diff --git a/ReportToolz/rep2.php b/ReportToolz/rep2.php
index d19c6b8..77785b6 100755
--- a/ReportToolz/rep2.php
+++ b/ReportToolz/rep2.php
@@ -88,7 +88,7 @@
$start = 0; $end = 0;
foreach($line as $key => $val){
if(strpos($val, "Discovered Vulnerabilities") === 0){ $start = $key; }
- if(strpos($val, "This section provides a quick guide to plan your remediation for the vulnerabilities discovered during the test.") === 0){ $end = $key-2; }
+ if(strpos($val, "Observed Hosts and Services") === 0){ $end = $key-2; }
$line[$key] = trim($val);
}
diff --git a/ReportToolz/rep2.php b/ReportToolz/rep2.php
index d19c6b8..77785b6 100755
--- a/ReportToolz/rep2.php
+++ b/ReportToolz/rep2.php
@@ -88,7 +88,7 @@
$start = 0; $end = 0;
foreach($line as $key => $val){
if(strpos($val, "Discovered Vulnerabilities") === 0){ $start = $key; }
- if(strpos($val, "This section provides a quick guide to plan your remediation for the vulnerabilities discovered during the test.") === 0){ $end = $key-2; }
+ if(strpos($val, "Observed Hosts and Services") === 0){ $end = $key-2; }
$line[$key] = trim($val);
}
diff --git a/ReportToolz/repgen.php b/ReportToolz/repgen.php
index 91f688b..6b382e2 100755
--- a/ReportToolz/repgen.php
+++ b/ReportToolz/repgen.php
@@ -5,7 +5,7 @@
/***
* Configuration options
*/
-$template = "templates/odt/blank_template_v0.4.odt";
+$template = "templates/odt/blank_template_v0.5.odt";
$CHECKtemplate = "templates/odt/blank_template_check_v0.4.odt";
$vulnTemplate = "templates/odt/vuln_template.xml";
@@ -101,7 +101,7 @@
// squash vulns into one bbig xml
$value = "";
if(!empty($Serious)){
- $value .= '<text:list text:continue-numbering="true" text:style-name="Outline">
+ $value .= '<text:list text:continue-numbering="true" text:style-name="Outline">
<text:list-item>
<text:list>
<text:list-item>
diff --git a/ReportToolz/rep2.php b/ReportToolz/rep2.php
index d19c6b8..77785b6 100755
--- a/ReportToolz/rep2.php
+++ b/ReportToolz/rep2.php
@@ -88,7 +88,7 @@
$start = 0; $end = 0;
foreach($line as $key => $val){
if(strpos($val, "Discovered Vulnerabilities") === 0){ $start = $key; }
- if(strpos($val, "This section provides a quick guide to plan your remediation for the vulnerabilities discovered during the test.") === 0){ $end = $key-2; }
+ if(strpos($val, "Observed Hosts and Services") === 0){ $end = $key-2; }
$line[$key] = trim($val);
}
diff --git a/ReportToolz/repgen.php b/ReportToolz/repgen.php
index 91f688b..6b382e2 100755
--- a/ReportToolz/repgen.php
+++ b/ReportToolz/repgen.php
@@ -5,7 +5,7 @@
/***
* Configuration options
*/
-$template = "templates/odt/blank_template_v0.4.odt";
+$template = "templates/odt/blank_template_v0.5.odt";
$CHECKtemplate = "templates/odt/blank_template_check_v0.4.odt";
$vulnTemplate = "templates/odt/vuln_template.xml";
@@ -101,7 +101,7 @@
// squash vulns into one bbig xml
$value = "";
if(!empty($Serious)){
- $value .= '<text:list text:continue-numbering="true" text:style-name="Outline">
+ $value .= '<text:list text:continue-numbering="true" text:style-name="Outline">
<text:list-item>
<text:list>
<text:list-item>
diff --git a/ReportToolz/templates/odt/blank_template_v0.5.odt b/ReportToolz/templates/odt/blank_template_v0.5.odt
new file mode 100755
index 0000000..a16047b
--- /dev/null
+++ b/ReportToolz/templates/odt/blank_template_v0.5.odt
Binary files differ
diff --git a/ReportToolz/rep2.php b/ReportToolz/rep2.php
index d19c6b8..77785b6 100755
--- a/ReportToolz/rep2.php
+++ b/ReportToolz/rep2.php
