Renamed Get-RegistryAutoRun to Get-ModifiableRegistryAutoRun

HarmJ0y · HarmJ0y · commit 491594529205 · 2016-06-04T19:07:28.000-04:00
Renamed Find-PathHijack to Find-PathDLLHijack
Fixed exposed functions in PowerSploit.psd1
diff --git a/PowerSploit.psd1 b/PowerSploit.psd1
@@ -25,34 +25,41 @@ FunctionsToExport = @(
     'Add-NetUser',
     'Add-ObjectAcl',
     'Add-Persistence',
+    'Add-ServiceDacl',
     'Convert-NameToSid',
     'Convert-NT4toCanonical',
     'Convert-SidToName',
     'Copy-ClonedFile',
     'Find-AVSignature',
     'Find-ComputerField',
-    'Find-DLLHijack',
     'Find-ForeignGroup',
     'Find-ForeignUser',
     'Find-GPOComputerAdmin',
     'Find-GPOLocation',
     'Find-InterestingFile',
     'Find-LocalAdminAccess',
+    'Find-PathDLLHijack',
+    'Find-ProcessDLLHijack',
     'Find-ManagedSecurityGroups',
-    'Find-PathHijack',
     'Find-UserField',
     'Get-ADObject',
     'Get-ApplicationHost',
     'Get-CachedRDPConnection',
     'Get-ComputerDetails',
     'Get-ComputerProperty',
+    'Get-CurrentUserTokenGroupSid',
     'Get-DFSshare',
     'Get-DomainPolicy',
     'Get-ExploitableSystem',
     'Get-GPPPassword',
     'Get-HttpStatus',
     'Get-Keystrokes',
     'Get-LastLoggedOn',
+    'Get-ModifiablePath',
+    'Get-ModifiableRegistryAutoRun',
+    'Get-ModifiableScheduledTaskFile',
+    'Get-ModifiableService',
+    'Get-ModifiableServiceFile',
     'Get-NetComputer',
     'Get-NetDomain',
     'Get-NetDomainController',
@@ -79,21 +86,19 @@ FunctionsToExport = @(
     'Get-ObjectAcl',
     'Get-PathAcl',
     'Get-Proxy',
-    'Get-RegAlwaysInstallElevated',
-    'Get-RegAutoLogon',
+    'Get-RegistryAlwaysInstallElevated',
+    'Get-RegistryAutoLogon',
     'Get-SecurityPackages',
     'Get-ServiceDetail',
-    'Get-ServiceFilePermission',
-    'Get-ServicePermission',
     'Get-ServiceUnquoted',
+    'Get-SiteListPassword',
+    'Get-System',
     'Get-TimedScreenshot',
     'Get-UnattendedInstallFile',
     'Get-UserEvent',
     'Get-UserProperty',
     'Get-VaultCredential',
     'Get-VolumeShadowCopy',
-    'Get-VulnAutoRun',
-    'Get-VulnSchTask',
     'Get-Webconfig',
     'Install-ServiceBinary',
     'Install-SSP',
@@ -133,6 +138,8 @@ FunctionsToExport = @(
     'Set-CriticalProcess',
     'Set-MacAttribute',
     'Set-MasterBootRecord',
+    'Set-ServiceBinPath',
+    'Test-ServiceDaclPermission',
     'Write-HijackDll',
     'Write-ServiceBinary',
     'Write-UserAddMSI'
diff --git a/Privesc/PowerUp.ps1 b/Privesc/PowerUp.ps1
@@ -2361,7 +2361,7 @@ function Find-ProcessDLLHijack {
 }
 
 
-function Find-PathHijack {
+function Find-PathDLLHijack {
 <#
     .SYNOPSIS
 
@@ -2379,7 +2379,7 @@ function Find-PathHijack {
 
     .EXAMPLE
 
-        PS C:\> Find-PathHijack
+        PS C:\> Find-PathDLLHijack
 
         Finds all %PATH% .DLL hijacking opportunities.
 
@@ -2720,8 +2720,7 @@ function Get-RegistryAutoLogon {
     }
 }
 
-
-function Get-RegistryAutoRun {
+function Get-ModifiableRegistryAutoRun {
 <#
     .SYNOPSIS
 
@@ -2736,7 +2735,7 @@ function Get-RegistryAutoRun {
 
     .EXAMPLE
 
-        PS C:\> Get-RegistryAutoRun
+        PS C:\> Get-ModifiableRegistryAutoRun
 
         Return vulneable autorun binaries (or associated configs).
 #>
@@ -3571,7 +3570,7 @@ function Invoke-AllChecks {
     # DLL hijacking
 
