近20年Windows权限提升集合
前言
该项目是一个Windows提权搜集项目,除未通过测试EXP都有详细说明以及演示GIF图,如果项目中的代码有您的代码,本人为标注来源的请提交Issues
提示
本项目优先追踪内核相关提权漏洞,如果当月漏洞存在远程命令执行的话,只有在互联网生存在EXP或者POC的时候才会更新,如有遗漏欢迎提Issues并带上利用代码
编号列表
| SecurityBulletin | Description | OperatingSystem |
|---|---|---|
| CVE-2021-1732 | Windows Win32k | Windows 10/2019/Server |
| CVE-2021-1709 | Windows Win32k | Windows 7/8.1/10/2008/2012/2016/2019/Server |
| CVE-2020-17087 | Windows Kernel Local Elevation of Privilege Vulnerability | Windows 7/8.1/10/2008/2012/2016/2019/Server |
| CVE-2020-16938 | Windows Kernel Information Disclosure Vulnerability | Windows Server |
| CVE-2020-16898 | Windows TCP/IP Remote Code Execution Vulnerability | Windows 10/2019/Server |
| CVE-2020-1472 | Netlogon Elevation of Privilege | Windows 2008/2012/2016/2019/Server |
| CVE-2020-0796 | SMBv3 Remote Code Execution | Windows Server |
| CVE-2020-0787 | Windows Background Intelligent Transfer Service | Windows 7/8/10/2008/2012/2016/2019 |
| CVE-2019-1458 | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/2016 |
| CVE-2019-1388 | Windows Certificate Dialog Elevation of Privilege | Windows 7/8/2008/2012/2016/2019 |
| CVE-2019-0859 | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/2016/2019 |
| CVE-2019-0803 | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/2016/2019 |
| CVE-2018-8639 | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/2016/2019 |
| CVE-2018-8453 | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/2016/2019 |
| CVE-2018-8440 | Windows ALPC Elevation of Privilege | Windows 7/8/10/2008/2012/2016 |
| CVE-2018-8120 | Win32k Elevation of Privilege | Windows 7/2008 |
| CVE-2018-1038 | Windows Kernel Elevation of Privilege | Windows 7/2008 |
| CVE-2018-0743 | Windows Subsystem for Linux Elevation of Privilege | Windows 10/2016 |
| CVE-2018-0833 | SMBv3 Null Pointer Dereference Denial of Service | Windows 8/2012 |
| CVE-2017-8464 | LNK Remote Code Execution | Windows 7/8/10/2008/2012/2016 |
| CVE-2017-0213 | Windows COM Elevation of Privilege | Windows 7/8/10/2008/2012/2016 |
| CVE-2017-0143 | Windows Kernel Mode Drivers | Windows 7/8/10/2008/2012/2016/Vista |
| CVE-2017-0101 | GDI Palette Objects Local Privilege Escalation | Windows 7/8/10/2008/2012/Vista |
| CVE-2016-7255 | Windows Kernel Mode Drivers | Windows 7/8/10/2008/2012/2016/Vista |
| CVE-2016-3371 | Windows Kernel Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
| CVE-2016-3309 | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
| CVE-2016-3225 | Windows SMB Server Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
| CVE-2016-0099 | Secondary Logon Handle | Windows 7/8/10/2008/2012/Vista |
| CVE-2016-0095 | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
| CVE-2016-0051 | WebDAV Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
| CVE-2016-0041 | Win32k Memory Corruption Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
| CVE-2015-2546 | Win32k Memory Corruption Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
| CVE-2015-2387 | ATMFD.DLL Memory Corruption | Windows 7/8/2003/2008/2012/Vista/Rt |
