Merge pull request #17 from BC-SECURITY/dev

Moriarty v1.2 release

CHANGELOG.md

@@ -13,7 +13,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 -   **Security** in case of vulnerabilities.
 
 ## [Unreleased]
--  Added GitHub action to compile executable on release
+### Added
+-   Added GitHub action to compile executable on release
+-   Added 2023-23397
+-   Added 2022-34718
+
+### Removed
+-   Removed unused imports
+
+### Changed
+-   Updated min .NET version to 4.5
+-   Updated CVE-2021-44228 to have a max depth for scanning files
+-   Updated Task calls so it works with Empire
 
 ## 1.1 - 2024-03-13
 ### Added

Moriarty/Moriarty.csproj

@@ -8,7 +8,7 @@
     <OutputType>Exe</OutputType>
     <RootNamespace>Moriarty</RootNamespace>
     <AssemblyName>Moriarty</AssemblyName>
-    <TargetFrameworkVersion>v4.8</TargetFrameworkVersion>
+    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
     <FileAlignment>512</FileAlignment>
     <Deterministic>true</Deterministic>
     <TargetFrameworkProfile />
@@ -50,6 +50,11 @@
     <Prefer32Bit>false</Prefer32Bit>
   </PropertyGroup>
   <ItemGroup>
+    <Reference Include="Microsoft.CSharp" />
+    <Reference Include="Microsoft.Office.Interop.Outlook, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c, processorArchitecture=MSIL">
+      <HintPath>..\packages\Microsoft.Office.Interop.Outlook.15.0.4797.1004\lib\net20\Microsoft.Office.Interop.Outlook.dll</HintPath>
+      <EmbedInteropTypes>True</EmbedInteropTypes>
+    </Reference>
     <Reference Include="System" />
     <Reference Include="System.Core" />
     <Reference Include="System.IO.Compression" />
@@ -70,7 +75,9 @@
     <Compile Include="Msrc\CVE-2021-27065.cs" />
     <Compile Include="Msrc\CVE-2021-44228.cs" />
     <Compile Include="Msrc\CVE-2022-22965.cs" />
+    <Compile Include="Msrc\CVE-2022-34718.cs" />
     <Compile Include="Msrc\CVE-2022-40140.cs" />
+    <Compile Include="Msrc\CVE-2023-23397.cs" />
     <Compile Include="Msrc\CVE_2021_26855.cs" />
     <Compile Include="Msrc\CVE_2021_26857.cs" />
     <Compile Include="Utils\Debug.cs" />
@@ -109,6 +116,7 @@
   </ItemGroup>
   <ItemGroup>
     <None Include="app.config" />
+    <None Include="packages.config" />
   </ItemGroup>
   <ItemGroup>
     <BootstrapperPackage Include=".NETFramework,Version=v4.8">

Moriarty/Msrc/CVE-2017-7199.cs

@@ -1,6 +1,6 @@
 using Microsoft.Win32;
-using System.Linq;
 using System.Collections.Generic;
+using System.Linq;
 
 namespace Moriarty.Msrc
 {

Moriarty/Msrc/CVE-2021-1675.cs

@@ -1,10 +1,8 @@
+using Microsoft.Win32;
 using System;
-using System.Diagnostics;
+using System.Collections.Generic;
 using System.Management;
-using Microsoft.Win32;
 using System.ServiceProcess;
-using System.Linq;
-using System.Collections.Generic;
 
 namespace Moriarty.Msrc
 {

Moriarty/Msrc/CVE-2021-26858.cs

@@ -1,9 +1,7 @@
 using System;
-using System.Diagnostics;
+using System.Collections.Generic;
 using System.IO;
 using System.Linq;
-using System.Collections.Generic;
-using System.Diagnostics.Eventing.Reader;
 
 namespace Moriarty.Msrc
 {

Moriarty/Msrc/CVE-2021-27065.cs

@@ -1,9 +1,7 @@
 using System;
-using System.Diagnostics;
+using System.Collections.Generic;
 using System.IO;
 using System.Linq;
-using System.Collections.Generic;
-using System.Text.RegularExpressions;
 
 namespace Moriarty.Msrc
 {

Moriarty/Msrc/CVE-2021-44228.cs

@@ -1,10 +1,10 @@
 using System;
-using System.Diagnostics;
+using System.Collections.Generic;
 using System.IO;
 using System.IO.Compression;
 using System.Linq;
 using System.Text.RegularExpressions;
-using System.Collections.Generic;
+using System.Threading.Tasks;
 
