Tuesday, May 1, 2018

Manually replacing a process's token

Title: Elevating a process's privileges under the kernel debugger.

Preface:
One important topic in security is privilege.
For an operating system, the essential security concerns are these two:
1. The permissions of the process (user) itself, i.e. the token.
2. The permissions of the object itself, e.g. files, registry keys, processes, threads, mutexes, etc.
3. And the structures related to both of the above.

But the CPU has yet another notion of privilege, e.g. the commonly mentioned ring 0, the memory attributes of the cs code segment, etc.

Then there are vulnerabilities,

and also the security of networks, cryptography, communications, and so on,

and all kinds of non-technical security.

Enough chatter; on to the main topic.

--------------------------------------------------------------------------------------------------

Open a cmd.exe, type whoami in it, and it shows:
C:\Users\Administrator>whoami
desktop-aps5qst\administrator

Attach the kernel debugger and perform the following steps:

Look at the process's token and the token of the System process.

0: kd> vertarget
Windows 10 Kernel Version 16299 MP (4 procs) Free x64
Built by: 16299.15.amd64fre.rs3_release.170928-1534
Machine Name:
Kernel base = 0xfffff801`b020e000 PsLoadedModuleList = 0xfffff801`b056fff0
Debug session time: Fri Feb 23 08:55:50.166 2018 (UTC + 8:00)
System Uptime: 0 days 0:17:06.651
0: kd> dt nt!_eprocess token 
   +0x358 Token : _EX_FAST_REF
0: kd> dt _EX_FAST_REF
ntdll!_EX_FAST_REF
   +0x000 Object           : Ptr64 Void
   +0x000 RefCnt           : Pos 0, 4 Bits
   +0x000 Value            : Uint8B
0: kd> !process 0 0 system
PROCESS ffff9c804d0b9040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001aa000  ObjectTable: ffffc201774031c0  HandleCount: 2336.
    Image: System
0: kd> dq ffff9c804d0b9040+358 L1
ffff9c80`4d0b9398  ffffc201`7741804a
0: kd> ? ffffc201`7741804a & ffffffff`fffffff0
Evaluate expression: -68163425173440 = ffffc201`77418040
0: kd> !token ffffc201`77418040
_TOKEN 0xffffc20177418040
TS Session ID: 0
User: S-1-5-18
User Groups: 
 00 S-1-5-32-544
    Attributes - Default Enabled Owner 
 01 S-1-1-0
    Attributes - Mandatory Default Enabled 
 02 S-1-5-11
    Attributes - Mandatory Default Enabled 
 03 S-1-16-16384
    Attributes - GroupIntegrity GroupIntegrityEnabled 
Primary Group: S-1-5-18
Privs: 
 02 0x000000002 SeCreateTokenPrivilege            Attributes - 
 03 0x000000003 SeAssignPrimaryTokenPrivilege     Attributes - 
 04 0x000000004 SeLockMemoryPrivilege             Attributes - Enabled Default 
 05 0x000000005 SeIncreaseQuotaPrivilege          Attributes - 
 07 0x000000007 SeTcbPrivilege                    Attributes - Enabled Default 
 08 0x000000008 SeSecurityPrivilege               Attributes - 
 09 0x000000009 SeTakeOwnershipPrivilege          Attributes - 
 10 0x00000000a SeLoadDriverPrivilege             Attributes - 
 11 0x00000000b SeSystemProfilePrivilege          Attributes - Enabled Default 
 12 0x00000000c SeSystemtimePrivilege             Attributes - 
 13 0x00000000d SeProfileSingleProcessPrivilege   Attributes - Enabled Default 
 14 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes - Enabled Default 
 15 0x00000000f SeCreatePagefilePrivilege         Attributes - Enabled Default 
 16 0x000000010 SeCreatePermanentPrivilege        Attributes - Enabled Default 
 17 0x000000011 SeBackupPrivilege                 Attributes - 
 18 0x000000012 SeRestorePrivilege                Attributes - 
 19 0x000000013 SeShutdownPrivilege               Attributes - 
 20 0x000000014 SeDebugPrivilege                  Attributes - Enabled Default 
 21 0x000000015 SeAuditPrivilege                  Attributes - Enabled Default 
 22 0x000000016 SeSystemEnvironmentPrivilege      Attributes - 
 23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default 
 25 0x000000019 SeUndockPrivilege                 Attributes - 
 28 0x00000001c SeManageVolumePrivilege           Attributes - 
 29 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default 
 30 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default 
 31 0x00000001f SeTrustedCredManAccessPrivilege   Attributes - 
 32 0x000000020 SeRelabelPrivilege                Attributes - 
 33 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes - Enabled Default 
 34 0x000000022 SeTimeZonePrivilege               Attributes - Enabled Default 
 35 0x000000023 SeCreateSymbolicLinkPrivilege     Attributes - Enabled Default 
 36 0x000000024 SeDelegateSessionUserImpersonatePrivilege  Attributes - Enabled Default 
Authentication ID:         (0,3e7)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: *SYSTEM*           TokenFlags: 0x2000 ( Token in use )
Token ID: 3eb              ParentToken ID: 0
Modified ID:               (0, 3ec)
RestrictedSidCount: 0      RestrictedSids: 0x0000000000000000
OriginatingLogonSession: 0
PackageSid: (null)
CapabilityCount: 0      Capabilities: 0x0000000000000000
LowboxNumberEntry: 0x0000000000000000
Security Attributes:
Invalid AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION with no claims
Process Token TrustLevelSid: S-1-19-1024-8192

Look at the token of the cmd.exe process.

0: kd> !process 0 0 cmd.exe
PROCESS ffff9c804e97f080
    SessionId: 1  Cid: 10a4    Peb: fc49f44000  ParentCid: 1224
    DirBase: 9d213000  ObjectTable: ffffc201852a6900  HandleCount:  43.
    Image: cmd.exe
0: kd> dq ffff9c804e97f080+358 L1
ffff9c80`4e97f3d8  ffffc201`80ee306b
0: kd> ? ffffc201`80ee306b & ffffffff`fffffff0
Evaluate expression: -68163262861216 = ffffc201`80ee3060
0: kd> !token ffffc201`80ee3060
_TOKEN 0xffffc20180ee3060
TS Session ID: 0x1
User: S-1-5-21-4121102992-2463281863-3266931683-500
User Groups: 
 00 S-1-5-21-4121102992-2463281863-3266931683-513
    Attributes - Mandatory Default Enabled 
 01 S-1-1-0
    Attributes - Mandatory Default Enabled 
 02 S-1-5-114
    Attributes - DenyOnly 
 03 S-1-5-21-4121102992-2463281863-3266931683-1000
    Attributes - Mandatory Default Enabled 
 04 S-1-5-32-544
    Attributes - DenyOnly 
 05 S-1-5-32-545
    Attributes - Mandatory Default Enabled 
 06 S-1-5-4
    Attributes - Mandatory Default Enabled 
 07 S-1-2-1
    Attributes - Mandatory Default Enabled 
 08 S-1-5-11
    Attributes - Mandatory Default Enabled 
 09 S-1-5-15
    Attributes - Mandatory Default Enabled 
 10 S-1-5-113
    Attributes - Mandatory Default Enabled 
 11 S-1-5-5-0-263777
    Attributes - Mandatory Default Enabled LogonId 
 12 S-1-2-0
    Attributes - Mandatory Default Enabled 
 13 S-1-5-64-10
    Attributes - Mandatory Default Enabled 
 14 S-1-16-8192
    Attributes - GroupIntegrity GroupIntegrityEnabled 
Primary Group: S-1-5-21-4121102992-2463281863-3266931683-513
Privs: 
 19 0x000000013 SeShutdownPrivilege               Attributes - 
 23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default 
 25 0x000000019 SeUndockPrivilege                 Attributes - 
 33 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes - 
 34 0x000000022 SeTimeZonePrivilege               Attributes - 
Authentication ID:         (0,40725)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: User32             TokenFlags: 0x2a00 ( Token in use )
Token ID: 327462           ParentToken ID: 40728
Modified ID:               (0, 40731)
RestrictedSidCount: 0      RestrictedSids: 0x0000000000000000
OriginatingLogonSession: 3e7
PackageSid: (null)
CapabilityCount: 0      Capabilities: 0x0000000000000000
LowboxNumberEntry: 0x0000000000000000
Security Attributes:
Unable to get the offset of nt!_AUTHZBASEP_SECURITY_ATTRIBUTE.ListLink
Process Token TrustLevelSid: (null)

The most important step is this single operation:

0: kd> eq ffff9c80`4e97f3d8 ffffc201`77418040
0: kd> g

Below is the verification:

C:\Users\Administrator>whoami
nt authority\system

However, looking in procexp.exe at this point, the privileges of the corresponding conhost.exe still have not changed.
Also, the Security properties of cmd.exe cannot be opened, presumably because of insufficient privileges.
Note: procexp.exe needs to be reopened at this point, otherwise it still shows the old information.
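As an added example (not code from the original post), here is a small Python triage check of the kind used in memory forensics: it decodes EPROCESS.Token the way the session above does (masking off the low 4 bits, which _EX_FAST_REF uses as a cached reference count) and flags any _TOKEN object referenced by more than one process. A process normally gets its own duplicated primary token, so a shared token pointer is exactly the trace the eq command above leaves behind. The process list is constructed for the example, not a real capture.

```python
from collections import defaultdict

# Constructed sample: (image name, Cid, raw EPROCESS.Token value as WinDbg prints it).
# Values are modelled on the session above but are constructed, not captured.
SAMPLE_PROCESSES = [
    ("System",       0x0004, "ffffc201`7741804a"),
    ("svchost.exe",  0x0310, "ffffc201`7f22a06c"),
    ("explorer.exe", 0x1224, "ffffc201`80e3106b"),
    ("cmd.exe",      0x10a4, "ffffc201`77418040"),   # points at System's _TOKEN
]

EX_FAST_REF_MASK = 0xF  # low 4 bits of _EX_FAST_REF hold the cached RefCnt


def parse_windbg_hex(text):
    """Parse a 64-bit value as WinDbg prints it, e.g. ffffc201`7741804a."""
    return int(text.replace("`", ""), 16)


def decode_fast_ref(value):
    """Split an _EX_FAST_REF into (object pointer, cached reference count)."""
    return value & ~EX_FAST_REF_MASK, value & EX_FAST_REF_MASK


def find_shared_tokens(processes):
    """Return {token_ptr: [(image, cid), ...]} for _TOKEN objects used by >1 process."""
    by_token = defaultdict(list)
    for image, cid, raw in processes:
        obj, _refcnt = decode_fast_ref(parse_windbg_hex(raw))
        by_token[obj].append((image, cid))
    return {tok: users for tok, users in by_token.items() if len(users) > 1}


def report(processes):
    """One human-readable line per shared token; empty list means nothing suspicious."""
    lines = []
    for tok, users in sorted(find_shared_tokens(processes).items()):
        names = ", ".join(f"{img} (Cid {cid:04x})" for img, cid in users)
        lines.append(f"token {tok:#018x} shared by: {names}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_PROCESSES):
        print(line)
```

On the constructed list this reports the System/cmd.exe pair; on a live system the same comparison can be made from the debugger or a memory dump by walking the process list and reading the Token field at the offset shown by dt nt!_eprocess token.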


--------------------------------------------------------------------------------------------------


References:
https://www.anquanke.com/post/id/87292
https://blog.xpnsec.com/becoming-system/

made by correy
made at 9:32 2018/2/23
http://correy.webs.com
