<#

File: Sherlock.ps1
Author: @_RastaMouse
License: GNU General Public License v3.0

#>

<#

RTM build reference, because I'm stupid and forget...

6002: Vista SP2/2008 SP2
7600: 7/2008 R2
7601: 7 SP1/2008 R2 SP1
9200: 8/2012
9600: 8.1/2012 R2
10240: 10 Threshold
10586: 10 Threshold 2
14393: 10 Redstone/2016
15063: 10 Redstone 2
16299: 10 Redstone 3
17134: 10 Redstone 4

#>

# Shared result table. It starts empty; Find-AllVulns calls New-ExploitTable to
# populate it on first use, and each Find-* check records its verdict into the
# table's VulnStatus column through Set-ExploitTable.
$Global:ExploitTable = $null

  29. function Get-FileVersionInfo ($FilePath) {
  30.  
  31. $VersionInfo = (Get-Item $FilePath).VersionInfo
  32. $FileVersion = ( "{0}.{1}.{2}.{3}" -f $VersionInfo.FileMajorPart, $VersionInfo.FileMinorPart, $VersionInfo.FileBuildPart, $VersionInfo.FilePrivatePart )
  33. return $FileVersion
  34.  
  35. }
  36.  
  37. function Get-InstalledSoftware($SoftwareName) {
  38.  
  39. $SoftwareVersion = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -eq $SoftwareName } | Select-Object Version
  40. $SoftwareVersion = $SoftwareVersion.Version # I have no idea what I'm doing
  41. return $SoftwareVersion
  42.  
  43. }
  44.  
  45. function Get-Architecture {
  46.  
  47. # This is the CPU architecture. Returns "64-bit" or "32-bit".
  48. $CPUArchitecture = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
  49.  
  50. # This is the process architecture, e.g. are we an x86 process running on a 64-bit system. Retuns "AMD64" or "x86".
  51. $ProcessArchitecture = $env:PROCESSOR_ARCHITECTURE
  52.  
  53. return $CPUArchitecture, $ProcessArchitecture
  54.  
  55. }
  56.  
  57. function Get-CPUCoreCount {
  58.  
  59. $CoreCount = (Get-WmiObject Win32_Processor).NumberOfLogicalProcessors
  60. return $CoreCount
  61.  
  62. }
  63.  
  64. function New-ExploitTable {
  65.  
  66. # Create the table
  67. $Global:ExploitTable = New-Object System.Data.DataTable
  68.  
  69. # Create the columns
  70. $Global:ExploitTable.Columns.Add("Title")
  71. $Global:ExploitTable.Columns.Add("MSBulletin")
  72. $Global:ExploitTable.Columns.Add("CVEID")
  73. $Global:ExploitTable.Columns.Add("Link")
  74. $Global:ExploitTable.Columns.Add("VulnStatus")
  75.  
  76. # Add the exploits we are interested in.
  77.  
  78. # MS10
  79. $Global:ExploitTable.Rows.Add("User Mode to Ring (KiTrap0D)","MS10-015","2010-0232","https://www.exploit-db.com/exploits/11199/")
  80. $Global:ExploitTable.Rows.Add("Task Scheduler .XML","MS10-092","2010-3338, 2010-3888","https://www.exploit-db.com/exploits/19930/")
  81. # MS13
  82. $Global:ExploitTable.Rows.Add("NTUserMessageCall Win32k Kernel Pool Overflow","MS13-053","2013-1300","https://www.exploit-db.com/exploits/33213/")
  83. $Global:ExploitTable.Rows.Add("TrackPopupMenuEx Win32k NULL Page","MS13-081","2013-3881","https://www.exploit-db.com/exploits/31576/")
  84. # MS14
  85. $Global:ExploitTable.Rows.Add("TrackPopupMenu Win32k Null Pointer Dereference","MS14-058","2014-4113","https://www.exploit-db.com/exploits/35101/")
  86. # MS15
  87. $Global:ExploitTable.Rows.Add("ClientCopyImage Win32k","MS15-051","2015-1701, 2015-2433","https://www.exploit-db.com/exploits/37367/")
  88. $Global:ExploitTable.Rows.Add("Font Driver Buffer Overflow","MS15-078","2015-2426, 2015-2433","https://www.exploit-db.com/exploits/38222/")
  89. # MS16
  90. $Global:ExploitTable.Rows.Add("'mrxdav.sys' WebDAV","MS16-016","2016-0051","https://www.exploit-db.com/exploits/40085/")
  91. $Global:ExploitTable.Rows.Add("Secondary Logon Handle","MS16-032","2016-0099","https://www.exploit-db.com/exploits/39719/")
  92. $Global:ExploitTable.Rows.Add("Windows Kernel-Mode Drivers EoP","MS16-034","2016-0093/94/95/96","https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?")