 namespace Moriarty.Msrc
 {
@@ -13,7 +13,7 @@ public class CVE_2021_44228 : IVulnerabilityCheck
         private const string Id = "CVE-2021-44228";
         private static readonly string[] Exploits = new[]
         {
-            "https://github.com/CERTCC/CVE-2021-44228_scanner"  // URL for reference
+            "https://github.com/CERTCC/CVE-2021-44228_scanner"
         };
 
         public Vulnerability GetVulnerability()
@@ -23,41 +23,101 @@ public Vulnerability GetVulnerability()
 
         public void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
         {
-            string topLevel = Directory.GetCurrentDirectory();
-            ScanDirectory(topLevel, vulnerabilities);
+            // Define the most likely folders to contain vulnerable files
+            var likelyFolders = new List<string>
+            {
+                @"C:\Program Files\",
+                @"C:\Program Files (x86)\",
+                // Add any specific directories known to contain Java applications or libraries
+                // Examples could include directories for commonly used Java servers or applications
+            };
+            DebugUtility.DebugPrint("Starting targeted scan...");
+
+            foreach (var folder in likelyFolders)
+            {
+                if (Directory.Exists(folder))
+                {
+                    DebugUtility.DebugPrint($"Scanning directory: {folder}");
+                    ScanDirectory(folder, vulnerabilities);
+                }
+                else
+                {
+                    DebugUtility.DebugPrint($"Directory does not exist: {folder}");
+                }
+            }
         }
 
-        private static void ScanDirectory(string directoryPath, VulnerabilityCollection vulnerabilities)
+        private static void ScanDirectory(string directoryPath, VulnerabilityCollection vulnerabilities, int currentDepth = 0, int maxDepth = 3)
         {
-            var fileExtensions = new[] { ".jar", ".war", ".ear", ".zip" };
-            var files = Directory.GetFiles(directoryPath, "*.*", SearchOption.AllDirectories)
-                                 .Where(file => fileExtensions.Any(x => file.EndsWith(x, StringComparison.OrdinalIgnoreCase)));
+            if (currentDepth > maxDepth)
+            {
+                return;
+            }
 
-            foreach (var file in files)
+            DebugUtility.DebugPrint($"Scanning directory: {directoryPath} at depth {currentDepth}");
+
+            // Process files in the current directory
+            try
             {
-                ProcessFile(file, vulnerabilities);
+                var fileExtensions = new[] { ".jar", ".war", ".ear", ".zip" };
+                var files = Directory.EnumerateFiles(directoryPath, "*.*")
+                                     .Where(file => fileExtensions.Any(x => file.EndsWith(x, StringComparison.OrdinalIgnoreCase)));
+
+                Parallel.ForEach(files, (file) =>
+                {
+                    DebugUtility.DebugPrint($"Processing file: {file}");
+                    ProcessFile(file, vulnerabilities);
+                });
+
+                // Recursively process subdirectories, limiting the depth
+                var directories = Directory.EnumerateDirectories(directoryPath);
+                foreach (var dir in directories)
+                {
+                    ScanDirectory(dir, vulnerabilities, currentDepth + 1, maxDepth);
+                }
+            }
+            catch (UnauthorizedAccessException ex)
+            {
+                DebugUtility.DebugPrint($"Access denied to directory: {directoryPath}. Exception: {ex.Message}");
+                // Optionally, log the exception or handle it as necessary.
+            }
+            catch (Exception ex)
+            {
+                DebugUtility.DebugPrint($"Error processing directory {directoryPath}: {ex.Message}");
+                // Handle other exceptions or log them as necessary.
             }
         }
 
