From 491594529205b66937c718b38cb4e7909935e6ec Mon Sep 17 00:00:00 2001 From: Harmj0y Date: Sat, 4 Jun 2016 19:07:28 -0400 Subject: Renamed Get-RegistryAutoRun to Get-ModifiableRegistryAutoRun Renamed Find-PathHijack to Find-PathDLLHijack Fixed exposed functions in PowerSploit.psd1 --- PowerSploit.psd1 | 23 +++++++++++++++-------- Privesc/PowerUp.ps1 | 15 +++++++-------- Privesc/Privesc.psd1 | 4 ++-- Privesc/README.md | 6 +++--- Tests/Privesc.tests.ps1 | 32 ++++++++++++++++---------------- 5 files changed, 43 insertions(+), 37 deletions(-) diff --git a/PowerSploit.psd1 b/PowerSploit.psd1 index 492b846..065ea68 100644 --- a/PowerSploit.psd1 +++ b/PowerSploit.psd1 @@ -25,27 +25,29 @@ FunctionsToExport = @( 'Add-NetUser', 'Add-ObjectAcl', 'Add-Persistence', + 'Add-ServiceDacl', 'Convert-NameToSid', 'Convert-NT4toCanonical', 'Convert-SidToName', 'Copy-ClonedFile', 'Find-AVSignature', 'Find-ComputerField', - 'Find-DLLHijack', 'Find-ForeignGroup', 'Find-ForeignUser', 'Find-GPOComputerAdmin', 'Find-GPOLocation', 'Find-InterestingFile', 'Find-LocalAdminAccess', + 'Find-PathDLLHijack', + 'Find-ProcessDLLHijack', 'Find-ManagedSecurityGroups', - 'Find-PathHijack', 'Find-UserField', 'Get-ADObject', 'Get-ApplicationHost', 'Get-CachedRDPConnection', 'Get-ComputerDetails', 'Get-ComputerProperty', + 'Get-CurrentUserTokenGroupSid', 'Get-DFSshare', 'Get-DomainPolicy', 'Get-ExploitableSystem', @@ -53,6 +55,11 @@ FunctionsToExport = @( 'Get-HttpStatus', 'Get-Keystrokes', 'Get-LastLoggedOn', + 'Get-ModifiablePath', + 'Get-ModifiableRegistryAutoRun', + 'Get-ModifiableScheduledTaskFile', + 'Get-ModifiableService', + 'Get-ModifiableServiceFile', 'Get-NetComputer', 'Get-NetDomain', 'Get-NetDomainController', 
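Review bot: The two exports added in the first PowerSploit.psd1 hunk, `'Find-PathDLLHijack',` and `'Find-ProcessDLLHijack',`, are inserted ahead of `'Find-ManagedSecurityGroups',`, which breaks the alphabetical order the rest of the FunctionsToExport list keeps (the other additions in this commit, such as `'Get-ModifiablePath',` through `'Get-ModifiableServiceFile',`, are placed correctly). Move `'Find-ManagedSecurityGroups',` up so it precedes `'Find-PathDLLHijack',`. A sorted export list is the thing that makes later additions and merge conflicts in this manifest easy to review, and it is also how a reader checks that a renamed function was not exported twice. The `FunctionsToExport = @(` array opens and closes outside the hunk.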
@@ -79,21 +86,19 @@ FunctionsToExport = @( 'Get-ObjectAcl', 'Get-PathAcl', 'Get-Proxy', - 'Get-RegAlwaysInstallElevated', - 'Get-RegAutoLogon', + 'Get-RegistryAlwaysInstallElevated', + 'Get-RegistryAutoLogon', 'Get-SecurityPackages', 'Get-ServiceDetail', - 'Get-ServiceFilePermission', - 'Get-ServicePermission', 'Get-ServiceUnquoted', + 'Get-SiteListPassword', + 'Get-System', 'Get-TimedScreenshot', 'Get-UnattendedInstallFile', 'Get-UserEvent', 'Get-UserProperty', 'Get-VaultCredential', 'Get-VolumeShadowCopy', - 'Get-VulnAutoRun', - 'Get-VulnSchTask', 'Get-Webconfig', 'Install-ServiceBinary', 'Install-SSP', @@ -133,6 +138,8 @@ FunctionsToExport = @( 'Set-CriticalProcess', 'Set-MacAttribute', 'Set-MasterBootRecord', + 'Set-ServiceBinPath', + 'Test-ServiceDaclPermission', 'Write-HijackDll', 'Write-ServiceBinary', 'Write-UserAddMSI' diff --git a/Privesc/PowerUp.ps1 b/Privesc/PowerUp.ps1 index 6e473d6..4071f6a 100644 --- a/Privesc/PowerUp.ps1 +++ b/Privesc/PowerUp.ps1 @@ -2361,7 +2361,7 @@ function Find-ProcessDLLHijack { } -function Find-PathHijack { +function Find-PathDLLHijack { <# .SYNOPSIS @@ -2379,7 +2379,7 @@ function Find-PathHijack { .EXAMPLE - PS C:\> Find-PathHijack + PS C:\> Find-PathDLLHijack Finds all %PATH% .DLL hijacking opportunities. @@ -2720,8 +2720,7 @@ function Get-RegistryAutoLogon { } } - -function Get-RegistryAutoRun { +function Get-ModifiableRegistryAutoRun { <# .SYNOPSIS @@ -2736,7 +2735,7 @@ function Get-RegistryAutoRun { .EXAMPLE - PS C:\> Get-RegistryAutoRun + PS C:\> Get-ModifiableRegistryAutoRun Return vulneable autorun binaries (or associated configs). #> @@ -3571,7 +3570,7 @@ function Invoke-AllChecks { # DLL hijacking "`n`n[*] Checking %PATH% for potentially hijackable DLL locations..." - $Results = Find-PathHijack + $Results = Find-PathDLLHijack $Results | Foreach-Object { $AbuseString = "Write-HijackDll -DllPath '$($_.Path)\wlbsctrl.dll'" $_ | Add-Member Noteproperty 'AbuseFunction' $AbuseString 
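Review bot: The `.EXAMPLE` block rewritten in the `@@ -2736,7 +2735,7 @@` hunk of Privesc/PowerUp.ps1 keeps the typo on the context line right under the renamed call, `Return vulneable autorun binaries (or associated configs).`; this is user-visible Get-Help text, so while the example is being edited it should read `Return vulnerable autorun binaries (or associated configs).`. The same hunk pair also drops one of the two blank lines that separated `Get-RegistryAutoLogon` from the renamed function (`} - -function Get-RegistryAutoRun` becomes a single blank plus `function Get-ModifiableRegistryAutoRun {`), which looks unintentional given the spacing elsewhere in the file, though the collapsed layout makes that hard to confirm. The enclosing functions start and end outside these hunks.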
@@ -3604,8 +3603,8 @@ function Invoke-AllChecks { } - "`n`n[*] Checking for registry autoruns and configs..." - $Results = Get-RegistryAutoRun + "`n`n[*] Checking for modifidable registry autoruns and configs..." + $Results = Get-ModifiableRegistryAutoRun $Results | Format-List if($HTMLReport) { $Results | ConvertTo-HTML -Head $Header -Body "

Registry Autoruns

" | Out-File -Append $HtmlReportFile diff --git a/Privesc/Privesc.psd1 b/Privesc/Privesc.psd1 index e4222bf..97b7652 100644 --- a/Privesc/Privesc.psd1 +++ b/Privesc/Privesc.psd1 @@ -24,17 +24,17 @@ PowerShellVersion = '2.0' # Functions to export from this module FunctionsToExport = @( 'Add-ServiceDacl', - 'Find-PathHijack', + 'Find-PathDLLHijack', 'Find-ProcessDLLHijack', 'Get-ApplicationHost', 'Get-CurrentUserTokenGroupSid', 'Get-ModifiablePath', + 'Get-ModifiableRegistryAutoRun', 'Get-ModifiableScheduledTaskFile', 'Get-ModifiableService', 'Get-ModifiableServiceFile', 'Get-RegistryAlwaysInstallElevated', 'Get-RegistryAutoLogon', - 'Get-RegistryAutoRun', 'Get-ServiceDetail', 'Get-ServiceUnquoted', 'Get-SiteListPassword', diff --git a/Privesc/README.md b/Privesc/README.md index 8e4b75d..7f57768 100644 --- a/Privesc/README.md +++ b/Privesc/README.md @@ -41,13 +41,13 @@ Optional Dependencies: None ### DLL Hijacking: Find-ProcessDLLHijack - finds potential DLL hijacking opportunities for currently running processes - Find-PathHijack - finds service %PATH% .dll hijacking opportunities - Write-HijackDll - writes out a hijackable .dll + Find-PathDLLHijack - finds service %PATH% DLL hijacking opportunities + Write-HijackDll - writes out a hijackable DLL ### Registry Checks: Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set Get-RegistryAutoLogon - checks for Autologon credentials in the registry - Get-RegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns + Get-ModifiableRegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns ### Miscellaneous Checks: Get-ModifiableScheduledTaskFile - find schtasks with modifiable target files diff --git a/Tests/Privesc.tests.ps1 b/Tests/Privesc.tests.ps1 index 3641ece..62aad67 100644 --- a/Tests/Privesc.tests.ps1 +++ b/Tests/Privesc.tests.ps1 
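Review bot: The new status string in the `@@ -3604,8 +3603,8 @@` hunk of Invoke-AllChecks has a typo: `"`n`n[*] Checking for modifidable registry autoruns and configs..."` should be `"`n`n[*] Checking for modifiable registry autoruns and configs..."`. This line is printed to the console on every run and is the wording people grep for in output and in the HTML report, so a misspelling here is more visible than one in a comment. Invoke-AllChecks begins and ends outside the hunk.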
@@ -873,10 +873,10 @@ Describe 'Find-ProcessDLLHijack' { } -Describe 'Find-PathHijack' { +Describe 'Find-PathDLLHijack' { if(-not $(Test-IsAdmin)) { - Throw "'Find-PathHijack' Pester test needs local administrator privileges." + Throw "'Find-PathDLLHijack' Pester test needs local administrator privileges." } It 'Should find a hijackable %PATH% folder.' { @@ -887,22 +887,22 @@ Describe 'Find-PathHijack' { $OldPath = $Env:PATH $Env:PATH += ';C:\PowerUpTest\' - $Output = Find-PathHijack | Where-Object {$_.Path -like "*PowerUpTest*"} | Select-Object -First 1 + $Output = Find-PathDLLHijack | Where-Object {$_.Path -like "*PowerUpTest*"} | Select-Object -First 1 $Env:PATH = $OldPath $Output.Path | Should Be 'C:\PowerUpTest\' if ($Output.PSObject.Properties.Name -notcontains 'Path') { - Throw "Find-PathHijack result doesn't contain 'Path' field." + Throw "Find-PathDLLHijack result doesn't contain 'Path' field." } if ($Output.PSObject.Properties.Name -notcontains 'Permissions') { - Throw "Find-PathHijack result doesn't contain 'Permissions' field." + Throw "Find-PathDLLHijack result doesn't contain 'Permissions' field." } if ($Output.PSObject.Properties.Name -notcontains 'IdentityReference') { - Throw "Find-PathHijack result doesn't contain 'IdentityReference' field." + Throw "Find-PathDLLHijack result doesn't contain 'IdentityReference' field." } } catch { @@ -952,14 +952,14 @@ Describe 'Get-RegistryAutoLogon' { } -Describe 'Get-RegistryAutoRun' { +Describe 'Get-ModifiableRegistryAutoRun' { if(-not $(Test-IsAdmin)) { - Throw "'Get-RegistryAutoRun' Pester test needs local administrator privileges." + Throw "'Get-ModifiableRegistryAutoRun' Pester test needs local administrator privileges." } It 'Should not throw.' { - {Get-RegistryAutoRun} | Should Not Throw + {Get-ModifiableRegistryAutoRun} | Should Not Throw } It 'Should find a vulnerable autorun.' { 
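Review bot: In the `@@ -887,22 +887,22 @@` hunk the renamed call `$Output = Find-PathDLLHijack | Where-Object {$_.Path -like "*PowerUpTest*"} | Select-Object -First 1` runs after `$Env:PATH += ';C:\PowerUpTest\'` and before `$Env:PATH = $OldPath`, so if the call throws, control goes to the `catch {` visible at the end of the hunk and `C:\PowerUpTest\` stays on the process PATH for every later test in the run. Restoring PATH belongs in a `finally` block rather than in the `try` body, e.g. `finally { $Env:PATH = $OldPath }`. The `@@ -968,28 +968,28 @@` hunk has the same shape: `Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name PowerUp ...` writes a real autorun value and the matching `Remove-ItemProperty` at the end of the hunk only executes if every assertion before it passes, so a failing `Should Be` leaves an HKLM Run entry pointing at a world-modifiable file on the test host. The `try` blocks themselves begin outside the hunks, so the structure is inferred from the visible `catch`.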
@@ -968,28 +968,28 @@ Describe 'Get-RegistryAutoRun' { $Null | Out-File -FilePath $FilePath -Force $Null = Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name PowerUp -Value "vuln.exe -i '$FilePath'" - $Output = Get-RegistryAutoRun | Where-Object {$_.Path -like "*$FilePath*"} | Select-Object -First 1 + $Output = Get-ModifiableRegistryAutoRun | Where-Object {$_.Path -like "*$FilePath*"} | Select-Object -First 1 $Output.ModifiableFile.Path | Should Be $FilePath if ($Output.PSObject.Properties.Name -notcontains 'Key') { - Throw "Get-RegistryAutoRun result doesn't contain 'Key' field." + Throw "Get-ModifiableRegistryAutoRun result doesn't contain 'Key' field." } if ($Output.PSObject.Properties.Name -notcontains 'Path') { - Throw "Get-RegistryAutoRun result doesn't contain 'Path' field." + Throw "Get-ModifiableRegistryAutoRun result doesn't contain 'Path' field." } if ($Output.PSObject.Properties.Name -notcontains 'ModifiableFile') { - Throw "Get-RegistryAutoRun result doesn't contain 'ModifiableFile' field." + Throw "Get-ModifiableRegistryAutoRun result doesn't contain 'ModifiableFile' field." } if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'Path') { - Throw "Get-RegistryAutoRun ModifiableFile result doesn't contain 'Path' field." + Throw "Get-ModifiableRegistryAutoRun ModifiableFile result doesn't contain 'Path' field." } if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'Permissions') { - Throw "Get-RegistryAutoRun ModifiableFile result doesn't contain 'Permissions' field." + Throw "Get-ModifiableRegistryAutoRun ModifiableFile result doesn't contain 'Permissions' field." } if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'IdentityReference') { - Throw "Get-RegistryAutoRun ModifiableFile result doesn't contain 'IdentityReference' field." + Throw "Get-ModifiableRegistryAutoRun ModifiableFile result doesn't contain 'IdentityReference' field." 
} $Null = Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name PowerUp -- cgit v1.2.3