@@ -88,7 +88,7 @@
$start = 0; $end = 0;
foreach($line as $key => $val){
if(strpos($val, "Discovered Vulnerabilities") === 0){ $start = $key; }
- if(strpos($val, "This section provides a quick guide to plan your remediation for the vulnerabilities discovered during the test.") === 0){ $end = $key-2; }
+ if(strpos($val, "Observed Hosts and Services") === 0){ $end = $key-2; }
$line[$key] = trim($val);
}
diff --git a/ReportToolz/repgen.php b/ReportToolz/repgen.php
index 91f688b..6b382e2 100755
--- a/ReportToolz/repgen.php
+++ b/ReportToolz/repgen.php
@@ -5,7 +5,7 @@
/***
* Configuration options
*/
-$template = "templates/odt/blank_template_v0.4.odt";
+$template = "templates/odt/blank_template_v0.5.odt";
$CHECKtemplate = "templates/odt/blank_template_check_v0.4.odt";
$vulnTemplate = "templates/odt/vuln_template.xml";
@@ -101,7 +101,7 @@
// squash vulns into one bbig xml
$value = "";
if(!empty($Serious)){
- $value .= '<text:list text:continue-numbering="true" text:style-name="Outline">
+ $value .= '<text:list text:continue-numbering="true" text:style-name="Outline">
<text:list-item>
<text:list>
<text:list-item>
diff --git a/ReportToolz/templates/odt/blank_template_v0.5.odt b/ReportToolz/templates/odt/blank_template_v0.5.odt
new file mode 100755
index 0000000..a16047b
--- /dev/null
+++ b/ReportToolz/templates/odt/blank_template_v0.5.odt
Binary files differ
diff --git a/privesc/Sherlock.ps1 b/privesc/Sherlock.ps1
new file mode 100644
index 0000000..a741b9d
--- /dev/null
+++ b/privesc/Sherlock.ps1
@@ -0,0 +1,566 @@
+<#
+
+ File: Sherlock.ps1
+ Author: @_RastaMouse
+ License: GNU General Public License v3.0
+
+#>
+
+<#
+
+RTM build reference, because I'm stupid and forget...
+
+6002: Vista SP2/2008 SP2
+7600: 7/2008 R2
+7601: 7 SP1/2008 R2 SP1
+9200: 8/2012
+9600: 8.1/2012 R2
+10240: 10 Threshold
+10586: 10 Threshold 2
+14393: 10 Redstone/2016
+15063: 10 Redstone 2
+16299: 10 Redstone 3
+17134: 10 Redstone 4
+
+#>
+
+$Global:ExploitTable = $null
+
+function Get-FileVersionInfo ($FilePath) {
+
+ $VersionInfo = (Get-Item $FilePath).VersionInfo
+ $FileVersion = ( "{0}.{1}.{2}.{3}" -f $VersionInfo.FileMajorPart, $VersionInfo.FileMinorPart, $VersionInfo.FileBuildPart, $VersionInfo.FilePrivatePart )
+
+ return $FileVersion
+
+}
+
+function Get-InstalledSoftware($SoftwareName) {
+
+ $SoftwareVersion = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -eq $SoftwareName } | Select-Object Version
+ $SoftwareVersion = $SoftwareVersion.Version # I have no idea what I'm doing
+
+ return $SoftwareVersion
+
+}
+
+function Get-Architecture {
+
+ # This is the CPU architecture. Returns "64-bit" or "32-bit".
+ $CPUArchitecture = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
+
+ # This is the process architecture, e.g. are we an x86 process running on a 64-bit system. Retuns "AMD64" or "x86".
+ $ProcessArchitecture = $env:PROCESSOR_ARCHITECTURE
+
+ return $CPUArchitecture, $ProcessArchitecture
+
+}
+
+function Get-CPUCoreCount {
+
+ $CoreCount = (Get-WmiObject Win32_Processor).NumberOfLogicalProcessors
+
+ return $CoreCount
+
+}
+
+function New-ExploitTable {
+
+ # Create the table
+ $Global:ExploitTable = New-Object System.Data.DataTable
+
+ # Create the columns
+ $Global:ExploitTable.Columns.Add("Title")
+ $Global:ExploitTable.Columns.Add("MSBulletin")
+ $Global:ExploitTable.Columns.Add("CVEID")
+ $Global:ExploitTable.Columns.Add("Link")
+ $Global:ExploitTable.Columns.Add("VulnStatus")
+
+ # Add the exploits we are interested in.
