Preface
When you run commands on a victim's machine, you will find that some of them are refused. To gain full control of the compromised machine you need to get around that restriction and acquire privileges you did not originally have; those privileges can be used to delete files, read private information, or install special programs such as malware. Metasploit offers many post-exploitation methods for bypassing the privilege restrictions on a target machine and ultimately obtaining SYSTEM privileges.
Environment:
1. Attacker machine: Kali Linux
2. Target machine: Win 7
Assuming you already have a meterpreter shell, that the session is number 1, and that it does not run with SYSTEM privileges, the following privilege escalation methods can be used:
1. Escalating privileges by bypassing UAC
This approach mainly relies on the following three modules.

Detailed information about these modules is already provided inside Metasploit, so it is not repeated here; this section focuses on how to use them, taking the exploit/windows/local/bypassuac module as an example.
This module works on both 32-bit and 64-bit Windows.
msf > use exploit/windows/local/bypassuac
msf exploit(bypassuac) > set session 1
msf exploit(bypassuac) > exploit
When this module succeeds it returns a new meterpreter shell, as shown below:

After the module has run, getuid shows that you still have ordinary user privileges. Don't be discouraged: run getsystem, then check the privileges again. UAC has been bypassed and you now have SYSTEM privileges.
The other two modules are used in exactly the same way; they differ in how they work internally. Both return a new meterpreter shell on success, and both require getsystem to be run afterwards to obtain SYSTEM privileges. See the screenshots below:

(screenshot: exploit/windows/local/bypassuac_injection)
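The bypassuac modules above depend on the target's UAC level: at the default Windows 7 level ("notify me only when programs try to make changes") administrator processes can auto-elevate silently, whereas at "Always notify" Metasploit's bypassuac aborts. The PowerShell check below is an added example, not part of the original post; it reads the UAC policy values from the registry and reports which level the machine is at, so a defender can verify the hardening that closes off this class of escalation.

```powershell
# Added example (not from the original post): report the UAC level that the
# bypassuac modules rely on. Reads the policy values the UAC slider writes.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

$enableLua = $p.EnableLUA                    # 1 = UAC enabled, 0 = disabled
$consent   = $p.ConsentPromptBehaviorAdmin   # elevation behaviour for admins
$secure    = $p.PromptOnSecureDesktop        # 1 = prompt shown on secure desktop

# Documented meanings of ConsentPromptBehaviorAdmin
$meaning = @{
    0 = 'Elevate without prompting (UAC effectively off for admins)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows default)'
}

if ($enableLua -ne 1) {
    $assessment = 'UAC disabled: admin-group processes are already elevated'
} elseif ($consent -eq 2 -and $secure -eq 1) {
    # "Always notify": no silent auto-elevation for bypassuac to abuse.
    $assessment = 'Always notify: silent auto-elevation is not available'
} else {
    # Default or weaker level: auto-elevating binaries run without a prompt.
    $assessment = 'Below Always notify: silent auto-elevation is permitted'
}

[pscustomobject]@{
    EnableLUA                  = $enableLua
    ConsentPromptBehaviorAdmin = "$consent ($($meaning[[int]$consent]))"
    PromptOnSecureDesktop      = $secure
    Assessment                 = $assessment
}
```

The "Always notify" state corresponds to the Group Policy setting "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" set to "Prompt for consent on the secure desktop"; note that it does not stop the ask module described next, which relies on the user clicking through the prompt.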
2. Raising the program's run level (runas)
This method uses the exploit/windows/local/ask module. Note that the module does not actually bypass UAC: it merely re-launches a connect-back shellcode with high privileges, which triggers the system UAC prompt. The victim machine shows a dialog asking whether the user wants to run the program; if the user clicks "Yes", the program returns a high-privilege meterpreter shell (getsystem still has to be run). As follows:

On the victim machine a UAC dialog pops up asking the user whether to run the program. As follows:

3. Escalating privileges with Windows privilege escalation vulnerabilities
You can use the privilege escalation exploits already available in Metasploit, such as ms13_053, ms14_058, ms16_016 and ms16_032. Below, ms14_058 is taken as the example.
msf > use exploit/windows/local/ms14_058_track_popup_menu
msf exploit(ms14_058_track_popup_menu) > set session 1
msf exploit(ms14_058_track_popup_menu) > exploit

When escalating through a Windows privilege escalation vulnerability, a high-privilege meterpreter shell is returned directly; there is no need to run getsystem afterwards.
One thing to note: in real tests, if the target machine definitely has the vulnerability but the escalation still fails, check that TARGET and PAYLOAD are set correctly. On a 64-bit system it is best to use a 64-bit PAYLOAD.