| CVE-2015-2370 | Windows RPC Elevation of Privilege | Windows 7/8/10/2003/2008/2012/Vista |
| CVE-2015-1725 | Win32k Elevation of Privilege | Windows 7/8/10/2003/2008/2012/Vista |
| CVE-2015-1701 | Windows Kernel Mode Drivers | Windows 7/2003/2008/Vista |
| CVE-2015-0062 | Windows Create Process Elevation of Privilege | Windows 7/8/2008/2012 |
| CVE-2015-0057 | Win32k Elevation of Privilege | Windows 7/8/2003/2008/2012/Vista |
| CVE-2015-0003 | Win32k Elevation of Privilege | Windows 7/8/2003/2008/2012/Vista |
| CVE-2015-0002 | Microsoft Application Compatibility Infrastructure Elevation of Privilege | Windows 7/8/2003/2008/2012 |
| CVE-2014-6324 | Kerberos Checksum Vulnerability | Windows 7/8/2003/2008/2012/Vista |
| CVE-2014-6321 | Microsoft Schannel Remote Code Execution | Windows 7/8/2003/2008/2012/Vista |
| CVE-2014-4113 | Win32k.sys Elevation of Privilege | Windows 7/8/2003/2008/2012/Vista |
| CVE-2014-4076 | TCP/IP Elevation of Privilege | Windows 2003 |
| CVE-2014-1767 | Ancillary Function Driver Elevation of Privilege | Windows 7/8/2003/2008/2012/Vista |
| CVE-2013-5065 | NDProxy.sys | Windows XP/2003 |
| CVE-2013-1345 | Kernel Driver | Windows 7/8/2003/2008/2012/Vista/Rt/Xp |
| CVE-2013-1332 | DirectX Graphics Kernel Subsystem Double Fetch | Windows 7/8/2003/2008/2012/Vista/Rt |
| CVE-2013-0008 | Win32k Improper Message Handling | Windows 7/8/2008/2012/Vista/Rt |
| CVE-2012-0217 | Service Bus | Windows 7/2003/2008/Xp |
| CVE-2012-0002 | Remote Desktop Protocol | Windows 7/2003/2008/Vista/Xp |
| CVE-2011-2005 | Ancillary Function Driver Elevation of Privilege | Windows 2003/Xp |
| CVE-2011-1974 | NDISTAPI Elevation of Privilege | Windows 2003/Xp |
| CVE-2011-1249 | Ancillary Function Driver Elevation of Privilege | Windows 7/2003/2008/Vista/Xp |
| CVE-2011-0045 | Windows Kernel Integer Truncation | Windows Xp |
| CVE-2010-4398 | Driver Improper Interaction with Windows Kernel | Windows 7/2003/2008/Vista/Xp |
| CVE-2010-3338 | Task Scheduler | Windows 7/2008/Vista |
| CVE-2010-2554 | Tracing Registry Key ACL | Windows 7/2008/Vista |
| CVE-2010-1897 | Win32k Window Creation | Windows 7/2003/2008/Vista/Xp |
| CVE-2010-0270 | SMB Client Transaction | Windows 7/2008 |
| CVE-2010-0233 | Windows Kernel Double Free | Windows 2000/2003/2008/Vista/Xp |
| CVE-2010-0020 | SMB Pathname Overflow | Windows 7/2000/2003/2008/Vista/Xp |
| CVE-2009-2532 | SMBv2 Command Value | Windows 2008/Vista |
| CVE-2009-0079 | Windows RPCSS Service Isolation | Windows 2003/Xp |
| CVE-2008-4250 | Server Service | Windows 2000/2003/Vista/Xp |
| CVE-2008-4037 | SMB Credential Reflection | Windows 2000/2003/2008/Vista/Xp |
| CVE-2008-3464 | AFD Kernel Overwrite | Windows 2003/Xp |
| CVE-2008-1084 | Win32.sys | Windows 2000/2003/2008/Vista/Xp |
| CVE-2006-3439 | Remote Code Execution | Windows 2000/2003/Xp |
| CVE-2005-1983 | PnP Service | Windows 2000/Xp |
| CVE-2003-0352 | Buffer Overrun In RPC Interface | Windows 2000/2003/Xp/Nt |
所需环境
测试目标系统
