diff --git a/ReportToolz/rep2.php b/ReportToolz/rep2.php index d19c6b8..77785b6 100755 --- a/ReportToolz/rep2.php +++ b/ReportToolz/rep2.php @@ -88,7 +88,7 @@ $start = 0; $end = 0; foreach($line as $key => $val){ if(strpos($val, "Discovered Vulnerabilities") === 0){ $start = $key; } - if(strpos($val, "This section provides a quick guide to plan your remediation for the vulnerabilities discovered during the test.") === 0){ $end = $key-2; } + if(strpos($val, "Observed Hosts and Services") === 0){ $end = $key-2; } $line[$key] = trim($val); } diff --git a/ReportToolz/rep2.php b/ReportToolz/rep2.php index d19c6b8..77785b6 100755 --- a/ReportToolz/rep2.php +++ b/ReportToolz/rep2.php @@ -88,7 +88,7 @@ $start = 0; $end = 0; foreach($line as $key => $val){ if(strpos($val, "Discovered Vulnerabilities") === 0){ $start = $key; } - if(strpos($val, "This section provides a quick guide to plan your remediation for the vulnerabilities discovered during the test.") === 0){ $end = $key-2; } + if(strpos($val, "Observed Hosts and Services") === 0){ $end = $key-2; } $line[$key] = trim($val); } diff --git a/ReportToolz/repgen.php b/ReportToolz/repgen.php index 91f688b..6b382e2 100755 --- a/ReportToolz/repgen.php +++ b/ReportToolz/repgen.php @@ -5,7 +5,7 @@ /*** * Configuration options */ -$template = "templates/odt/blank_template_v0.4.odt"; +$template = "templates/odt/blank_template_v0.5.odt"; $CHECKtemplate = "templates/odt/blank_template_check_v0.4.odt"; $vulnTemplate = "templates/odt/vuln_template.xml"; @@ -101,7 +101,7 @@ // squash vulns into one bbig xml $value = ""; if(!empty($Serious)){ - $value .= ' + $value .= ' diff --git a/ReportToolz/rep2.php b/ReportToolz/rep2.php index d19c6b8..77785b6 100755 --- a/ReportToolz/rep2.php +++ b/ReportToolz/rep2.php 
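Review bot: The new end marker, like the start marker on the line above it, is matched with `strpos(...) === 0` against the untrimmed `$val`, and `trim()` only runs afterwards on the same line, so a heading with leading whitespace is never recognised; hoisting `$val = trim($val);` to the top of the loop body (and writing `$line[$key] = $val;`) makes both tests whitespace-tolerant. When the marker is absent, `$end` keeps its initial value of 0 and nothing in the hunk reports that; whatever consumes `$start`/`$end` after the loop (outside the hunk) presumably slices an empty or inverted range, so a check such as `if ($end <= $start) { throw new RuntimeException('vulnerability section markers not found'); }` after the loop would fail loudly instead of producing an empty report. The same hunk is reproduced further down the page; this note applies to each copy.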
@@ -88,7 +88,7 @@ $start = 0; $end = 0; foreach($line as $key => $val){ if(strpos($val, "Discovered Vulnerabilities") === 0){ $start = $key; } - if(strpos($val, "This section provides a quick guide to plan your remediation for the vulnerabilities discovered during the test.") === 0){ $end = $key-2; } + if(strpos($val, "Observed Hosts and Services") === 0){ $end = $key-2; } $line[$key] = trim($val); } diff --git a/ReportToolz/repgen.php b/ReportToolz/repgen.php index 91f688b..6b382e2 100755 --- a/ReportToolz/repgen.php +++ b/ReportToolz/repgen.php @@ -5,7 +5,7 @@ /*** * Configuration options */ -$template = "templates/odt/blank_template_v0.4.odt"; +$template = "templates/odt/blank_template_v0.5.odt"; $CHECKtemplate = "templates/odt/blank_template_check_v0.4.odt"; $vulnTemplate = "templates/odt/vuln_template.xml"; @@ -101,7 +101,7 @@ // squash vulns into one bbig xml $value = ""; if(!empty($Serious)){ - $value .= ' + $value .= ' diff --git a/ReportToolz/templates/odt/blank_template_v0.5.odt b/ReportToolz/templates/odt/blank_template_v0.5.odt new file mode 100755 index 0000000..a16047b --- /dev/null +++ b/ReportToolz/templates/odt/blank_template_v0.5.odt Binary files differ diff --git a/ReportToolz/rep2.php b/ReportToolz/rep2.php index d19c6b8..77785b6 100755 --- a/ReportToolz/rep2.php +++ b/ReportToolz/rep2.php @@ -88,7 +88,7 @@ $start = 0; $end = 0; foreach($line as $key => $val){ if(strpos($val, "Discovered Vulnerabilities") === 0){ $start = $key; } - if(strpos($val, "This section provides a quick guide to plan your remediation for the vulnerabilities discovered during the test.") === 0){ $end = $key-2; } + if(strpos($val, "Observed Hosts and Services") === 0){ $end = $key-2; } $line[$key] = trim($val); } diff --git a/ReportToolz/repgen.php b/ReportToolz/repgen.php index 91f688b..6b382e2 100755 --- a/ReportToolz/repgen.php +++ b/ReportToolz/repgen.php 
@@ -5,7 +5,7 @@ /*** * Configuration options */ -$template = "templates/odt/blank_template_v0.4.odt"; +$template = "templates/odt/blank_template_v0.5.odt"; $CHECKtemplate = "templates/odt/blank_template_check_v0.4.odt"; $vulnTemplate = "templates/odt/vuln_template.xml"; @@ -101,7 +101,7 @@ // squash vulns into one bbig xml $value = ""; if(!empty($Serious)){ - $value .= ' + $value .= ' diff --git a/ReportToolz/templates/odt/blank_template_v0.5.odt b/ReportToolz/templates/odt/blank_template_v0.5.odt new file mode 100755 index 0000000..a16047b --- /dev/null +++ b/ReportToolz/templates/odt/blank_template_v0.5.odt Binary files differ diff --git a/privesc/Sherlock.ps1 b/privesc/Sherlock.ps1 new file mode 100644 index 0000000..a741b9d --- /dev/null +++ b/privesc/Sherlock.ps1 
@@ -0,0 +1,566 @@ +<# + + File: Sherlock.ps1 + Author: @_RastaMouse + License: GNU General Public License v3.0 + +#> + +<# + +RTM build reference, because I'm stupid and forget... + +6002: Vista SP2/2008 SP2 +7600: 7/2008 R2 +7601: 7 SP1/2008 R2 SP1 +9200: 8/2012 +9600: 8.1/2012 R2 +10240: 10 Threshold +10586: 10 Threshold 2 +14393: 10 Redstone/2016 +15063: 10 Redstone 2 +16299: 10 Redstone 3 +17134: 10 Redstone 4 + +#> + +$Global:ExploitTable = $null + +function Get-FileVersionInfo ($FilePath) { + + $VersionInfo = (Get-Item $FilePath).VersionInfo + $FileVersion = ( "{0}.{1}.{2}.{3}" -f $VersionInfo.FileMajorPart, $VersionInfo.FileMinorPart, $VersionInfo.FileBuildPart, $VersionInfo.FilePrivatePart ) + + return $FileVersion + +} + +function Get-InstalledSoftware($SoftwareName) { + + $SoftwareVersion = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -eq $SoftwareName } | Select-Object Version + $SoftwareVersion = $SoftwareVersion.Version # I have no idea what I'm doing + + return $SoftwareVersion + +} + +function Get-Architecture { + + # This is the CPU architecture. Returns "64-bit" or "32-bit". + $CPUArchitecture = (Get-WmiObject Win32_OperatingSystem).OSArchitecture + + # This is the process architecture, e.g. are we an x86 process running on a 64-bit system. Retuns "AMD64" or "x86". + $ProcessArchitecture = $env:PROCESSOR_ARCHITECTURE + + return $CPUArchitecture, $ProcessArchitecture + +} + +function Get-CPUCoreCount { + + $CoreCount = (Get-WmiObject Win32_Processor).NumberOfLogicalProcessors + + return $CoreCount + +} + +function New-ExploitTable { + + # Create the table + $Global:ExploitTable = New-Object System.Data.DataTable + + # Create the columns + $Global:ExploitTable.Columns.Add("Title") + $Global:ExploitTable.Columns.Add("MSBulletin") + $Global:ExploitTable.Columns.Add("CVEID") + $Global:ExploitTable.Columns.Add("Link") + $Global:ExploitTable.Columns.Add("VulnStatus") + + # Add the exploits we are interested in. 
+ + # MS10 + $Global:ExploitTable.Rows.Add("User Mode to Ring (KiTrap0D)","MS10-015","2010-0232","https://www.exploit-db.com/exploits/11199/") + $Global:ExploitTable.Rows.Add("Task Scheduler .XML","MS10-092","2010-3338, 2010-3888","https://www.exploit-db.com/exploits/19930/") + # MS13 + $Global:ExploitTable.Rows.Add("NTUserMessageCall Win32k Kernel Pool Overflow","MS13-053","2013-1300","https://www.exploit-db.com/exploits/33213/") + $Global:ExploitTable.Rows.Add("TrackPopupMenuEx Win32k NULL Page","MS13-081","2013-3881","https://www.exploit-db.com/exploits/31576/") + # MS14 + $Global:ExploitTable.Rows.Add("TrackPopupMenu Win32k Null Pointer Dereference","MS14-058","2014-4113","https://www.exploit-db.com/exploits/35101/") + # MS15 + $Global:ExploitTable.Rows.Add("ClientCopyImage Win32k","MS15-051","2015-1701, 2015-2433","https://www.exploit-db.com/exploits/37367/") + $Global:ExploitTable.Rows.Add("Font Driver Buffer Overflow","MS15-078","2015-2426, 2015-2433","https://www.exploit-db.com/exploits/38222/") + # MS16 + $Global:ExploitTable.Rows.Add("'mrxdav.sys' WebDAV","MS16-016","2016-0051","https://www.exploit-db.com/exploits/40085/") + $Global:ExploitTable.Rows.Add("Secondary Logon Handle","MS16-032","2016-0099","https://www.exploit-db.com/exploits/39719/") + $Global:ExploitTable.Rows.Add("Windows Kernel-Mode Drivers EoP","MS16-034","2016-0093/94/95/96","https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?") + $Global:ExploitTable.Rows.Add("Win32k Elevation of Privilege","MS16-135","2016-7255","https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135") + # Miscs that aren't MS + $Global:ExploitTable.Rows.Add("Nessus Agent 6.6.2 - 6.10.3","N/A","2017-7199","https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html") + +} + +function Set-ExploitTable ($MSBulletin, $VulnStatus) { + + if ( $MSBulletin -like "MS*" ) { + + $Global:ExploitTable | Where-Object { $_.MSBulletin -eq $MSBulletin + + } | 
ForEach-Object { + + $_.VulnStatus = $VulnStatus + + } + + } else { + + + $Global:ExploitTable | Where-Object { $_.CVEID -eq $MSBulletin + + } | ForEach-Object { + + $_.VulnStatus = $VulnStatus + + } + + } + +} + +function Get-Results { + + $Global:ExploitTable + +} + +function Find-AllVulns { + + if ( !$Global:ExploitTable ) { + + $null = New-ExploitTable + + } + + Find-MS10015 + Find-MS10092 + Find-MS13053 + Find-MS13081 + Find-MS14058 + Find-MS15051 + Find-MS15078 + Find-MS16016 + Find-MS16032 + Find-MS16034 + Find-MS16135 + Find-CVE20177199 + + Get-Results + +} + +function Find-MS10015 { + + $MSBulletin = "MS10-015" + $Architecture = Get-Architecture + + if ( $Architecture[0] -eq "64-bit" ) { + + $VulnStatus = "Not supported on 64-bit systems" + + } Else { + + $Path = $env:windir + "\system32\ntoskrnl.exe" + $VersionInfo = Get-FileVersionInfo($Path) + $VersionInfo = $VersionInfo.Split(".") + + $Build = $VersionInfo[2] + $Revision = $VersionInfo[3].Split(" ")[0] + + switch ( $Build ) { + + 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20591" ] } + default { $VulnStatus = "Not Vulnerable" } + + } + + } + + Set-ExploitTable $MSBulletin $VulnStatus + +} + +function Find-MS10092 { + + $MSBulletin = "MS10-092" + $Architecture = Get-Architecture + + if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) { + + $Path = $env:windir + "\system32\schedsvc.dll" + + } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) { + + $Path = $env:windir + "\sysnative\schedsvc.dll" + + } + + $VersionInfo = Get-FileVersionInfo($Path) + $VersionInfo = $VersionInfo.Split(".") + + $Build = $VersionInfo[2] + $Revision = $VersionInfo[3].Split(" ")[0] + + switch ( $Build ) { + + 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20830" ] } + default { $VulnStatus = "Not Vulnerable" } + + } + + Set-ExploitTable $MSBulletin $VulnStatus + +} + +function Find-MS13053 { + + $MSBulletin = "MS13-053" + 
$Architecture = Get-Architecture + + if ( $Architecture[0] -eq "64-bit" ) { + + $VulnStatus = "Not supported on 64-bit systems" + + } Else { + + $Path = $env:windir + "\system32\win32k.sys" + $VersionInfo = Get-FileVersionInfo($Path) + $VersionInfo = $VersionInfo.Split(".") + + $Build = $VersionInfo[2] + $Revision = $VersionInfo[3].Split(" ")[0] + + switch ( $Build ) { + + 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "17000" ] } + 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22348" ] } + 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20732" ] } + default { $VulnStatus = "Not Vulnerable" } + + } + + } + + Set-ExploitTable $MSBulletin $VulnStatus + +} + +function Find-MS13081 { + + $MSBulletin = "MS13-081" + $Architecture = Get-Architecture + + if ( $Architecture[0] -eq "64-bit" ) { + + $VulnStatus = "Not supported on 64-bit systems" + + } Else { + + $Path = $env:windir + "\system32\win32k.sys" + $VersionInfo = Get-FileVersionInfo($Path) + $VersionInfo = $VersionInfo.Split(".") + + $Build = $VersionInfo[2] + $Revision = $VersionInfo[3].Split(" ")[0] + + switch ( $Build ) { + + 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "18000" ] } + 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22435" ] } + 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20807" ] } + default { $VulnStatus = "Not Vulnerable" } + + } + + } + + Set-ExploitTable $MSBulletin $VulnStatus + +} + +function Find-MS14058 { + + $MSBulletin = "MS14-058" + $Architecture = Get-Architecture + + if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) { + + $Path = $env:windir + "\system32\win32k.sys" + + } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) { + + $Path = $env:windir + "\sysnative\win32k.sys" + + } + + $VersionInfo = Get-FileVersionInfo($Path) + $VersionInfo = 
$VersionInfo.Split(".") + + $Build = $VersionInfo[2] + $Revision = $VersionInfo[3].Split(" ")[0] + + switch ( $Build ) { + + 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "18000" ] } + 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22823" ] } + 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21247" ] } + 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "17353" ] } + default { $VulnStatus = "Not Vulnerable" } + + } + + Set-ExploitTable $MSBulletin $VulnStatus + +} + +function Find-MS15051 { + + $MSBulletin = "MS15-051" + $Architecture = Get-Architecture + + if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) { + + $Path = $env:windir + "\system32\win32k.sys" + + } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) { + + $Path = $env:windir + "\sysnative\win32k.sys" + + } + + $VersionInfo = Get-FileVersionInfo($Path) + $VersionInfo = $VersionInfo.Split(".") + + $Build = $VersionInfo[2] + $Revision = $VersionInfo[3].Split(" ")[0] + + switch ( $Build ) { + + 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "18000" ] } + 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22823" ] } + 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21247" ] } + 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "17353" ] } + default { $VulnStatus = "Not Vulnerable" } + + } + + Set-ExploitTable $MSBulletin $VulnStatus + +} + +function Find-MS15078 { + + $MSBulletin = "MS15-078" + + $Path = $env:windir + "\system32\atmfd.dll" + $VersionInfo = Get-FileVersionInfo($Path) + $VersionInfo = $VersionInfo.Split(" ") + + $Revision = $VersionInfo[2] + + switch ( $Revision ) { + + 243 { $VulnStatus = "Appears Vulnerable" } + default { $VulnStatus = "Not Vulnerable" } + + } + + Set-ExploitTable $MSBulletin $VulnStatus + +} + +function 
Find-MS16016 { + + $MSBulletin = "MS16-016" + $Architecture = Get-Architecture + + if ( $Architecture[0] -eq "64-bit" ) { + + $VulnStatus = "Not supported on 64-bit systems" + + } Else { + + $Path = $env:windir + "\system32\drivers\mrxdav.sys" + $VersionInfo = Get-FileVersionInfo($Path) + $VersionInfo = $VersionInfo.Split(".") + + $Build = $VersionInfo[2] + $Revision = $VersionInfo[3].Split(" ")[0] + + switch ( $Build ) { + + 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "16000" ] } + 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "23317" ] } + 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21738" ] } + 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "18189" ] } + 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "16683" ] } + 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "103" ] } + default { $VulnStatus = "Not Vulnerable" } + + } + + } + + Set-ExploitTable $MSBulletin $VulnStatus + +} + +function Find-MS16032 { + + $MSBulletin = "MS16-032" + + $CPUCount = Get-CPUCoreCount + + if ( $CPUCount -eq "1" ) { + + $VulnStatus = "Not Supported on single-core systems" + + } Else { + + $Architecture = Get-Architecture + + if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) { + + $Path = $env:windir + "\system32\seclogon.dll" + + } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) { + + $Path = $env:windir + "\sysnative\seclogon.dll" + + } + + $VersionInfo = Get-FileVersionInfo($Path) + + $VersionInfo = $VersionInfo.Split(".") + + $Build = [int]$VersionInfo[2] + $Revision = [int]$VersionInfo[3].Split(" ")[0] + + switch ( $Build ) { + + 6002 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 19598 -Or ( $Revision -ge 23000 -And $Revision -le 23909 ) ] } + 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 19148 ] 
} + 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 19148 -Or ( $Revision -ge 23000 -And $Revision -le 23347 ) ] } + 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 17649 -Or ( $Revision -ge 21000 -And $Revision -le 21767 ) ] } + 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 18230 ] } + 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 16724 ] } + 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 161 ] } + default { $VulnStatus = "Not Vulnerable" } + + } + } + + Set-ExploitTable $MSBulletin $VulnStatus + +} + +function Find-MS16034 { + + $MSBulletin = "MS16-034" + + $Architecture = Get-Architecture + + if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) { + + $Path = $env:windir + "\system32\win32k.sys" + + } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) { + + $Path = $env:windir + "\sysnative\win32k.sys" + + } + + $VersionInfo = Get-FileVersionInfo($Path) + + $VersionInfo = $VersionInfo.Split(".") + + $Build = [int]$VersionInfo[2] + $Revision = [int]$VersionInfo[3].Split(" ")[0] + + switch ( $Build ) { + + 6002 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 19597 -Or $Revision -lt 23908 ] } + 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 19145 -Or $Revision -lt 23346 ] } + 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 17647 -Or $Revision -lt 21766 ] } + 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 18228 ] } + default { $VulnStatus = "Not Vulnerable" } + + } + + Set-ExploitTable $MSBulletin $VulnStatus + +} + +function Find-CVE20177199 { + + $CVEID = "2017-7199" + $SoftwareVersion = Get-InstalledSoftware "Nessus Agent" + + if ( !$SoftwareVersion ) { + + $VulnStatus = "Not Vulnerable" + + } else { + + $SoftwareVersion = $SoftwareVersion.Split(".") + + $Major = 
[int]$SoftwareVersion[0] + $Minor = [int]$SoftwareVersion[1] + $Build = [int]$SoftwareVersion[2] + + switch( $Major ) { + + 6 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Minor -eq 10 -and $Build -le 3 -Or ( $Minor -eq 6 -and $Build -le 2 ) -Or ( $Minor -le 9 -and $Minor -ge 7 ) ] } # 6.6.2 - 6.10.3 + default { $VulnStatus = "Not Vulnerable" } + + } + + } + + Set-ExploitTable $CVEID $VulnStatus + +} + +function Find-MS16135 { + + $MSBulletin = "MS16-135" + $Architecture = Get-Architecture + + if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) { + + $Path = $env:windir + "\system32\win32k.sys" + + } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) { + + $Path = $env:windir + "\sysnative\win32k.sys" + + } + + $VersionInfo = Get-FileVersionInfo($Path) + $VersionInfo = $VersionInfo.Split(".") + + $Build = [int]$VersionInfo[2] + $Revision = [int]$VersionInfo[3].Split(" ")[0] + + switch ( $Build ) { + + 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 23584 ] } + 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 18524 ] } + 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 16384 ] } + 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 19 ] } + 14393 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 446 ] } + default { $VulnStatus = "Not Vulnerable" } + + } + + Set-ExploitTable $MSBulletin $VulnStatus + +} \ No newline at end of file diff --git a/ReportToolz/rep2.php b/ReportToolz/rep2.php index d19c6b8..77785b6 100755 --- a/ReportToolz/rep2.php +++ b/ReportToolz/rep2.php 
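Review bot: `$Revison` (missing "i") is read in the 6002, 9200 and 9600 branches of Find-MS16032 and of Find-MS16034 but is never assigned, so those comparisons run against `$null` rather than the file revision and the builds are reported as "Appears Vulnerable" regardless of patch level; the fix is the rename to `$Revision` in all six branches. Find-MS15078 does `$VersionInfo.Split(" ")` and reads index 2, but Get-FileVersionInfo returns the four parts joined with `.` and no spaces, so index 2 is `$null` and the switch always falls through to "Not Vulnerable"; it should split on `.` and pick the part that carries the 243 (presumably index 3, the private part — confirm against the bulletin's file version). The functions from Find-MS10015 to Find-MS16016 compare `$Revision` as a string (`$Revision -le "20591"`), which is lexical (`"9000" -le "20591"` is false), whereas the later functions cast with `[int]`; the earlier ones should do the same, e.g. `$Revision = [int]$VersionInfo[3].Split(" ")[0]`. The `-Or $Revision -lt 23908`-style clauses in Find-MS16034 make each lower bound redundant; by analogy with the ranges in Find-MS16032 a bounded `( $Revision -ge 23000 -And $Revision -lt 23908 )` was probably intended. The same file is repeated once more further down the page.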
@@ -88,7 +88,7 @@ $start = 0; $end = 0; foreach($line as $key => $val){ if(strpos($val, "Discovered Vulnerabilities") === 0){ $start = $key; } - if(strpos($val, "This section provides a quick guide to plan your remediation for the vulnerabilities discovered during the test.") === 0){ $end = $key-2; } + if(strpos($val, "Observed Hosts and Services") === 0){ $end = $key-2; } $line[$key] = trim($val); } diff --git a/ReportToolz/repgen.php b/ReportToolz/repgen.php index 91f688b..6b382e2 100755 --- a/ReportToolz/repgen.php +++ b/ReportToolz/repgen.php @@ -5,7 +5,7 @@ /*** * Configuration options */ -$template = "templates/odt/blank_template_v0.4.odt"; +$template = "templates/odt/blank_template_v0.5.odt"; $CHECKtemplate = "templates/odt/blank_template_check_v0.4.odt"; $vulnTemplate = "templates/odt/vuln_template.xml"; @@ -101,7 +101,7 @@ // squash vulns into one bbig xml $value = ""; if(!empty($Serious)){ - $value .= ' + $value .= ' diff --git a/ReportToolz/templates/odt/blank_template_v0.5.odt b/ReportToolz/templates/odt/blank_template_v0.5.odt new file mode 100755 index 0000000..a16047b --- /dev/null +++ b/ReportToolz/templates/odt/blank_template_v0.5.odt Binary files differ diff --git a/privesc/Sherlock.ps1 b/privesc/Sherlock.ps1 new file mode 100644 index 0000000..a741b9d --- /dev/null +++ b/privesc/Sherlock.ps1 
@@ -0,0 +1,566 @@ +<# + + File: Sherlock.ps1 + Author: @_RastaMouse + License: GNU General Public License v3.0 + +#> + +<# + +RTM build reference, because I'm stupid and forget... + +6002: Vista SP2/2008 SP2 +7600: 7/2008 R2 +7601: 7 SP1/2008 R2 SP1 +9200: 8/2012 +9600: 8.1/2012 R2 +10240: 10 Threshold +10586: 10 Threshold 2 +14393: 10 Redstone/2016 +15063: 10 Redstone 2 +16299: 10 Redstone 3 +17134: 10 Redstone 4 + +#> + +$Global:ExploitTable = $null + +function Get-FileVersionInfo ($FilePath) { + + $VersionInfo = (Get-Item $FilePath).VersionInfo + $FileVersion = ( "{0}.{1}.{2}.{3}" -f $VersionInfo.FileMajorPart, $VersionInfo.FileMinorPart, $VersionInfo.FileBuildPart, $VersionInfo.FilePrivatePart ) + + return $FileVersion + +} + +function Get-InstalledSoftware($SoftwareName) { + + $SoftwareVersion = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -eq $SoftwareName } | Select-Object Version + $SoftwareVersion = $SoftwareVersion.Version # I have no idea what I'm doing + + return $SoftwareVersion + +} + +function Get-Architecture { + + # This is the CPU architecture. Returns "64-bit" or "32-bit". + $CPUArchitecture = (Get-WmiObject Win32_OperatingSystem).OSArchitecture + + # This is the process architecture, e.g. are we an x86 process running on a 64-bit system. Retuns "AMD64" or "x86". + $ProcessArchitecture = $env:PROCESSOR_ARCHITECTURE + + return $CPUArchitecture, $ProcessArchitecture + +} + +function Get-CPUCoreCount { + + $CoreCount = (Get-WmiObject Win32_Processor).NumberOfLogicalProcessors + + return $CoreCount + +} + +function New-ExploitTable { + + # Create the table + $Global:ExploitTable = New-Object System.Data.DataTable + + # Create the columns + $Global:ExploitTable.Columns.Add("Title") + $Global:ExploitTable.Columns.Add("MSBulletin") + $Global:ExploitTable.Columns.Add("CVEID") + $Global:ExploitTable.Columns.Add("Link") + $Global:ExploitTable.Columns.Add("VulnStatus") + + # Add the exploits we are interested in. 
+ + # MS10 + $Global:ExploitTable.Rows.Add("User Mode to Ring (KiTrap0D)","MS10-015","2010-0232","https://www.exploit-db.com/exploits/11199/") + $Global:ExploitTable.Rows.Add("Task Scheduler .XML","MS10-092","2010-3338, 2010-3888","https://www.exploit-db.com/exploits/19930/") + # MS13 + $Global:ExploitTable.Rows.Add("NTUserMessageCall Win32k Kernel Pool Overflow","MS13-053","2013-1300","https://www.exploit-db.com/exploits/33213/") + $Global:ExploitTable.Rows.Add("TrackPopupMenuEx Win32k NULL Page","MS13-081","2013-3881","https://www.exploit-db.com/exploits/31576/") + # MS14 + $Global:ExploitTable.Rows.Add("TrackPopupMenu Win32k Null Pointer Dereference","MS14-058","2014-4113","https://www.exploit-db.com/exploits/35101/") + # MS15 + $Global:ExploitTable.Rows.Add("ClientCopyImage Win32k","MS15-051","2015-1701, 2015-2433","https://www.exploit-db.com/exploits/37367/") + $Global:ExploitTable.Rows.Add("Font Driver Buffer Overflow","MS15-078","2015-2426, 2015-2433","https://www.exploit-db.com/exploits/38222/") + # MS16 + $Global:ExploitTable.Rows.Add("'mrxdav.sys' WebDAV","MS16-016","2016-0051","https://www.exploit-db.com/exploits/40085/") + $Global:ExploitTable.Rows.Add("Secondary Logon Handle","MS16-032","2016-0099","https://www.exploit-db.com/exploits/39719/") + $Global:ExploitTable.Rows.Add("Windows Kernel-Mode Drivers EoP","MS16-034","2016-0093/94/95/96","https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?") + $Global:ExploitTable.Rows.Add("Win32k Elevation of Privilege","MS16-135","2016-7255","https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135") + # Miscs that aren't MS + $Global:ExploitTable.Rows.Add("Nessus Agent 6.6.2 - 6.10.3","N/A","2017-7199","https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html") + +} + +function Set-ExploitTable ($MSBulletin, $VulnStatus) { + + if ( $MSBulletin -like "MS*" ) { + + $Global:ExploitTable | Where-Object { $_.MSBulletin -eq $MSBulletin + + } | 
ForEach-Object { + + $_.VulnStatus = $VulnStatus + + } + + } else { + + + $Global:ExploitTable | Where-Object { $_.CVEID -eq $MSBulletin + + } | ForEach-Object { + + $_.VulnStatus = $VulnStatus + + } + + } + +} + +function Get-Results { + + $Global:ExploitTable + +} + +function Find-AllVulns { + + if ( !$Global:ExploitTable ) { + + $null = New-ExploitTable + + } + + Find-MS10015 + Find-MS10092 + Find-MS13053 + Find-MS13081 + Find-MS14058 + Find-MS15051 + Find-MS15078 + Find-MS16016 + Find-MS16032 + Find-MS16034 + Find-MS16135 + Find-CVE20177199 + + Get-Results + +} + +function Find-MS10015 { + + $MSBulletin = "MS10-015" + $Architecture = Get-Architecture + + if ( $Architecture[0] -eq "64-bit" ) { + + $VulnStatus = "Not supported on 64-bit systems" + + } Else { + + $Path = $env:windir + "\system32\ntoskrnl.exe" + $VersionInfo = Get-FileVersionInfo($Path) + $VersionInfo = $VersionInfo.Split(".") + + $Build = $VersionInfo[2] + $Revision = $VersionInfo[3].Split(" ")[0] + + switch ( $Build ) { + + 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20591" ] } + default { $VulnStatus = "Not Vulnerable" } + + } + + } + + Set-ExploitTable $MSBulletin $VulnStatus + +} + +function Find-MS10092 { + + $MSBulletin = "MS10-092" + $Architecture = Get-Architecture + + if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) { + + $Path = $env:windir + "\system32\schedsvc.dll" + + } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) { + + $Path = $env:windir + "\sysnative\schedsvc.dll" + + } + + $VersionInfo = Get-FileVersionInfo($Path) + $VersionInfo = $VersionInfo.Split(".") + + $Build = $VersionInfo[2] + $Revision = $VersionInfo[3].Split(" ")[0] + + switch ( $Build ) { + + 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20830" ] } + default { $VulnStatus = "Not Vulnerable" } + + } + + Set-ExploitTable $MSBulletin $VulnStatus + +} + +function Find-MS13053 { + + $MSBulletin = "MS13-053" + 
$Architecture = Get-Architecture + + if ( $Architecture[0] -eq "64-bit" ) { + + $VulnStatus = "Not supported on 64-bit systems" + + } Else { + + $Path = $env:windir + "\system32\win32k.sys" + $VersionInfo = Get-FileVersionInfo($Path) + $VersionInfo = $VersionInfo.Split(".") + + $Build = $VersionInfo[2] + $Revision = $VersionInfo[3].Split(" ")[0] + + switch ( $Build ) { + + 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "17000" ] } + 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22348" ] } + 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20732" ] } + default { $VulnStatus = "Not Vulnerable" } + + } + + } + + Set-ExploitTable $MSBulletin $VulnStatus + +} + +function Find-MS13081 { + + $MSBulletin = "MS13-081" + $Architecture = Get-Architecture + + if ( $Architecture[0] -eq "64-bit" ) { + + $VulnStatus = "Not supported on 64-bit systems" + + } Else { + + $Path = $env:windir + "\system32\win32k.sys" + $VersionInfo = Get-FileVersionInfo($Path) + $VersionInfo = $VersionInfo.Split(".") + + $Build = $VersionInfo[2] + $Revision = $VersionInfo[3].Split(" ")[0] + + switch ( $Build ) { + + 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "18000" ] } + 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22435" ] } + 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20807" ] } + default { $VulnStatus = "Not Vulnerable" } + + } + + } + + Set-ExploitTable $MSBulletin $VulnStatus + +} + +function Find-MS14058 { + + $MSBulletin = "MS14-058" + $Architecture = Get-Architecture + + if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) { + + $Path = $env:windir + "\system32\win32k.sys" + + } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) { + + $Path = $env:windir + "\sysnative\win32k.sys" + + } + + $VersionInfo = Get-FileVersionInfo($Path) + $VersionInfo = 
$VersionInfo.Split(".") + + $Build = $VersionInfo[2] + $Revision = $VersionInfo[3].Split(" ")[0] + + switch ( $Build ) { + + 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "18000" ] } + 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22823" ] } + 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21247" ] } + 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "17353" ] } + default { $VulnStatus = "Not Vulnerable" } + + } + + Set-ExploitTable $MSBulletin $VulnStatus + +} + +function Find-MS15051 { + + $MSBulletin = "MS15-051" + $Architecture = Get-Architecture + + if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) { + + $Path = $env:windir + "\system32\win32k.sys" + + } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) { + + $Path = $env:windir + "\sysnative\win32k.sys" + + } + + $VersionInfo = Get-FileVersionInfo($Path) + $VersionInfo = $VersionInfo.Split(".") + + $Build = $VersionInfo[2] + $Revision = $VersionInfo[3].Split(" ")[0] + + switch ( $Build ) { + + 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "18000" ] } + 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22823" ] } + 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21247" ] } + 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "17353" ] } + default { $VulnStatus = "Not Vulnerable" } + + } + + Set-ExploitTable $MSBulletin $VulnStatus + +} + +function Find-MS15078 { + + $MSBulletin = "MS15-078" + + $Path = $env:windir + "\system32\atmfd.dll" + $VersionInfo = Get-FileVersionInfo($Path) + $VersionInfo = $VersionInfo.Split(" ") + + $Revision = $VersionInfo[2] + + switch ( $Revision ) { + + 243 { $VulnStatus = "Appears Vulnerable" } + default { $VulnStatus = "Not Vulnerable" } + + } + + Set-ExploitTable $MSBulletin $VulnStatus + +} + +function 
Find-MS16016 {
+
+ $MSBulletin = "MS16-016"
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[0] -eq "64-bit" ) {
+
+ $VulnStatus = "Not supported on 64-bit systems"
+
+ } Else {
+
+ $Path = $env:windir + "\system32\drivers\mrxdav.sys"
+ $VersionInfo = Get-FileVersionInfo($Path)
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = $VersionInfo[2]
+ $Revision = $VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "16000" ] }
+ 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "23317" ] }
+ 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21738" ] }
+ 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "18189" ] }
+ 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "16683" ] }
+ 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "103" ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-MS16032 {
+
+ $MSBulletin = "MS16-032"
+
+ $CPUCount = Get-CPUCoreCount
+
+ if ( $CPUCount -eq "1" ) {
+
+ $VulnStatus = "Not Supported on single-core systems"
+
+ } Else {
+
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
+
+ $Path = $env:windir + "\system32\seclogon.dll"
+
+ } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
+
+ $Path = $env:windir + "\sysnative\seclogon.dll"
+
+ }
+
+ $VersionInfo = Get-FileVersionInfo($Path)
+
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = [int]$VersionInfo[2]
+ $Revision = [int]$VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 6002 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 19598 -Or ( $Revision -ge 23000 -And $Revision -le 23909 ) ] }
+ 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 19148 ] }
+ 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 19148 -Or ( $Revision -ge 23000 -And $Revision -le 23347 ) ] }
+ 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 17649 -Or ( $Revision -ge 21000 -And $Revision -le 21767 ) ] }
+ 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 18230 ] }
+ 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 16724 ] }
+ 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 161 ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-MS16034 {
+
+ $MSBulletin = "MS16-034"
+
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
+
+ $Path = $env:windir + "\system32\win32k.sys"
+
+ } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
+
+ $Path = $env:windir + "\sysnative\win32k.sys"
+
+ }
+
+ $VersionInfo = Get-FileVersionInfo($Path)
+
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = [int]$VersionInfo[2]
+ $Revision = [int]$VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 6002 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 19597 -Or $Revision -lt 23908 ] }
+ 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 19145 -Or $Revision -lt 23346 ] }
+ 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 17647 -Or $Revision -lt 21766 ] }
+ 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 18228 ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-CVE20177199 {
+
+ $CVEID = "2017-7199"
+ $SoftwareVersion = Get-InstalledSoftware "Nessus Agent"
+
+ if ( !$SoftwareVersion ) {
+
+ $VulnStatus = "Not Vulnerable"
+
+ } else {
+
+ $SoftwareVersion = $SoftwareVersion.Split(".")
+
+ $Major = [int]$SoftwareVersion[0]
+ $Minor = [int]$SoftwareVersion[1]
+ $Build = [int]$SoftwareVersion[2]
+
+ switch( $Major ) {
+
+ 6 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Minor -eq 10 -and $Build -le 3 -Or ( $Minor -eq 6 -and $Build -le 2 ) -Or ( $Minor -le 9 -and $Minor -ge 7 ) ] } # 6.6.2 - 6.10.3
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ }
+
+ Set-ExploitTable $CVEID $VulnStatus
+
+}
+
+function Find-MS16135 {
+
+ $MSBulletin = "MS16-135"
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
+
+ $Path = $env:windir + "\system32\win32k.sys"
+
+ } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
+
+ $Path = $env:windir + "\sysnative\win32k.sys"
+
+ }
+
+ $VersionInfo = Get-FileVersionInfo($Path)
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = [int]$VersionInfo[2]
+ $Revision = [int]$VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 23584 ] }
+ 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 18524 ] }
+ 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 16384 ] }
+ 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 19 ] }
+ 14393 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 446 ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
\ No newline at end of file
diff --git a/search_dump.sh b/search_dump.sh
index 70cab9a..560ffc5 100755
--- a/search_dump.sh
+++ b/search_dump.sh
@@ -14,7 +14,7 @@
 mkdir /mnt/$RNDNO
 echo Mounting NAS
-mount -t cifs //192.168.0.13/NAS /mnt/$RNDNO -o username=[username],password=[password],vers=1.0
+mount -t cifs //192.168.0.13/NAS /mnt/$RNDNO -o username=[redacted],password=[redacted],vers=1.0
 cd /mnt/$RNDNO/DB_Dumps/bigDB
 echo Searching for $TERM in $PWD \(Est. 1hr\)...
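Review bot: The new mount line still takes the share password inline through `-o username=...,password=...`, so once the `[redacted]` placeholders are filled in by whoever runs the script (presumably the intent), the secret is visible in the process list, the shell history and any wrapper log that records the command. Since the commit's point is to keep the credential out of the file, it is cleaner to read it from a root-only credentials file: `mount -t cifs //192.168.0.13/NAS /mnt/$RNDNO -o credentials=<path-to-creds-file>,vers=1.0`, with that file holding `username=` and `password=` lines and mode 0600. `vers=1.0` also pins the SMB1 dialect, which lacks the signing and encryption protections of later dialects; worth checking whether the NAS accepts a newer version before leaving this in. The hunk's blank context lines appear collapsed in this rendering, so the exact hunk boundary is inferred.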