     "`n`n[*] Checking %PATH% for potentially hijackable DLL locations..."
-    $Results = Find-PathHijack
+    $Results = Find-PathDLLHijack
     $Results | Foreach-Object {
         $AbuseString = "Write-HijackDll -DllPath '$($_.Path)\wlbsctrl.dll'"
         $_ | Add-Member Noteproperty 'AbuseFunction' $AbuseString
@@ -3604,8 +3603,8 @@ function Invoke-AllChecks {
     }
 
 
-    "`n`n[*] Checking for registry autoruns and configs..."
-    $Results = Get-RegistryAutoRun
+    "`n`n[*] Checking for modifidable registry autoruns and configs..."
+    $Results = Get-ModifiableRegistryAutoRun
     $Results | Format-List
     if($HTMLReport) {
         $Results | ConvertTo-HTML -Head $Header -Body "<H2>Registry Autoruns</H2>" | Out-File -Append $HtmlReportFile
diff --git a/Privesc/Privesc.psd1 b/Privesc/Privesc.psd1
@@ -24,17 +24,17 @@ PowerShellVersion = '2.0'
 # Functions to export from this module
 FunctionsToExport = @(
     'Add-ServiceDacl',
-    'Find-PathHijack',
+    'Find-PathDLLHijack',
     'Find-ProcessDLLHijack',
     'Get-ApplicationHost',
     'Get-CurrentUserTokenGroupSid',
     'Get-ModifiablePath',
+    'Get-ModifiableRegistryAutoRun',
     'Get-ModifiableScheduledTaskFile',
     'Get-ModifiableService',
     'Get-ModifiableServiceFile',
     'Get-RegistryAlwaysInstallElevated',
     'Get-RegistryAutoLogon',
-    'Get-RegistryAutoRun',
     'Get-ServiceDetail',
     'Get-ServiceUnquoted',
     'Get-SiteListPassword',
diff --git a/Privesc/README.md b/Privesc/README.md
@@ -41,13 +41,13 @@ Optional Dependencies: None
 
 ### DLL Hijacking:
     Find-ProcessDLLHijack               -   finds potential DLL hijacking opportunities for currently running processes
-    Find-PathHijack                     -   finds service %PATH% .dll hijacking opportunities
-    Write-HijackDll                     -   writes out a hijackable .dll
+    Find-PathDLLHijack                  -   finds service %PATH% DLL hijacking opportunities
+    Write-HijackDll                     -   writes out a hijackable DLL
     
 ### Registry Checks:
     Get-RegistryAlwaysInstallElevated   -  checks if the AlwaysInstallElevated registry key is set
     Get-RegistryAutoLogon               -   checks for Autologon credentials in the registry
-    Get-RegistryAutoRun                 -   checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns
+    Get-ModifiableRegistryAutoRun       -   checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns
 
 ### Miscellaneous Checks:
     Get-ModifiableScheduledTaskFile     -   find schtasks with modifiable target files
diff --git a/Tests/Privesc.tests.ps1 b/Tests/Privesc.tests.ps1
@@ -873,10 +873,10 @@ Describe 'Find-ProcessDLLHijack' {
 }
 
 
-Describe 'Find-PathHijack' {
+Describe 'Find-PathDLLHijack' {
 
     if(-not $(Test-IsAdmin)) { 
-        Throw "'Find-PathHijack' Pester test needs local administrator privileges."
+        Throw "'Find-PathDLLHijack' Pester test needs local administrator privileges."
     }
 
     It 'Should find a hijackable %PATH% folder.' {
@@ -887,22 +887,22 @@ Describe 'Find-PathHijack' {
             $OldPath = $Env:PATH
             $Env:PATH += ';C:\PowerUpTest\'
 
-            $Output = Find-PathHijack | Where-Object {$_.Path -like "*PowerUpTest*"} | Select-Object -First 1
+            $Output = Find-PathDLLHijack | Where-Object {$_.Path -like "*PowerUpTest*"} | Select-Object -First 1
 
             $Env:PATH = $OldPath
 
             $Output.Path | Should Be 'C:\PowerUpTest\'
 
             if ($Output.PSObject.Properties.Name -notcontains 'Path') {
-                Throw "Find-PathHijack result doesn't contain 'Path' field."
+                Throw "Find-PathDLLHijack result doesn't contain 'Path' field."
             }
 
             if ($Output.PSObject.Properties.Name -notcontains 'Permissions') {
-                Throw "Find-PathHijack result doesn't contain 'Permissions' field."
+                Throw "Find-PathDLLHijack result doesn't contain 'Permissions' field."
             }
 
             if ($Output.PSObject.Properties.Name -notcontains 'IdentityReference') {
-                Throw "Find-PathHijack result doesn't contain 'IdentityReference' field."
+                Throw "Find-PathDLLHijack result doesn't contain 'IdentityReference' field."
             }
         }
         catch {
@@ -952,14 +952,14 @@ Describe 'Get-RegistryAutoLogon' {
 }
 