#Windows 7 SP1 X64 ed2k://|file|cn_windows_7_home_premium_with_sp1_x64_dvd_u_676691.iso|3420557312|1A3CF44F3F5E0BE9BBC1A938706A3471|/#Windows 7 SP1 X86ed2k://|file|cn_windows_7_home_premium_with_sp1_x86_dvd_u_676770.iso|2653276160|A8E8BD4421174DF34BD14D60750B3CDB|/#Windows Server 2008 R2 SP1 X64 ed2k://|file|cn_windows_server_2008_r2_standard_enterprise_datacenter_and_web_with_sp1_x64_dvd_617598.iso|3368839168|D282F613A80C2F45FF23B79212A3CF67|/#Windows Server 2003 R2 SP2 x86ed2k://|file|cn_win_srv_2003_r2_enterprise_with_sp2_vl_cd1_X13-46432.iso|637917184|284DC0E76945125035B9208B9199E465|/#Windows Server 2003 R2 SP2 x64ed2k://|file|cn_win_srv_2003_r2_enterprise_x64_with_sp2_vl_cd1_X13-47314.iso|647686144|107F10D2A7FF12FFF0602FF60602BB37|/#Windows Server 2008 SP2 x86ed2k://|file|cn_windows_server_standard_enterprise_and_datacenter_with_sp2_x86_dvd_x15-41045.iso|2190057472|E93B029C442F19024AA9EF8FB02AC90B|/#Windows Server 2000 SP4 x86ed2k://|file|ZRMPSEL_CN.iso|402690048|00D1BDA0F057EDB8DA0B29CF5E188788|/#Windows Server 2003 SP2 x86thunder://QUFodHRwOi8vcy5zYWZlNS5jb20vV2luZG93c1NlcnZlcjIwMDNTUDJFbnRlcnByaXNlRWRpdGlvbi5pc29aWg==#Windows 8.1 x86ed2k://|file|cn_windows_8_1_enterprise_x86_dvd_2972257.iso|3050842112|6B60ABF8282F943FE92327463920FB67|/#Windows 8.1 x64ed2k://|file|cn_windows_8_1_x64_dvd_2707237.iso|4076017664|839CBE17F3CE8411E8206B92658A91FA|/#Windows 10 1709 x64ed2k://|file|cn_windows_10_multi-edition_vl_version_1709_updated_dec_2017_x64_dvd_100406208.iso|5007116288|317BDC520FA2DD6005CBA8293EA06DF6|/#Windows 10 2004 x64 (2020-05-21 release version)magnet:?xt=urn:btih:8E49569FDE852E4F3CCB3D13EFB296B6B02D82A6#Windows 10 1909 x64 ed2k://|file|cn_windows_10_business_editions_version_1909_x64_dvd_0ca83907.iso|5275090944|9BCD5FA6C8009E4D0260E4B23008BD47|/
Linux编译环境
sudo vim /etc/apt/sources.list#在sources.list末尾添加deb http://us.archive.ubuntu.com/ubuntu trusty main universesudo apt-get update sudo apt-get install mingw32 mingw32-binutils mingw32-runtime sudo apt-get install gcc-mingw-w64-i686 g++-mingw-w64-i686 mingw-w64-tools
Windows编译环境
VS2019(内置V142、V141、V120、V110、V100、V141_xp、V120_xp、V110_xp、MFC)
关于错误
由于项目内容较多,难免有些错别字或者遗漏的CVE编号等问题,如果您发现了错误,还望提交Issues来帮助我维护该项目。
未测试成功编号
下列编号都是在筛选后未能通过复现测试的CVE,附带未成功原因,欢迎提交PR
| SecurityBulletin | Remarks |
|---|---|
| CVE-2021-1709 | 2021年1月补丁,例行更新 |
| CVE-2020-17087 | 2020年11月补丁,只有概念验证,无利用代码 |
| CVE-2015-0002 | 有源码未能测试成功 |
| CVE-2015-0062 | 有源码和EXP未能测试成功 |
| CVE-2015-1725 | 有源码未知编译方式 |
| CVE-2016-3309 | 有源码和EXP未能测试成功 |
| CVE-2014-6321 | 只有winshock_test.sh文件 |
| CVE-2019-0859 | 需要安装windows7 sp1 x64 需要更新2019年3月份的补丁 |
| CVE-2018-8440 | 未知 |
| CVE-2018-1038 | 有源码未知编译方式 |
| CVE-2013-5065 | 缺少NDProxy环境 |
| CVE-2013-0008 | 未知 |
| CVE-2009-0079 | 未能利用 |
| CVE-2011-0045 | 未能找到可用EXP |
| CVE-2010-2554 | 未能找到可用EXP |
| CVE-2005-1983 | 有源码和EXP未能测试成功 |
| CVE-2012-0002 | 蓝屏漏洞无实际利用价值 |
| CVE-2010-0020 | 未能找到可用EXP |
| CVE-2014-6324 | 未知 |
| CVE-2018-0743 | 未能找到利用POC |
免责声明
本项目仅面向合法授权的企业安全建设行为,在使用本项目进行检测时,您应确保该行为符合当地的法律法规,并且已经取得了足够的授权。
如您在使用本项目的过程中存在任何非法行为,您需自行承担相应后果,我们将不承担任何法律及连带责任。
在使用本项目前,请您务必审慎阅读、充分理解各条款内容,限制、免责条款或者其他涉及您重大权益的条款可能会以加粗、加下划线等形式提示您重点注意。 除非您已充分阅读、完全理解并接受本协议所有条款,否则,请您不要使用本项目。您的使用行为或者您以其他任何明示或者默示方式表示接受本协议的,即视为您已阅读并同意本协议的约束。
参考项目&网站
最新回复 (0)