Friday, February 6, 2015

Updated Powershell Script to Fix Unquoted Path Vulnerabilities

Here is an updated powershell script to fix unquoted path vulnerabilities:



$VulnServices = gwmi win32_service | ?{$_} | where {($_.pathname -ne $null) -and ($_.pathname.trim() -ne "")} | where {-not $_.pathname.StartsWith("`"")} | where {($_.pathname.Substring(0, $_.pathname.IndexOf(".exe") + 4)) -match ".* .*"}

   

    if ($VulnServices) {

        foreach ($service in $VulnServices){

                                                $out = $service.name

                                                $out

                                                $path = $service.pathname

                                                if(Test-Path ("hklm:\SYSTEM\CurrentControlSet\Services\" + $service.name)){

                                                $info = (Get-ItemProperty ("hklm:\SYSTEM\CurrentControlSet\Services\" + $service.name) -Name ImagePath -EA "SilentlyContinue").ImagePath

                                               

                                                #Check for quotes

                                                if ($info -eq "`"$path`""){

                                                                #FOR TESTING: Write-Host "Has quotes!" $service.name $info

                                                }

                                                #Check for no quotes

                                                elseif ($info -eq $path){

                                                                #FOR TESTING: Write-Host "NO QUOTES!" $info

                                                                Set-ItemProperty ("hklm:\SYSTEM\CurrentControlSet\services\" + $service.name) -Name ImagePath -Value "`"$path`""

                                                }

                                                #FOR TESTING: $info = (Get-ItemProperty ("hklm:\SYSTEM\CurrentControlSet\Services\" + $service.name) -Name ImagePath -EA "SilentlyContinue").ImagePath

                                                #FOR TESTING: $info

        }

    }

}

No comments:

Post a Comment

Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will discover that we need to discover a vulnerable user account.  The following python3 script uses the pex...