Renamed Get-RegistryAutoRun to Get-ModifiableRegistryAutoRun

Renamed Find-PathHijack to Find-PathDLLHijack
Fixed exposed functions in PowerSploit.psd1
This commit is contained in:
Harmj0y 2016-06-04 19:07:28 -04:00
parent 1b359e7875
commit 4915945292
5 changed files with 43 additions and 37 deletions


@ -25,27 +25,29 @@ FunctionsToExport = @(
'Add-NetUser', 'Add-NetUser',
'Add-ObjectAcl', 'Add-ObjectAcl',
'Add-Persistence', 'Add-Persistence',
'Add-ServiceDacl',
'Convert-NameToSid', 'Convert-NameToSid',
'Convert-NT4toCanonical', 'Convert-NT4toCanonical',
'Convert-SidToName', 'Convert-SidToName',
'Copy-ClonedFile', 'Copy-ClonedFile',
'Find-AVSignature', 'Find-AVSignature',
'Find-ComputerField', 'Find-ComputerField',
'Find-DLLHijack',
'Find-ForeignGroup', 'Find-ForeignGroup',
'Find-ForeignUser', 'Find-ForeignUser',
'Find-GPOComputerAdmin', 'Find-GPOComputerAdmin',
'Find-GPOLocation', 'Find-GPOLocation',
'Find-InterestingFile', 'Find-InterestingFile',
'Find-LocalAdminAccess', 'Find-LocalAdminAccess',
'Find-PathDLLHijack',
'Find-ProcessDLLHijack',
'Find-ManagedSecurityGroups', 'Find-ManagedSecurityGroups',
'Find-PathHijack',
'Find-UserField', 'Find-UserField',
'Get-ADObject', 'Get-ADObject',
'Get-ApplicationHost', 'Get-ApplicationHost',
'Get-CachedRDPConnection', 'Get-CachedRDPConnection',
'Get-ComputerDetails', 'Get-ComputerDetails',
'Get-ComputerProperty', 'Get-ComputerProperty',
'Get-CurrentUserTokenGroupSid',
'Get-DFSshare', 'Get-DFSshare',
'Get-DomainPolicy', 'Get-DomainPolicy',
'Get-ExploitableSystem', 'Get-ExploitableSystem',
@ -53,6 +55,11 @@ FunctionsToExport = @(
'Get-HttpStatus', 'Get-HttpStatus',
'Get-Keystrokes', 'Get-Keystrokes',
'Get-LastLoggedOn', 'Get-LastLoggedOn',
'Get-ModifiablePath',
'Get-ModifiableRegistryAutoRun',
'Get-ModifiableScheduledTaskFile',
'Get-ModifiableService',
'Get-ModifiableServiceFile',
'Get-NetComputer', 'Get-NetComputer',
'Get-NetDomain', 'Get-NetDomain',
'Get-NetDomainController', 'Get-NetDomainController',
@ -79,21 +86,19 @@ FunctionsToExport = @(
'Get-ObjectAcl', 'Get-ObjectAcl',
'Get-PathAcl', 'Get-PathAcl',
'Get-Proxy', 'Get-Proxy',
'Get-RegAlwaysInstallElevated', 'Get-RegistryAlwaysInstallElevated',
'Get-RegAutoLogon', 'Get-RegistryAutoLogon',
'Get-SecurityPackages', 'Get-SecurityPackages',
'Get-ServiceDetail', 'Get-ServiceDetail',
'Get-ServiceFilePermission',
'Get-ServicePermission',
'Get-ServiceUnquoted', 'Get-ServiceUnquoted',
'Get-SiteListPassword',
'Get-System',
'Get-TimedScreenshot', 'Get-TimedScreenshot',
'Get-UnattendedInstallFile', 'Get-UnattendedInstallFile',
'Get-UserEvent', 'Get-UserEvent',
'Get-UserProperty', 'Get-UserProperty',
'Get-VaultCredential', 'Get-VaultCredential',
'Get-VolumeShadowCopy', 'Get-VolumeShadowCopy',
'Get-VulnAutoRun',
'Get-VulnSchTask',
'Get-Webconfig', 'Get-Webconfig',
'Install-ServiceBinary', 'Install-ServiceBinary',
'Install-SSP', 'Install-SSP',
@ -133,6 +138,8 @@ FunctionsToExport = @(
'Set-CriticalProcess', 'Set-CriticalProcess',
'Set-MacAttribute', 'Set-MacAttribute',
'Set-MasterBootRecord', 'Set-MasterBootRecord',
'Set-ServiceBinPath',
'Test-ServiceDaclPermission',
'Write-HijackDll', 'Write-HijackDll',
'Write-ServiceBinary', 'Write-ServiceBinary',
'Write-UserAddMSI' 'Write-UserAddMSI'
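Review bot: The FunctionsToExport list in this manifest is maintained by hand in parallel with the one in PowerUp.psd1 (the third file of this commit), and the third hunk here shows the two had drifted: 'Get-ServiceFilePermission', 'Get-ServicePermission', 'Get-VulnAutoRun' and 'Get-VulnSchTask' appear on one side only while PowerUp.psd1 already lists the newer names as unchanged context. The rendered view does not show which side each single-printed entry belongs to, so I cannot confirm from this page alone that 'Get-SiteListPassword' and 'Get-System' end up exported by the root module the way PowerUp.psd1 exports them — worth checking before merge. A small Pester test that reads each submodule manifest and asserts every name in its FunctionsToExport also appears in PowerSploit.psd1 would catch this class of drift automatically. Keeping the explicit list (rather than a wildcard export) is the right call, since a wildcard would silently expose internal helpers.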


@ -2361,7 +2361,7 @@ function Find-ProcessDLLHijack {
} }
function Find-PathHijack { function Find-PathDLLHijack {
<# <#
.SYNOPSIS .SYNOPSIS
@ -2379,7 +2379,7 @@ function Find-PathHijack {
.EXAMPLE .EXAMPLE
PS C:\> Find-PathHijack PS C:\> Find-PathDLLHijack
Finds all %PATH% .DLL hijacking opportunities. Finds all %PATH% .DLL hijacking opportunities.
@ -2720,8 +2720,7 @@ function Get-RegistryAutoLogon {
} }
} }
function Get-ModifiableRegistryAutoRun {
function Get-RegistryAutoRun {
<# <#
.SYNOPSIS .SYNOPSIS
@ -2736,7 +2735,7 @@ function Get-RegistryAutoRun {
.EXAMPLE .EXAMPLE
PS C:\> Get-RegistryAutoRun PS C:\> Get-ModifiableRegistryAutoRun
Return vulneable autorun binaries (or associated configs). Return vulneable autorun binaries (or associated configs).
#> #>
@ -3571,7 +3570,7 @@ function Invoke-AllChecks {
# DLL hijacking # DLL hijacking
"`n`n[*] Checking %PATH% for potentially hijackable DLL locations..." "`n`n[*] Checking %PATH% for potentially hijackable DLL locations..."
$Results = Find-PathHijack $Results = Find-PathDLLHijack
$Results | Foreach-Object { $Results | Foreach-Object {
$AbuseString = "Write-HijackDll -DllPath '$($_.Path)\wlbsctrl.dll'" $AbuseString = "Write-HijackDll -DllPath '$($_.Path)\wlbsctrl.dll'"
$_ | Add-Member Noteproperty 'AbuseFunction' $AbuseString $_ | Add-Member Noteproperty 'AbuseFunction' $AbuseString
@ -3604,8 +3603,8 @@ function Invoke-AllChecks {
} }
"`n`n[*] Checking for registry autoruns and configs..." "`n`n[*] Checking for modifidable registry autoruns and configs..."
$Results = Get-RegistryAutoRun $Results = Get-ModifiableRegistryAutoRun
$Results | Format-List $Results | Format-List
if($HTMLReport) { if($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Registry Autoruns</H2>" | Out-File -Append $HtmlReportFile $Results | ConvertTo-HTML -Head $Header -Body "<H2>Registry Autoruns</H2>" | Out-File -Append $HtmlReportFile
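Review bot: The new status string in the last hunk has a typo, "modifidable", that is printed to the console during Invoke-AllChecks; it should read "Checking for modifiable registry autoruns and configs...". The .EXAMPLE text for Get-ModifiableRegistryAutoRun in the earlier hunk still says "vulneable" and could be corrected in the same pass. Since Find-PathHijack and Get-RegistryAutoRun were public exports, scripts calling the old names will now fail with a command-not-found error; if compatibility matters, `Set-Alias -Name Find-PathHijack -Value Find-PathDLLHijack` (and likewise for Get-RegistryAutoRun) plus matching AliasesToExport entries in the manifests would keep them working. The bodies of the renamed functions and of Invoke-AllChecks continue outside these hunks.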


@ -24,17 +24,17 @@ PowerShellVersion = '2.0'
# Functions to export from this module # Functions to export from this module
FunctionsToExport = @( FunctionsToExport = @(
'Add-ServiceDacl', 'Add-ServiceDacl',
'Find-PathHijack', 'Find-PathDLLHijack',
'Find-ProcessDLLHijack', 'Find-ProcessDLLHijack',
'Get-ApplicationHost', 'Get-ApplicationHost',
'Get-CurrentUserTokenGroupSid', 'Get-CurrentUserTokenGroupSid',
'Get-ModifiablePath', 'Get-ModifiablePath',
'Get-ModifiableRegistryAutoRun',
'Get-ModifiableScheduledTaskFile', 'Get-ModifiableScheduledTaskFile',
'Get-ModifiableService', 'Get-ModifiableService',
'Get-ModifiableServiceFile', 'Get-ModifiableServiceFile',
'Get-RegistryAlwaysInstallElevated', 'Get-RegistryAlwaysInstallElevated',
'Get-RegistryAutoLogon', 'Get-RegistryAutoLogon',
'Get-RegistryAutoRun',
'Get-ServiceDetail', 'Get-ServiceDetail',
'Get-ServiceUnquoted', 'Get-ServiceUnquoted',
'Get-SiteListPassword', 'Get-SiteListPassword',


@ -41,13 +41,13 @@ Optional Dependencies: None
### DLL Hijacking: ### DLL Hijacking:
Find-ProcessDLLHijack - finds potential DLL hijacking opportunities for currently running processes Find-ProcessDLLHijack - finds potential DLL hijacking opportunities for currently running processes
Find-PathHijack - finds service %PATH% .dll hijacking opportunities Find-PathDLLHijack - finds service %PATH% DLL hijacking opportunities
Write-HijackDll - writes out a hijackable .dll Write-HijackDll - writes out a hijackable DLL
### Registry Checks: ### Registry Checks:
Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set
Get-RegistryAutoLogon - checks for Autologon credentials in the registry Get-RegistryAutoLogon - checks for Autologon credentials in the registry
Get-RegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns Get-ModifiableRegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns
### Miscellaneous Checks: ### Miscellaneous Checks:
Get-ModifiableScheduledTaskFile - find schtasks with modifiable target files Get-ModifiableScheduledTaskFile - find schtasks with modifiable target files


@ -873,10 +873,10 @@ Describe 'Find-ProcessDLLHijack' {
} }
Describe 'Find-PathHijack' { Describe 'Find-PathDLLHijack' {
if(-not $(Test-IsAdmin)) { if(-not $(Test-IsAdmin)) {
Throw "'Find-PathHijack' Pester test needs local administrator privileges." Throw "'Find-PathDLLHijack' Pester test needs local administrator privileges."
} }
It 'Should find a hijackable %PATH% folder.' { It 'Should find a hijackable %PATH% folder.' {
@ -887,22 +887,22 @@ Describe 'Find-PathHijack' {
$OldPath = $Env:PATH $OldPath = $Env:PATH
$Env:PATH += ';C:\PowerUpTest\' $Env:PATH += ';C:\PowerUpTest\'
$Output = Find-PathHijack | Where-Object {$_.Path -like "*PowerUpTest*"} | Select-Object -First 1 $Output = Find-PathDLLHijack | Where-Object {$_.Path -like "*PowerUpTest*"} | Select-Object -First 1
$Env:PATH = $OldPath $Env:PATH = $OldPath
$Output.Path | Should Be 'C:\PowerUpTest\' $Output.Path | Should Be 'C:\PowerUpTest\'
if ($Output.PSObject.Properties.Name -notcontains 'Path') { if ($Output.PSObject.Properties.Name -notcontains 'Path') {
Throw "Find-PathHijack result doesn't contain 'Path' field." Throw "Find-PathDLLHijack result doesn't contain 'Path' field."
} }
if ($Output.PSObject.Properties.Name -notcontains 'Permissions') { if ($Output.PSObject.Properties.Name -notcontains 'Permissions') {
Throw "Find-PathHijack result doesn't contain 'Permissions' field." Throw "Find-PathDLLHijack result doesn't contain 'Permissions' field."
} }
if ($Output.PSObject.Properties.Name -notcontains 'IdentityReference') { if ($Output.PSObject.Properties.Name -notcontains 'IdentityReference') {
Throw "Find-PathHijack result doesn't contain 'IdentityReference' field." Throw "Find-PathDLLHijack result doesn't contain 'IdentityReference' field."
} }
} }
catch { catch {
@ -952,14 +952,14 @@ Describe 'Get-RegistryAutoLogon' {
} }
Describe 'Get-RegistryAutoRun' { Describe 'Get-ModifiableRegistryAutoRun' {
if(-not $(Test-IsAdmin)) { if(-not $(Test-IsAdmin)) {
Throw "'Get-RegistryAutoRun' Pester test needs local administrator privileges." Throw "'Get-ModifiableRegistryAutoRun' Pester test needs local administrator privileges."
} }
It 'Should not throw.' { It 'Should not throw.' {
{Get-RegistryAutoRun} | Should Not Throw {Get-ModifiableRegistryAutoRun} | Should Not Throw
} }
It 'Should find a vulnerable autorun.' { It 'Should find a vulnerable autorun.' {
@ -968,28 +968,28 @@ Describe 'Get-RegistryAutoRun' {
$Null | Out-File -FilePath $FilePath -Force $Null | Out-File -FilePath $FilePath -Force
$Null = Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name PowerUp -Value "vuln.exe -i '$FilePath'" $Null = Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name PowerUp -Value "vuln.exe -i '$FilePath'"
$Output = Get-RegistryAutoRun | Where-Object {$_.Path -like "*$FilePath*"} | Select-Object -First 1 $Output = Get-ModifiableRegistryAutoRun | Where-Object {$_.Path -like "*$FilePath*"} | Select-Object -First 1
$Output.ModifiableFile.Path | Should Be $FilePath $Output.ModifiableFile.Path | Should Be $FilePath
if ($Output.PSObject.Properties.Name -notcontains 'Key') { if ($Output.PSObject.Properties.Name -notcontains 'Key') {
Throw "Get-RegistryAutoRun result doesn't contain 'Key' field." Throw "Get-ModifiableRegistryAutoRun result doesn't contain 'Key' field."
} }
if ($Output.PSObject.Properties.Name -notcontains 'Path') { if ($Output.PSObject.Properties.Name -notcontains 'Path') {
Throw "Get-RegistryAutoRun result doesn't contain 'Path' field." Throw "Get-ModifiableRegistryAutoRun result doesn't contain 'Path' field."
} }
if ($Output.PSObject.Properties.Name -notcontains 'ModifiableFile') { if ($Output.PSObject.Properties.Name -notcontains 'ModifiableFile') {
Throw "Get-RegistryAutoRun result doesn't contain 'ModifiableFile' field." Throw "Get-ModifiableRegistryAutoRun result doesn't contain 'ModifiableFile' field."
} }
if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'Path') { if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'Path') {
Throw "Get-RegistryAutoRun ModifiableFile result doesn't contain 'Path' field." Throw "Get-ModifiableRegistryAutoRun ModifiableFile result doesn't contain 'Path' field."
} }
if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'Permissions') { if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'Permissions') {
Throw "Get-RegistryAutoRun ModifiableFile result doesn't contain 'Permissions' field." Throw "Get-ModifiableRegistryAutoRun ModifiableFile result doesn't contain 'Permissions' field."
} }
if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'IdentityReference') { if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'IdentityReference') {
Throw "Get-RegistryAutoRun ModifiableFile result doesn't contain 'IdentityReference' field." Throw "Get-ModifiableRegistryAutoRun ModifiableFile result doesn't contain 'IdentityReference' field."
} }
$Null = Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name PowerUp $Null = Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name PowerUp
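Review bot: In the last hunk the Set-ItemProperty on the HKLM Run key is only undone by the Remove-ItemProperty at the end, after a chain of `Throw` assertions; any failed assertion, or a throwing Get-ModifiableRegistryAutoRun, skips that line and leaves a 'PowerUp' autorun value pointing at vuln.exe on the test host unless an enclosing finally block handles it, which is not visible in this hunk. Moving the Remove-ItemProperty (and any file cleanup) into a `finally` of the surrounding try makes the cleanup unconditional. The same pattern applies to the %PATH% test in the earlier hunk, where `$Env:PATH = $OldPath` runs only if Find-PathDLLHijack returns normally. Both It blocks start and end outside the hunks.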