  93. $Global:ExploitTable.Rows.Add("Win32k Elevation of Privilege","MS16-135","2016-7255","https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135")
  94. # Miscs that aren't MS
  95. $Global:ExploitTable.Rows.Add("Nessus Agent 6.6.2 - 6.10.3","N/A","2017-7199","https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html")
  96.  
  97. }
  98.  
  99. function Set-ExploitTable ($MSBulletin, $VulnStatus) {
  100.  
  101. if ( $MSBulletin -like "MS*" ) {
  102.  
  103. $Global:ExploitTable | Where-Object { $_.MSBulletin -eq $MSBulletin
  104.  
  105. } | ForEach-Object {
  106.  
  107. $_.VulnStatus = $VulnStatus
  108.  
  109. }
  110.  
  111. } else {
  112.  
  113.  
  114. $Global:ExploitTable | Where-Object { $_.CVEID -eq $MSBulletin
  115.  
  116. } | ForEach-Object {
  117.  
  118. $_.VulnStatus = $VulnStatus
  119.  
  120. }
  121.  
  122. }
  123.  
  124. }
  125.  
  126. function Get-Results {
  127.  
  128. $Global:ExploitTable
  129.  
  130. }
  131.  
  132. function Find-AllVulns {
  133.  
  134. if ( !$Global:ExploitTable ) {
  135.  
  136. $null = New-ExploitTable
  137. }
  138.  
  139. Find-MS10015
  140. Find-MS10092
  141. Find-MS13053
  142. Find-MS13081
  143. Find-MS14058
  144. Find-MS15051
  145. Find-MS15078
  146. Find-MS16016
  147. Find-MS16032
  148. Find-MS16034
  149. Find-MS16135
  150. Find-CVE20177199
  151.  
  152. Get-Results
  153.  
  154. }
  155.  
  156. function Find-MS10015 {
  157.  
  158. $MSBulletin = "MS10-015"
  159. $Architecture = Get-Architecture
  160.  
  161. if ( $Architecture[0] -eq "64-bit" ) {
  162.  
  163. $VulnStatus = "Not supported on 64-bit systems"
  164.  
  165. } Else {
  166.  
  167. $Path = $env:windir + "\system32\ntoskrnl.exe"
  168. $VersionInfo = Get-FileVersionInfo($Path)
  169. $VersionInfo = $VersionInfo.Split(".")
  170.  
  171. $Build = $VersionInfo[2]
  172. $Revision = $VersionInfo[3].Split(" ")[0]
  173.  
  174. switch ( $Build ) {
  175.  
  176. 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20591" ] }
  177. default { $VulnStatus = "Not Vulnerable" }
  178.  
  179. }
  180.  
  181. }
  182.  
  183. Set-ExploitTable $MSBulletin $VulnStatus
  184.  
  185. }
  186.  
  187. function Find-MS10092 {
  188.  
  189. $MSBulletin = "MS10-092"
  190. $Architecture = Get-Architecture
  191.  
  192. if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
  193.  
  194. $Path = $env:windir + "\system32\schedsvc.dll"
  195.  
