identify missing patches related to privilege escalation and the necessary code to exploit the issue.

Discovery of Missing Patches

The discovery of missing patches can be identified easily either through manual methods or automatic. Manually this can be done easily be executing the following command which will enumerate all the installed patches.

wmic qfe get Caption,Description,HotFixID,InstalledOn

The output will be similar to this:

Enumeration of Installed Patches

The HotFixID can be used in correlation with the table below in order to discover any missing patches related to privilege escalation. As the focus is on privilege escalation the command can be modified slightly to discover patches based on the KB number.

wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3136041" /C:"KB4018483"

Alternatively this can be done automatically via Metasploit, Credential Nessus Scan or via a custom script that will look for missing patches related to privilege escalation.

Metasploit

There is a Metasploit module which can quickly identify any missing patches based on the Knowledge Base number and specifically patches for which there is a Metasploit module.

post/windows/gather/enum_patches

Metasploit – Patches Enumeration

Windows Exploit Suggester

Gotham Digital Security released a tool with the name Windows Exploit Suggester which compares the patch level of a system against the Microsoft vulnerability database and can be used to identify those exploits that could lead to privilege escalation. The only requirement is that requires the system information from the target.

Windows Exploit Suggester

PowerShell

There is also a PowerShell script which target to identify patches that can lead to privilege escalation. This script is called Sherlock and it will check a system for the following:

  • MS10-015 : User Mode to Ring (KiTrap0D)
  • MS10-092 : Task Scheduler
  • MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
  • MS13-081 : TrackPopupMenuEx Win32k NULL Page
  • MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
  • MS15-051 : ClientCopyImage Win32k
  • MS15-078 : Font Driver Buffer Overflow
  • MS16-016 : ‘mrxdav.sys’ WebDAV
  • MS16-032 : Secondary Logon Handle
  • CVE-2017-7199 : Nessus Agent 6.6.2 – 6.10.3 Priv Esc

The output of this tool can be seen below:

Sherlock – Missing Patches

Sherlock – Identification of Privilege Escalation Patches

Privilege Escalation Table

The following table has been compiled to assist in the process of privilege escalation due to lack of sufficient patching.

Operating System Description Security Bulletin KB Exploit
Windows Server 2016 Windows Kernel Mode Drivers MS16-135 3199135 Exploit

Github
Windows Server 2008 ,7,8,10 Windows Server 2012 Secondary Logon Handle MS16-032 3143141  GitHub

ExploitDB

Metasploit
Windows Server 2008, Vista, 7 WebDAV MS16-016 3136041 Github
Windows Server 2003, Windows Server 2008, Windows 7, Windows 8, Windows 2012 Windows Kernel Mode Drivers MS15-051 3057191 GitHub

ExploitDB

Metasploit
Windows Server 2003, Windows Server 2008, Windows Server 2012, 7, 8 Win32k.sys MS14-058 3000061 GitHub

ExploitDB

Metasploit
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 AFD Driver MS14-040 2975684 Python

EXE

ExploitDB

Github
Windows XP, Windows Server 2003 Windows Kernel MS14-002 2914368 Metasploit
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 Kernel Mode Driver MS13-005 2778930 Metasploit

ExploitDB

GitHub
Windows Server 2008, 7 Task Scheduler MS10-092 2305420 Metasploit

ExploitDB
Windows Server 2003, Windows Server 2008, 7, XP  KiTrap0D MS10-015 977165 Exploit

ExploitDB

GitHub

Metasploit
Windows Server 2003, XP NDProxy MS14-002 2914368 Exploit

ExploitDB

ExploitDB

Github
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 Kernel Driver MS15-061 3057839 Github
Windows Server 2003, XP AFD.sys MS11-080 2592799 EXE

Metasploit

ExploitDB
Windows Server 2003, XP NDISTAPI MS11-062 2566454 ExploitDB
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 RPC MS15-076 3067505 Github
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 Hot Potato MS16-075 3164038 GitHub

PowerShell

HotPotato
Windows Server 2003, Windows Server 2008, 7, XP Kernel Driver MS15-010 3036220 GitHub

ExploitDB
Windows Server 2003, Windows Server 2008, 7, XP AFD.sys MS11-046 2503665 EXE

ExploitDB

windows内核提权的更多相关文章

  1. msf利用- windows内核提权漏洞

    windows内核提权漏洞 环境: Kali Linux(攻击机) 192.168.190.141 Windows2003SP2(靶机) 192.168.190.147 0x01寻找可利用的exp 实 ...

  2. Windows原理深入学习系列-Windows内核提权

    这是[信安成长计划]的第 22 篇文章 0x00 目录 0x01 介绍 0x02 替换 Token 0x03 编辑 ACL 0x04 修改 Privileges 0x05 参考文章 继续纠正网上文章中 ...