 
-Describe 'Get-RegistryAutoRun' {
+Describe 'Get-ModifiableRegistryAutoRun' {
 
     if(-not $(Test-IsAdmin)) { 
-        Throw "'Get-RegistryAutoRun' Pester test needs local administrator privileges."
+        Throw "'Get-ModifiableRegistryAutoRun' Pester test needs local administrator privileges."
     }
 
     It 'Should not throw.' {
-        {Get-RegistryAutoRun} | Should Not Throw
+        {Get-ModifiableRegistryAutoRun} | Should Not Throw
     }
 
     It 'Should find a vulnerable autorun.' {
@@ -968,28 +968,28 @@ Describe 'Get-RegistryAutoRun' {
             $Null | Out-File -FilePath $FilePath -Force
             $Null = Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name PowerUp -Value "vuln.exe -i '$FilePath'"
 
-            $Output = Get-RegistryAutoRun | Where-Object {$_.Path -like "*$FilePath*"} | Select-Object -First 1
+            $Output = Get-ModifiableRegistryAutoRun | Where-Object {$_.Path -like "*$FilePath*"} | Select-Object -First 1
 
             $Output.ModifiableFile.Path | Should Be $FilePath
 
             if ($Output.PSObject.Properties.Name -notcontains 'Key') {
-                Throw "Get-RegistryAutoRun result doesn't contain 'Key' field."
+                Throw "Get-ModifiableRegistryAutoRun result doesn't contain 'Key' field."
             }
             if ($Output.PSObject.Properties.Name -notcontains 'Path') {
-                Throw "Get-RegistryAutoRun result doesn't contain 'Path' field."
+                Throw "Get-ModifiableRegistryAutoRun result doesn't contain 'Path' field."
             }
             if ($Output.PSObject.Properties.Name -notcontains 'ModifiableFile') {
-                Throw "Get-RegistryAutoRun result doesn't contain 'ModifiableFile' field."
+                Throw "Get-ModifiableRegistryAutoRun result doesn't contain 'ModifiableFile' field."
             }
 
             if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'Path') {
-                Throw "Get-RegistryAutoRun ModifiableFile result doesn't contain 'Path' field."
+                Throw "Get-ModifiableRegistryAutoRun ModifiableFile result doesn't contain 'Path' field."
             }
             if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'Permissions') {
-                Throw "Get-RegistryAutoRun ModifiableFile result doesn't contain 'Permissions' field."
+                Throw "Get-ModifiableRegistryAutoRun ModifiableFile result doesn't contain 'Permissions' field."
             }
             if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'IdentityReference') {
-                Throw "Get-RegistryAutoRun ModifiableFile result doesn't contain 'IdentityReference' field."
+                Throw "Get-ModifiableRegistryAutoRun ModifiableFile result doesn't contain 'IdentityReference' field."
             }
 
