Saturday, November 22, 2014

Notes about Windows Privilege Escalation

I need to research and understand Windows privilege escalation better, so this is the beginning of the journey.

Links to a couple of web pages that I have found to be great:
http://pentestmonkey.net/tools/windows-privesc-check
http://www.fuzzysecurity.com/tutorials/16.html
http://www.fuzzysecurity.com/tutorials/18.html
http://www.slideshare.net/harmj0y/power-up-34515686

accesschk.exe from the Sysinternals Suite (for checking the permissions on services, files and registry keys that a low-privileged user can modify)

Looking more closely at the Windows privilege escalation Python script (windows-privesc-check), I was curious how it discovers the installed Windows patches and cross-references them against Metasploit.  I found that the following link leads to an Excel spreadsheet containing all of the Windows security bulletins:

http://www.microsoft.com/en-us/download/details.aspx?id=36982

From fuzzysecurity.com I extracted some of the privilege escalation KB numbers (check whether each hotfix is installed with wmic qfe or systeminfo; if one is absent, the corresponding exploit may apply):
KiTrap0D (MS10-015) - KB979682
MS10-021 - KB979683
MS10-059 - KB982799
MS11-011 - KB2393802
MS11-080 - KB2592799

Local exploit modules pulled from Metasploit's search output (module - rank - description):
--------------------------------------------------------

exploit/windows/local/always_install_elevated - excellent - Windows AlwaysInstallElevated MSI
exploit/windows/local/bypassuac_injection - excellent - Windows Escalate UAC Protection Bypass (In Memory Injection)
exploit/windows/local/ms10_015_kitrap0d - great - Windows SYSTEM Escalation via KiTrap0D
exploit/windows/local/ms10_092_schelevator - excellent - Windows Escalate Task Scheduler XML Privilege Escalation
exploit/windows/local/ms11_080_afdjoinleaf - average - MS11-080 AfdJoinLeaf Privilege Escalation
exploit/windows/local/ms13_005_hwnd_broadcast - excellent - MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation
exploit/windows/local/ms13_053_schlamperei - average - Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)
exploit/windows/local/ms13_081_track_popup_menu - average - Windows TrackPopupMenuEx Win32k NULL Page
exploit/windows/local/ms13_097_ie_registry_symlink - great - MS13-097 Registry Symlink IE Sandbox Escape
exploit/windows/local/ms14_009_ie_dfsvc - great - MS14-009 .NET Deployment Service IE Sandbox Escape
exploit/windows/local/ms_ndproxy - average - MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation
exploit/windows/local/ppr_flatten_rec - average - Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation
exploit/windows/local/trusted_service_path - excellent - Windows Service Trusted Path Privilege Escalation
exploit/windows/local/virtual_box_guest_additions - average - VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation

post/windows/escalate - also look at the post-exploitation modules under this path.


Pulled from the exploit-db files.csv index on Kali Linux (entries tagged with an MS bulletin that mention escalation or elevation).  Note that not every hit is a usable local exploit: the type column shows 14611 is a dos PoC and 3804 is remote.
-----------------------------------------------------------------
root@p9jer5:/usr/share/exploitdb# grep -e "MS0" -e "MS1" files.csv | grep -i -e "escala" -e "elevation"

350,platforms/windows/local/350.c,"MS Windows 2000 Utility Manager Privilege Elevation Exploit (MS04-019)",2004-07-14,"Cesar Cerrudo",windows,local,0
351,platforms/windows/local/351.c,"MS Windows 2K POSIX Subsystem Privilege Escalation Exploit (MS04-020)",2004-07-17,bkbll,windows,local,0
1198,platforms/windows/local/1198.c,"MS Windows CSRSS Local Privilege Escalation Exploit (MS05-018)",2005-09-06,eyas,windows,local,0
1407,platforms/windows/local/1407.c,"MS Windows 2k Kernel APC Data-Free Local Escalation Exploit (MS05-055)",2006-01-05,SoBeIt,windows,local,0
1911,platforms/windows/local/1911.c,"MS Windows XP/2K (Mrxsmb.sys) Privilege Escalation PoC (MS06-030)",2006-06-14,"Ruben Santamarta ",windows,local,0
2412,platforms/windows/local/2412.c,"MS Windows (Windows Kernel) Privilege Escalation Exploit (MS06-049)",2006-09-21,SoBeIt,windows,local,0
3688,platforms/windows/local/3688.c,"MS Windows GDI Local Privilege Escalation Exploit (MS07-017)",2007-04-08,Ivanlef0u,windows,local,0
3755,platforms/windows/local/3755.c,"MS Windows GDI Local Privilege Escalation Exploit (MS07-017) 2",2007-04-17,"Lionel d'Hauenens",windows,local,0
3804,platforms/windows/remote/3804.txt,"MS Windows (.ANI) GDI Remote Elevation of Privilege Exploit (MS07-017)",2007-04-26,"Lionel d'Hauenens",windows,remote,0
5518,platforms/windows/local/5518.txt,"MS Windows XP SP2 (win32k.sys) Privilege Escalation Exploit (MS08-025)",2008-04-28,"Ruben Santamarta ",windows,local,0
14611,platforms/windows/dos/14611.c,"Microsoft Windows 'SfnLOGONNOTIFY' Local Privilege Escalation Vulnerability (MS10-048)",2010-08-10,MJ0011,windows,dos,0
18176,platforms/windows/local/18176.py,"Windows Afd.sys - Privilege Escalation Exploit (MS11-080)",2011-11-30,ryujin,windows,local,0
21844,platforms/windows/local/21844.rb,"MS11-080 AfdJoinLeaf Privilege Escalation",2012-10-10,metasploit,windows,local,0
27296,platforms/windows/local/27296.rb,"MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation",2013-08-02,metasploit,windows,local,0
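As an added example (not code from this page, from windows-privesc-check, or from any of the linked tutorials), the Python below does the correlation these notes circle around: it pulls the installed hotfixes out of wmic qfe output, compares them against the bulletin/KB table extracted from fuzzysecurity above, and for each missing patch looks up the Metasploit local modules and the exploit-db files.csv rows that target it. The wmic output is a constructed sample for a hypothetical host; the KB table, module names and CSV rows are copied from the lists above; the function names (correlate and its helpers) are my own.

```python
"""Correlate installed hotfixes with the privesc KB table, the Metasploit
local exploit names and the exploit-db files.csv rows listed in these notes.
Added example; not part of windows-privesc-check or any other project."""
import csv
import io
import re
from typing import Dict, List, Set

# Bulletin -> hotfix table as listed in the notes (KiTrap0D is MS10-015).
PRIVESC_KBS: Dict[str, str] = {
    "MS10-015": "KB979682",   # KiTrap0D
    "MS10-021": "KB979683",
    "MS10-059": "KB982799",
    "MS11-011": "KB2393802",
    "MS11-080": "KB2592799",
}

# Metasploit module names copied from the search output in the notes.
MSF_LOCAL_MODULES = [
    "exploit/windows/local/ms10_015_kitrap0d",
    "exploit/windows/local/ms10_092_schelevator",
    "exploit/windows/local/ms11_080_afdjoinleaf",
    "exploit/windows/local/ms13_005_hwnd_broadcast",
    "exploit/windows/local/ms13_053_schlamperei",
    "exploit/windows/local/ms13_081_track_popup_menu",
    "exploit/windows/local/ms13_097_ie_registry_symlink",
    "exploit/windows/local/ms14_009_ie_dfsvc",
]

# Constructed sample of `wmic qfe get Caption,Description,HotFixID,InstalledOn`
# output for a hypothetical host (not captured from a real machine).
# Three of the five patches from the table are present.
SAMPLE_WMIC_QFE = """\
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=979683   Security Update  KB979683   4/14/2010
http://support.microsoft.com/?kbid=982799   Security Update  KB982799   8/11/2010
http://support.microsoft.com/?kbid=2393802  Security Update  KB2393802  2/9/2011
"""

# Rows copied from the exploit-db files.csv grep in the notes (same format).
SAMPLE_FILES_CSV = """\
350,platforms/windows/local/350.c,"MS Windows 2000 Utility Manager Privilege Elevation Exploit (MS04-019)",2004-07-14,"Cesar Cerrudo",windows,local,0
18176,platforms/windows/local/18176.py,"Windows Afd.sys - Privilege Escalation Exploit (MS11-080)",2011-11-30,ryujin,windows,local,0
21844,platforms/windows/local/21844.rb,"MS11-080 AfdJoinLeaf Privilege Escalation",2012-10-10,metasploit,windows,local,0
27296,platforms/windows/local/27296.rb,"MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation",2013-08-02,metasploit,windows,local,0
"""

KB_RE = re.compile(r"\bKB\d+\b")
BULLETIN_RE = re.compile(r"\bMS\d{2}-\d{3}\b", re.IGNORECASE)
FILES_CSV_FIELDS = ["id", "file", "description", "date", "author", "platform", "type", "port"]


def installed_hotfixes(wmic_output: str) -> Set[str]:
    """Collect every KB identifier in wmic qfe output.

    Matching the KB token rather than fixed column offsets keeps this robust
    against the ragged column widths wmic emits."""
    return set(KB_RE.findall(wmic_output))


def missing_patches(installed: Set[str]) -> Dict[str, str]:
    """Return bulletin -> KB for every privesc patch not in `installed`."""
    return {b: kb for b, kb in PRIVESC_KBS.items() if kb not in installed}


def msf_modules_for(bulletin: str) -> List[str]:
    """Metasploit names use ms11_080 where the bulletin is MS11-080."""
    prefix = bulletin.lower().replace("-", "_") + "_"
    return [m for m in MSF_LOCAL_MODULES if m.rsplit("/", 1)[-1].startswith(prefix)]


def parse_files_csv(text: str) -> List[Dict[str, object]]:
    """Parse exploit-db files.csv rows, tagging each with the bulletins it names."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(FILES_CSV_FIELDS):
            continue  # skip blank or malformed lines
        row: Dict[str, object] = dict(zip(FILES_CSV_FIELDS, rec))
        row["bulletins"] = {b.upper() for b in BULLETIN_RE.findall(rec[2])}
        rows.append(row)
    return rows


def exploitdb_for(bulletin: str, rows: List[Dict[str, object]], local_only: bool = True) -> List[str]:
    """exploit-db ids whose description cites `bulletin` (local exploits only by default)."""
    return [str(r["id"]) for r in rows
            if bulletin.upper() in r["bulletins"] and (not local_only or r["type"] == "local")]


def correlate(wmic_output: str, files_csv: str) -> Dict[str, Dict[str, object]]:
    """For each missing privesc patch, list the Metasploit modules and
    exploit-db entries that target it."""
    rows = parse_files_csv(files_csv)
    report: Dict[str, Dict[str, object]] = {}
    for bulletin, kb in missing_patches(installed_hotfixes(wmic_output)).items():
        report[bulletin] = {
            "kb": kb,
            "metasploit": msf_modules_for(bulletin),
            "exploitdb": exploitdb_for(bulletin, rows),
        }
    return report


if __name__ == "__main__":
    for bulletin, info in correlate(SAMPLE_WMIC_QFE, SAMPLE_FILES_CSV).items():
        print(f"{bulletin} ({info['kb']}) missing: msf={info['metasploit']} edb={info['exploitdb']}")
```

On the constructed sample the host lacks KB979682 and KB2592799, so the report names MS10-015 (Metasploit ms10_015_kitrap0d, no local exploit-db row in the excerpt) and MS11-080 (ms11_080_afdjoinleaf plus exploit-db 18176 and 21844). A missing hotfix only means the exploit is worth trying; the bulletin's KB numbers differ per OS version, so confirm the mapping against the bulletin spreadsheet linked above before drawing conclusions.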
