  1. '-'
  2. '-' invokeAllChecks.vbs
  3. '-'
  4. '-' VBscript implementation of the Invoke-AllChecks function of PowerUp developed by @harmj0y
  5. '-' by: @ImAnEnabler
  6. '-'
' In the environment I work, sc.exe is not allowed for non-admins, so I used WMI instead.
' Note that the service-permissions check (getServicePerms) is an active probe, not a
' read-only DACL inspection: it calls Win32_Service.Change() on every service, so expect
' it to appear in service-configuration auditing if that is enabled.
' Save the vbs file and run with cscript:
' cscript //nologo invokeAllChecks.vbs
  10. '-'
  11.  
  12.  
  13. invokeAllChecks
  14.  
  15. sub invokeAllChecks()
  16. Wscript.Echo vbCrLf
  17. Wscript.Echo "[*] Checking if user is in a local group with administrative privileges..." & vbCrLf
  18. isAdmin
  19.  
  20. Wscript.Echo vbCrLf
  21. Wscript.Echo "[*] Checking for unquoted service paths..." & vbCrLf
  22. getServiceUnquoted
  23.  
  24. Wscript.Echo vbCrLf
  25. Wscript.Echo "[*] Checking service executable permissions..." & vbCrLf
  26. getServiceEXEPerms
  27.  
  28. Wscript.Echo vbCrLf
  29. Wscript.Echo "[*] Checking service permissions..." & vbCrLf
  30. getServicePerms
  31.  
  32. Wscript.Echo vbCrLf
  33. Wscript.Echo "[*] Checking for unattended install files..." & vbCrLf
  34. getUnattendedInstallFiles
  35.  
  36. Wscript.Echo vbCrLf
  37. Wscript.Echo "[*] Checking %PATH% for potentially hijackable .dll locations..." & vbCrLf
  38. invokeFindPathHijack
  39.  
  40. Wscript.Echo vbCrLf
  41. Wscript.Echo "[*] Checking for AlwaysInstallElevated registry key..." & vbCrLf
  42. getRegAlwaysInstallElevated
  43.  
  44. Wscript.Echo vbCrLf
  45. Wscript.Echo "[*] Checking for Autologon credentials in registry..." & vbCrLf
  46. checkAutoAdminLogon
  47.  
  48. '-' TODO:
  49. '"[*] Checking for encrypted web.config strings..." & vbCrLf
  50. '"[*] Checking for encrypted application pool and virtual directory passwords..." & vbCrLf
  51. end sub
  52.  
  53. sub isAdmin()
  54. Set objShell = WScript.CreateObject("WScript.Shell")
  55. '-' Get location of cmd.exe
  56. comspec = objShell.ExpandEnvironmentStrings("%comspec%")
  57. '-' Get groups back from whoami. I tried many ways to get this through WMI,
  58. '-' so that it could be run on XP systems, but was unsuccessful.
  59. set objResults = objShell.Exec(comspec & " /c whoami.exe /groups")
  60. Wscript.Sleep 200 '-' it runs async, so lets give it a few milliseconds to run
  61. strResults = objResults.StdOut.ReadAll
  62.  
  63. if instr(1, strResults, "S-1-5-32-544", vbtextcompare) > 0 Then ' in local administrators group
  64. Wscript.Echo "[+] User is in a local group that grants administrative privileges!"
  65. if instr(1, strResults, "S-1-16-12288", vbtextcompare) > 0 Then ' high-level context = elevated
  66. Wscript.Echo "[*] You're already running elevated!"
  67. elseif instr(1, strResults, "S-1-16-8192", vbtextcompare) > 0 Then ' med-level context = not elevated
  68. Wscript.Echo "[*] Run a BypassUAC attack to elevate privileges to admin."
  69. end if
  70. end if
  71. set objResults = Nothing
  72. Set objShell = Nothing
  73. end sub
  74.  
  75. Sub getServiceUnquoted
  76. strComputer = "."
  77. Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  78. '-' Get services with unquoted paths
  79. Set colListOfServices = objWMIService.ExecQuery ("Select * from Win32_Service where NOT PathName LIKE '" & chr(34) & "%'")
  80.  