  3. 2018-2019-2 20165215《网络对抗技术》Exp10 Final Windows本地内核提权+Exploit-Exercises Nebula学习与实践

    目录 PART ONE :Windows本地内核提权 漏洞概述 漏洞原理 漏洞复现 windbg调试本地内核 查看SSDT表和SSDTShadow表 查看窗口站结构体信息 利用Poc验证漏洞 漏洞利用 ...

  4. 9.CVE-2016-5195(脏牛)内核提权漏洞分析

    漏洞描述: 漏洞编号:CVE-2016-5195 漏洞名称:脏牛(Dirty COW) 漏洞危害:低权限用户利用该漏洞技术可以在全版本Linux系统上实现本地提权 影响范围:Linux内核>=2 ...

  5. Linux本地内核提权漏洞复现(CVE-2019-13272)

    Linux本地内核提权漏洞复现(CVE-2019-13272) 一.漏洞描述 当调用PTRACE_TRACEME时,ptrace_link函数将获得对父进程凭据的RCU引用,然后将该指针指向get_c ...

  6. CVE-2019-13272:Linux本地内核提权漏洞复现

    0x00 简介 2019年07月20日,Linux正式修复了一个本地内核提权漏洞.通过此漏洞,攻击者可将普通权限用户提升为Root权限. 0x01 漏洞概述 当调用PTRACE_TRACEME时,pt ...

  7. ssh远程端口转发&&windows系统提权之信息收集&&网安工具分享(部分)

    一.ssh远程端口转发 背景:当我们在渗透过程中,获取到内网的一台仅有内网IP的服务器后,我们可以通过ssh隧道,将内网某个主机的端口进行远程转发 1.网络拓扑图 假设获取的服务器为web服务器,we ...

  8. windows下提权基础

    拿到webshell很多时候代表渗透的开始,下面带来windows提权基础 环境:虚拟机 win7系统 首先:查看权限whoami 我们知道windows的高权限应该是administrator和sy ...

  9. 新Windows本地提权漏洞学习(CVE-2019-0841)

    1.这是一个啥漏洞? 睁眼一看,妈呀本地提权,快加入本地提权漏洞利用包里,速度加入.github连接我就不发了.担心被认为是传播黑客工具,咱们在这里单纯学习一下漏洞的原理和部分源代码. 2.文件读写权 ...

随机推荐

  1. python爬取斗图网中的 “最新套图”和“最新表情”

    1.分析斗图网 斗图网地址:http://www.doutula.com 网站的顶部有这两个部分: 先分析“最新套图” 发现地址栏变成了这个链接,我们在点击第二页 可见,每一页的地址栏只有后面的pag ...

  2. 180719-Quick-Task 动态脚本支持框架之使用介绍篇

    文章链接:https://liuyueyi.github.io/hexblog/2018/07/19/180719-Quick-Task-动态脚本支持框架之使用介绍篇/ Quick-Task 动态脚本 ...

  3. fastdfs+nginx+image_filter安装与生成缩略图

    fastdfs简介 类似google FS的一个轻量级分布式文件系统,纯C实现,支持linux.FreeBSD等UNIX系统: 只能通过API访问,不支持POXIS: 文件不分块存储,上传的文件和OS ...

  4. 英特尔近日发布最新版实感™ SDK R5 (v7)

    英特尔开发人员专区 原文地址 英特尔® 实感™ SDK 的 7.0.23.8048 版本(也称为 R5)现已推出.您将看到的主要变化包括: 支持英特尔® 实感™ SR300 摄像头:应于 2016 年 ...

  5. vue cli 3 +jquery

    const webpack = require('webpack')module.exports = { // baseUrl type:{string} default:'/' // 将部署应用程序 ...

  6. Numpy入门笔记第二天

    # 数组的组合 import numpy as np arr1 = np.arange(5) arr2 = np.arange(3) print arr1 print arr2 [0 1 2 3 4] ...

  7. LeetCode 148——排序链表

    1. 题目 2. 解答 2.1 快速排序 可参考 快速排序和归并排序 中的第一种快速排序思想,与在数组中排序有两点不同. 第一,我们需要取最后一个元素作为主元,在数组中可以直接访问到最后一个元素,但在 ...

  8. 利用Tensorflow进行自然语言处理(NLP)系列之二高级Word2Vec

    本篇也同步笔者另一博客上(https://blog.csdn.net/qq_37608890/article/details/81530542) 一.概述 在上一篇中,我们介绍了Word2Vec即词向 ...

  9. POJ2528的另一种解法(线段切割)

    题目:Mayor's posters 原文地址 首先本题题意是:有一面墙,被等分为1QW份,一份的宽度为一个单位宽度.现在往墙上贴N张海报,每张海报的宽度是任意 的,但是必定是单位宽度的整数倍,且&l ...

  10. 《我是IT小小鸟》读笔

    兴趣是第一原则.一定要根据自己的兴趣确定发展方向,不要盲目从众和跟风.没有一个人的经历是可以复制的,多思考,不要照搬他人的做法,学习一下想法还是可以的,具体方法因人而异.学习软件技术时,不仅在知识节点 ...