             $Null = Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name PowerUp

Original file line number	Diff line number	Diff line change
`@@ -873,10 +873,10 @@ Describe 'Find-ProcessDLLHijack' {`
`873`	`873`	`}`
`874`	`874`
`875`	`875`
`876`		`-Describe 'Find-PathHijack' {`
	`876`	`+Describe 'Find-PathDLLHijack' {`
`877`	`877`
`878`	`878`	`if(-not $(Test-IsAdmin)) {`
`879`		`- Throw "'Find-PathHijack' Pester test needs local administrator privileges."`
	`879`	`+ Throw "'Find-PathDLLHijack' Pester test needs local administrator privileges."`
`880`	`880`	`}`
`881`	`881`
`882`	`882`	`It 'Should find a hijackable %PATH% folder.' {`
`@@ -887,22 +887,22 @@ Describe 'Find-PathHijack' {`
`887`	`887`	`$OldPath = $Env:PATH`
`888`	`888`	`$Env:PATH += ';C:\PowerUpTest\'`
`889`	`889`
`890`		`- $Output = Find-PathHijack \| Where-Object {$_.Path -like "PowerUpTest"} \| Select-Object -First 1`
	`890`	`+ $Output = Find-PathDLLHijack \| Where-Object {$_.Path -like "PowerUpTest"} \| Select-Object -First 1`
`891`	`891`
`892`	`892`	`$Env:PATH = $OldPath`
`893`	`893`
`894`	`894`	`$Output.Path \| Should Be 'C:\PowerUpTest\'`
`895`	`895`
`896`	`896`	`if ($Output.PSObject.Properties.Name -notcontains 'Path') {`
`897`		`- Throw "Find-PathHijack result doesn't contain 'Path' field."`
	`897`	`+ Throw "Find-PathDLLHijack result doesn't contain 'Path' field."`
`898`	`898`	`}`
`899`	`899`
`900`	`900`	`if ($Output.PSObject.Properties.Name -notcontains 'Permissions') {`
`901`		`- Throw "Find-PathHijack result doesn't contain 'Permissions' field."`
	`901`	`+ Throw "Find-PathDLLHijack result doesn't contain 'Permissions' field."`
`902`	`902`	`}`
`903`	`903`
`904`	`904`	`if ($Output.PSObject.Properties.Name -notcontains 'IdentityReference') {`
`905`		`- Throw "Find-PathHijack result doesn't contain 'IdentityReference' field."`
	`905`	`+ Throw "Find-PathDLLHijack result doesn't contain 'IdentityReference' field."`
`906`	`906`	`}`
`907`	`907`	`}`
`908`	`908`	`catch {`
`@@ -952,14 +952,14 @@ Describe 'Get-RegistryAutoLogon' {`
`952`	`952`	`}`
`953`	`953`
`954`	`954`
`955`		`-Describe 'Get-RegistryAutoRun' {`
	`955`	`+Describe 'Get-ModifiableRegistryAutoRun' {`
`956`	`956`
`957`	`957`	`if(-not $(Test-IsAdmin)) {`
`958`		`- Throw "'Get-RegistryAutoRun' Pester test needs local administrator privileges."`
	`958`	`+ Throw "'Get-ModifiableRegistryAutoRun' Pester test needs local administrator privileges."`
`959`	`959`	`}`
`960`	`960`
`961`	`961`	`It 'Should not throw.' {`
`962`		`- {Get-RegistryAutoRun} \| Should Not Throw`
	`962`	`+ {Get-ModifiableRegistryAutoRun} \| Should Not Throw`
`963`	`963`	`}`
`964`	`964`
`965`	`965`	`It 'Should find a vulnerable autorun.' {`
`@@ -968,28 +968,28 @@ Describe 'Get-RegistryAutoRun' {`
`968`	`968`	`$Null \| Out-File -FilePath $FilePath -Force`
`969`	`969`	`$Null = Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name PowerUp -Value "vuln.exe -i '$FilePath'"`
`970`	`970`
`971`		`- $Output = Get-RegistryAutoRun \| Where-Object {$_.Path -like "$FilePath"} \| Select-Object -First 1`
	`971`	`+ $Output = Get-ModifiableRegistryAutoRun \| Where-Object {$_.Path -like "$FilePath"} \| Select-Object -First 1`
`972`	`972`
`973`	`973`	`$Output.ModifiableFile.Path \| Should Be $FilePath`
`974`	`974`
`975`	`975`	`if ($Output.PSObject.Properties.Name -notcontains 'Key') {`
`976`		`- Throw "Get-RegistryAutoRun result doesn't contain 'Key' field."`
	`976`	`+ Throw "Get-ModifiableRegistryAutoRun result doesn't contain 'Key' field."`
`977`	`977`	`}`
`978`	`978`	`if ($Output.PSObject.Properties.Name -notcontains 'Path') {`
`979`		`- Throw "Get-RegistryAutoRun result doesn't contain 'Path' field."`
	`979`	`+ Throw "Get-ModifiableRegistryAutoRun result doesn't contain 'Path' field."`
`980`	`980`	`}`
`981`	`981`	`if ($Output.PSObject.Properties.Name -notcontains 'ModifiableFile') {`
`982`		`- Throw "Get-RegistryAutoRun result doesn't contain 'ModifiableFile' field."`
	`982`	`+ Throw "Get-ModifiableRegistryAutoRun result doesn't contain 'ModifiableFile' field."`
`983`	`983`	`}`
`984`	`984`
`985`	`985`	`if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'Path') {`
`986`		`- Throw "Get-RegistryAutoRun ModifiableFile result doesn't contain 'Path' field."`
	`986`	`+ Throw "Get-ModifiableRegistryAutoRun ModifiableFile result doesn't contain 'Path' field."`
`987`	`987`	`}`
`988`	`988`	`if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'Permissions') {`
`989`		`- Throw "Get-RegistryAutoRun ModifiableFile result doesn't contain 'Permissions' field."`
	`989`	`+ Throw "Get-ModifiableRegistryAutoRun ModifiableFile result doesn't contain 'Permissions' field."`
`990`	`990`	`}`
`991`	`991`	`if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'IdentityReference') {`
`992`		`- Throw "Get-RegistryAutoRun ModifiableFile result doesn't contain 'IdentityReference' field."`
	`992`	`+ Throw "Get-ModifiableRegistryAutoRun ModifiableFile result doesn't contain 'IdentityReference' field."`
`993`	`993`	`}`
`994`	`994`
`995`	`995`	`$Null = Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name PowerUp`