> 科技资讯 > windwos提权漏洞CVE-2023-21746复现(LocalPotato)

windwos提权漏洞CVE-2023-21746复现(LocalPotato)

科技资讯 投稿 5800 0 评论

windwos提权漏洞CVE-2023-21746复现(LocalPotato)

0x01 漏洞原理

Windows NTLM 在进行身份验证时存在漏洞,允许拥有低权限的本地攻 击者通过运行特制程序将权限提升至 SYSTEM。

0x02 影响版本

Windows Server 2012 R2
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows Server 2016 (Server Core installation
Windows Server 2016
Windows Server 2022 (Server Core installation
Windows Server 2022
Windows Server 2012 (Server Core installation
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 
1 (Server Core installation
Windows Server 2008 R2 for x64-based Systems Service Pack 
Windows Server 2012 R2 (Server Core installation
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows 10 Version 22H2 for 32-bit Systems
Windows 10 Version 22H2 for ARM64-based Systems
Windows 10 Version 22H2 for x64-based Systems
Windows 11 Version 22H2 for x64-based Systems
Windows 11 Version 22H2 for ARM64-based Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 11 version 21H2 for ARM64-based Systems
Windows 11 version 21H2 for x64-based Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server 2019 (Server Core installation
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems

0x02 漏洞复现exp

参考https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc
1、编译RpcClient文件生成exe,编译SpringCSP生成dll

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -v Path
3、将SprintCSP.dll复制到可写路径




5、提权成功会在在C:\ProgramData路径下会生成一个whoamiall.txt文件,里面写有whoami的返回结果

编程笔记 » windwos提权漏洞CVE-2023-21746复现(LocalPotato)

赞同 (28) or 分享 (0)
游客 发表我的评论   换个身份
取消评论

表情
(0)个小伙伴在吐槽