MS15-0 7 6(CVE-2 0 1 5-2 3 7 0 vulnerability) the use of analysis-vulnerability warning-the black bar safety net

2015-08-15T00:00:00
ID MYHACK58:62201565765
Type myhack58
Reporter 佚名
Modified 2015-08-15T00:00:00

Description

2 0 1 5 year 7 month 1 4 day,that is,a month ago, on that busy Tuesday,Microsoft fixes exist on the Windows platform in a number of Privilege escalation vulnerabilities. In these vulnerabilities,there is a presence in the DCOM/RPC vulnerability,this vulnerability allows an attacker to initiate a NTLM authentication request,and then will be able to monitor the target host of the TCP socket communication data. This problem is caused by Google's security research team of James Forshaw(@tiraniddo)found. About this vulnerability detailed information as well as the potential use of the method can be Click here to view. His article describes in detail the attacker's attack the ideas,they can use the NTLM returns the data,and then through the ingenious method to obtain the target system's access permissions,and without system administrator privileges to the malicious file is written to the’C:\Windows\(2)’directory. Now,if you want to try to use this vulnerability to elevate account privileges,then this method has no effect. So,researchers naturally will thought of,will exploit the way to to the target host disk of arbitrary position is written to an arbitrary file. Fortunately,Forshaw also on a symbolic link and a communication link such areas through a lot of research,and these knowledge for the exploit to be very helpful. We are here to provide you with the He in 2 0 1 5 besides having Information Security Conference on speech at the presentation,and his GitHub code. Now,I need from the vulnerability information extracted from the non-privileged symbolic links to files policy. Essentially,it will use a communication link,and associate it with a symbolic link to bind,and then all the parameters into a global namespace,that is\RPC Control\,and in the absence of the system administrator privileges to get the C:\Folder\FileA points to C:\FileB file pointer. Let's take a closer look at how it will file into the‘C:\Windows\System32\Evil.dll’: 1. In the‘C:\Windows\Temp\{Random}’ and‘C:\Users\Public\Libraries\Sym’between the establishment of an entry recorded link; 2. In‘\??\ C:\Users\Public\Libraries\Sym’with‘\RPC Control\’is established between a new directory link; 3. In‘\RPC Control\ (2)’and‘\??\ C:\Windows\System32\Evil.dll’between the establishment of a symbolic link; 4. In the exploit process,the system will try to‘C:\Windows\Temp\{Random}/’directory is written to a file,and point it to‘C:\Windows\System32\Evil.dll’; You need to note is:in the CreateSymlink project,step 2 and step 3 are both performed. Through the above operation to modify the PoC code,we can convert any one file to copy to one with special privileges of position. We will also be the final product named’ Trebuchet’ is. ! You might think:“so what? You just can write into any file.“ We will exploit the methods available to you,how you want to use these methods depends entirely on your own,but if you're on DLL hijacking more familiar,then the elevation of privileges for you also will not be very difficult. POC: https://github.com/monoxgas/Trebuchet It is worth noting that: In every 2-3 minutes,this exploit method can only be used once. Otherwise, a remote call request is the target host to the local system hang. Currently,the Interop DLL must be with the exploit files in the same directory. This exploit method only in the Windows 7/8. 1 3 2 Bit 6 4 bit system platforms on been tested. All the license code belongs to the Google company or James Forshaw of individuals all. Project the vast majority of the code can be optimized or simplified. In this,we would like to thank James Forshaw give us the analysis of the material,as well as for his research efforts.