  196. } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
  197.  
  198. $Path = $env:windir + "\sysnative\schedsvc.dll"
  199.  
  200. }
  201.  
  202. $VersionInfo = Get-FileVersionInfo($Path)
  203. $VersionInfo = $VersionInfo.Split(".")
  204.  
  205. $Build = $VersionInfo[2]
  206. $Revision = $VersionInfo[3].Split(" ")[0]
  207.  
  208. switch ( $Build ) {
  209.  
  210. 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20830" ] }
  211. default { $VulnStatus = "Not Vulnerable" }
  212.  
  213. }
  214.  
  215. Set-ExploitTable $MSBulletin $VulnStatus
  216.  
  217. }
  218.  
  219. function Find-MS13053 {
  220.  
  221. $MSBulletin = "MS13-053"
  222. $Architecture = Get-Architecture
  223.  
  224. if ( $Architecture[0] -eq "64-bit" ) {
  225.  
  226. $VulnStatus = "Not supported on 64-bit systems"
  227.  
  228. } Else {
  229.  
  230. $Path = $env:windir + "\system32\win32k.sys"
  231. $VersionInfo = Get-FileVersionInfo($Path)
  232. $VersionInfo = $VersionInfo.Split(".")
  233.  
  234. $Build = $VersionInfo[2]
  235. $Revision = $VersionInfo[3].Split(" ")[0]
  236.  
  237. switch ( $Build ) {
  238.  
  239. 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "17000" ] }
  240. 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22348" ] }
  241. 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20732" ] }
  242. default { $VulnStatus = "Not Vulnerable" }
  243.  
  244. }
  245.  
  246. }
  247.  
  248. Set-ExploitTable $MSBulletin $VulnStatus
  249.  
  250. }
  251.  
  252. function Find-MS13081 {
  253.  
  254. $MSBulletin = "MS13-081"
  255. $Architecture = Get-Architecture
  256.  
  257. if ( $Architecture[0] -eq "64-bit" ) {
  258.  
  259. $VulnStatus = "Not supported on 64-bit systems"
  260.  
  261. } Else {
  262.  
  263. $Path = $env:windir + "\system32\win32k.sys"
  264. $VersionInfo = Get-FileVersionInfo($Path)
  265. $VersionInfo = $VersionInfo.Split(".")
  266.  
  267. $Build = $VersionInfo[2]
  268. $Revision = $VersionInfo[3].Split(" ")[0]
  269.  
  270. switch ( $Build ) {
  271.  
  272. 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "18000" ] }
  273. 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22435" ] }
  274. 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20807" ] }
  275. default { $VulnStatus = "Not Vulnerable" }
  276.  
  277. }
  278.  
  279. }
  280.  
  281. Set-ExploitTable $MSBulletin $VulnStatus
  282.  
  283. }
  284.  
  285. function Find-MS14058 {
  286.  
  287. $MSBulletin = "MS14-058"
  288. $Architecture = Get-Architecture
  289.  
  290. if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
  291.  
  292. $Path = $env:windir + "\system32\win32k.sys"
  293.  
  294. } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
  295.  
  296. $Path = $env:windir + "\sysnative\win32k.sys"
  297.  
  298. }
  299.  
  300. $VersionInfo = Get-FileVersionInfo($Path)
  301. $VersionInfo = $VersionInfo.Split(".")
  302.  
  303. $Build = $VersionInfo[2]
  304. $Revision = $VersionInfo[3].Split(" ")[0]
  305.  
  306. switch ( $Build ) {
  307.  
  308. 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "18000" ] }
  309. 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22823" ] }
  310. 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21247" ] }
  311. 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "17353" ] }
  312. default { $VulnStatus = "Not Vulnerable" }
  313.  
  314. }
  315.  
  316. Set-ExploitTable $MSBulletin $VulnStatus
  317.  
  318. }
  319.  
  320. function Find-MS15051 {
  321.  
