Ryze-T/CNVD-2022-10270-LPE
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
CNVD-2022-10270-LPE/README.md
Ryze-T 907e5ec39f Update README.md
2022-02-24 10:37:25 +08:00

32 lines
1.2 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# CNVD-2022-10270-LPE
## 用法
基于向日葵RCE的本地权限提升无需指定端口
UsagesunloginLPE.exe Cmd [sunloginClientPath]
sunloginClientPath 选填若不是默认安装路径则需要指定默认安装路径C:\Program Files\Oray\SunLogin\SunloginClient
如 sunloginLPE.exe "whoami"
![20220224102724](https://user-images.githubusercontent.com/76553352/155446699-49771a7b-2411-46b2-822b-ef353e21ebbe.png)
如 sunloginLPE.exe "net user"
![image](https://user-images.githubusercontent.com/76553352/155446749-31153e71-5eed-4e15-8bd6-aaa7ef727bde.png)
若指定路径如 sunloginLPE.exe "whoami" "C:\Program Files\Oray\SunLogin\SunloginClient"
![image](https://user-images.githubusercontent.com/76553352/155446775-7e87cc1f-43ad-4f25-a559-391b6fb3afaf.png)
## 无需指定端口的原因
现在流传的方法是扫描40000-60000的端口但实际上跟着IDA分析过程会看到生成端口并绑定服务时有写入的动作最终写入的文件是
sunlogin_service.xxx.log指定端口如下
![image](https://user-images.githubusercontent.com/76553352/155446806-8e6b1547-c46b-4b81-a753-1591901030fe.png)
因此只需要在去读最新的日志文件并进行正则匹配,就不需要进行端口扫描。
Reference in New Issue View Git Blame Copy Permalink