Codebase list powershell-empire / e7900e5 lib / modules / powershell / privesc / privesccheck.py
e7900e5

Tree @e7900e5 (Download .tar.gz)

privesccheck.py @e7900e5raw · history · blame 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
from __future__ import print_function

from builtins import str

from lib.common import helpers


class Module:
    def __init__(self, mainMenu, params=[]):
        self.info = {
            'Name': 'PrivescCheck',
            'Author': ['@itm4n'],
            'Description': ('Find Windows local privilege escalation vulnerabilities.'),
            'Software': '',
            'Techniques': ['T1046'],
            'Background': True,
            'OutputExtension': None,
            'NeedsAdmin': False,
            'OpsecSafe': True,
            'Language': 'powershell',
            'MinLanguageVersion': '2',

            'Comments': [
                'https://github.com/itm4n/PrivescCheck'
            ]
        }
        # any options needed by the module, settable during runtime
        self.options = {
            # format:
            #   value_name : {description, required, default_value}
            'Agent': {
                'Description': 'Agent to run module on.',
                'Required': True,
                'Value': ''
            },
            'Extended': {
                'Description': 'Set this flag to enable extended checks.',
                'Required': True,
                'Value': 'False'
            },
            'Format': {
                'Description': 'Select the format of the output file (e.g.: TXT, HTML or CSV).',
                'Required': True,
                'Value': 'TXT'
            }
        }
        # save off a copy of the mainMenu object to access external functionality
        #   like listeners/agent handlers/etc.
        self.mainMenu = mainMenu
        for param in params:
            # parameter format is [Name, Value]
            option, value = param
            if option in self.options:
                self.options[option]['Value'] = value

    def generate(self, obfuscate=False, obfuscationCommand=""):
        moduleName = self.info["Name"]

        # read in the common powerup.ps1 module source code
        moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/PrivescCheck.ps1"
        if obfuscate:
            helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
            moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
        try:
            f = open(moduleSource, 'r')
        except:
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""
        moduleCode = f.read()
        f.close()
        # # get just the code needed for the specified function
        # script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)
        script = moduleCode
        scriptEnd = "Invoke-PrivescCheck"

        if obfuscate:
            scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd,
                                          obfuscationCommand=obfuscationCommand)
        script += scriptEnd
        script = helpers.keyword_obfuscation(script)

        return script