+
+ # MS10
+ $Global:ExploitTable.Rows.Add("User Mode to Ring (KiTrap0D)","MS10-015","2010-0232","https://www.exploit-db.com/exploits/11199/")
+ $Global:ExploitTable.Rows.Add("Task Scheduler .XML","MS10-092","2010-3338, 2010-3888","https://www.exploit-db.com/exploits/19930/")
+ # MS13
+ $Global:ExploitTable.Rows.Add("NTUserMessageCall Win32k Kernel Pool Overflow","MS13-053","2013-1300","https://www.exploit-db.com/exploits/33213/")
+ $Global:ExploitTable.Rows.Add("TrackPopupMenuEx Win32k NULL Page","MS13-081","2013-3881","https://www.exploit-db.com/exploits/31576/")
+ # MS14
+ $Global:ExploitTable.Rows.Add("TrackPopupMenu Win32k Null Pointer Dereference","MS14-058","2014-4113","https://www.exploit-db.com/exploits/35101/")
+ # MS15
+ $Global:ExploitTable.Rows.Add("ClientCopyImage Win32k","MS15-051","2015-1701, 2015-2433","https://www.exploit-db.com/exploits/37367/")
+ $Global:ExploitTable.Rows.Add("Font Driver Buffer Overflow","MS15-078","2015-2426, 2015-2433","https://www.exploit-db.com/exploits/38222/")
+ # MS16
+ $Global:ExploitTable.Rows.Add("'mrxdav.sys' WebDAV","MS16-016","2016-0051","https://www.exploit-db.com/exploits/40085/")
+ $Global:ExploitTable.Rows.Add("Secondary Logon Handle","MS16-032","2016-0099","https://www.exploit-db.com/exploits/39719/")
+ $Global:ExploitTable.Rows.Add("Windows Kernel-Mode Drivers EoP","MS16-034","2016-0093/94/95/96","https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?")
+ $Global:ExploitTable.Rows.Add("Win32k Elevation of Privilege","MS16-135","2016-7255","https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135")
+ # Miscs that aren't MS
+ $Global:ExploitTable.Rows.Add("Nessus Agent 6.6.2 - 6.10.3","N/A","2017-7199","https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html")
+
+}
+
+function Set-ExploitTable ($MSBulletin, $VulnStatus) {
+
+ if ( $MSBulletin -like "MS*" ) {
+
+ $Global:ExploitTable | Where-Object { $_.MSBulletin -eq $MSBulletin
+
+ } | ForEach-Object {
+
+ $_.VulnStatus = $VulnStatus
+
+ }
+
+ } else {
+
+
+ $Global:ExploitTable | Where-Object { $_.CVEID -eq $MSBulletin
+
+ } | ForEach-Object {
+
+ $_.VulnStatus = $VulnStatus
+
+ }
+
+ }
+
+}
+
+function Get-Results {
+
+ $Global:ExploitTable
+
+}
+
+function Find-AllVulns {
+
+ if ( !$Global:ExploitTable ) {
+
+ $null = New-ExploitTable
+
+ }
+
+ Find-MS10015
+ Find-MS10092
+ Find-MS13053
+ Find-MS13081
+ Find-MS14058
+ Find-MS15051
+ Find-MS15078
+ Find-MS16016
+ Find-MS16032
+ Find-MS16034
+ Find-MS16135
+ Find-CVE20177199
+
+ Get-Results
+
+}
+
+function Find-MS10015 {
+
+ $MSBulletin = "MS10-015"
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[0] -eq "64-bit" ) {
+
+ $VulnStatus = "Not supported on 64-bit systems"
+
+ } Else {
+
+ $Path = $env:windir + "\system32\ntoskrnl.exe"
+ $VersionInfo = Get-FileVersionInfo($Path)
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = $VersionInfo[2]
+ $Revision = $VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20591" ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-MS10092 {
+
+ $MSBulletin = "MS10-092"
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
+
+ $Path = $env:windir + "\system32\schedsvc.dll"
+
+ } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
+
+ $Path = $env:windir + "\sysnative\schedsvc.dll"
+
+ }
+
+ $VersionInfo = Get-FileVersionInfo($Path)
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = $VersionInfo[2]
+ $Revision = $VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20830" ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-MS13053 {
+
+ $MSBulletin = "MS13-053"
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[0] -eq "64-bit" ) {
+
+ $VulnStatus = "Not supported on 64-bit systems"
+
+ } Else {
+
+ $Path = $env:windir + "\system32\win32k.sys"
+ $VersionInfo = Get-FileVersionInfo($Path)
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = $VersionInfo[2]
+ $Revision = $VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "17000" ] }
+ 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22348" ] }
+ 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20732" ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-MS13081 {
+
+ $MSBulletin = "MS13-081"
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[0] -eq "64-bit" ) {
+
+ $VulnStatus = "Not supported on 64-bit systems"
+
+ } Else {
+
+ $Path = $env:windir + "\system32\win32k.sys"
+ $VersionInfo = Get-FileVersionInfo($Path)
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = $VersionInfo[2]
+ $Revision = $VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "18000" ] }
+ 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22435" ] }
+ 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20807" ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-MS14058 {
+
+ $MSBulletin = "MS14-058"
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
