├── README.md
└── escalate.py

/README.md:
--------------------------------------------------------------------------------
# Windows privilege escalation
This is a Python-based module for quickly checking common Windows vulnerabilities that lead to privilege escalation.

## How to use?
The usage is trivial:
```
C:\> python escalate.py all
[INFO] Found named pipe //./pipe\lsass
[INFO] Found named pipe //./pipe\protected_storage
[INFO] Found named pipe //./pipe\ntsvcs
[INFO] Found named pipe //./pipe\scerpc
[INFO] Found named pipe //./pipe\plugplay
[INFO] Found named pipe //./pipe\Winsock2\CatalogChangeListener-2f8-0
[INFO] Found named pipe //./pipe\epmapper
[INFO] Found named pipe //./pipe\Winsock2\CatalogChangeListener-190-0
[INFO] Found named pipe //./pipe\LSM_API_service
[INFO] Found named pipe //./pipe\eventlog
[INFO] Found named pipe //./pipe\Winsock2\CatalogChangeListener-34c-0
[INFO] Found named pipe //./pipe\atsvc
[INFO] Found named pipe //./pipe\Winsock2\CatalogChangeListener-3f0-0
[INFO] Found named pipe //./pipe\wkssvc
[INFO] Found named pipe //./pipe\keysvc
[INFO] Found named pipe //./pipe\trkwks
[INFO] Found named pipe //./pipe\vgauth-service
[INFO] Found named pipe //./pipe\srvsvc
[INFO] Found named pipe //./pipe\Winsock2\CatalogChangeListener-200-0
[INFO] Found named pipe //./pipe\TermSrv_API_service
[INFO] Found named pipe //./pipe\Winsock2\CatalogChangeListener-86c-0
[INFO] Found named pipe //./pipe\Winsock2\CatalogChangeListener-210-0
[INFO] Found named pipe //./pipe\browser
[INFO] Found named pipe //./pipe\MsFteWds
[INFO] Found named pipe //./pipe\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
[INFO] Found named pipe //./pipe\W32TIME_ALT
[INFO] Found elevated process System Idle Process
[INFO] Found elevated process smss.exe
[INFO] Found elevated process csrss.exe
[INFO] Found elevated process csrss.exe
[INFO] Found elevated process winlogon.exe
[INFO] Found elevated process lsm.exe
[INFO] Found elevated process vmacthlp.exe
[INFO] Found elevated process viritsvc.exe
[INFO] Found elevated process spoolsv.exe
[INFO] Found elevated process WVSScheduler.exe
[INFO] Found elevated process sqlwriter.exe
[INFO] Found elevated process VGAuthService.exe
[INFO] Found elevated process vmtoolsd.exe
[INFO] Found elevated process sppsvc.exe
[INFO] Found elevated process WmiPrvSE.exe
[INFO] Found elevated process dllhost.exe
[INFO] Found elevated process msdtc.exe
[INFO] Found elevated process SearchIndexer.exe
[VULN] Environment path C:\Program Files\EasyPHP-DevServer-14.1VC9\binaries\php\php_runningversion is WRITEABLE
[VULN] Service viritsvclite is VULNERABLE C:\VEXPLite\
[VULN] Elevated process WVSScheduler.exe with pid 1740 on port 8183 TCP
> [INFO] Port 8183 (WVSScheduler.exe) won't answer to dummy packet
[VULN] Process viritsvc.exe may be VULNERABLE we have write permission on C:\VEXPLite
```
## Additional features?

Please make a pull request if you want to add additional features!

### The End

Bye!
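\#dzonerzy

--------------------------------------------------------------------------------
/escalate.py:
--------------------------------------------------------------------------------
"""
Windows Privilege Checker - Daniele Linguaglossa

Local audit script: each ``check_*`` function looks for one class of Windows
misconfiguration that commonly enables privilege escalation and prints its
findings as ``[INFO]`` / ``[VULN]`` lines.  Windows-only; depends on pywin32
(win32api, win32service, win32com).

Side effects an operator should know about before running it on a host:

* the write-permission checks create and immediately delete a random-named
  ``.txt`` file in every directory they examine (PATH entries, service
  binary directories, directories holding elevated process images);
* ``check_port_pids`` connects to every locally LISTENING port it finds and
  sends one short dummy request;
* ``check_services`` only asks the service control manager whether the
  caller holds SERVICE_START | SERVICE_STOP on each service; it does not stop
  or start anything.

Usage::

    python escalate.py <info|vuln|all>
"""
from __future__ import print_function

import glob
import os
import random
import re
import socket
import string
import subprocess
import sys

import win32api
import win32com
import win32service
import win32serviceutil  # no longer used here; kept so the module's import set is unchanged
from win32com.client import GetObject
from win32com.client.gencache import EnsureDispatch


# STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | all process-specific rights: the
# classic PROCESS_ALL_ACCESS value the original literal spelled out.
PROCESS_ALL_ACCESS = 0x000F0000 | 0x00100000 | 0xFFF

# Core system processes the script never reports, even though they are elevated.
SKIP_PROCESSES = ("svchost.exe", "lsass.exe", "wininit.exe", "System", "services.exe")

# Win32 error codes this script distinguishes.
ERROR_ACCESS_DENIED = 5
ERROR_INVALID_PARAMETER = 87

# CREATE_NO_WINDOW, so netstat does not flash a console window.  Spelled as a
# literal because subprocess only names the constant on Python 3.7+.
CREATE_NO_WINDOW = 0x08000000

# One ``netstat -ano`` line for a socket bound to the wildcard or loopback IPv4
# address in LISTENING state.  The group names were lost from the copy this
# was reconstructed from; ``type``, ``port`` and ``pid`` are the names the
# rest of the script reads and ``state`` is a placeholder for the fourth
# group.  netstat prints no state column for UDP sockets, so in practice only
# TCP lines match.
NETSTAT_LISTENING_RE = re.compile(
    r"\s+(?P<type>TCP|UDP)\s+(0\.0\.0\.0|127\.0\.0\.1):(?P<port>[0-9]+)"
    r"\s+[0-9.:]+\s+(?P<state>LISTENING)\s+(?P<pid>[0-9]+)"
)


def _winerror(exc):
    """Return the Win32 error code carried by a pywin32 exception, or None.

    pywintypes.error exposes it as ``winerror`` on current builds and as
    ``args[0]`` on all of them; the original indexed the exception directly
    (``e[0]``), which only works on Python 2.
    """
    code = getattr(exc, "winerror", None)
    if code is None and getattr(exc, "args", None):
        code = exc.args[0]
    return code


def _to_text(data):
    """Return *data* as the native ``str`` type.

    A no-op on Python 2 (where ``bytes is str``); on Python 3 the raw bytes
    read from a pipe or socket are decoded as ASCII with undecodable bytes
    replaced, which is enough for netstat output and short banners.
    """
    if isinstance(data, str):
        return data
    return data.decode("ascii", "replace")


def _wmi():
    """Connect to the local WMI namespace and return a makepy-backed (EnsureDispatch) proxy."""
    services = GetObject('winmgmts:')
    return EnsureDispatch(services._oleobj_)


def _elevated_processes(wmi, query='select * from Win32_Process'):
    """Yield the Win32_Process objects the script classifies as "elevated".

    A process qualifies when ``GetOwner`` reports no user (``User`` is None)
    and its name is not in SKIP_PROCESSES -- the original heuristic.
    NOTE(review): WMI presumably also reports no user for processes the
    caller is not allowed to query, so on an unprivileged account this list
    may be "processes I cannot attribute" rather than strictly "processes
    running as SYSTEM"; confirm before relying on it.  Processes whose
    GetOwner call raises are skipped, as before.
    """
    for process in wmi.ExecQuery(query):
        if process.Properties_("Name").Value in SKIP_PROCESSES:
            continue
        try:
            owner = process.ExecMethod_('GetOwner').Properties_("User").Value
        except Exception:
            continue  # best-effort: an unqueryable process is not a finding
        if owner is None:
            yield process


def open_process_allaccess(pid):
    """Return True when the caller can open process *pid* with PROCESS_ALL_ACCESS.

    Access denied (5) and invalid parameter (87, e.g. a pid that has already
    exited) mean False.  Any other failure is now also False and is logged,
    instead of falling through to True as the original did.  The handle is
    closed at once: only the yes/no answer is needed.
    """
    try:
        handle = win32api.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    except Exception as exc:
        if _winerror(exc) not in (ERROR_ACCESS_DENIED, ERROR_INVALID_PARAMETER):
            print("[WARN] OpenProcess(%s) failed: %s" % (pid, exc))
        return False
    handle.Close()
    return True


def random_name(length=10, suffix=".txt"):
    """Return a random file name (``length`` alphanumerics plus *suffix*) for write probes.

    ``random`` rather than ``secrets`` is fine here: the name only has to
    avoid colliding with an existing file, it is not a security token.
    """
    alphabet = string.ascii_letters + string.digits
    return "%s%s" % ("".join(random.choice(alphabet) for _ in range(length)), suffix)


def _can_write(directory):
    """Return True when a new file can be created in *directory*.

    The probe file is created and removed again; removal sits in a finally so
    a successful create never leaves a stray file behind, and a failed removal
    is reported instead of hidden.  Any IOError/OSError on create (missing
    directory, access denied, read-only volume) simply means False.
    """
    probe = os.path.join(directory, random_name())
    try:
        handle = open(probe, "wb")
    except (IOError, OSError):
        return False
    try:
        handle.close()
    finally:
        try:
            os.remove(probe)
        except OSError as exc:
            print("[WARN] probe file %s could not be removed: %s" % (probe, exc))
    return True


def find_paths(executables, root='C:\\', max_depth=3):
    """Yield ``[directory, executable]`` for each *executable* found in a shallow walk of *root*.

    Depth counting matches the original: directories directly under the drive
    are depth 0 and nothing deeper than ``max_depth`` is entered.  Each
    directory is checked once per distinct name, so duplicates in
    *executables* (two csrss.exe processes, say) no longer yield duplicates.
    Unreadable directories are skipped silently by os.walk.
    """
    names = []
    for executable in executables:
        if executable and executable not in names:
            names.append(executable)
    root = os.path.normpath(root)
    for current, dirs, _files in os.walk(root, topdown=True):
        depth = os.path.relpath(current, root).count(os.path.sep)
        for directory in dirs:
            candidate = os.path.join(current, directory)
            for executable in names:
                if os.path.isfile(os.path.join(candidate, executable)):
                    yield [candidate, executable]
        if depth >= max_depth:
            dirs[:] = []  # prune: os.walk will not descend any further


def check_list_pipes():
    """Print every named pipe visible under ``\\\\.\\pipe\\`` (informational only)."""
    for pipe in glob.glob("//./pipe/*"):
        print("[INFO] Found named pipe %s" % pipe)


def check_process_injection():
    """Report elevated processes the caller can open with PROCESS_ALL_ACCESS.

    The message now prints name and pid in the right order; the original
    formatted them swapped ("pid <name>(<pid>)").
    """
    for process in _elevated_processes(_wmi()):
        name = process.Properties_("Name").Value
        pid = int(process.Properties_("ProcessId").Value)
        if open_process_allaccess(pid):
            print("[VULN] Process %s (pid %s) is vulnerable to DLL Injection" % (name, pid))


def check_elevate_process_permission():
    """Report elevated processes whose image directory the caller can write to.

    Process names are located with find_paths (shallow walk of C:\\) and each
    directory found is write-probed once.
    """
    elevated = [p.Properties_("Name").Value for p in _elevated_processes(_wmi())]
    for directory, executable in find_paths(elevated):
        if _can_write(directory):
            print("[VULN] Process %s may be VULNERABLE we have write permission on %s" % (executable, directory))


def check_elevated_processes():
    """Print the name of every process the script classifies as elevated."""
    for process in _elevated_processes(_wmi()):
        print("[INFO] Found elevated process %s" % process.Properties_("Name").Value)


def check_path_write():
    """Report PATH entries the caller can create files in.

    Empty entries (a trailing ``;`` is common) are skipped: the original
    turned them into ``\\<name>`` and probed the root of the current drive.
    Surrounding quotes, which Windows tolerates in PATH, are stripped.
    """
    for entry in os.environ.get("PATH", "").split(os.pathsep):
        path = entry.strip().strip('"')
        if not path:
            continue
        if _can_write(path):
            print("[VULN] Environment path %s is WRITEABLE" % path)


def _listening_sockets():
    """Run ``netstat -ano`` and return the LISTENING entries as dicts.

    Each dict carries the string keys ``type``, ``port``, ``state`` and
    ``pid`` from NETSTAT_LISTENING_RE.
    """
    proc = subprocess.Popen(['netstat', '-ano'], creationflags=CREATE_NO_WINDOW, stdout=subprocess.PIPE)
    output = _to_text(proc.communicate()[0])
    entries = []
    for line in output.splitlines():
        match = NETSTAT_LISTENING_RE.search(line)
        if match:
            entries.append(match.groupdict())
    return entries


def _probe_port(port, kind):
    """Send one dummy HTTP request to 127.0.0.1:*port*; return up to 50 bytes of reply, or None.

    *kind* is ``"TCP"`` or ``"UDP"`` as printed by netstat.  The socket is
    closed on every path (the original leaked it); the 0.5 s timeout keeps a
    silent service from stalling the scan.
    """
    family = socket.SOCK_STREAM if kind == "TCP" else socket.SOCK_DGRAM
    sock = socket.socket(socket.AF_INET, family)
    sock.settimeout(0.5)
    try:
        sock.connect(("127.0.0.1", int(port)))
        sock.send(b"GET / HTTP/1.1\r\n\r\n")
        return _to_text(sock.recv(50)).replace("\r\n", " ")
    except (socket.error, socket.timeout):
        return None
    finally:
        sock.close()


def check_port_pids():
    """Report elevated processes that own a locally listening port, and whether each answers.

    For every LISTENING socket bound to 0.0.0.0 or 127.0.0.1 the owning
    process is looked up in WMI; if it is one of the elevated processes the
    port is reported and a dummy request is sent to see whether the service
    returns a banner.  The pid is matched as ``[0-9]+`` and passed through
    ``int()`` before being interpolated into the WQL query.
    """
    wmi = _wmi()
    for entry in _listening_sockets():
        query = 'select * from Win32_Process where ProcessId = %s' % int(entry["pid"])
        for process in _elevated_processes(wmi, query):
            name = process.Properties_("Name").Value
            print("[VULN] Elevated process %s with pid %s on port %s %s" % (name, entry["pid"], entry["port"], entry["type"]))
            banner = _probe_port(entry["port"], entry["type"])
            if banner is None:
                print("> [INFO] Port %s (%s) won't answer to dummy packet" % (entry["port"], name))
            else:
                print("> [INFO] Port %s (%s) answer with banner \"%s\"" % (entry["port"], name, banner))


def _service_binary_dir(path_name):
    """Return the directory of a service image from its Win32_Service ``PathName``, or None.

    Quotes are removed and everything after the first ``.exe`` followed by
    whitespace (command-line arguments) is dropped, as the original did, now
    case-insensitively.  A None/empty PathName (some drivers) gives None,
    where the original's ``str(None)`` produced ``"None"`` and ended up
    probing the current directory.
    """
    if not path_name:
        return None
    image = re.split(r"\.exe\s", path_name.replace('"', ""), maxsplit=1, flags=re.IGNORECASE)[0]
    return os.path.dirname(image) or None


def _can_start_stop(scm, name):
    """Return True when the caller can open service *name* with SERVICE_START | SERVICE_STOP.

    Asking the service control manager for the rights replaces the original
    stop-then-start of every service, which disrupted the whole host and
    misreported services that were not running (any error other than access
    denied counted as "can start/stop").  Any failure to open counts as no.
    """
    try:
        handle = win32service.OpenService(scm, name, win32service.SERVICE_START | win32service.SERVICE_STOP)
    except Exception:
        return False
    win32service.CloseServiceHandle(handle)
    return True


def check_services():
    """Report services whose binary directory is writable, or that the caller may start/stop.

    Service definitions come from Win32_Service over WMI; the start/stop
    question goes to the service control manager (see _can_start_stop).
    """
    scm = win32service.OpenSCManager(None, None, win32service.SC_MANAGER_CONNECT)
    try:
        for service in GetObject('winmgmts:').InstancesOf('Win32_Service'):
            name = service.Properties_("Name").Value
            directory = _service_binary_dir(service.Properties_("PathName").Value)
            if directory and _can_write(directory):
                print("[VULN] Service %s is VULNERABLE %s\\" % (name, directory))
            if _can_start_stop(scm, name):
                print("[VULN] Service %s may be VULNERABLE 'cause you can start/stop it" % name)
    finally:
        win32service.CloseServiceHandle(scm)


INFO_CHECKS = (check_list_pipes, check_elevated_processes)
VULN_CHECKS = (check_path_write, check_services, check_port_pids,
               check_elevate_process_permission, check_process_injection)
MODES = {
    "info": INFO_CHECKS,
    "vuln": VULN_CHECKS,
    "all": INFO_CHECKS + VULN_CHECKS,  # same order the original ran them in
}


def main(argv=None):
    """Run the checks selected by the first argument (info, vuln or all).

    Returns 0 after running the checks, or 2 after printing the usage line
    when the argument is missing or unknown.  The ``<info|vuln|all>`` part
    of the usage text was lost from the copy this was reconstructed from and
    is restored from the modes handled here.
    """
    argv = sys.argv if argv is None else argv
    mode = argv[1] if len(argv) > 1 else None
    checks = MODES.get(mode)
    if checks is None:
        print("\nUsage: %s <info|vuln|all>" % argv[0])
        return 2
    for check in checks:
        check()
    return 0


if __name__ == "__main__":
    sys.exit(main())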