PrivKit是一款功能强大的Windows操作系统权限提升漏洞检测工具,该工具本质上是一个Beacon对象文件,可以帮助广大研究人员以高效且快速的方式检测Windows操作系统上由错误配置所导致的提权漏洞。
当前版本的PrivKit支持检测下列Windows操作系统错误配置:
1、未引用的服务路径; 2、自动登录的注册表键; 3、始终安装的提权注册表键; 4、可修改的自动运行项目; 5、可劫持的路径; 6、从凭证管理器枚举凭证数据; 7、查找当前令牌权限;
广大研究人员可以使用下列命令将该项目直接克隆至本地:
git clone https://github.com/mertdas/PrivKit.git
直接加载cna文件,并输入下列命令即可运行PrivKit:
privcheck
如果你想要自行编译工具源码,可以切换到项目目录中,并运行下列命令:
cd PrivKit/
make all
或
cd PrivKit/
x86_64-w64-mingw32-gcc -c cfile.c -o ofile.o
如果你只想要查找某个特定的错误配置,你可以通过“inline-execute”命令来使用对象文件:
inline-execute /path/tokenprivileges.o
[03/20 00:51:06] beacon> privcheck
[03/20 00:51:06] [*] Priv Esc Check Bof by @merterpreter
[03/20 00:51:06] [*] Checking For Unquoted Service Paths..
[03/20 00:51:06] [*] Checking For Autologon Registry Keys..
[03/20 00:51:06] [*] Checking For Always Install Elevated Registry Keys..
[03/20 00:51:06] [*] Checking For Modifiable Autoruns..
[03/20 00:51:06] [*] Checking For Hijackable Paths..
[03/20 00:51:06] [*] Enumerating Credentials From Credential Manager..
[03/20 00:51:06] [*] Checking For Token Privileges..
[03/20 00:51:06] [+] host called home, sent: 10485 bytes
[03/20 00:51:06] [+] received output:
Unquoted Service Path Check Result: Vulnerable service path found: c:\program files (x86)\grasssoft\macro expert\MacroService.exe
本项目的开发与发布遵循GPL-3.0开源许可证协议。
PrivKit:https://github.com/mertdas/PrivKit