+
+ $Path = $env:windir + "\system32\win32k.sys"
+
+ } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
+
+ $Path = $env:windir + "\sysnative\win32k.sys"
+
+ }
+
+ $VersionInfo = Get-FileVersionInfo($Path)
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = $VersionInfo[2]
+ $Revision = $VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "18000" ] }
+ 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22823" ] }
+ 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21247" ] }
+ 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "17353" ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-MS15051 {
+
+ $MSBulletin = "MS15-051"
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
+
+ $Path = $env:windir + "\system32\win32k.sys"
+
+ } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
+
+ $Path = $env:windir + "\sysnative\win32k.sys"
+
+ }
+
+ $VersionInfo = Get-FileVersionInfo($Path)
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = $VersionInfo[2]
+ $Revision = $VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "18000" ] }
+ 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22823" ] }
+ 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21247" ] }
+ 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "17353" ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-MS15078 {
+
+ $MSBulletin = "MS15-078"
+
+ $Path = $env:windir + "\system32\atmfd.dll"
+ $VersionInfo = Get-FileVersionInfo($Path)
+ $VersionInfo = $VersionInfo.Split(" ")
+
+ $Revision = $VersionInfo[2]
+
+ switch ( $Revision ) {
+
+ 243 { $VulnStatus = "Appears Vulnerable" }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-MS16016 {
+
+ $MSBulletin = "MS16-016"
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[0] -eq "64-bit" ) {
+
+ $VulnStatus = "Not supported on 64-bit systems"
+
+ } Else {
+
+ $Path = $env:windir + "\system32\drivers\mrxdav.sys"
+ $VersionInfo = Get-FileVersionInfo($Path)
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = $VersionInfo[2]
+ $Revision = $VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "16000" ] }
+ 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "23317" ] }
+ 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21738" ] }
+ 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "18189" ] }
+ 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "16683" ] }
+ 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "103" ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-MS16032 {
+
+ $MSBulletin = "MS16-032"
+
+ $CPUCount = Get-CPUCoreCount
+
+ if ( $CPUCount -eq "1" ) {
+
+ $VulnStatus = "Not Supported on single-core systems"
+
+ } Else {
+
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
+
+ $Path = $env:windir + "\system32\seclogon.dll"
+
+ } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
+
+ $Path = $env:windir + "\sysnative\seclogon.dll"
+
+ }
+
+ $VersionInfo = Get-FileVersionInfo($Path)
+
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = [int]$VersionInfo[2]
+ $Revision = [int]$VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 6002 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 19598 -Or ( $Revision -ge 23000 -And $Revision -le 23909 ) ] }
+ 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 19148 ] }
+ 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 19148 -Or ( $Revision -ge 23000 -And $Revision -le 23347 ) ] }
+ 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 17649 -Or ( $Revision -ge 21000 -And $Revision -le 21767 ) ] }
+ 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 18230 ] }
+ 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 16724 ] }
+ 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 161 ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-MS16034 {
+
+ $MSBulletin = "MS16-034"
+
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
+
+ $Path = $env:windir + "\system32\win32k.sys"
+
+ } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
+
+ $Path = $env:windir + "\sysnative\win32k.sys"
+
+ }
+
+ $VersionInfo = Get-FileVersionInfo($Path)
+
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = [int]$VersionInfo[2]
+ $Revision = [int]$VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 6002 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 19597 -Or $Revision -lt 23908 ] }
+ 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 19145 -Or $Revision -lt 23346 ] }
+ 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 17647 -Or $Revision -lt 21766 ] }
+ 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 18228 ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-CVE20177199 {
+
+ $CVEID = "2017-7199"
+ $SoftwareVersion = Get-InstalledSoftware "Nessus Agent"
+
+ if ( !$SoftwareVersion ) {
+
+ $VulnStatus = "Not Vulnerable"
+
+ } else {
+
+ $SoftwareVersion = $SoftwareVersion.Split(".")