  322. $MSBulletin = "MS15-051"
  323. $Architecture = Get-Architecture
  324.  
  325. if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
  326.  
  327. $Path = $env:windir + "\system32\win32k.sys"
  328.  
  329. } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
  330.  
  331. $Path = $env:windir + "\sysnative\win32k.sys"
  332.  
  333. }
  334.  
  335. $VersionInfo = Get-FileVersionInfo($Path)
  336. $VersionInfo = $VersionInfo.Split(".")
  337.  
  338. $Build = $VersionInfo[2]
  339. $Revision = $VersionInfo[3].Split(" ")[0]
  340.  
  341. switch ( $Build ) {
  342.  
  343. 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "18000" ] }
  344. 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22823" ] }
  345. 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21247" ] }
  346. 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "17353" ] }
  347. default { $VulnStatus = "Not Vulnerable" }
  348.  
  349. }
  350.  
  351. Set-ExploitTable $MSBulletin $VulnStatus
  352.  
  353. }
  354.  
  355. function Find-MS15078 {
  356.  
  357. $MSBulletin = "MS15-078"
  358.  
  359. $Path = $env:windir + "\system32\atmfd.dll"
  360. $VersionInfo = Get-FileVersionInfo($Path)
  361. $VersionInfo = $VersionInfo.Split(" ")
  362.  
  363. $Revision = $VersionInfo[2]
  364.  
  365. switch ( $Revision ) {
  366.  
  367. 243 { $VulnStatus = "Appears Vulnerable" }
  368. default { $VulnStatus = "Not Vulnerable" }
  369.  
  370. }
  371.  
  372. Set-ExploitTable $MSBulletin $VulnStatus
  373.  
  374. }
  375.  
  376. function Find-MS16016 {
  377.  
  378. $MSBulletin = "MS16-016"
  379. $Architecture = Get-Architecture
  380.  
  381. if ( $Architecture[0] -eq "64-bit" ) {
  382.  
  383. $VulnStatus = "Not supported on 64-bit systems"
  384.  
  385. } Else {
  386.  
  387. $Path = $env:windir + "\system32\drivers\mrxdav.sys"
  388. $VersionInfo = Get-FileVersionInfo($Path)
  389. $VersionInfo = $VersionInfo.Split(".")
  390.  
  391. $Build = $VersionInfo[2]
  392. $Revision = $VersionInfo[3].Split(" ")[0]
  393.  
  394. switch ( $Build ) {
  395.  
  396. 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "16000" ] }
  397. 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "23317" ] }
  398. 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21738" ] }
  399. 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "18189" ] }
  400. 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "16683" ] }
  401. 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "103" ] }
  402. default { $VulnStatus = "Not Vulnerable" }
  403.  
  404. }
  405.  
  406. }
  407.  
  408. Set-ExploitTable $MSBulletin $VulnStatus
  409.  
  410. }
  411.  
  412. function Find-MS16032 {
  413.  
  414. $MSBulletin = "MS16-032"
  415. $CPUCount = Get-CPUCoreCount
  416.  
  417. if ( $CPUCount -eq "1" ) {
  418.  
  419. $VulnStatus = "Not Supported on single-core systems"
  420. } Else {
  421. $Architecture = Get-Architecture
  422.  
  423. if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
  424.  
  425. $Path = $env:windir + "\system32\seclogon.dll"
  426.  
  427. } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
  428.  
  429. $Path = $env:windir + "\sysnative\seclogon.dll"
  430.  
  431. }
  432.  
  433. $VersionInfo = Get-FileVersionInfo($Path)
  434.  
  435. $VersionInfo = $VersionInfo.Split(".")
  436.  
  437. $Build = [int]$VersionInfo[2]
  438. $Revision = [int]$VersionInfo[3].Split(" ")[0]
  439.  
  440. switch ( $Build ) {
  441.  