  81. For Each objService in colListOfServices
  82. '-' check and see if there's a space before the ".exe"
  83. if (instr(1, objService.PathName, Chr(32), vbTextCompare) > 0) AND _
  84. (instr(1, objService.PathName, Chr(32), vbTextCompare) < instr(1, objService.PathName, ".exe", vbTextCompare)) Then
  85. Wscript.Echo "[+] Unquoted service path: " & objService.Name & " - " & objService.PathName
  86. end if
  87. Next
  88. Set colListOfServices = Nothing
  89. Set objWMIService = Nothing
  90. end sub
  91.  
  92. sub getServiceEXEPerms
  93. Const FILE_WRITE_DATA = &h000002
  94. Const FILE_APPEND_DATA = &h000004
  95. strComputer = "."
  96. Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  97. '-' Get paths to service executables which aren't in system32 folder
  98. Set colListOfServices = objWMIService.ExecQuery ("Select * from Win32_Service where NOT pathname like '%system32%'")
  99.  
  100. For Each objService in colListOfServices
  101. '-' Get the path through to the ".exe"; if it starts with a quote, drop that off as well
  102. if (Left(objService.PathName, 1) = """") then
  103. objServicePath = mid(objService.PathName, 2, instr(1,objService.PathName, ".exe", vbTextCompare)+2)
  104. else
  105. objServicePath = mid(objService.PathName, 1, instr(1,objService.PathName, ".exe", vbTextCompare)+3)
  106. end if
  107. '-' Get an instance of
  108. Set objShare = objWMIService.Get("CIM_DataFile.Name='" & objServicePath & "'")
  109.  
  110. '-' See if the effective permissions say we have write permissions
  111. isWritable = objShare.GetEffectivePermission(FILE_WRITE_DATA)
  112. '-' See if the effective permissions say we have append privileges
  113. isAppendable = objShare.GetEffectivePermission(FILE_APPEND_DATA)
  114.  
  115. if isWritable then
  116. wscript.echo "[+] Vulnerable service executable: " & objServicePath
  117. end if
  118. '-' If the file is in use, the write check may fail; if we can append to it, we may still be in luck
  119. if NOT isWritable AND isAppendable then
  120. wscript.echo "[+] Possible vulnerable service executable: " & objServicePath
  121. wscript.echo objService.State
  122. end if
  123. next
  124. Set objShare = Nothing
  125. Set colListOfServices = Nothing
  126. Set objWMIService = Nothing
  127. end sub
  128.  
  129. sub getServicePerms
  130. '-' Possible ErrorControl Values to try and set to
  131. Set dErrCtl = CreateObject("Scripting.Dictionary")
  132. dErrCtl.Add "Ignore", 0
  133. dErrCtl.Add "Normal", 1
  134. dErrCtl.Add "Severe", 2
  135. dErrCtl.Add "Critical", 3
  136. dErrCtl.Add "Unknown", 4
  137.  
  138. strComputer = "."
  139. Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  140. '-' Get list of services
  141. Set colListOfServices = objWMIService.ExecQuery ("Select * from Win32_Service")
  142.  
  143. For Each objService in colListOfServices
  144. '-' Try to set the ErrorControl value to the same as it currently is; a return value of 0 is SUCCESS
  145. If objService.Change( , , , dErrCtl(objService.ErrorControl)) = 0 Then
  146. Wscript.Echo "[+] Vulnerable service: " & objService.Name & " - " & objService.PathName
  147. End If
  148. next
  149. Set objShare = Nothing
  150. Set colListOfServices = Nothing
  151. Set objWMIService = Nothing
  152. Set dErrCtl = Nothing
  153. end sub
  154.  
  155. sub getUnattendedInstallFiles
  156. Set objShell = CreateObject("WScript.Shell")
  157. windir = objShell.ExpandEnvironmentStrings("%windir%")
  158. set objShell = Nothing
  159. '-' List of file locations to check
  160. arrFiles = array("c:\sysprep\sysprep.xml", _
  161. "c:\sysprep\sysprep.inf", _
  162. "c:\sysprep.inf", _
  163. windir & "\Panther\Unattended.xml", _
  164. windir & "\Panther\Unattend\Unattended.xml", _
  165. windir & "\Panther\Unattend.xml", _
  166. windir & "\Panther\Unattend\Unattend.xml", _
  167. windir & "\System32\Sysprep\unattend.xml", _
  168. windir & "\System32\Sysprep\Panther\unattend.xml")
  169.  
  170. Set objFSO = CreateObject("Scripting.FileSystemObject")
  171. for i = 0 to ubound(arrFiles)
  172. if objFSO.FileExists(arrFiles(i)) then
  173. wscript.echo "[+] Unattended install file: " & arrFiles(i)
  174. end if
  175. next
  176. Set objFSO = Nothing
  177. end sub
  178.  
  179. sub invokeFindPathHijack()
  180. Const FILE_ADD_FILE = &h000002
  181.  
  182. Set objFSO = CreateObject("Scripting.FileSystemObject")
  183.  
  184. Set objShell = CreateObject("WScript.Shell")
  185. strPath = objShell.ExpandEnvironmentStrings("%path%")
  186. set objShell = Nothing
  187.  
  188. arrPaths = Split(strPath, ";")
  189. strComputer = "."
  190. Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  191.  
  192. For i = 0 to ubound(arrPaths)
  193. '-' If the path ends in a backslash, strip it; the FolderExists() check doesn't like that
  194. if (Right(arrPaths(i), 1) = "\") then
  195. arrPaths(i) = mid(arrPaths(i), 1, Len(arrPaths(i))-1)
  196. end if
  197.  
  198. if objFSO.FolderExists(arrPaths(i)) Then
  199. Set objShare = objWMIService.Get("Win32_Directory.Name='" & arrPaths(i) & "'")
  200.  
  201. '-' See if the effective permissions say we have write permissions
  202. isWritable = objShare.GetEffectivePermission(FILE_ADD_FILE)
  203. if isWritable then
  204. wscript.echo "[+] Hijackable .dll path: " & arrPaths(i)
  205. end if
  206. Else
  207. Wscript.Echo "[+] Path does not exist - " & arrPaths(i)
  208. End if
  209. next
  210. Set objShare = Nothing
  211. Set colListOfServices = Nothing
  212. Set objWMIService = Nothing
  213. end sub
  214.  
  215. sub getRegAlwaysInstallElevated
  216. on error resume next
  217. Set objShell = CreateObject("Wscript.Shell")
  218. instValue = objShell.RegRead("HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\")
  219. if err.number = 0 then
  220. LMAIEvalue = objShell.RegRead("HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated")
  221. if err.number = 0 and LMAIEvalue <> 0 then
  222. CUAIEvalue = objShell.RegRead("HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated")
  223. if err.number = 0 and CUAIEvalue <> 0 then
  224. wscript.echo "AlwaysInstallElevated enabled on this machine!"
  225. else
  226. wscript.echo "AlwaysInstallElevated not enabled on this machine."
  227. end if
  228. else
  229. wscript.echo "AlwaysInstallElevated not enabled on this machine."
  230. end if
  231. end if
  232. Set objShell = Nothing
  233. on error goto 0
  234. end sub
  235.  
  236. sub checkAutoAdminLogon()
  237. on error resume next
  238.  
  239. Set objShell = CreateObject("Wscript.Shell")
  240. AALvalue = objShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon")
  241. if err.number = 0 and AALvalue <> 0 then
  242.  
  243. defaultDomainName = objShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName")
  244. defaultUserName = objShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName")
  245. defaultPassword = objShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword")
  246.  
  247. if NOT isEmpty(defaultUserName) Then
  248. Wscript.Echo "[+] Autologon default credentials: " & defaultDomainName & ", " & defaultUserName & ", " & defaultPassword
  249. end if
  250.  
  251. altDefaultDomainName = objShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultDomainName")
  252. altDefaultUserName = objShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultUserName")
  253. altDefaultPassword = objShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultPassword")
  254.  
  255. if NOT isEmpty(altDefaultUserName) Then
  256. Wscript.Echo "[+] Autologon alt credentials: " & altDefaultDomainName & ", " & altDefaultUserName & ", " & altDefaultPassword
  257. end if
  258.  
  259. end if
  260. Set objShell = Nothing
  261. on error goto 0
  262. end sub