POC details: fe1536505ab5b29dddd49e1ff130e14aba9d6ad0

Source
Related vulnerability
Title: Microsoft Winlogon security vulnerability (CVE-2024-43583)
Description: Microsoft Winlogon is a component built into the Windows NT family of operating systems developed by Microsoft Corporation of the United States. Microsoft Winlogon contains a security vulnerability. An attacker can exploit it to elevate privileges. The following products and versions are affected: Windows 10 Version 21H2 for ARM64-based Systems, Windows 10 Version 21H2 for x64-based Systems, Windows 11 Version 22H2 for ARM64-based
Description
Proof of Concept for CVE-2024-43583
Introduction
# CVE-2024-43583 - Windows Privilege Escalation Exploit
**Author:** No0B@ckSappi3
**Instagram:** No0BackSappi3

## Overview
CVE-2024-43583 is an **elevation of privilege** vulnerability affecting Microsoft's **Winlogon** component. Exploiting this flaw allows a low-privileged user to escalate their privileges to **SYSTEM**, leading to full system compromise.

This proof-of-concept (PoC) leverages **Debugger Hijacking** via the Windows **Image File Execution Options (IFEO)** registry key to replace a legitimate system process with a malicious payload.

## Affected Windows Versions

- Windows 10 (1507 - 22H2)
- Windows 11 (21H2 - 24H2)
- Windows Server 2008 SP2 - 2022

## ⚠️ Disclaimer
> This exploit is for **educational and research purposes only**. Do not use it on unauthorized systems. Misuse of this exploit may be illegal.

---

## Exploit Usage
### **Setup**
Ensure Python is installed on the target system. If not, use the compiled `.exe` version.

### **Run the Exploit**
#### **Option 1: Run Directly from a Low-Privileged User**
```cmd
python poc-43583.py
```

#### **Option 2: Run via Task Scheduler**
1. **Create Scheduled Task:**  (Run as Administrator)
   ```powershell
   schtasks /create /tn "LowPrivExploit" /tr "C:\Path\To\python.exe C:\Path\To\poc-43583.py" /sc once /st 00:00 /ru lowpriv /f
   ```
2. **Run Task:**
   ```powershell
   schtasks /run /tn "LowPrivExploit"
   ```
3. **Trigger the Exploit:** Open Task Manager (`Ctrl + Shift + Esc`). If successful, a SYSTEM shell will appear instead.

### **Verify Privilege Escalation**
Once the exploit runs, check your privileges:
```cmd
whoami
```
Expected Output:
```
nt authority\system
```

---

## 🛠️ Cleanup
### **Method 1: Use the PoC to Restore Defaults**
Re-run the script and select **option [2]** to remove the hijack.

### **Method 2: Manually Delete the Registry Key**
1. Open **Administrator Command Prompt**.
2. Run:
   ```cmd
   reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /f
   ```
3. **Delete the Scheduled Task (if used):**
   ```powershell
   schtasks /delete /tn "LowPrivExploit" /f
   ```

---

## Detection & Mitigation
- **Check for unexpected Debugger keys:**
  ```powershell
  reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
  ```
- **Enable Windows Defender Tamper Protection** to prevent registry modifications.
- **Use EDR/SIEM solutions** to detect unauthorized registry changes.
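An added example, not part of the PoC repository, that goes a step beyond the single `reg query` above: it enumerates every IFEO subkey under both the native and the WOW6432Node paths, reports each one carrying a `Debugger` value (the mechanism this README applies to `taskmgr.exe`), and calls out the `taskmgr.exe` entry explicitly so it can be reviewed against a known-good baseline.

```powershell
# Added example (not from the PoC repository): list every IFEO entry with a Debugger
# value. Such an entry redirects launches of that image to the named binary, which is
# the mechanism this README applies to taskmgr.exe. Both the native and the WOW6432Node
# paths are checked, since the reg query above covers only the native one.
$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebuggerEntry {
    param([string[]]$Paths = $IfeoPaths)
    foreach ($path in $Paths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [pscustomobject]@{
                    Image    = $_.PSChildName
                    Debugger = $dbg
                    Key      = $_.Name
                }
            }
        }
    }
}

$entries = @(Get-IfeoDebuggerEntry)
if ($entries.Count -eq 0) {
    Write-Output 'No IFEO Debugger values found.'
} else {
    # Review each hit against a known-good baseline; on an ordinary workstation they are rare.
    $entries | Format-Table -AutoSize
    # The hijack described in this README targets taskmgr.exe, so flag that entry explicitly.
    $entries | Where-Object { $_.Image -ieq 'taskmgr.exe' } | ForEach-Object {
        Write-Warning "taskmgr.exe launches are redirected to: $($_.Debugger)"
    }
}
# To catch the write as it happens rather than after the fact, audit this key path
# (Security event 4657, or Sysmon event 13 with a TargetObject under the IFEO key).
```

Run from an elevated PowerShell session; reading HKLM works unprivileged, but the output is most useful when scheduled alongside the registry auditing noted in the comments.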

---

## 📝 References
- [Microsoft Security Advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43583)
- [MITRE ATT&CK T1546: Event Triggered Execution](https://attack.mitre.org/techniques/T1546/)



File snapshot

```
[4.0K] /data/pocs/fe1536505ab5b29dddd49e1ff130e14aba9d6ad0
├── [1.7K] poc-43583.py
└── [2.7K] README.md

0 directories, 2 files
```