windwos提权漏洞CVE-2023-21746复现(LocalPotato)

kztm

0x01 漏洞原理

LocalPotato攻击是一种针对本地认证的NTLM反射攻击。

Windows NTLM 在进行身份验证时存在漏洞,允许拥有低权限的本地攻 击者通过运行特制程序将权限提升至 SYSTEM。

0x02 影响版本

Windows Server 2012 R2
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 
1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 
Windows Server 2012 R2 (Server Core installation)
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows 10 Version 22H2 for 32-bit Systems
Windows 10 Version 22H2 for ARM64-based Systems
Windows 10 Version 22H2 for x64-based Systems
Windows 11 Version 22H2 for x64-based Systems
Windows 11 Version 22H2 for ARM64-based Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 11 version 21H2 for ARM64-based Systems
Windows 11 version 21H2 for x64-based Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems

0x02 漏洞复现exp

参考https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc
1、编译RpcClient文件生成exe,编译SpringCSP生成dll

2、查找具有可写权限的系统路径,使用命令
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -v Path

以e盘的go路径为例
3、将SprintCSP.dll复制到可写路径

4、直接运行RpcClient,出现如下提示即表示提权成功

第一次执行的时候提示我windows StorSvc服务即(Storage server)没有开,但我记得这个服务是默认开启的,运行执行services.msc查看

原先是自动(延迟启动),修改为自动后重启重新复现成功。
5、提权成功会在在C:\ProgramData路径下会生成一个whoamiall.txt文件,里面写有whoami的返回结果

分类:

技术点:

相关文章:

猜你喜欢
相关资源
相似解决方案
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode