  1. '-'
  2. '-' invokeAllChecks.vbs
  3. '-'
  4. '-' VBscript implementation of the Invoke-AllChecks function of PowerUp developed by @harmj0y
  5. '-' by: @ImAnEnabler
  6. '-'
  7. '-' In the environment I work, sc.exe is not allowed for non-admins, so I used WMI instead.
  8. '-' Save the vbs file and run with cscript:
  9. '-' cscript //nologo invokeAllChecks.vbs
  10. '-'
  11.  
  12.  
  13. invokeAllChecks
  14.  
  15. sub invokeAllChecks()
  16. Wscript.Echo vbCrLf
  17. Wscript.Echo "[*] Checking if user is in a local group with administrative privileges..." & vbCrLf
  18. isAdmin
  19.  
  20. Wscript.Echo vbCrLf
  21. Wscript.Echo "[*] Checking for unquoted service paths..." & vbCrLf
  22. getServiceUnquoted
  23.  
  24. Wscript.Echo vbCrLf
  25. Wscript.Echo "[*] Checking service executable permissions..." & vbCrLf
  26. getServiceEXEPerms
  27.  
  28. Wscript.Echo vbCrLf
  29. Wscript.Echo "[*] Checking service permissions..." & vbCrLf
  30. getServicePerms
  31.  
  32. Wscript.Echo vbCrLf
  33. Wscript.Echo "[*] Checking for unattended install files..." & vbCrLf
  34. getUnattendedInstallFiles
  35.  
  36. Wscript.Echo vbCrLf
  37. Wscript.Echo "[*] Checking %PATH% for potentially hijackable .dll locations..." & vbCrLf
  38. invokeFindPathHijack
  39.  
  40. Wscript.Echo vbCrLf
  41. Wscript.Echo "[*] Checking for AlwaysInstallElevated registry key..." & vbCrLf
  42. getRegAlwaysInstallElevated
  43.  
  44. Wscript.Echo vbCrLf
  45. Wscript.Echo "[*] Checking for Autologon credentials in registry..." & vbCrLf
  46. checkAutoAdminLogon
  47.  
  48. '-' TODO:
  49. '"[*] Checking for encrypted web.config strings..." & vbCrLf
  50. '"[*] Checking for encrypted application pool and virtual directory passwords..." & vbCrLf
  51. end sub
  52.  
  53. sub isAdmin()
  54. Set objShell = WScript.CreateObject("WScript.Shell")
  55. '-' Get location of cmd.exe
  56. comspec = objShell.ExpandEnvironmentStrings("%comspec%")
  57. '-' Get groups back from whoami. I tried many ways to get this through WMI,
  58. '-' so that it could be run on XP systems, but was unsuccessful.
  59. set objResults = objShell.Exec(comspec & " /c whoami.exe /groups")
  60. Wscript.Sleep 200 '-' it runs async, so lets give it a few milliseconds to run
  61. strResults = objResults.StdOut.ReadAll
  62.  
  63. if instr(1, strResults, "S-1-5-32-544", vbtextcompare) > 0 Then ' in local administrators group
  64. Wscript.Echo "[+] User is in a local group that grants administrative privileges!"
  65. if instr(1, strResults, "S-1-16-12288", vbtextcompare) > 0 Then ' high-level context = elevated
  66. Wscript.Echo "[*] You're already running elevated!"
  67. elseif instr(1, strResults, "S-1-16-8192", vbtextcompare) > 0 Then ' med-level context = not elevated
  68. Wscript.Echo "[*] Run a BypassUAC attack to elevate privileges to admin."
  69. end if
  70. end if
  71. set objResults = Nothing
  72. Set objShell = Nothing
  73. end sub
  74.  
  75. Sub getServiceUnquoted
  76. strComputer = "."
  77. Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  78. '-' Get services with unquoted paths
  79. Set colListOfServices = objWMIService.ExecQuery ("Select * from Win32_Service where NOT PathName LIKE '" & chr(34) & "%'")
  80.  
  81. For Each objService in colListOfServices
  82. '-' check and see if there's a space before the ".exe"
  83. if (instr(1, objService.PathName, Chr(32), vbTextCompare) > 0) AND _
  84. (instr(1, objService.PathName, Chr(32), vbTextCompare) < instr(1, objService.PathName, ".exe", vbTextCompare)) Then
  85. Wscript.Echo "[+] Unquoted service path: " & objService.Name & " - " & objService.PathName
  86. end if
  87. Next
  88. Set colListOfServices = Nothing
  89. Set objWMIService = Nothing
  90. end sub
  91.  
  92. sub getServiceEXEPerms
  93. Const FILE_WRITE_DATA = &h000002
  94. Const FILE_APPEND_DATA = &h000004
  95. strComputer = "."
  96. Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  97. '-' Get paths to service executables which aren't in system32 folder
  98. Set colListOfServices = objWMIService.ExecQuery ("Select * from Win32_Service where NOT pathname like '%system32%'")
  99.  
  100. For Each objService in colListOfServices
  101. '-' Get the path through to the ".exe"; if it starts with a quote, drop that off as well
  102. if (Left(objService.PathName, 1) = """") then
  103. objServicePath = mid(objService.PathName, 2, instr(1,objService.PathName, ".exe", vbTextCompare)+2)
  104. else
  105. objServicePath = mid(objService.PathName, 1, instr(1,objService.PathName, ".exe", vbTextCompare)+3)
  106. end if
  107. '-' Get an instance of
  108. Set objShare = objWMIService.Get("CIM_DataFile.Name='" & objServicePath & "'")
  109.  
  110. '-' See if the effective permissions say we have write permissions
  111. isWritable = objShare.GetEffectivePermission(FILE_WRITE_DATA)
  112. '-' See if the effective permissions say we have append privileges
  113. isAppendable = objShare.GetEffectivePermission(FILE_APPEND_DATA)
  114.  
  115. if isWritable then
  116. wscript.echo "[+] Vulnerable service executable: " & objServicePath
  117. end if
  118. '-' If the file is in use, the write check may fail; if we can append to it, we may still be in luck
  119. if NOT isWritable AND isAppendable then
  120. wscript.echo "[+] Possible vulnerable service executable: " & objServicePath
  121. wscript.echo objService.State
  122. end if
  123. next
  124. Set objShare = Nothing
  125. Set colListOfServices = Nothing
  126. Set objWMIService = Nothing
  127. end sub
  128.  
  129. sub getServicePerms
  130. '-' Possible ErrorControl Values to try and set to
  131. Set dErrCtl = CreateObject("Scripting.Dictionary")
  132. dErrCtl.Add "Ignore", 0
  133. dErrCtl.Add "Normal", 1
  134. dErrCtl.Add "Severe", 2
  135. dErrCtl.Add "Critical", 3
  136. dErrCtl.Add "Unknown", 4
  137.  
  138. strComputer = "."
  139. Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  140. '-' Get list of services
  141. Set colListOfServices = objWMIService.ExecQuery ("Select * from Win32_Service")
  142.  
  143. For Each objService in colListOfServices
  144. on error goto next
  145. '-' Try to set the ErrorControl value to the same as it currently is; a return value of 0 is SUCCESS
  146. If objService.Change( , , , dErrCtl(objService.ErrorControl)) = 0 Then
  147. Wscript.Echo "[+] Vulnerable service: " & objService.Name & " - " & objService.PathName
  148. End If
  149. on error goto 0
  150. next
  151. Set objShare = Nothing
  152. Set colListOfServices = Nothing
  153. Set objWMIService = Nothing
  154. Set dErrCtl = Nothing
  155. end sub
  156.  
  157. sub getUnattendedInstallFiles
  158. Set objShell = CreateObject("WScript.Shell")
  159. windir = objShell.ExpandEnvironmentStrings("%windir%")
  160. set objShell = Nothing
  161. '-' List of file locations to check
  162. arrFiles = array("c:\sysprep\sysprep.xml", _
  163. "c:\sysprep\sysprep.inf", _
  164. "c:\sysprep.inf", _
  165. windir & "\Panther\Unattended.xml", _
  166. windir & "\Panther\Unattend\Unattended.xml", _
  167. windir & "\Panther\Unattend.xml", _
  168. windir & "\Panther\Unattend\Unattend.xml", _
  169. windir & "\System32\Sysprep\unattend.xml", _
  170. windir & "\System32\Sysprep\Panther\unattend.xml")
  171.  
  172. Set objFSO = CreateObject("Scripting.FileSystemObject")
  173. for i = 0 to ubound(arrFiles)
  174. if objFSO.FileExists(arrFiles(i)) then
  175. wscript.echo "[+] Unattended install file: " & arrFiles(i)
  176. end if
  177. next
  178. Set objFSO = Nothing
  179. end sub
  180.  
  181. sub invokeFindPathHijack()
  182. Const FILE_ADD_FILE = &h000002
  183.  
  184. Set objFSO = CreateObject("Scripting.FileSystemObject")
  185.  
  186. Set objShell = CreateObject("WScript.Shell")
  187. strPath = objShell.ExpandEnvironmentStrings("%path%")
  188. set objShell = Nothing
  189.  
  190. arrPaths = Split(strPath, ";")
  191. strComputer = "."
  192. Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  193.  
  194. For i = 0 to ubound(arrPaths)
  195. '-' If the path ends in a backslash, strip it; the FolderExists() check doesn't like that
  196. if (Right(arrPaths(i), 1) = "\") then
  197. arrPaths(i) = mid(arrPaths(i), 1, Len(arrPaths(i))-1)
  198. end if
  199.  
  200. if objFSO.FolderExists(arrPaths(i)) Then
  201. Set objShare = objWMIService.Get("Win32_Directory.Name='" & arrPaths(i) & "'")
  202.  
  203. '-' See if the effective permissions say we have write permissions
  204. isWritable = objShare.GetEffectivePermission(FILE_ADD_FILE)
  205. if isWritable then
  206. wscript.echo "[+] Hijackable .dll path: " & arrPaths(i)
  207. end if
  208. Else
  209. Wscript.Echo "[+] Path does not exist - " & arrPaths(i)
  210. End if
  211. next
  212. Set objShare = Nothing
  213. Set colListOfServices = Nothing
  214. Set objWMIService = Nothing
  215. end sub
  216.  
  217. sub getRegAlwaysInstallElevated
  218. on error resume next
  219. Set objShell = CreateObject("Wscript.Shell")
  220. instValue = objShell.RegRead("HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\")
  221. if err.number = 0 then
  222. LMAIEvalue = objShell.RegRead("HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated")
  223. if err.number = 0 and LMAIEvalue <> 0 then
  224. CUAIEvalue = objShell.RegRead("HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated")
  225. if err.number = 0 and CUAIEvalue <> 0 then
  226. wscript.echo "AlwaysInstallElevated enabled on this machine!"
  227. else
  228. wscript.echo "AlwaysInstallElevated not enabled on this machine."
  229. end if
  230. else
  231. wscript.echo "AlwaysInstallElevated not enabled on this machine."
  232. end if
  233. end if
  234. Set objShell = Nothing
  235. on error goto 0
  236. end sub
  237.  
  238. sub checkAutoAdminLogon()
  239. on error resume next
  240.  
  241. Set objShell = CreateObject("Wscript.Shell")
  242. AALvalue = objShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon")
  243. if err.number = 0 and AALvalue <> 0 then
  244.  
  245. defaultDomainName = objShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName")
  246. defaultUserName = objShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName")
  247. defaultPassword = objShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword")
  248.  
  249. if NOT isEmpty(defaultUserName) Then
  250. Wscript.Echo "[+] Autologon default credentials: " & defaultDomainName & ", " & defaultUserName & ", " & defaultPassword
  251. end if
  252.  
  253. altDefaultDomainName = objShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultDomainName")
  254. altDefaultUserName = objShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultUserName")
  255. altDefaultPassword = objShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultPassword")
  256.  
  257. if NOT isEmpty(altDefaultUserName) Then
  258. Wscript.Echo "[+] Autologon alt credentials: " & altDefaultDomainName & ", " & altDefaultUserName & ", " & altDefaultPassword
  259. end if
  260.  
  261. end if
  262. Set objShell = Nothing
  263. on error goto 0
  264. end sub