+
         private static void ProcessFile(string filePath, VulnerabilityCollection vulnerabilities)
         {
-            using (ZipArchive archive = ZipFile.OpenRead(filePath))
+            DebugUtility.DebugPrint($"Opening archive: {filePath}");
+            try
             {
-                foreach (ZipArchiveEntry entry in archive.Entries)
+                using (ZipArchive archive = ZipFile.OpenRead(filePath))
                 {
-                    if (entry.FullName.EndsWith("JndiLookup.class", StringComparison.OrdinalIgnoreCase))
-                    {
-                        CheckForVulnerability(entry, filePath, vulnerabilities);
-                    }
-                    else if (IsArchive(entry.FullName))
+                    foreach (ZipArchiveEntry entry in archive.Entries)
                     {
-                        string tempPath = Path.GetTempFileName();
-                        entry.ExtractToFile(tempPath, true);
-                        ProcessFile(tempPath, vulnerabilities);
-                        File.Delete(tempPath);
+                        if (entry.FullName.EndsWith("JndiLookup.class", StringComparison.OrdinalIgnoreCase))
+                        {
+                            CheckForVulnerability(entry, filePath, vulnerabilities);
+                        }
+                        else if (IsArchive(entry.FullName))
+                        {
+                            string tempPath = Path.GetTempFileName();
+                            DebugUtility.DebugPrint($"Extracting nested archive to temporary file: {tempPath}");
+                            entry.ExtractToFile(tempPath, true);
+                            ProcessFile(tempPath, vulnerabilities);
+                            File.Delete(tempPath);
+                        }
                     }
                 }
             }
+            catch (Exception ex)
+            {
+                DebugUtility.DebugPrint($"Error processing file {filePath}: {ex.Message}");
+            }
+            DebugUtility.DebugPrint($"Finished processing archive: {filePath}");
         }
 
         private static bool IsArchive(string fileName)
@@ -69,6 +129,7 @@ private static bool IsArchive(string fileName)
         private static void CheckForVulnerability(ZipArchiveEntry entry, string originalFilePath, VulnerabilityCollection vulnerabilities)
         {
             string tempPath = Path.GetTempFileName();
+            DebugUtility.DebugPrint($"Extracting entry {entry.FullName} to temporary file: {tempPath}");
             entry.ExtractToFile(tempPath, true);
             string fileContent = File.ReadAllText(tempPath);
 
@@ -77,8 +138,12 @@ private static void CheckForVulnerability(ZipArchiveEntry entry, string original
                 DebugUtility.DebugPrint($"Vulnerability found in {originalFilePath} -> {entry.FullName}");
                 vulnerabilities.SetAsVulnerable(Id);
             }
+            else
+            {
+                DebugUtility.DebugPrint($"No vulnerability found in {originalFilePath} -> {entry.FullName}");
+            }
 
             File.Delete(tempPath);
         }
     }
-}
+}

Moriarty/Msrc/CVE-2022-22965.cs

@@ -1,7 +1,6 @@
 using System;
 using System.Collections.Generic;
 using System.Net.Http;
-using System.Threading.Tasks;
 
 namespace Moriarty.Msrc
 {
@@ -23,7 +22,7 @@ public void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List
             CheckAsync(vulnerabilities, buildNumber, installedKBs).GetAwaiter().GetResult();
         }
 
-        private async Task CheckAsync(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
+        private async System.Threading.Tasks.Task CheckAsync(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
         {
             DebugUtility.DebugPrint("Running CVE-2022-22965 vulnerability check...");
 
@@ -53,7 +52,7 @@ private async Task CheckAsync(VulnerabilityCollection vulnerabilities, int build
             }
         }
 
-        private static async Task<HttpResponseMessage> InjectVulnerabilityCheck(string targetUrl, string directory)
+        private static async System.Threading.Tasks.Task<HttpResponseMessage> InjectVulnerabilityCheck(string targetUrl, string directory)
         {
             var client = new HttpClient();
             client.Timeout = TimeSpan.FromSeconds(10);
@@ -72,7 +71,7 @@ private static async Task<HttpResponseMessage> InjectVulnerabilityCheck(string t
             return response;
         }
 
-        private static async Task<string> ReadInjectedContent(string targetUrl)
+        private static async System.Threading.Tasks.Task<string> ReadInjectedContent(string targetUrl)
         {
             var client = new HttpClient();
             var fileUrl = $"{targetUrl}/CVE_2022_22965_exploited.txt";
@@ -81,7 +80,7 @@ private static async Task<string> ReadInjectedContent(string targetUrl)
             return content;
         }
 
-        private static async Task<string> ReadInjectedContentAtRoot(string targetUrl)
+        private static async System.Threading.Tasks.Task<string> ReadInjectedContentAtRoot(string targetUrl)
         {
             var client = new HttpClient();
             var rootUrl = new Uri(targetUrl).GetLeftPart(UriPartial.Authority) + "/CVE_2022_22965_exploited.txt";