Windows privilege escalation vulnerability CVE-2023-21746 reproduction (LocalPotato)

Posted by 我是菜狗2 on 2023-02-20

0x01 How the vulnerability works

The LocalPotato attack is an NTLM reflection attack against local authentication.

Windows NTLM has a flaw in its authentication handling that allows a local attacker with low privileges to escalate to SYSTEM by running a specially crafted program.

0x02 Affected versions

Windows Server 2012 R2
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2012 R2 (Server Core installation)
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows 10 Version 22H2 for 32-bit Systems
Windows 10 Version 22H2 for ARM64-based Systems
Windows 10 Version 22H2 for x64-based Systems
Windows 11 Version 22H2 for x64-based Systems
Windows 11 Version 22H2 for ARM64-based Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 11 version 21H2 for ARM64-based Systems
Windows 11 version 21H2 for x64-based Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems

0x03 Reproducing the vulnerability (exp)

Reference: https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc

1. Compile RpcClient to produce the exe, and compile SprintCSP to produce the dll.

2. Find a directory on the system PATH that is writable, using the command:

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -v Path

Here the go directory on drive E is used as the example.

3. Copy SprintCSP.dll into the writable directory.

4. Run RpcClient directly; when the prompt shown below appears, the escalation has succeeded.

The first time I ran it, it reported that the Windows StorSvc service (Storage Service) was not running. I remembered this service being enabled by default, so I opened services.msc to check.

It was originally set to Automatic (Delayed Start); after changing it to Automatic and rebooting, the reproduction succeeded.

5. On a successful escalation, a file named whoamiall.txt is created under C:\ProgramData containing the output of whoami.
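The precondition in step 2, a directory on the machine-wide PATH that low-privileged users can write to, is what a defender should audit for on every host. The following PowerShell script is an added example, not code from the post or from the referenced repository; the list of low-privileged principals and the write-rights mask are assumptions you may need to extend for your environment.

```powershell
# Added audit (not from the post or the referenced repository): list entries of
# the machine-wide PATH that low-privileged principals can write to. Any hit is
# the precondition the StorSvc DLL-load step above depends on and should have
# its ACL tightened or be removed from PATH.
$envKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$rawPath = (Get-ItemProperty -Path $envKey -Name Path).Path

# Assumed set of principals every local account belongs to; extend as needed.
$lowPriv = @('Everyone', 'BUILTIN\Users',
             'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a caller create or replace a file in the directory.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::CreateFiles -bor $fsr::CreateDirectories -bor
                   $fsr::WriteData -bor $fsr::Delete -bor
                   $fsr::ChangePermissions -bor $fsr::TakeOwnership)
$genericWrite = 0x50000000   # GENERIC_WRITE | GENERIC_ALL as they appear in raw ACEs

function Test-LowPrivWritable {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $rule.IdentityReference.Value) { continue }
        $rights = [int]$rule.FileSystemRights
        if (($rights -band $writeMask) -ne 0 -or ($rights -band $genericWrite) -ne 0) {
            return $rule   # first ACE granting write-class rights to a low-priv group
        }
    }
    return $null
}

foreach ($entry in ($rawPath -split ';' | Where-Object { $_ })) {
    $dir = [Environment]::ExpandEnvironmentVariables($entry).TrimEnd('\')
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A missing PATH entry also deserves a look: if a low-privileged user can
        # create it, the same DLL search-order abuse applies.
        Write-Output ("MISSING    {0}" -f $dir)
        continue
    }
    try {
        $hit = Test-LowPrivWritable -Directory $dir
    } catch {
        Write-Output ("UNREADABLE {0}  ({1})" -f $dir, $_.Exception.Message)
        continue
    }
    if ($hit) {
        Write-Output ("WRITABLE   {0}  by {1} ({2})" -f $dir,
                      $hit.IdentityReference, $hit.FileSystemRights)
    }
}
```

Run it from an elevated shell so every directory's ACL can be read; a WRITABLE line such as the E:\go example above is exactly the condition that makes this technique work on a host.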