+
+ $Major = [int]$SoftwareVersion[0]
+ $Minor = [int]$SoftwareVersion[1]
+ $Build = [int]$SoftwareVersion[2]
+
+ switch( $Major ) {
+
+ 6 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Minor -eq 10 -and $Build -le 3 -Or ( $Minor -eq 6 -and $Build -le 2 ) -Or ( $Minor -le 9 -and $Minor -ge 7 ) ] } # 6.6.2 - 6.10.3
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ }
+
+ Set-ExploitTable $CVEID $VulnStatus
+
+}
+
+function Find-MS16135 {
+
+ $MSBulletin = "MS16-135"
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
+
+ $Path = $env:windir + "\system32\win32k.sys"
+
+ } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
+
+ $Path = $env:windir + "\sysnative\win32k.sys"
+
+ }
+
+ $VersionInfo = Get-FileVersionInfo($Path)
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = [int]$VersionInfo[2]
+ $Revision = [int]$VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 23584 ] }
+ 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 18524 ] }
+ 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 16384 ] }
+ 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 19 ] }
+ 14393 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 446 ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
\ No newline at end of file
diff --git a/ReportToolz/rep2.php b/ReportToolz/rep2.php
index d19c6b8..77785b6 100755
--- a/ReportToolz/rep2.php
+++ b/ReportToolz/rep2.php
@@ -88,7 +88,7 @@
$start = 0; $end = 0;
foreach($line as $key => $val){
if(strpos($val, "Discovered Vulnerabilities") === 0){ $start = $key; }
- if(strpos($val, "This section provides a quick guide to plan your remediation for the vulnerabilities discovered during the test.") === 0){ $end = $key-2; }
+ if(strpos($val, "Observed Hosts and Services") === 0){ $end = $key-2; }
$line[$key] = trim($val);
}
diff --git a/ReportToolz/repgen.php b/ReportToolz/repgen.php
index 91f688b..6b382e2 100755
--- a/ReportToolz/repgen.php
+++ b/ReportToolz/repgen.php
@@ -5,7 +5,7 @@
/***
* Configuration options
*/
-$template = "templates/odt/blank_template_v0.4.odt";
+$template = "templates/odt/blank_template_v0.5.odt";
$CHECKtemplate = "templates/odt/blank_template_check_v0.4.odt";
$vulnTemplate = "templates/odt/vuln_template.xml";
@@ -101,7 +101,7 @@
// squash vulns into one bbig xml
$value = "";
if(!empty($Serious)){
- $value .= '<text:list text:continue-numbering="true" text:style-name="Outline">
+ $value .= '<text:list text:continue-numbering="true" text:style-name="Outline">
<text:list-item>
<text:list>
<text:list-item>
diff --git a/ReportToolz/templates/odt/blank_template_v0.5.odt b/ReportToolz/templates/odt/blank_template_v0.5.odt
new file mode 100755
index 0000000..a16047b
--- /dev/null
+++ b/ReportToolz/templates/odt/blank_template_v0.5.odt
Binary files differ
diff --git a/privesc/Sherlock.ps1 b/privesc/Sherlock.ps1
new file mode 100644
index 0000000..a741b9d
--- /dev/null
+++ b/privesc/Sherlock.ps1
@@ -0,0 +1,566 @@
+<#
+
+ File: Sherlock.ps1
+ Author: @_RastaMouse
+ License: GNU General Public License v3.0
+
+#>
+
+<#
+
+RTM build reference, because I'm stupid and forget...