  442. 6002 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 19598 -Or ( $Revision -ge 23000 -And $Revision -le 23909 ) ] }
  443. 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 19148 ] }
  444. 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 19148 -Or ( $Revision -ge 23000 -And $Revision -le 23347 ) ] }
  445. 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 17649 -Or ( $Revision -ge 21000 -And $Revision -le 21767 ) ] }
  446. 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 18230 ] }
  447. 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 16724 ] }
  448. 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 161 ] }
  449. default { $VulnStatus = "Not Vulnerable" }
  450.  
  451. }
  452. }
  453. Set-ExploitTable $MSBulletin $VulnStatus
  454.  
  455. }
  456.  
  457. function Find-MS16034 {
  458.  
  459. $MSBulletin = "MS16-034"
  460. $Architecture = Get-Architecture
  461.  
  462. if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
  463.  
  464. $Path = $env:windir + "\system32\win32k.sys"
  465.  
  466. } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
  467.  
  468. $Path = $env:windir + "\sysnative\win32k.sys"
  469.  
  470. }
  471.  
  472. $VersionInfo = Get-FileVersionInfo($Path)
  473.  
  474. $VersionInfo = $VersionInfo.Split(".")
  475.  
  476. $Build = [int]$VersionInfo[2]
  477. $Revision = [int]$VersionInfo[3].Split(" ")[0]
  478.  
  479. switch ( $Build ) {
  480.  
  481. 6002 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 19597 -Or $Revision -lt 23908 ] }
  482. 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 19145 -Or $Revision -lt 23346 ] }
  483. 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 17647 -Or $Revision -lt 21766 ] }
  484. 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 18228 ] }
  485. default { $VulnStatus = "Not Vulnerable" }
  486.  
  487. }
  488. Set-ExploitTable $MSBulletin $VulnStatus
  489.  
  490. }
  491.  
  492. function Find-CVE20177199 {
  493.  
  494. $CVEID = "2017-7199"
  495. $SoftwareVersion = Get-InstalledSoftware "Nessus Agent"
  496. if ( !$SoftwareVersion ) {
  497.  
  498. $VulnStatus = "Not Vulnerable"
  499.  
  500. } else {
  501.  
  502. $SoftwareVersion = $SoftwareVersion.Split(".")
  503.  
  504. $Major = [int]$SoftwareVersion[0]
  505. $Minor = [int]$SoftwareVersion[1]
  506. $Build = [int]$SoftwareVersion[2]
  507.  
  508. switch( $Major ) {
  509.  
  510. 6 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Minor -eq 10 -and $Build -le 3 -Or ( $Minor -eq 6 -and $Build -le 2 ) -Or ( $Minor -le 9 -and $Minor -ge 7 ) ] } # 6.6.2 - 6.10.3
  511. default { $VulnStatus = "Not Vulnerable" }
  512.  
  513. }
  514.  
  515. }
  516.  
  517. Set-ExploitTable $CVEID $VulnStatus
  518.  
  519. }
  520.  
  521. function Find-MS16135 {
  522.  
  523. $MSBulletin = "MS16-135"
  524. $Architecture = Get-Architecture
  525.  
  526. if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
  527.  
  528. $Path = $env:windir + "\system32\win32k.sys"
  529.  
  530. } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
  531.  
  532. $Path = $env:windir + "\sysnative\win32k.sys"
  533.  
  534. }
  535.  
  536. $VersionInfo = Get-FileVersionInfo($Path)
  537. $VersionInfo = $VersionInfo.Split(".")
  538. $Build = [int]$VersionInfo[2]
  539. $Revision = [int]$VersionInfo[3].Split(" ")[0]
  540.  
  541. switch ( $Build ) {
  542.  
  543. 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 23584 ] }
  544. 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 18524 ] }
  545. 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 16384 ] }
  546. 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 19 ] }
  547. 14393 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 446 ] }
  548. default { $VulnStatus = "Not Vulnerable" }
  549.  
  550. }
  551.  
  552. Set-ExploitTable $MSBulletin $VulnStatus
  553.  
  554. }