diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4a7f9cf..09c4d43 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,7 +13,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- **Security** in case of vulnerabilities.
## [Unreleased]
-- Added GitHub action to compile executable on release
+### Added
+- Added GitHub action to compile executable on release
+- Added 2023-23397
+- Added 2022-34718
+
+### Removed
+- Removed unused imports
+
+### Changed
+- Updated min .NET version to 4.5
+- Updated CVE-2021-44228 to have a max depth for scanning files
+- Updated Task calls so it works with Empire
## 1.1 - 2024-03-13
### Added
diff --git a/Moriarty/Moriarty.csproj b/Moriarty/Moriarty.csproj
index cf67090..dc35b1e 100644
--- a/Moriarty/Moriarty.csproj
+++ b/Moriarty/Moriarty.csproj
@@ -8,7 +8,7 @@
Exe
Moriarty
Moriarty
- v4.8
+ v4.5
512
true
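Review bot: Lowering the target framework from v4.8 to v4.5 also changes the TLS defaults that the HTTP-based checks run with. An assembly targeting 4.5 normally gets SSL 3.0/TLS 1.0 as the default `ServicePointManager.SecurityProtocol` instead of the OS defaults, so `HttpClient` requests to TLS 1.2-only endpoints would presumably fail and surface only as a logged check error. If 4.5 is needed for the loader, set the protocol once at startup, e.g. `ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;` at the top of `Main`. Whether any check actually talks https is not visible in this diff, and the effective default also depends on the hosting process when the assembly is loaded in memory, so confirm both.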
@@ -50,6 +50,11 @@
false
+
+
+ ..\packages\Microsoft.Office.Interop.Outlook.15.0.4797.1004\lib\net20\Microsoft.Office.Interop.Outlook.dll
+ True
+
@@ -70,7 +75,9 @@
+
+
@@ -109,6 +116,7 @@
+
diff --git a/Moriarty/Msrc/CVE-2017-7199.cs b/Moriarty/Msrc/CVE-2017-7199.cs
index add8c5e..c4f7d15 100644
--- a/Moriarty/Msrc/CVE-2017-7199.cs
+++ b/Moriarty/Msrc/CVE-2017-7199.cs
@@ -1,6 +1,6 @@
using Microsoft.Win32;
-using System.Linq;
using System.Collections.Generic;
+using System.Linq;
namespace Moriarty.Msrc
{
diff --git a/Moriarty/Msrc/CVE-2021-1675.cs b/Moriarty/Msrc/CVE-2021-1675.cs
index b23c575..e298431 100644
--- a/Moriarty/Msrc/CVE-2021-1675.cs
+++ b/Moriarty/Msrc/CVE-2021-1675.cs
@@ -1,10 +1,8 @@
+using Microsoft.Win32;
using System;
-using System.Diagnostics;
+using System.Collections.Generic;
using System.Management;
-using Microsoft.Win32;
using System.ServiceProcess;
-using System.Linq;
-using System.Collections.Generic;
namespace Moriarty.Msrc
{
diff --git a/Moriarty/Msrc/CVE-2021-26858.cs b/Moriarty/Msrc/CVE-2021-26858.cs
index 92664bd..c8e3f3e 100644
--- a/Moriarty/Msrc/CVE-2021-26858.cs
+++ b/Moriarty/Msrc/CVE-2021-26858.cs
@@ -1,9 +1,7 @@
using System;
-using System.Diagnostics;
+using System.Collections.Generic;
using System.IO;
using System.Linq;
-using System.Collections.Generic;
-using System.Diagnostics.Eventing.Reader;
namespace Moriarty.Msrc
{
diff --git a/Moriarty/Msrc/CVE-2021-27065.cs b/Moriarty/Msrc/CVE-2021-27065.cs
index 8602728..a08fe08 100644
--- a/Moriarty/Msrc/CVE-2021-27065.cs
+++ b/Moriarty/Msrc/CVE-2021-27065.cs
@@ -1,9 +1,7 @@
using System;
-using System.Diagnostics;
+using System.Collections.Generic;
using System.IO;
using System.Linq;
-using System.Collections.Generic;
-using System.Text.RegularExpressions;
namespace Moriarty.Msrc
{
diff --git a/Moriarty/Msrc/CVE-2021-44228.cs b/Moriarty/Msrc/CVE-2021-44228.cs
index 2c01f16..cee60b9 100644
--- a/Moriarty/Msrc/CVE-2021-44228.cs
+++ b/Moriarty/Msrc/CVE-2021-44228.cs
@@ -1,10 +1,10 @@
using System;
-using System.Diagnostics;
+using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Linq;
using System.Text.RegularExpressions;
-using System.Collections.Generic;
+using System.Threading.Tasks;
namespace Moriarty.Msrc
{
@@ -13,7 +13,7 @@ public class CVE_2021_44228 : IVulnerabilityCheck
private const string Id = "CVE-2021-44228";
private static readonly string[] Exploits = new[]
{
- "https://github.com/CERTCC/CVE-2021-44228_scanner" // URL for reference
+ "https://github.com/CERTCC/CVE-2021-44228_scanner"
};
public Vulnerability GetVulnerability()
@@ -23,41 +23,101 @@ public Vulnerability GetVulnerability()
public void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List installedKBs)
{
- string topLevel = Directory.GetCurrentDirectory();
- ScanDirectory(topLevel, vulnerabilities);
+ // Define the most likely folders to contain vulnerable files
+ var likelyFolders = new List
+ {
+ @"C:\Program Files\",
+ @"C:\Program Files (x86)\",
+ // Add any specific directories known to contain Java applications or libraries
+ // Examples could include directories for commonly used Java servers or applications
+ };
+ DebugUtility.DebugPrint("Starting targeted scan...");
+
+ foreach (var folder in likelyFolders)
+ {
+ if (Directory.Exists(folder))
+ {
+ DebugUtility.DebugPrint($"Scanning directory: {folder}");
+ ScanDirectory(folder, vulnerabilities);
+ }
+ else
+ {
+ DebugUtility.DebugPrint($"Directory does not exist: {folder}");
+ }
+ }
}
- private static void ScanDirectory(string directoryPath, VulnerabilityCollection vulnerabilities)
+ private static void ScanDirectory(string directoryPath, VulnerabilityCollection vulnerabilities, int currentDepth = 0, int maxDepth = 3)
{
- var fileExtensions = new[] { ".jar", ".war", ".ear", ".zip" };
- var files = Directory.GetFiles(directoryPath, "*.*", SearchOption.AllDirectories)
- .Where(file => fileExtensions.Any(x => file.EndsWith(x, StringComparison.OrdinalIgnoreCase)));
+ if (currentDepth > maxDepth)
+ {
+ return;
+ }
- foreach (var file in files)
+ DebugUtility.DebugPrint($"Scanning directory: {directoryPath} at depth {currentDepth}");
+
+ // Process files in the current directory
+ try
{
- ProcessFile(file, vulnerabilities);
+ var fileExtensions = new[] { ".jar", ".war", ".ear", ".zip" };
+ var files = Directory.EnumerateFiles(directoryPath, "*.*")
+ .Where(file => fileExtensions.Any(x => file.EndsWith(x, StringComparison.OrdinalIgnoreCase)));
+
+ Parallel.ForEach(files, (file) =>
+ {
+ DebugUtility.DebugPrint($"Processing file: {file}");
+ ProcessFile(file, vulnerabilities);
+ });
+
+ // Recursively process subdirectories, limiting the depth
+ var directories = Directory.EnumerateDirectories(directoryPath);
+ foreach (var dir in directories)
+ {
+ ScanDirectory(dir, vulnerabilities, currentDepth + 1, maxDepth);
+ }
+ }
+ catch (UnauthorizedAccessException ex)
+ {
+ DebugUtility.DebugPrint($"Access denied to directory: {directoryPath}. Exception: {ex.Message}");
+ // Optionally, log the exception or handle it as necessary.
+ }
+ catch (Exception ex)
+ {
+ DebugUtility.DebugPrint($"Error processing directory {directoryPath}: {ex.Message}");
+ // Handle other exceptions or log them as necessary.
}
}
+
private static void ProcessFile(string filePath, VulnerabilityCollection vulnerabilities)
{
- using (ZipArchive archive = ZipFile.OpenRead(filePath))
+ DebugUtility.DebugPrint($"Opening archive: {filePath}");
+ try
{
- foreach (ZipArchiveEntry entry in archive.Entries)
+ using (ZipArchive archive = ZipFile.OpenRead(filePath))
{
- if (entry.FullName.EndsWith("JndiLookup.class", StringComparison.OrdinalIgnoreCase))
- {
- CheckForVulnerability(entry, filePath, vulnerabilities);
- }
- else if (IsArchive(entry.FullName))
+ foreach (ZipArchiveEntry entry in archive.Entries)
{
- string tempPath = Path.GetTempFileName();
- entry.ExtractToFile(tempPath, true);
- ProcessFile(tempPath, vulnerabilities);
- File.Delete(tempPath);
+ if (entry.FullName.EndsWith("JndiLookup.class", StringComparison.OrdinalIgnoreCase))
+ {
+ CheckForVulnerability(entry, filePath, vulnerabilities);
+ }
+ else if (IsArchive(entry.FullName))
+ {
+ string tempPath = Path.GetTempFileName();
+ DebugUtility.DebugPrint($"Extracting nested archive to temporary file: {tempPath}");
+ entry.ExtractToFile(tempPath, true);
+ ProcessFile(tempPath, vulnerabilities);
+ File.Delete(tempPath);
+ }
}
}
}
+ catch (Exception ex)
+ {
+ DebugUtility.DebugPrint($"Error processing file {filePath}: {ex.Message}");
+ }
+ DebugUtility.DebugPrint($"Finished processing archive: {filePath}");
}
private static bool IsArchive(string fileName)
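Review bot: The nested-archive branch of `ProcessFile` still recurses with no limit and extracts every nested entry to a temp file without a size check, so the new `maxDepth` bounds directory depth but not archive depth. A deeply nested or highly compressed archive under Program Files can keep the scanner extracting indefinitely or fill the temp directory of the machine being scanned. The temp file is also leaked whenever `ExtractToFile` throws, because `File.Delete(tempPath)` is skipped and the new catch-all only logs; the same extract/read/delete sequence is in `CheckForVulnerability` in the next two hunks. I would pass a nesting counter through `ProcessFile`, skip entries whose declared `entry.Length` exceeds a cap, and move the delete into `finally`, as sketched below with proposed limits. Separately, `Parallel.ForEach` now reaches `vulnerabilities.SetAsVulnerable(Id)` from several threads; `VulnerabilityCollection` is not shown here, so confirm it tolerates concurrent writes.

```csharp
private const int MaxArchiveNesting = 3;                        // proposed limit
private const long MaxNestedArchiveBytes = 256L * 1024 * 1024;  // proposed limit

private static void ProcessFile(string filePath, VulnerabilityCollection vulnerabilities, int nesting = 0)
{
    // … unchanged: open the archive, JndiLookup.class branch …
    else if (IsArchive(entry.FullName))
    {
        if (nesting >= MaxArchiveNesting || entry.Length > MaxNestedArchiveBytes)
        {
            DebugUtility.DebugPrint($"Skipping nested archive {entry.FullName} in {filePath}: nesting or size limit reached");
            continue;
        }

        string tempPath = Path.GetTempFileName();
        try
        {
            entry.ExtractToFile(tempPath, true);
            ProcessFile(tempPath, vulnerabilities, nesting + 1);
        }
        finally
        {
            File.Delete(tempPath);
        }
    }
    // … unchanged: catch block and closing debug print …
```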
@@ -69,6 +129,7 @@ private static bool IsArchive(string fileName)
private static void CheckForVulnerability(ZipArchiveEntry entry, string originalFilePath, VulnerabilityCollection vulnerabilities)
{
string tempPath = Path.GetTempFileName();
+ DebugUtility.DebugPrint($"Extracting entry {entry.FullName} to temporary file: {tempPath}");
entry.ExtractToFile(tempPath, true);
string fileContent = File.ReadAllText(tempPath);
@@ -77,8 +138,12 @@ private static void CheckForVulnerability(ZipArchiveEntry entry, string original
DebugUtility.DebugPrint($"Vulnerability found in {originalFilePath} -> {entry.FullName}");
vulnerabilities.SetAsVulnerable(Id);
}
+ else
+ {
+ DebugUtility.DebugPrint($"No vulnerability found in {originalFilePath} -> {entry.FullName}");
+ }
File.Delete(tempPath);
}
}
-}
+}
\ No newline at end of file
diff --git a/Moriarty/Msrc/CVE-2022-22965.cs b/Moriarty/Msrc/CVE-2022-22965.cs
index cd4c856..4c2fad9 100644
--- a/Moriarty/Msrc/CVE-2022-22965.cs
+++ b/Moriarty/Msrc/CVE-2022-22965.cs
@@ -1,7 +1,6 @@
using System;
using System.Collections.Generic;
using System.Net.Http;
-using System.Threading.Tasks;
namespace Moriarty.Msrc
{
@@ -23,7 +22,7 @@ public void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List
CheckAsync(vulnerabilities, buildNumber, installedKBs).GetAwaiter().GetResult();
}
- private async Task CheckAsync(VulnerabilityCollection vulnerabilities, int buildNumber, List installedKBs)
+ private async System.Threading.Tasks.Task CheckAsync(VulnerabilityCollection vulnerabilities, int buildNumber, List installedKBs)
{
DebugUtility.DebugPrint("Running CVE-2022-22965 vulnerability check...");
@@ -53,7 +52,7 @@ private async Task CheckAsync(VulnerabilityCollection vulnerabilities, int build
}
}
- private static async Task InjectVulnerabilityCheck(string targetUrl, string directory)
+ private static async System.Threading.Tasks.Task InjectVulnerabilityCheck(string targetUrl, string directory)
{
var client = new HttpClient();
client.Timeout = TimeSpan.FromSeconds(10);
@@ -72,7 +71,7 @@ private static async Task InjectVulnerabilityCheck(string t
return response;
}
- private static async Task ReadInjectedContent(string targetUrl)
+ private static async System.Threading.Tasks.Task ReadInjectedContent(string targetUrl)
{
var client = new HttpClient();
var fileUrl = $"{targetUrl}/CVE_2022_22965_exploited.txt";
@@ -81,7 +80,7 @@ private static async Task ReadInjectedContent(string targetUrl)
return content;
}
- private static async Task ReadInjectedContentAtRoot(string targetUrl)
+ private static async System.Threading.Tasks.Task ReadInjectedContentAtRoot(string targetUrl)
{
var client = new HttpClient();
var rootUrl = new Uri(targetUrl).GetLeftPart(UriPartial.Authority) + "/CVE_2022_22965_exploited.txt";
diff --git a/Moriarty/Msrc/CVE-2022-34718.cs b/Moriarty/Msrc/CVE-2022-34718.cs
new file mode 100644
index 0000000..f6f31d2
--- /dev/null
+++ b/Moriarty/Msrc/CVE-2022-34718.cs
@@ -0,0 +1,151 @@
+using System;
+using System.Collections.Generic;
+using System.Net;
+using System.Net.Sockets;
+
+namespace Moriarty.Msrc
+{
+ public class CVE_2022_34718 : IVulnerabilityCheck
+ {
+ private const string Id = "CVE-2022-34718";
+ private static readonly string[] Exploits = new[]
+ {
+ "https://github.com/SecLabResearchBV/CVE-2022-34718-PoC"
+ };
+
+ public Vulnerability GetVulnerability()
+ {
+ return new Vulnerability(Id, Exploits);
+ }
+
+ public void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List installedKBs)
+ {
+ DebugUtility.DebugPrint("Starting CVE-2022-34718 check...");
+ string targetAddr = "::1";
+
+ if (TestConnectivity(targetAddr))
+ {
+ try
+ {
+ if (Trigger(targetAddr))
+ {
+ vulnerabilities.SetAsVulnerable(Id);
+ DebugUtility.DebugPrint("The system is vulnerable to CVE-2022-34718.");
+ }
+ else
+ {
+ DebugUtility.DebugPrint("The system is NOT vulnerable to CVE-2022-34718.");
+ }
+ }
+ catch (Exception ex)
+ {
+ DebugUtility.DebugPrint("Error during vulnerability check execution: " + ex.Message);
+ }
+ }
+ else
+ {
+ DebugUtility.DebugPrint("Failed to connect to the target address.");
+ }
+ }
+
+ private bool TestConnectivity(string targetAddr)
+ {
+ DebugUtility.DebugPrint($"Testing connectivity to {targetAddr}...");
+ try
+ {
+ using (var client = new TcpClient(AddressFamily.InterNetworkV6))
+ {
+ client.Client.DualMode = true;
+ client.Connect(IPAddress.Parse(targetAddr), 80);
+ DebugUtility.DebugPrint("Connection successful.");
+ return true;
+ }
+ }
+ catch (SocketException ex)
+ {
+ DebugUtility.DebugPrint($"Failed to connect: {ex.Message}");
+ return false;
+ }
+ }
+
+
+ private bool Trigger(string targetAddr)
+ {
+ DebugUtility.DebugPrint("Triggering the vulnerability...");
+ var innerPacketInfo = GetInnerPacket(targetAddr);
+ var outerPacket = CreateOuterPacket(targetAddr, innerPacketInfo.Packet, innerPacketInfo.FragmentId);
+
+ DebugUtility.DebugPrint("Sending fragments...");
+ foreach (var fragment in outerPacket)
+ {
+ if (!Send(fragment))
+ {
+ DebugUtility.DebugPrint("Failed to send a fragment.");
+ return false;
+ }
+ }
+
+ DebugUtility.DebugPrint("Now sending the last inner fragment to trigger the bug...");
+ return SendLastInnerFragment(targetAddr, innerPacketInfo.FragmentId);
+ }
+
+ private PacketInfo GetInnerPacket(string targetAddr)
+ {
+ var innerFragId = GenerateRandomUint();
+ var layer4Packet = GetLayer4();
+
+ var routes = new List(); // Create proper routing headers and fragments
+ byte[] firstFragment = { }; // Simulate this
+
+ return new PacketInfo(firstFragment, innerFragId);
+ }
+
+ private bool SendLastInnerFragment(string targetAddr, uint innerFragId)
+ {
+ var layer4Packet = GetLayer4();
+
+ byte[] lastFragment = { }; // Simulate this
+ return Send(lastFragment);
+ }
+
+ private byte[] GetLayer4()
+ {
+ // Assume this function returns a byte array representing an ICMPv6 echo request
+ return new byte[] { }; // Simulate this
+ }
+
+ private IEnumerable CreateOuterPacket(string targetAddr, byte[] innerPacket, uint innerFragId)
+ {
+ var fragments = new List();
+
+ // Logic to fragment the inner packet into multiple packets
+ return fragments;
+ }
+
+ private bool Send(byte[] packet)
+ {
+ // Send logic here, possibly using SharpPcap or a raw socket
+ return true;
+ }
+
+ private uint GenerateRandomUint()
+ {
+ Random rnd = new Random();
+ int part1 = rnd.Next(0, 65536); // Get the lower 16 bits
+ int part2 = rnd.Next(0, 65536); // Get the upper 16 bits
+ return (uint)((part2 << 16) | part1); // Combine the two parts
+ }
+
+ public class PacketInfo
+ {
+ public byte[] Packet { get; set; }
+ public uint FragmentId { get; set; }
+
+ public PacketInfo(byte[] packet, uint fragmentId)
+ {
+ Packet = packet;
+ FragmentId = fragmentId;
+ }
+ }
+ }
+}
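Review bot: As written, `Check` marks the host vulnerable whenever anything accepts a TCP connection on `[::1]:80`. `Send` unconditionally returns `true`, `CreateOuterPacket` returns an empty list, and `SendLastInnerFragment` returns `Send(...)`, so `Trigger` can only return `true`. The verdict therefore says nothing about patch state: it is a false positive on any machine with a local web server and a silent skip everywhere else. Until a real test exists the stub should not be able to produce a finding, e.g. change `return true;` in `Send` to `throw new NotImplementedException();` so `Check` logs an error instead of calling `SetAsVulnerable`. A patch-level decision from the currently unused `buildNumber` and `installedKBs` arguments would be accurate and side-effect free. The placeholders also leave `layer4Packet` and `routes` unused, and `GenerateRandomUint` creates a new `Random` on every call.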
diff --git a/Moriarty/Msrc/CVE-2022-40140.cs b/Moriarty/Msrc/CVE-2022-40140.cs
index 34efc6f..a1b4d84 100644
--- a/Moriarty/Msrc/CVE-2022-40140.cs
+++ b/Moriarty/Msrc/CVE-2022-40140.cs
@@ -1,7 +1,7 @@
using System;
+using System.Collections.Generic;
using System.Net;
using System.Net.Http;
-using System.Collections.Generic;
namespace Moriarty.Msrc
{
diff --git a/Moriarty/Msrc/CVE-2023-21768.cs b/Moriarty/Msrc/CVE-2023-21768.cs
new file mode 100644
index 0000000..7ec7bfe
--- /dev/null
+++ b/Moriarty/Msrc/CVE-2023-21768.cs
@@ -0,0 +1,12 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Moriarty.Msrc
+{
+ internal class Class1
+ {
+ }
+}
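Review bot: This new file holds only an empty `internal class Class1` and five unused `using` directives, and nothing visible in the commit registers or references it. It looks like an IDE template committed by accident. Either drop it from the commit, or rename the class to `CVE_2023_21768` and implement `IVulnerabilityCheck` before adding it. A file named after a CVE with no check behind it makes the scanner's coverage look larger than it is.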
diff --git a/Moriarty/Msrc/CVE-2023-23397.cs b/Moriarty/Msrc/CVE-2023-23397.cs
new file mode 100644
index 0000000..58c6723
--- /dev/null
+++ b/Moriarty/Msrc/CVE-2023-23397.cs
@@ -0,0 +1,129 @@
+using Microsoft.Office.Interop.Outlook;
+using Microsoft.Win32;
+using System;
+using System.Collections.Generic;
+
+namespace Moriarty.Msrc
+{
+ public class CVE_2023_23397 : IVulnerabilityCheck
+ {
+ private const string Id = "CVE-2023-23397";
+ private static readonly string[] Exploits = new[]
+ {
+ "https://github.com/api0cradle/CVE-2023-23397-POC-Powershell/tree/main"
+ };
+
+ public Vulnerability GetVulnerability()
+ {
+ return new Vulnerability(Id, Exploits);
+ }
+
+ public void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List installedKBs)
+ {
+ DebugUtility.DebugPrint("Starting scan for CVE-2023-23397...");
+ Application outlookApp = null;
+ AppointmentItem newAppointment = null;
+
+ if (!IsOutlookConfigured())
+ {
+ DebugUtility.DebugPrint("Outlook is not installed or not configured. Skipping CVE-2023-23397 check.");
+ return;
+ }
+
+ try
+ {
+ outlookApp = new Application();
+ NameSpace outlookNamespace = outlookApp.GetNamespace("MAPI");
+ MAPIFolder calendarFolder = outlookNamespace.GetDefaultFolder(OlDefaultFolders.olFolderCalendar);
+
+ newAppointment = (AppointmentItem)calendarFolder.Items.Add(OlItemType.olAppointmentItem);
+ newAppointment.Subject = "Proactive Vulnerability Test";
+ newAppointment.Start = System.DateTime.Now.AddHours(2);
+ newAppointment.End = System.DateTime.Now.AddHours(3);
+ newAppointment.ReminderSet = true;
+ newAppointment.ReminderMinutesBeforeStart = 15;
+ newAppointment.ReminderSoundFile = @"\\fakepath\sound.wav";
+ newAppointment.Save();
+
+ Console.WriteLine(newAppointment.ReminderSoundFile);
+ if (newAppointment.ReminderSoundFile.Equals(@"\\fakepath\sound.wav"))
+ {
+ DebugUtility.DebugPrint("Successfully validated the UNC path in the reminder sound file.");
+ vulnerabilities.SetAsVulnerable(Id);
+ }
+ else
+ {
+ DebugUtility.DebugPrint("The UNC path in the reminder sound file was not set as expected.");
+ }
+ newAppointment.Delete();
+ DebugUtility.DebugPrint("Successfully cleaned up the test appointment.");
+ }
+ catch (System.Runtime.InteropServices.COMException comEx)
+ {
+ DebugUtility.DebugPrint("Failed to create or delete the appointment - COM Exception: " + comEx.Message);
+ DebugUtility.DebugPrint("Outlook may be properly secured against this type of vulnerability.");
+ }
+ catch (System.Exception ex)
+ {
+ DebugUtility.DebugPrint("Failed to create or delete the appointment - Exception: " + ex.Message);
+ DebugUtility.DebugPrint("This could indicate that proactive security measures are in place.");
+ }
+ finally
+ {
+ if (newAppointment != null) System.Runtime.InteropServices.Marshal.ReleaseComObject(newAppointment);
+ if (outlookApp != null) System.Runtime.InteropServices.Marshal.ReleaseComObject(outlookApp);
+ }
+ }
+
+ private bool IsOutlookConfigured()
+ {
+ try
+ {
+ string outlookProfileRegKey = @"Software\Microsoft\Office\16.0\Outlook\Profiles";
+ using (RegistryKey key = Registry.CurrentUser.OpenSubKey(outlookProfileRegKey))
+ {
+ if (key != null)
+ {
+ string[] profileNames = key.GetSubKeyNames();
+ if (profileNames.Length == 0)
+ {
+ DebugUtility.DebugPrint("No profiles are configured.");
+ return false;
+ }
+ }
+
+ else
+ {
+ DebugUtility.DebugPrint("Outlook profile registry key not found.");
+ return false;
+ }
+ }
+
+ Application outlookApp = new Application();
+ if (outlookApp != null)
+ {
+ System.Runtime.InteropServices.Marshal.ReleaseComObject(outlookApp);
+ return true;
+ }
+ else
+ {
+ DebugUtility.DebugPrint("Outlook application object could not be created.");
+ return false;
+ }
+ }
+ catch (System.Security.SecurityException secEx)
+ {
+ DebugUtility.DebugPrint("Security Exception (access to the registry might be denied): " + secEx.Message);
+ }
+ catch (System.Runtime.InteropServices.COMException comEx)
+ {
+ DebugUtility.DebugPrint("COM Exception (Outlook may not be installed/configured): " + comEx.Message);
+ }
+ catch (System.Exception ex)
+ {
+ DebugUtility.DebugPrint("General Exception: " + ex.Message);
+ }
+ return false;
+ }
+ }
+}
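Review bot: The verdict in `Check` compares `newAppointment.ReminderSoundFile` with the value assigned a few lines earlier, so it only shows that the property round-trips through the object model, not that this Outlook build is unpatched; as far as the visible code goes, a patched client would be reported vulnerable too. The test item is also written into the user's real calendar, and `newAppointment.Delete()` sits inside the `try`, so any exception after `Save()` leaves an appointment with a UNC reminder path behind in the mailbox. I would move the delete into `finally` behind a `saved` flag (below) and derive the verdict from the installed Outlook build rather than from a mailbox write. `Console.WriteLine(newAppointment.ReminderSoundFile);` bypasses `DebugUtility` and looks like leftover debugging. `IsOutlookConfigured` only inspects the `16.0` profile key and starts a second Outlook `Application` just to probe for it.

```csharp
bool saved = false;
try
{
    // … unchanged: create the appointment and set its properties …
    newAppointment.Save();
    saved = true;
    // … unchanged: read back ReminderSoundFile and log the result …
}
// … unchanged: catch blocks …
finally
{
    if (newAppointment != null)
    {
        try
        {
            if (saved) newAppointment.Delete();
        }
        catch (System.Runtime.InteropServices.COMException comEx)
        {
            DebugUtility.DebugPrint("Failed to delete the test appointment: " + comEx.Message);
        }
        System.Runtime.InteropServices.Marshal.ReleaseComObject(newAppointment);
    }
    if (outlookApp != null) System.Runtime.InteropServices.Marshal.ReleaseComObject(outlookApp);
}
```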
diff --git a/Moriarty/Msrc/CVE-2023-36664.cs b/Moriarty/Msrc/CVE-2023-36664.cs
index 7d04db3..4ebe181 100644
--- a/Moriarty/Msrc/CVE-2023-36664.cs
+++ b/Moriarty/Msrc/CVE-2023-36664.cs
@@ -1,8 +1,8 @@
using System;
+using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
-using System.Collections.Generic;
namespace Moriarty.Msrc
{
diff --git a/Moriarty/Msrc/CVE_2021_26855.cs b/Moriarty/Msrc/CVE_2021_26855.cs
index f3523a8..b767092 100644
--- a/Moriarty/Msrc/CVE_2021_26855.cs
+++ b/Moriarty/Msrc/CVE_2021_26855.cs
@@ -3,7 +3,6 @@
using System.IO;
using System.Linq;
using System.Text.RegularExpressions;
-using System.Threading.Tasks;
namespace Moriarty.Msrc
{
@@ -35,7 +34,7 @@ public void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List
CheckAsync(vulnerabilities, buildNumber, installedKBs).GetAwaiter().GetResult();
}
- private async Task CheckAsync(VulnerabilityCollection vulnerabilities, int buildNumber, List installedKBs)
+ private async System.Threading.Tasks.Task CheckAsync(VulnerabilityCollection vulnerabilities, int buildNumber, List installedKBs)
{
var exchangeInstallPath = Environment.GetEnvironmentVariable("exchangeinstallpath");
if (string.IsNullOrWhiteSpace(exchangeInstallPath))
@@ -74,7 +73,7 @@ private async Task CheckAsync(VulnerabilityCollection vulnerabilities, int build
DebugUtility.DebugPrint("No webshells found, but further examination is recommended.");
}
}
- private static async Task ReadFileContentAsync(string filePath)
+ private static async System.Threading.Tasks.Task ReadFileContentAsync(string filePath)
{
using (var reader = new StreamReader(filePath))
{
diff --git a/Moriarty/Msrc/CVE_2021_26857.cs b/Moriarty/Msrc/CVE_2021_26857.cs
index f49fa61..5bcc33d 100644
--- a/Moriarty/Msrc/CVE_2021_26857.cs
+++ b/Moriarty/Msrc/CVE_2021_26857.cs
@@ -1,8 +1,7 @@
using System;
+using System.Collections.Generic;
using System.IO;
using System.Linq;
-using System.Collections.Generic;
-using System.Text.RegularExpressions;
namespace Moriarty.Msrc
{
diff --git a/Moriarty/Msrc/MS10-015.cs b/Moriarty/Msrc/MS10-015.cs
index 3b0dd66..c3b6145 100644
--- a/Moriarty/Msrc/MS10-015.cs
+++ b/Moriarty/Msrc/MS10-015.cs
@@ -1,7 +1,7 @@
using System;
+using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
-using System.Collections.Generic;
namespace Moriarty.Msrc
{
diff --git a/Moriarty/Msrc/MS10-092.cs b/Moriarty/Msrc/MS10-092.cs
index 5a26797..5a1fb2b 100644
--- a/Moriarty/Msrc/MS10-092.cs
+++ b/Moriarty/Msrc/MS10-092.cs
@@ -1,7 +1,7 @@
using System;
+using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
-using System.Collections.Generic;
namespace Moriarty.Msrc
{
diff --git a/Moriarty/Msrc/MS13-053.cs b/Moriarty/Msrc/MS13-053.cs
index 0fcbb2f..144bf7c 100644
--- a/Moriarty/Msrc/MS13-053.cs
+++ b/Moriarty/Msrc/MS13-053.cs
@@ -1,7 +1,7 @@
using System;
+using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
-using System.Collections.Generic;
namespace Moriarty.Msrc
{
diff --git a/Moriarty/Msrc/MS13-081.cs b/Moriarty/Msrc/MS13-081.cs
index 6b7a8c9..5f8b171 100644
--- a/Moriarty/Msrc/MS13-081.cs
+++ b/Moriarty/Msrc/MS13-081.cs
@@ -1,7 +1,7 @@
using System;
+using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
-using System.Collections.Generic;
namespace Moriarty.Msrc
{
diff --git a/Moriarty/Msrc/MS14-058.cs b/Moriarty/Msrc/MS14-058.cs
index 0b669d6..f4b1d1e 100644
--- a/Moriarty/Msrc/MS14-058.cs
+++ b/Moriarty/Msrc/MS14-058.cs
@@ -1,7 +1,7 @@
using System;
+using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
-using System.Collections.Generic;
namespace Moriarty.Msrc
{
diff --git a/Moriarty/Msrc/MS15-051.cs b/Moriarty/Msrc/MS15-051.cs
index 7b20d07..6c3f29e 100644
--- a/Moriarty/Msrc/MS15-051.cs
+++ b/Moriarty/Msrc/MS15-051.cs
@@ -1,7 +1,7 @@
using System;
+using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
-using System.Collections.Generic;
namespace Moriarty.Msrc
{
diff --git a/Moriarty/Msrc/MS15-078.cs b/Moriarty/Msrc/MS15-078.cs
index 41114e4..054c952 100644
--- a/Moriarty/Msrc/MS15-078.cs
+++ b/Moriarty/Msrc/MS15-078.cs
@@ -1,7 +1,7 @@
using System;
+using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
-using System.Collections.Generic;
namespace Moriarty.Msrc
{
diff --git a/Moriarty/Msrc/MS16-016.cs b/Moriarty/Msrc/MS16-016.cs
index bf8d8e0..ef370a5 100644
--- a/Moriarty/Msrc/MS16-016.cs
+++ b/Moriarty/Msrc/MS16-016.cs
@@ -1,7 +1,7 @@
using System;
+using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
-using System.Collections.Generic;
namespace Moriarty.Msrc
{
diff --git a/Moriarty/Msrc/MS16-032.cs b/Moriarty/Msrc/MS16-032.cs
index 0771000..380ef8b 100644
--- a/Moriarty/Msrc/MS16-032.cs
+++ b/Moriarty/Msrc/MS16-032.cs
@@ -1,7 +1,7 @@
using System;
+using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
-using System.Collections.Generic;
namespace Moriarty.Msrc
{
diff --git a/Moriarty/Msrc/MS16-034.cs b/Moriarty/Msrc/MS16-034.cs
index 3702ddd..06574b2 100644
--- a/Moriarty/Msrc/MS16-034.cs
+++ b/Moriarty/Msrc/MS16-034.cs
@@ -1,7 +1,7 @@
using System;
+using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
-using System.Collections.Generic;
namespace Moriarty.Msrc
{
diff --git a/Moriarty/Msrc/MS16-135.cs b/Moriarty/Msrc/MS16-135.cs
index 7c993a7..6a2de9f 100644
--- a/Moriarty/Msrc/MS16-135.cs
+++ b/Moriarty/Msrc/MS16-135.cs
@@ -1,7 +1,7 @@
using System;
+using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
-using System.Collections.Generic;
namespace Moriarty.Msrc
{
diff --git a/Moriarty/Program.cs b/Moriarty/Program.cs
index b37fe05..51f4e55 100644
--- a/Moriarty/Program.cs
+++ b/Moriarty/Program.cs
@@ -1,9 +1,6 @@
using Moriarty.Msrc;
using System;
using System.Collections.Generic;
-using System.Diagnostics;
-using System.Reflection;
-using System.Linq;
namespace Moriarty
{
@@ -17,6 +14,17 @@ class Program
{
static List vulnerabilityChecks = new List
{
+ new MS10_015(),
+ new MS10_092(),
+ new MS13_053(),
+ new MS13_081(),
+ new MS14_058(),
+ new MS15_051(),
+ new MS15_078(),
+ new MS16_016(),
+ new MS16_032(),
+ new MS16_034(),
+ new MS16_135(),
new CVE_2019_0836(),
new CVE_2019_0841(),
new CVE_2019_1064(),
@@ -29,20 +37,8 @@ class Program
new CVE_2020_0668(),
new CVE_2020_0683(),
new CVE_2020_1013(),
- new MS10_015(),
- new MS10_092(),
- new MS13_053(),
- new MS13_081(),
- new MS14_058(),
- new MS15_051(),
- new MS15_078(),
- new MS16_016(),
- new MS16_032(),
- new MS16_034(),
- new MS16_135(),
new CVE_2017_7199(),
new CVE_2020_0796(),
- new CVE_2023_36664(),
new CVE_2021_1675(),
new CVE_2021_44228(),
new CVE_2022_40140(),
@@ -52,9 +48,12 @@ class Program
new CVE_2021_26857(),
new CVE_2021_27065(),
new CVE_2021_26858(),
+ new CVE_2022_34718(),
+ new CVE_2023_36664(),
+ new CVE_2023_23397(),
};
- static void Main(string[] args)
+ public static void Main(string[] args)
{
Info.PrintLogo();
foreach (var arg in args)
diff --git a/Moriarty/Utils/Info.cs b/Moriarty/Utils/Info.cs
index 25f321b..e5b6952 100644
--- a/Moriarty/Utils/Info.cs
+++ b/Moriarty/Utils/Info.cs
@@ -12,7 +12,7 @@ public static void PrintLogo()
Console.WriteLine("██ ████ ██ ██ ██ ██████ ██ ███████ ██████ ██ ████ ");
Console.WriteLine("██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ");
Console.WriteLine("██ ██ ██████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ");
- Console.WriteLine(" v1.1");
+ Console.WriteLine(" v1.2");
Console.WriteLine(" BC Security\r\n");
}
public static void PrintHelp()
diff --git a/Moriarty/Utils/VulnerabilityCollection.cs b/Moriarty/Utils/VulnerabilityCollection.cs
index 9eed672..dda5fee 100644
--- a/Moriarty/Utils/VulnerabilityCollection.cs
+++ b/Moriarty/Utils/VulnerabilityCollection.cs
@@ -1,8 +1,6 @@
using System;
using System.Collections.Generic;
using System.Linq;
-using System.Reflection;
-using Moriarty.Msrc;
namespace Moriarty
{
diff --git a/Moriarty/app.config b/Moriarty/app.config
index 2c0f559..92ec84f 100644
--- a/Moriarty/app.config
+++ b/Moriarty/app.config
@@ -1,3 +1,14 @@
-
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/Moriarty/packages.config b/Moriarty/packages.config
new file mode 100644
index 0000000..378d64d
--- /dev/null
+++ b/Moriarty/packages.config
@@ -0,0 +1,4 @@
+
+
+
+
\ No newline at end of file
diff --git a/README.md b/README.md
index e15a96b..8840f8b 100644
--- a/README.md
+++ b/README.md
@@ -25,6 +25,32 @@ After cloning the repository, you can build the Moriarty executable using Visual
4. Build the solution by selecting "Build > Build Solution" from the menu.
## Usage
+
+### Help Menu
+```
+C:\> Moriarty.exe --help
+
+███ ███ ██████ ██████ ██ █████ ██████ ████████ ██ ██
+████ ████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
+██ ████ ██ ██ ██ ██████ ██ ███████ ██████ ██ ████
+██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
+██ ██ ██████ ██ ██ ██ ██ ██ ██ ██ ██ ██
+ v1.2
+ BC Security
+
+Usage: Moriarty.exe [options]
+Options:
+ -h, --help Display this help message.
+ -d, --debug Run in debug mode for additional output.
+ -l, --list-vulns List all vulnerabilities that are scanned for.
+
+Examples:
+ Moriarty.exe -d
+ Moriarty.exe --list-vulns
+
+```
+
+### Scan
```
C:\> Moriarty.exe
███ ███ ██████ ██████ ██ █████ ██████ ████████ ██ ██
@@ -33,7 +59,7 @@ C:\> Moriarty.exe
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ██████ ██ ██ ██ ██ ██ ██ ██ ██ ██
- v1.0
+ v1.2
BC Security
[*] OS Version: 22H2 (22621)
@@ -44,8 +70,9 @@ C:\> Moriarty.exe
[+] PrintNightmare (CVE-2021-1675, CVE-2021-34527) : VULNERABLE
[>] https://github.com/xbufu/PrintNightmareCheck/tree/main
- [*] Vulnerabilities found: 2/30
+ [*] Vulnerabilities found: 2/37
[+] Scan Complete!
+
```
## CVEs and Vulnerabilities
@@ -85,6 +112,8 @@ Moriarty scans for a variety of CVEs and vulnerabilities. Below is a table detai
| [CVE-2021-27065](https://www.cve.org/CVERecord?id=CVE-2021-27065) | A post-authentication arbitrary file write vulnerability in Exchange Server could lead to remote code execution. |
| [CVE-2021-44228](https://www.cve.org/CVERecord?id=CVE-2021-44228) | Log4Shell, a remote code execution vulnerability in Apache Log4j. |
| [CVE-2021-36934](https://www.cve.org/CVERecord?id=CVE-2021-36934) | HiveNightmare - A vulnerability that allows for local privilege escalation due to overly permissive Access Control Lists (ACLs) on system files, including the Security Accounts Manager (SAM). |
+| [CVE-2022-34718](https://www.cve.org/CVERecord?id=CVE-2022-34718) | Windows TCP/IP Remote Code Execution Vulnerability. |
| [CVE-2022-40140](https://www.cve.org/CVERecord?id=CVE-2022-40140) | A vulnerability in Microsoft Exchange Server leading to remote code execution. |
| [CVE-2022-22965](https://www.cve.org/CVERecord?id=CVE-2022-22965) | Spring4Shell, a remote code execution vulnerability in Spring Framework. |
| [CVE-2023-36664](https://www.cve.org/CVERecord?id=CVE-2023-36664) | Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the pipe character prefix). |
+| [CVE-2023-23397](https://www.cve.org/CVERecord?id=CVE-2023-23397) | Microsoft Outlook Elevation of Privilege Vulnerability. |
\ No newline at end of file