+
+6002: Vista SP2/2008 SP2
+7600: 7/2008 R2
+7601: 7 SP1/2008 R2 SP1
+9200: 8/2012
+9600: 8.1/2012 R2
+10240: 10 Threshold
+10586: 10 Threshold 2
+14393: 10 Redstone/2016
+15063: 10 Redstone 2
+16299: 10 Redstone 3
+17134: 10 Redstone 4
+
+#>
+
+$Global:ExploitTable = $null
+
+function Get-FileVersionInfo ($FilePath) {
+
+ $VersionInfo = (Get-Item $FilePath).VersionInfo
+ $FileVersion = ( "{0}.{1}.{2}.{3}" -f $VersionInfo.FileMajorPart, $VersionInfo.FileMinorPart, $VersionInfo.FileBuildPart, $VersionInfo.FilePrivatePart )
+
+ return $FileVersion
+
+}
+
+function Get-InstalledSoftware($SoftwareName) {
+
+ $SoftwareVersion = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -eq $SoftwareName } | Select-Object Version
+ $SoftwareVersion = $SoftwareVersion.Version # I have no idea what I'm doing
+
+ return $SoftwareVersion
+
+}
+
+function Get-Architecture {
+
+ # This is the CPU architecture. Returns "64-bit" or "32-bit".
+ $CPUArchitecture = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
+
+ # This is the process architecture, e.g. are we an x86 process running on a 64-bit system. Retuns "AMD64" or "x86".
+ $ProcessArchitecture = $env:PROCESSOR_ARCHITECTURE
+
+ return $CPUArchitecture, $ProcessArchitecture
+
+}
+
+function Get-CPUCoreCount {
+
+ $CoreCount = (Get-WmiObject Win32_Processor).NumberOfLogicalProcessors
+
+ return $CoreCount
+
+}
+
+function New-ExploitTable {
+
+ # Create the table
+ $Global:ExploitTable = New-Object System.Data.DataTable
+
+ # Create the columns
+ $Global:ExploitTable.Columns.Add("Title")
+ $Global:ExploitTable.Columns.Add("MSBulletin")
+ $Global:ExploitTable.Columns.Add("CVEID")
+ $Global:ExploitTable.Columns.Add("Link")
+ $Global:ExploitTable.Columns.Add("VulnStatus")
+
+ # Add the exploits we are interested in.
+
+ # MS10
+ $Global:ExploitTable.Rows.Add("User Mode to Ring (KiTrap0D)","MS10-015","2010-0232","https://www.exploit-db.com/exploits/11199/")
+ $Global:ExploitTable.Rows.Add("Task Scheduler .XML","MS10-092","2010-3338, 2010-3888","https://www.exploit-db.com/exploits/19930/")
+ # MS13
+ $Global:ExploitTable.Rows.Add("NTUserMessageCall Win32k Kernel Pool Overflow","MS13-053","2013-1300","https://www.exploit-db.com/exploits/33213/")
+ $Global:ExploitTable.Rows.Add("TrackPopupMenuEx Win32k NULL Page","MS13-081","2013-3881","https://www.exploit-db.com/exploits/31576/")
+ # MS14
+ $Global:ExploitTable.Rows.Add("TrackPopupMenu Win32k Null Pointer Dereference","MS14-058","2014-4113","https://www.exploit-db.com/exploits/35101/")
+ # MS15
+ $Global:ExploitTable.Rows.Add("ClientCopyImage Win32k","MS15-051","2015-1701, 2015-2433","https://www.exploit-db.com/exploits/37367/")
+ $Global:ExploitTable.Rows.Add("Font Driver Buffer Overflow","MS15-078","2015-2426, 2015-2433","https://www.exploit-db.com/exploits/38222/")
+ # MS16
+ $Global:ExploitTable.Rows.Add("'mrxdav.sys' WebDAV","MS16-016","2016-0051","https://www.exploit-db.com/exploits/40085/")
+ $Global:ExploitTable.Rows.Add("Secondary Logon Handle","MS16-032","2016-0099","https://www.exploit-db.com/exploits/39719/")
+ $Global:ExploitTable.Rows.Add("Windows Kernel-Mode Drivers EoP","MS16-034","2016-0093/94/95/96","https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?")
