Windows内核处理内存中对象的方式存在权限漏洞的提升
| Product | CPU Architecture | Version | Update | Tested |
|---|---|---|---|---|
| Windows 10 | x64/x86/ARM64 | 1909 | ||
| Windows 10 | x64/x86/ARM64 | 1903 | ||
| Windows 10 | x64/x86/ARM64 | 1809 | ||
| Windows 10 | x64/x86/ARM64 | 1803 | ||
| Windows 10 | x64/x86/ARM64 | 1709 | ✔ | |
| Windows 10 | x64/x86 | 1607 | ||
| Windows 10 | x64/x86 | |||
| Windows 8.1 | x64/x86 | |||
| Windows RT 8.1 | ||||
| Windows 7 | x64/x86 | SP1 | ||
| Windows Server 2019 | ||||
| Windows Server 2016 | ||||
| Windows Server 2012 | R2 | |||
| Windows Server 2012 | ||||
| Windows Server 2008 | x64/x86 | SP2 | ||
| Windows Server 2008 | x64 | R2 | SP1 | |
| Windows Server | 1909 | |||
| Windows Server | 1903 | |||
| Windows Server | 1803 |
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0668
编译环境
- VS2019(.NET Framework 4.7.2)Any CPU Debug
该EXP是使用提权进行文件迁移操作,如果想使用cmd需要自己修改代码,测试机器Windows 10 1709 X64,动图中是把test.dll移动到 C:\Windows\System32目录下,test.dll可以是任意文件。使用exe时需要把NtApiDotNet.dll文件放到同级目录
Use https://github.com/itm4n/UsoDllLoader (Windows >= 1903) OR https://github.com/xct/diaghub (Windows < 1903) for privilege escalation.