+ $Global:ExploitTable.Rows.Add("Win32k Elevation of Privilege","MS16-135","2016-7255","https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135")
+ # Miscs that aren't MS
+ $Global:ExploitTable.Rows.Add("Nessus Agent 6.6.2 - 6.10.3","N/A","2017-7199","https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html")
+
+}
+
+function Set-ExploitTable ($MSBulletin, $VulnStatus) {
+
+ if ( $MSBulletin -like "MS*" ) {
+
+ $Global:ExploitTable | Where-Object { $_.MSBulletin -eq $MSBulletin
+
+ } | ForEach-Object {
+
+ $_.VulnStatus = $VulnStatus
+
+ }
+
+ } else {
+
+
+ $Global:ExploitTable | Where-Object { $_.CVEID -eq $MSBulletin
+
+ } | ForEach-Object {
+
+ $_.VulnStatus = $VulnStatus
+
+ }
+
+ }
+
+}
+
+function Get-Results {
+
+ $Global:ExploitTable
+
+}
+
+function Find-AllVulns {
+
+ if ( !$Global:ExploitTable ) {
+
+ $null = New-ExploitTable
+
+ }
+
+ Find-MS10015
+ Find-MS10092
+ Find-MS13053
+ Find-MS13081
+ Find-MS14058
+ Find-MS15051
+ Find-MS15078
+ Find-MS16016
+ Find-MS16032
+ Find-MS16034
+ Find-MS16135
+ Find-CVE20177199
+
+ Get-Results
+
+}
+
+function Find-MS10015 {
+
+ $MSBulletin = "MS10-015"
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[0] -eq "64-bit" ) {
+
+ $VulnStatus = "Not supported on 64-bit systems"
+
+ } Else {
+
+ $Path = $env:windir + "\system32\ntoskrnl.exe"
+ $VersionInfo = Get-FileVersionInfo($Path)
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = $VersionInfo[2]
+ $Revision = $VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20591" ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-MS10092 {
+
+ $MSBulletin = "MS10-092"
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
+
+ $Path = $env:windir + "\system32\schedsvc.dll"
+
+ } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
+
+ $Path = $env:windir + "\sysnative\schedsvc.dll"
+
+ }
+
+ $VersionInfo = Get-FileVersionInfo($Path)
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = $VersionInfo[2]
+ $Revision = $VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20830" ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-MS13053 {
+
+ $MSBulletin = "MS13-053"
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[0] -eq "64-bit" ) {
+
+ $VulnStatus = "Not supported on 64-bit systems"
+
+ } Else {
+
+ $Path = $env:windir + "\system32\win32k.sys"
+ $VersionInfo = Get-FileVersionInfo($Path)
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = $VersionInfo[2]
+ $Revision = $VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "17000" ] }
+ 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22348" ] }
+ 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20732" ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-MS13081 {
+
+ $MSBulletin = "MS13-081"
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[0] -eq "64-bit" ) {
+
+ $VulnStatus = "Not supported on 64-bit systems"
+
+ } Else {
+
+ $Path = $env:windir + "\system32\win32k.sys"
+ $VersionInfo = Get-FileVersionInfo($Path)
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = $VersionInfo[2]
+ $Revision = $VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "18000" ] }
+ 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22435" ] }
+ 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20807" ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-MS14058 {
+
+ $MSBulletin = "MS14-058"
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
+
+ $Path = $env:windir + "\system32\win32k.sys"
+
+ } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
+
+ $Path = $env:windir + "\sysnative\win32k.sys"
+
+ }
+
+ $VersionInfo = Get-FileVersionInfo($Path)
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = $VersionInfo[2]
+ $Revision = $VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "18000" ] }
+ 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22823" ] }
+ 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21247" ] }
+ 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "17353" ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-MS15051 {
+
+ $MSBulletin = "MS15-051"
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
+
+ $Path = $env:windir + "\system32\win32k.sys"
+
+ } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
+
+ $Path = $env:windir + "\sysnative\win32k.sys"
+
+ }
+
+ $VersionInfo = Get-FileVersionInfo($Path)
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = $VersionInfo[2]
+ $Revision = $VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "18000" ] }
+ 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22823" ] }
+ 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21247" ] }
+ 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "17353" ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-MS15078 {
+
+ $MSBulletin = "MS15-078"
+
+ $Path = $env:windir + "\system32\atmfd.dll"
+ $VersionInfo = Get-FileVersionInfo($Path)
+ $VersionInfo = $VersionInfo.Split(" ")
+
+ $Revision = $VersionInfo[2]
+
+ switch ( $Revision ) {
+
+ 243 { $VulnStatus = "Appears Vulnerable" }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-MS16016 {
+
+ $MSBulletin = "MS16-016"
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[0] -eq "64-bit" ) {
+
+ $VulnStatus = "Not supported on 64-bit systems"
+
+ } Else {
+
+ $Path = $env:windir + "\system32\drivers\mrxdav.sys"
+ $VersionInfo = Get-FileVersionInfo($Path)
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = $VersionInfo[2]
+ $Revision = $VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "16000" ] }
+ 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "23317" ] }
+ 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21738" ] }
+ 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "18189" ] }
+ 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "16683" ] }
+ 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "103" ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-MS16032 {
+
+ $MSBulletin = "MS16-032"
+
+ $CPUCount = Get-CPUCoreCount
+
+ if ( $CPUCount -eq "1" ) {
+
+ $VulnStatus = "Not Supported on single-core systems"
+
+ } Else {
+
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
+
+ $Path = $env:windir + "\system32\seclogon.dll"
+
+ } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
+
+ $Path = $env:windir + "\sysnative\seclogon.dll"
+
+ }
+
+ $VersionInfo = Get-FileVersionInfo($Path)
+
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = [int]$VersionInfo[2]
+ $Revision = [int]$VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 6002 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 19598 -Or ( $Revision -ge 23000 -And $Revision -le 23909 ) ] }
+ 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 19148 ] }
+ 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 19148 -Or ( $Revision -ge 23000 -And $Revision -le 23347 ) ] }
+ 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 17649 -Or ( $Revision -ge 21000 -And $Revision -le 21767 ) ] }
+ 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 18230 ] }
+ 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 16724 ] }
+ 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 161 ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-MS16034 {
+
+ $MSBulletin = "MS16-034"
+
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
+
+ $Path = $env:windir + "\system32\win32k.sys"
+
+ } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
+
+ $Path = $env:windir + "\sysnative\win32k.sys"
+
+ }
+
+ $VersionInfo = Get-FileVersionInfo($Path)
+
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = [int]$VersionInfo[2]
+ $Revision = [int]$VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 6002 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 19597 -Or $Revision -lt 23908 ] }
+ 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 19145 -Or $Revision -lt 23346 ] }
+ 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 17647 -Or $Revision -lt 21766 ] }
+ 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 18228 ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
+
+function Find-CVE20177199 {
+
+ $CVEID = "2017-7199"
+ $SoftwareVersion = Get-InstalledSoftware "Nessus Agent"
+
+ if ( !$SoftwareVersion ) {
+
+ $VulnStatus = "Not Vulnerable"
+
+ } else {
+
+ $SoftwareVersion = $SoftwareVersion.Split(".")
+
+ $Major = [int]$SoftwareVersion[0]
+ $Minor = [int]$SoftwareVersion[1]
+ $Build = [int]$SoftwareVersion[2]
+
+ switch( $Major ) {
+
+ 6 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Minor -eq 10 -and $Build -le 3 -Or ( $Minor -eq 6 -and $Build -le 2 ) -Or ( $Minor -le 9 -and $Minor -ge 7 ) ] } # 6.6.2 - 6.10.3
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ }
+
+ Set-ExploitTable $CVEID $VulnStatus
+
+}
+
+function Find-MS16135 {
+
+ $MSBulletin = "MS16-135"
+ $Architecture = Get-Architecture
+
+ if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
+
+ $Path = $env:windir + "\system32\win32k.sys"
+
+ } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
+
+ $Path = $env:windir + "\sysnative\win32k.sys"
+
+ }
+
+ $VersionInfo = Get-FileVersionInfo($Path)
+ $VersionInfo = $VersionInfo.Split(".")
+
+ $Build = [int]$VersionInfo[2]
+ $Revision = [int]$VersionInfo[3].Split(" ")[0]
+
+ switch ( $Build ) {
+
+ 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 23584 ] }
+ 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 18524 ] }
+ 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 16384 ] }
+ 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 19 ] }
+ 14393 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 446 ] }
+ default { $VulnStatus = "Not Vulnerable" }
+
+ }
+
+ Set-ExploitTable $MSBulletin $VulnStatus
+
+}
\ No newline at end of file
diff --git a/search_dump.sh b/search_dump.sh
index 70cab9a..560ffc5 100755
--- a/search_dump.sh
+++ b/search_dump.sh
@@ -14,7 +14,7 @@
mkdir /mnt/$RNDNO
echo Mounting NAS
-mount -t cifs //192.168.0.13/NAS /mnt/$RNDNO -o username=[username],password=[password],vers=1.0
+mount -t cifs //192.168.0.13/NAS /mnt/$RNDNO -o username=[redacted],password=[redacted],vers=1.0
cd /mnt/$RNDNO/DB_Dumps/bigDB
echo Searching for $TERM in $PWD \(Est. 1hr\)...