From 4cf848f86a8477d833bc742290f06a0bb12ff7a7 Mon Sep 17 00:00:00 2001 From: Cx01N Date: Sat, 30 Mar 2024 17:02:13 -0700 Subject: [PATCH 01/10] Updated task calls to work with empire --- CHANGELOG.md | 3 ++- Moriarty/Msrc/CVE-2022-22965.cs | 8 ++++---- Moriarty/Msrc/CVE_2021_26855.cs | 4 ++-- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4a7f9cf..3110c35 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,7 +13,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - **Security** in case of vulnerabilities. ## [Unreleased] -- Added GitHub action to compile executable on release +- Added GitHub action to compile executable on release +- Updated Task calls so it works with Empire ## 1.1 - 2024-03-13 ### Added diff --git a/Moriarty/Msrc/CVE-2022-22965.cs b/Moriarty/Msrc/CVE-2022-22965.cs index cd4c856..d62bb09 100644 --- a/Moriarty/Msrc/CVE-2022-22965.cs +++ b/Moriarty/Msrc/CVE-2022-22965.cs @@ -23,7 +23,7 @@ public void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List CheckAsync(vulnerabilities, buildNumber, installedKBs).GetAwaiter().GetResult(); } - private async Task CheckAsync(VulnerabilityCollection vulnerabilities, int buildNumber, List installedKBs) + private async System.Threading.Tasks.Task CheckAsync(VulnerabilityCollection vulnerabilities, int buildNumber, List installedKBs) { DebugUtility.DebugPrint("Running CVE-2022-22965 vulnerability check..."); @@ -53,7 +53,7 @@ private async Task CheckAsync(VulnerabilityCollection vulnerabilities, int build } } - private static async Task InjectVulnerabilityCheck(string targetUrl, string directory) + private static async System.Threading.Tasks.Task InjectVulnerabilityCheck(string targetUrl, string directory) { var client = new HttpClient(); client.Timeout = TimeSpan.FromSeconds(10); 
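Review bot: The `HttpClient` created in `InjectVulnerabilityCheck` (hunk at -53) is never disposed in the visible lines, and the clients created in `ReadInjectedContent` and `ReadInjectedContentAtRoot` in the next two hunks also set no `Timeout`. A target that accepts the connection and then stalls therefore holds the scan for HttpClient's default 100 seconds per request. One shared instance would fix both, e.g. `private static readonly HttpClient Client = new HttpClient { Timeout = TimeSpan.FromSeconds(10) };`. All three method bodies continue outside their hunks, so any clean-up further down is not visible here.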
@@ -72,7 +72,7 @@ private static async Task InjectVulnerabilityCheck(string t return response; } - private static async Task ReadInjectedContent(string targetUrl) + private static async System.Threading.Tasks.Task ReadInjectedContent(string targetUrl) { var client = new HttpClient(); var fileUrl = $"{targetUrl}/CVE_2022_22965_exploited.txt"; @@ -81,7 +81,7 @@ private static async Task ReadInjectedContent(string targetUrl) return content; } - private static async Task ReadInjectedContentAtRoot(string targetUrl) + private static async System.Threading.Tasks.Task ReadInjectedContentAtRoot(string targetUrl) { var client = new HttpClient(); var rootUrl = new Uri(targetUrl).GetLeftPart(UriPartial.Authority) + "/CVE_2022_22965_exploited.txt"; diff --git a/Moriarty/Msrc/CVE_2021_26855.cs b/Moriarty/Msrc/CVE_2021_26855.cs index f3523a8..eb36b3b 100644 --- a/Moriarty/Msrc/CVE_2021_26855.cs +++ b/Moriarty/Msrc/CVE_2021_26855.cs @@ -35,7 +35,7 @@ public void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List CheckAsync(vulnerabilities, buildNumber, installedKBs).GetAwaiter().GetResult(); } - private async Task CheckAsync(VulnerabilityCollection vulnerabilities, int buildNumber, List installedKBs) + private async System.Threading.Tasks.Task CheckAsync(VulnerabilityCollection vulnerabilities, int buildNumber, List installedKBs) { var exchangeInstallPath = Environment.GetEnvironmentVariable("exchangeinstallpath"); if (string.IsNullOrWhiteSpace(exchangeInstallPath)) @@ -74,7 +74,7 @@ private async Task CheckAsync(VulnerabilityCollection vulnerabilities, int build DebugUtility.DebugPrint("No webshells found, but further examination is recommended."); } } - private static async Task ReadFileContentAsync(string filePath) + private static async System.Threading.Tasks.Task ReadFileContentAsync(string filePath) { using (var reader = new StreamReader(filePath)) { From a6be7f3cfea930d1367d2fd8ddd8695a423f1013 Mon Sep 17 00:00:00 2001 
From: coin Date: Wed, 3 Apr 2024 16:36:49 -0400 Subject: [PATCH 02/10] Update main to public --- Moriarty/Program.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Moriarty/Program.cs b/Moriarty/Program.cs index b37fe05..3944d26 100644 --- a/Moriarty/Program.cs +++ b/Moriarty/Program.cs @@ -54,7 +54,7 @@ class Program new CVE_2021_26858(), }; - static void Main(string[] args) + public static void Main(string[] args) { Info.PrintLogo(); foreach (var arg in args) From 9028388ca7f4b0accf5ca7a38e208fbe4bf2540c Mon Sep 17 00:00:00 2001 From: coin Date: Wed, 3 Apr 2024 17:03:05 -0400 Subject: [PATCH 03/10] update framework version --- Moriarty/Moriarty.csproj | 2 +- Moriarty/app.config | 13 ++++++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/Moriarty/Moriarty.csproj b/Moriarty/Moriarty.csproj index cf67090..ae2f127 100644 --- a/Moriarty/Moriarty.csproj +++ b/Moriarty/Moriarty.csproj @@ -8,7 +8,7 @@ Exe Moriarty Moriarty - v4.8 + v4.5 512 true diff --git a/Moriarty/app.config b/Moriarty/app.config index 2c0f559..92ec84f 100644 --- a/Moriarty/app.config +++ b/Moriarty/app.config @@ -1,3 +1,14 @@ - + + + + + + + + + + + + From a05230925f5ddd4bf85a7227c8ef636fb901cc53 Mon Sep 17 00:00:00 2001 From: coin Date: Wed, 3 Apr 2024 18:33:01 -0400 Subject: [PATCH 04/10] Fixed CVE_2021_44228 scan to limit depth --- Moriarty/Msrc/CVE-2021-44228.cs | 108 +++++++++++++++++++++++++------- 1 file changed, 87 insertions(+), 21 deletions(-) diff --git a/Moriarty/Msrc/CVE-2021-44228.cs b/Moriarty/Msrc/CVE-2021-44228.cs index 2c01f16..52bf000 100644 --- a/Moriarty/Msrc/CVE-2021-44228.cs +++ b/Moriarty/Msrc/CVE-2021-44228.cs @@ -5,6 +5,7 @@ using System.Linq; using System.Text.RegularExpressions; using System.Collections.Generic; +using System.Threading.Tasks; namespace Moriarty.Msrc { 
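Review bot: Retargeting from `v4.8` to `v4.5` changes runtime defaults as well as the minimum install. For an application targeting 4.5, the default `ServicePointManager.SecurityProtocol` does not include TLS 1.2, so the `HttpClient`-based checks can fail the handshake against HTTPS endpoints that have disabled older protocols, and the scan then reports nothing for them. If 4.5 is needed for compatibility, opt in explicitly at the top of `Main` with `ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;`. .NET Framework 4.5 is also out of support, so the reason for the downgrade is worth recording next to the changelog entry.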
@@ -13,7 +14,7 @@ public class CVE_2021_44228 : IVulnerabilityCheck private const string Id = "CVE-2021-44228"; private static readonly string[] Exploits = new[] { - "https://github.com/CERTCC/CVE-2021-44228_scanner" // URL for reference + "https://github.com/CERTCC/CVE-2021-44228_scanner" }; public Vulnerability GetVulnerability() 
@@ -23,41 +24,101 @@ public Vulnerability GetVulnerability() public void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List installedKBs) { - string topLevel = Directory.GetCurrentDirectory(); - ScanDirectory(topLevel, vulnerabilities); + // Define the most likely folders to contain vulnerable files + var likelyFolders = new List + { + @"C:\Program Files\", + @"C:\Program Files (x86)\", + // Add any specific directories known to contain Java applications or libraries + // Examples could include directories for commonly used Java servers or applications + }; + DebugUtility.DebugPrint("Starting targeted scan..."); + + foreach (var folder in likelyFolders) + { + if (Directory.Exists(folder)) + { + DebugUtility.DebugPrint($"Scanning directory: {folder}"); + ScanDirectory(folder, vulnerabilities); + } + else + { + DebugUtility.DebugPrint($"Directory does not exist: {folder}"); + } + } } - private static void ScanDirectory(string directoryPath, VulnerabilityCollection vulnerabilities) + private static void ScanDirectory(string directoryPath, VulnerabilityCollection vulnerabilities, int currentDepth = 0, int maxDepth = 3) { - var fileExtensions = new[] { ".jar", ".war", ".ear", ".zip" }; - var files = Directory.GetFiles(directoryPath, "*.*", SearchOption.AllDirectories) - .Where(file => fileExtensions.Any(x => file.EndsWith(x, StringComparison.OrdinalIgnoreCase))); + if (currentDepth > maxDepth) + { + return; + } + + DebugUtility.DebugPrint($"Scanning directory: {directoryPath} at depth {currentDepth}"); - foreach (var file in files) + // Process files in the current directory + try { - ProcessFile(file, vulnerabilities); + var fileExtensions = new[] { ".jar", ".war", ".ear", ".zip" }; + var files = Directory.EnumerateFiles(directoryPath, "*.*") + .Where(file => fileExtensions.Any(x => file.EndsWith(x, StringComparison.OrdinalIgnoreCase))); + + Parallel.ForEach(files, (file) => + { + DebugUtility.DebugPrint($"Processing file: {file}"); + 
ProcessFile(file, vulnerabilities); + }); + + // Recursively process subdirectories, limiting the depth + var directories = Directory.EnumerateDirectories(directoryPath); + foreach (var dir in directories) + { + ScanDirectory(dir, vulnerabilities, currentDepth + 1, maxDepth); + } + } + catch (UnauthorizedAccessException ex) + { + DebugUtility.DebugPrint($"Access denied to directory: {directoryPath}. Exception: {ex.Message}"); + // Optionally, log the exception or handle it as necessary. + } + catch (Exception ex) + { + DebugUtility.DebugPrint($"Error processing directory {directoryPath}: {ex.Message}"); + // Handle other exceptions or log them as necessary. } } + private static void ProcessFile(string filePath, VulnerabilityCollection vulnerabilities) { - using (ZipArchive archive = ZipFile.OpenRead(filePath)) + DebugUtility.DebugPrint($"Opening archive: {filePath}"); + try { - foreach (ZipArchiveEntry entry in archive.Entries) + using (ZipArchive archive = ZipFile.OpenRead(filePath)) { - if (entry.FullName.EndsWith("JndiLookup.class", StringComparison.OrdinalIgnoreCase)) + foreach (ZipArchiveEntry entry in archive.Entries) { - CheckForVulnerability(entry, filePath, vulnerabilities); - } - else if (IsArchive(entry.FullName)) - { - string tempPath = Path.GetTempFileName(); - entry.ExtractToFile(tempPath, true); - ProcessFile(tempPath, vulnerabilities); - File.Delete(tempPath); + if (entry.FullName.EndsWith("JndiLookup.class", StringComparison.OrdinalIgnoreCase)) + { + CheckForVulnerability(entry, filePath, vulnerabilities); + } + else if (IsArchive(entry.FullName)) + { + string tempPath = Path.GetTempFileName(); + DebugUtility.DebugPrint($"Extracting nested archive to temporary file: {tempPath}"); + entry.ExtractToFile(tempPath, true); + ProcessFile(tempPath, vulnerabilities); + File.Delete(tempPath); + } } } } + catch (Exception ex) + { + DebugUtility.DebugPrint($"Error processing file {filePath}: {ex.Message}"); + } + DebugUtility.DebugPrint($"Finished processing 
archive: {filePath}"); } private static bool IsArchive(string fileName) @@ -69,6 +130,7 @@ private static bool IsArchive(string fileName) private static void CheckForVulnerability(ZipArchiveEntry entry, string originalFilePath, VulnerabilityCollection vulnerabilities) { string tempPath = Path.GetTempFileName(); + DebugUtility.DebugPrint($"Extracting entry {entry.FullName} to temporary file: {tempPath}"); entry.ExtractToFile(tempPath, true); string fileContent = File.ReadAllText(tempPath); @@ -77,8 +139,12 @@ private static void CheckForVulnerability(ZipArchiveEntry entry, string original DebugUtility.DebugPrint($"Vulnerability found in {originalFilePath} -> {entry.FullName}"); vulnerabilities.SetAsVulnerable(Id); } + else + { + DebugUtility.DebugPrint($"No vulnerability found in {originalFilePath} -> {entry.FullName}"); + } File.Delete(tempPath); } } -} +} \ No newline at end of file From f52747c5b2aa4c282f99781162ffe8f4c436fd87 Mon Sep 17 00:00:00 2001 
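Review bot: The new depth limit covers directories only; `ProcessFile` still recurses into every nested archive entry with no bound on nesting depth and no check of the entry's uncompressed size. A deeply nested archive under the scanned folders can therefore exhaust stack, temp space or time. `File.Delete(tempPath)` is also skipped when `ExtractToFile` throws, which leaves the extracted copy in the temp directory. Carrying a nesting counter through the recursion, as `ScanDirectory` now does with `currentDepth`/`maxDepth`, and moving the delete into `finally` addresses both. The default of 3 below is a constructed value that mirrors `maxDepth`.

```csharp
private static void ProcessFile(string filePath, VulnerabilityCollection vulnerabilities, int nestingDepth = 0, int maxNesting = 3)
{
    // … unchanged: debug print, try, ZipFile.OpenRead, entry loop, JndiLookup.class branch …
                    else if (IsArchive(entry.FullName) && nestingDepth < maxNesting)
                    {
                        string tempPath = Path.GetTempFileName();
                        try
                        {
                            DebugUtility.DebugPrint($"Extracting nested archive to temporary file: {tempPath}");
                            entry.ExtractToFile(tempPath, true);
                            ProcessFile(tempPath, vulnerabilities, nestingDepth + 1, maxNesting);
                        }
                        finally
                        {
                            // Runs even when extraction throws, so no temp copy is left behind.
                            File.Delete(tempPath);
                        }
                    }
    // … unchanged: catch block and closing debug print …
```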
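Review bot: `vulnerabilities.SetAsVulnerable(Id)` in `CheckForVulnerability` is now reachable from the `Parallel.ForEach` worker threads introduced in `ScanDirectory`, and nothing visible in this patch shows that `VulnerabilityCollection` tolerates concurrent writers. Either confirm that it does, serialise the call with `lock (vulnerabilities) { vulnerabilities.SetAsVulnerable(Id); }`, or go back to a plain `foreach` over `files`. Part of the body of `CheckForVulnerability` lies between the two hunks and is not shown.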
From: coin Date: Sun, 21 Apr 2024 19:02:45 -0400 Subject: [PATCH 05/10] updated files --- Moriarty/Moriarty.csproj | 7 + Moriarty/Msrc/CVE-2017-7199.cs | 2 +- Moriarty/Msrc/CVE-2021-1675.cs | 6 +- Moriarty/Msrc/CVE-2021-26858.cs | 4 +- Moriarty/Msrc/CVE-2021-27065.cs | 4 +- Moriarty/Msrc/CVE-2021-44228.cs | 3 +- Moriarty/Msrc/CVE-2022-22965.cs | 1 - Moriarty/Msrc/CVE-2022-34718.cs | 151 ++++++++++++++++++++++ Moriarty/Msrc/CVE-2022-40140.cs | 2 +- Moriarty/Msrc/CVE-2023-21768.cs | 12 ++ Moriarty/Msrc/CVE-2023-23397.cs | 42 ++++++ Moriarty/Msrc/CVE-2023-36664.cs | 2 +- Moriarty/Msrc/CVE_2021_26855.cs | 1 - Moriarty/Msrc/CVE_2021_26857.cs | 3 +- Moriarty/Msrc/MS10-015.cs | 2 +- Moriarty/Msrc/MS10-092.cs | 2 +- Moriarty/Msrc/MS13-053.cs | 2 +- Moriarty/Msrc/MS13-081.cs | 2 +- Moriarty/Msrc/MS14-058.cs | 2 +- Moriarty/Msrc/MS15-051.cs | 2 +- Moriarty/Msrc/MS15-078.cs | 2 +- Moriarty/Msrc/MS16-016.cs | 2 +- Moriarty/Msrc/MS16-032.cs | 2 +- Moriarty/Msrc/MS16-034.cs | 2 +- Moriarty/Msrc/MS16-135.cs | 2 +- Moriarty/Program.cs | 29 ++--- Moriarty/Utils/Info.cs | 2 +- Moriarty/Utils/VulnerabilityCollection.cs | 2 - Moriarty/packages.config | 4 + 29 files changed, 251 insertions(+), 48 deletions(-) create mode 100644 Moriarty/Msrc/CVE-2022-34718.cs create mode 100644 Moriarty/Msrc/CVE-2023-21768.cs create mode 100644 Moriarty/Msrc/CVE-2023-23397.cs create mode 100644 Moriarty/packages.config diff --git a/Moriarty/Moriarty.csproj b/Moriarty/Moriarty.csproj index ae2f127..2a39632 100644 --- a/Moriarty/Moriarty.csproj +++ b/Moriarty/Moriarty.csproj @@ -50,6 +50,10 @@ false + + ..\packages\Microsoft.Office.Interop.Outlook.15.0.4797.1004\lib\net20\Microsoft.Office.Interop.Outlook.dll + True + @@ -70,7 +74,9 @@ + + @@ -109,6 +115,7 @@ + diff --git a/Moriarty/Msrc/CVE-2017-7199.cs b/Moriarty/Msrc/CVE-2017-7199.cs index add8c5e..c4f7d15 100644 --- a/Moriarty/Msrc/CVE-2017-7199.cs +++ b/Moriarty/Msrc/CVE-2017-7199.cs 
@@ -1,6 +1,6 @@ using Microsoft.Win32; -using System.Linq; using System.Collections.Generic; +using System.Linq; namespace Moriarty.Msrc { diff --git a/Moriarty/Msrc/CVE-2021-1675.cs b/Moriarty/Msrc/CVE-2021-1675.cs index b23c575..e298431 100644 --- a/Moriarty/Msrc/CVE-2021-1675.cs +++ b/Moriarty/Msrc/CVE-2021-1675.cs @@ -1,10 +1,8 @@ +using Microsoft.Win32; using System; -using System.Diagnostics; +using System.Collections.Generic; using System.Management; -using Microsoft.Win32; using System.ServiceProcess; -using System.Linq; -using System.Collections.Generic; namespace Moriarty.Msrc { diff --git a/Moriarty/Msrc/CVE-2021-26858.cs b/Moriarty/Msrc/CVE-2021-26858.cs index 92664bd..c8e3f3e 100644 --- a/Moriarty/Msrc/CVE-2021-26858.cs +++ b/Moriarty/Msrc/CVE-2021-26858.cs @@ -1,9 +1,7 @@ using System; -using System.Diagnostics; +using System.Collections.Generic; using System.IO; using System.Linq; -using System.Collections.Generic; -using System.Diagnostics.Eventing.Reader; namespace Moriarty.Msrc { diff --git a/Moriarty/Msrc/CVE-2021-27065.cs b/Moriarty/Msrc/CVE-2021-27065.cs index 8602728..a08fe08 100644 --- a/Moriarty/Msrc/CVE-2021-27065.cs +++ b/Moriarty/Msrc/CVE-2021-27065.cs @@ -1,9 +1,7 @@ using System; -using System.Diagnostics; +using System.Collections.Generic; using System.IO; using System.Linq; -using System.Collections.Generic; -using System.Text.RegularExpressions; namespace Moriarty.Msrc { diff --git a/Moriarty/Msrc/CVE-2021-44228.cs b/Moriarty/Msrc/CVE-2021-44228.cs index 52bf000..cee60b9 100644 --- a/Moriarty/Msrc/CVE-2021-44228.cs +++ b/Moriarty/Msrc/CVE-2021-44228.cs @@ -1,10 +1,9 @@ using System; -using System.Diagnostics; +using System.Collections.Generic; using System.IO; using System.IO.Compression; using System.Linq; using System.Text.RegularExpressions; -using System.Collections.Generic; using System.Threading.Tasks; namespace Moriarty.Msrc 
diff --git a/Moriarty/Msrc/CVE-2022-22965.cs b/Moriarty/Msrc/CVE-2022-22965.cs index d62bb09..4c2fad9 100644 --- a/Moriarty/Msrc/CVE-2022-22965.cs +++ b/Moriarty/Msrc/CVE-2022-22965.cs @@ -1,7 +1,6 @@ using System; using System.Collections.Generic; using System.Net.Http; -using System.Threading.Tasks; namespace Moriarty.Msrc { diff --git a/Moriarty/Msrc/CVE-2022-34718.cs b/Moriarty/Msrc/CVE-2022-34718.cs new file mode 100644 index 0000000..80047d8 --- /dev/null +++ b/Moriarty/Msrc/CVE-2022-34718.cs 
@@ -0,0 +1,151 @@ +using System; +using System.Collections.Generic; +using System.Net; +using System.Net.Sockets; + +namespace Moriarty.Msrc +{ + public class CVE_2022_34718 : IVulnerabilityCheck + { + private const string Id = "CVE-2022-34718"; + private static readonly string[] Exploits = new[] + { + "https://github.com/user/CVE-2022-34718_implementation" + }; + + public Vulnerability GetVulnerability() + { + return new Vulnerability(Id, Exploits); + } + + public void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List installedKBs) + { + DebugUtility.DebugPrint("Starting CVE-2022-34718 check..."); + string targetAddr = "::1"; + + if (TestConnectivity(targetAddr)) + { + try + { + if (Trigger(targetAddr)) + { + vulnerabilities.SetAsVulnerable(Id); + DebugUtility.DebugPrint("The system is vulnerable to CVE-2022-34718."); + } + else + { + DebugUtility.DebugPrint("The system is NOT vulnerable to CVE-2022-34718."); + } + } + catch (Exception ex) + { + DebugUtility.DebugPrint("Error during vulnerability check execution: " + ex.Message); + } + } + else + { + DebugUtility.DebugPrint("Failed to connect to the target address."); + } + } + + private bool TestConnectivity(string targetAddr) + { + DebugUtility.DebugPrint($"Testing connectivity to {targetAddr}..."); + try + { + using (var client = new TcpClient(AddressFamily.InterNetworkV6)) + { + client.Client.DualMode = true; + client.Connect(IPAddress.Parse(targetAddr), 80); + DebugUtility.DebugPrint("Connection successful."); + return true; + } + } + catch (SocketException ex) + { + DebugUtility.DebugPrint($"Failed to connect: {ex.Message}"); + return false; + } + } + + + private bool Trigger(string targetAddr) + { + DebugUtility.DebugPrint("Triggering the vulnerability..."); + var innerPacketInfo = GetInnerPacket(targetAddr); + var outerPacket = CreateOuterPacket(targetAddr, innerPacketInfo.Packet, innerPacketInfo.FragmentId); + + DebugUtility.DebugPrint("Sending fragments..."); + foreach (var fragment in 
outerPacket) + { + if (!Send(fragment)) + { + DebugUtility.DebugPrint("Failed to send a fragment."); + return false; + } + } + + DebugUtility.DebugPrint("Now sending the last inner fragment to trigger the bug..."); + return SendLastInnerFragment(targetAddr, innerPacketInfo.FragmentId); + } + + private PacketInfo GetInnerPacket(string targetAddr) + { + var innerFragId = GenerateRandomUint(); + var layer4Packet = GetLayer4(); + + var routes = new List(); // Create proper routing headers and fragments + byte[] firstFragment = { }; // Simulate this + + return new PacketInfo(firstFragment, innerFragId); + } + + private bool SendLastInnerFragment(string targetAddr, uint innerFragId) + { + var layer4Packet = GetLayer4(); + + byte[] lastFragment = { }; // Simulate this + return Send(lastFragment); + } + + private byte[] GetLayer4() + { + // Assume this function returns a byte array representing an ICMPv6 echo request + return new byte[] { }; // Simulate this + } + + private IEnumerable CreateOuterPacket(string targetAddr, byte[] innerPacket, uint innerFragId) + { + var fragments = new List(); + + // Logic to fragment the inner packet into multiple packets + return fragments; + } + + private bool Send(byte[] packet) + { + // Send logic here, possibly using SharpPcap or a raw socket + return true; + } + + private uint GenerateRandomUint() + { + Random rnd = new Random(); + int part1 = rnd.Next(0, 65536); // Get the lower 16 bits + int part2 = rnd.Next(0, 65536); // Get the upper 16 bits + return (uint)((part2 << 16) | part1); // Combine the two parts + } + + public class PacketInfo + { + public byte[] Packet { get; set; } + public uint FragmentId { get; set; } + + public PacketInfo(byte[] packet, uint fragmentId) + { + Packet = packet; + FragmentId = fragmentId; + } + } + } +} diff --git a/Moriarty/Msrc/CVE-2022-40140.cs b/Moriarty/Msrc/CVE-2022-40140.cs index 34efc6f..a1b4d84 100644 --- a/Moriarty/Msrc/CVE-2022-40140.cs +++ b/Moriarty/Msrc/CVE-2022-40140.cs 
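Review bot: `Check` marks the host vulnerable whenever anything accepts a TCP connection on port 80 of `::1`, because `Send` unconditionally returns `true` and the packet builders return empty arrays. `Trigger` therefore cannot return false once `TestConnectivity` succeeds. That is a false positive on any machine with a local web server, and the "NOT vulnerable" branch is unreachable. `buildNumber` and `installedKBs` are already passed in and unused, so deciding from the installed update level would give a real answer without sending any traffic. Until then, replace the `vulnerabilities.SetAsVulnerable(Id);` call with an inconclusive message such as `DebugUtility.DebugPrint("CVE-2022-34718 check not implemented; result inconclusive.");` and keep the class out of the list in `Program.cs`.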
@@ -1,7 +1,7 @@ using System; +using System.Collections.Generic; using System.Net; using System.Net.Http; -using System.Collections.Generic; namespace Moriarty.Msrc { diff --git a/Moriarty/Msrc/CVE-2023-21768.cs b/Moriarty/Msrc/CVE-2023-21768.cs new file mode 100644 index 0000000..7ec7bfe --- /dev/null +++ b/Moriarty/Msrc/CVE-2023-21768.cs @@ -0,0 +1,12 @@ +using System; +using System.Collections.Generic; +using System.Linq; +using System.Text; +using System.Threading.Tasks; + +namespace Moriarty.Msrc +{ + internal class Class1 + { + } +} diff --git a/Moriarty/Msrc/CVE-2023-23397.cs b/Moriarty/Msrc/CVE-2023-23397.cs new file mode 100644 index 0000000..ab9fd95 --- /dev/null +++ b/Moriarty/Msrc/CVE-2023-23397.cs 
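Review bot: `CVE-2023-21768.cs` adds only the IDE template `internal class Class1` with five unused `using` directives. It does not implement `IVulnerabilityCheck` and is not registered in the `Program.cs` hunk of this patch. A file named after a CVE with no check behind it suggests coverage that does not exist. Drop it from this patch, or replace the body with a comment such as `// TODO: CVE-2023-21768 check not implemented yet`.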
@@ -0,0 +1,42 @@ +using Microsoft.Office.Interop.Outlook; +using System.Collections.Generic; + + +namespace Moriarty.Msrc +{ + public class CVE_2023_23397 : IVulnerabilityCheck + { + private const string Id = "CVE-2023-23397"; + private static readonly string[] Exploits = new[] + { + "https://github.com/example/CVE-2023-23397_scanner" + }; + + public Vulnerability GetVulnerability() + { + return new Vulnerability(Id, Exploits); + } + + public void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List installedKBs) + { + DebugUtility.DebugPrint("Starting scan for CVE-2023-23397..."); + Microsoft.Office.Interop.Outlook.Application outlookApp = new Microsoft.Office.Interop.Outlook.Application(); + NameSpace outlookNamespace = outlookApp.GetNamespace("MAPI"); + MAPIFolder calendarFolder = outlookNamespace.GetDefaultFolder(OlDefaultFolders.olFolderCalendar); + + Items calendarItems = calendarFolder.Items; + calendarItems.IncludeRecurrences = true; + + foreach (AppointmentItem item in calendarItems) + { + if (!string.IsNullOrEmpty(item.ReminderSoundFile) && item.ReminderSoundFile.StartsWith("\\\\")) + { + DebugUtility.DebugPrint($"Detected potential NTLM leak in calendar item: '{item.Subject}' with remote path: {item.ReminderSoundFile}"); + vulnerabilities.SetAsVulnerable(Id); + } + } + + DebugUtility.DebugPrint("Finished scanning for CVE-2023-23397."); + } + } +} diff --git a/Moriarty/Msrc/CVE-2023-36664.cs b/Moriarty/Msrc/CVE-2023-36664.cs index 7d04db3..4ebe181 100644 --- a/Moriarty/Msrc/CVE-2023-36664.cs +++ b/Moriarty/Msrc/CVE-2023-36664.cs @@ -1,8 +1,8 @@ using System; +using System.Collections.Generic; using System.Diagnostics; using System.IO; using System.Linq; -using System.Collections.Generic; namespace Moriarty.Msrc { diff --git a/Moriarty/Msrc/CVE_2021_26855.cs b/Moriarty/Msrc/CVE_2021_26855.cs index eb36b3b..b767092 100644 --- a/Moriarty/Msrc/CVE_2021_26855.cs +++ b/Moriarty/Msrc/CVE_2021_26855.cs 
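Review bot: `calendarItems.IncludeRecurrences = true` followed by an unbounded `foreach` can, per the Outlook object model documentation, yield an effectively infinite collection when the calendar holds a recurring appointment with no end date, so `Check` may never return. `new Microsoft.Office.Interop.Outlook.Application()` is also outside any `try`, so on a host without Outlook the COM activation failure propagates to the caller. Separately, an item whose `ReminderSoundFile` is a UNC path shows that a suspicious item is present, not that the client is unpatched, so `SetAsVulnerable` overstates the finding, and printing `item.Subject` copies calendar content into the debug output. Suggested minimum: wrap the body in `try { … } catch (System.Exception ex)` (qualified, because the Outlook namespace defines its own `Exception`), drop `IncludeRecurrences` or restrict the date range, and log the path without the subject.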
@@ -3,7 +3,6 @@ using System.IO; using System.Linq; using System.Text.RegularExpressions; -using System.Threading.Tasks; namespace Moriarty.Msrc { diff --git a/Moriarty/Msrc/CVE_2021_26857.cs b/Moriarty/Msrc/CVE_2021_26857.cs index f49fa61..5bcc33d 100644 --- a/Moriarty/Msrc/CVE_2021_26857.cs +++ b/Moriarty/Msrc/CVE_2021_26857.cs @@ -1,8 +1,7 @@ using System; +using System.Collections.Generic; using System.IO; using System.Linq; -using System.Collections.Generic; -using System.Text.RegularExpressions; namespace Moriarty.Msrc { diff --git a/Moriarty/Msrc/MS10-015.cs b/Moriarty/Msrc/MS10-015.cs index 3b0dd66..c3b6145 100644 --- a/Moriarty/Msrc/MS10-015.cs +++ b/Moriarty/Msrc/MS10-015.cs @@ -1,7 +1,7 @@ using System; +using System.Collections.Generic; using System.Diagnostics; using System.IO; -using System.Collections.Generic; namespace Moriarty.Msrc { diff --git a/Moriarty/Msrc/MS10-092.cs b/Moriarty/Msrc/MS10-092.cs index 5a26797..5a1fb2b 100644 --- a/Moriarty/Msrc/MS10-092.cs +++ b/Moriarty/Msrc/MS10-092.cs @@ -1,7 +1,7 @@ using System; +using System.Collections.Generic; using System.Diagnostics; using System.IO; -using System.Collections.Generic; namespace Moriarty.Msrc { diff --git a/Moriarty/Msrc/MS13-053.cs b/Moriarty/Msrc/MS13-053.cs index 0fcbb2f..144bf7c 100644 --- a/Moriarty/Msrc/MS13-053.cs +++ b/Moriarty/Msrc/MS13-053.cs @@ -1,7 +1,7 @@ using System; +using System.Collections.Generic; using System.Diagnostics; using System.IO; -using System.Collections.Generic; namespace Moriarty.Msrc { diff --git a/Moriarty/Msrc/MS13-081.cs b/Moriarty/Msrc/MS13-081.cs index 6b7a8c9..5f8b171 100644 --- a/Moriarty/Msrc/MS13-081.cs +++ b/Moriarty/Msrc/MS13-081.cs @@ -1,7 +1,7 @@ using System; +using System.Collections.Generic; using System.Diagnostics; using System.IO; -using System.Collections.Generic; namespace Moriarty.Msrc { diff --git a/Moriarty/Msrc/MS14-058.cs b/Moriarty/Msrc/MS14-058.cs index 0b669d6..f4b1d1e 100644 --- a/Moriarty/Msrc/MS14-058.cs 
+++ b/Moriarty/Msrc/MS14-058.cs @@ -1,7 +1,7 @@ using System; +using System.Collections.Generic; using System.Diagnostics; using System.IO; -using System.Collections.Generic; namespace Moriarty.Msrc { diff --git a/Moriarty/Msrc/MS15-051.cs b/Moriarty/Msrc/MS15-051.cs index 7b20d07..6c3f29e 100644 --- a/Moriarty/Msrc/MS15-051.cs +++ b/Moriarty/Msrc/MS15-051.cs @@ -1,7 +1,7 @@ using System; +using System.Collections.Generic; using System.Diagnostics; using System.IO; -using System.Collections.Generic; namespace Moriarty.Msrc { diff --git a/Moriarty/Msrc/MS15-078.cs b/Moriarty/Msrc/MS15-078.cs index 41114e4..054c952 100644 --- a/Moriarty/Msrc/MS15-078.cs +++ b/Moriarty/Msrc/MS15-078.cs @@ -1,7 +1,7 @@ using System; +using System.Collections.Generic; using System.Diagnostics; using System.IO; -using System.Collections.Generic; namespace Moriarty.Msrc { diff --git a/Moriarty/Msrc/MS16-016.cs b/Moriarty/Msrc/MS16-016.cs index bf8d8e0..ef370a5 100644 --- a/Moriarty/Msrc/MS16-016.cs +++ b/Moriarty/Msrc/MS16-016.cs @@ -1,7 +1,7 @@ using System; +using System.Collections.Generic; using System.Diagnostics; using System.IO; -using System.Collections.Generic; namespace Moriarty.Msrc { diff --git a/Moriarty/Msrc/MS16-032.cs b/Moriarty/Msrc/MS16-032.cs index 0771000..380ef8b 100644 --- a/Moriarty/Msrc/MS16-032.cs +++ b/Moriarty/Msrc/MS16-032.cs @@ -1,7 +1,7 @@ using System; +using System.Collections.Generic; using System.Diagnostics; using System.IO; -using System.Collections.Generic; namespace Moriarty.Msrc { diff --git a/Moriarty/Msrc/MS16-034.cs b/Moriarty/Msrc/MS16-034.cs index 3702ddd..06574b2 100644 --- a/Moriarty/Msrc/MS16-034.cs +++ b/Moriarty/Msrc/MS16-034.cs @@ -1,7 +1,7 @@ using System; +using System.Collections.Generic; using System.Diagnostics; using System.IO; -using System.Collections.Generic; namespace Moriarty.Msrc { diff --git a/Moriarty/Msrc/MS16-135.cs b/Moriarty/Msrc/MS16-135.cs index 7c993a7..6a2de9f 100644 --- a/Moriarty/Msrc/MS16-135.cs 
+++ b/Moriarty/Msrc/MS16-135.cs @@ -1,7 +1,7 @@ using System; +using System.Collections.Generic; using System.Diagnostics; using System.IO; -using System.Collections.Generic; namespace Moriarty.Msrc { diff --git a/Moriarty/Program.cs b/Moriarty/Program.cs index 3944d26..51f4e55 100644 --- a/Moriarty/Program.cs +++ b/Moriarty/Program.cs @@ -1,9 +1,6 @@ using Moriarty.Msrc; using System; using System.Collections.Generic; -using System.Diagnostics; -using System.Reflection; -using System.Linq; namespace Moriarty { @@ -17,6 +14,17 @@ class Program { static List vulnerabilityChecks = new List { + new MS10_015(), + new MS10_092(), + new MS13_053(), + new MS13_081(), + new MS14_058(), + new MS15_051(), + new MS15_078(), + new MS16_016(), + new MS16_032(), + new MS16_034(), + new MS16_135(), new CVE_2019_0836(), new CVE_2019_0841(), new CVE_2019_1064(), @@ -29,20 +37,8 @@ class Program new CVE_2020_0668(), new CVE_2020_0683(), new CVE_2020_1013(), - new MS10_015(), - new MS10_092(), - new MS13_053(), - new MS13_081(), - new MS14_058(), - new MS15_051(), - new MS15_078(), - new MS16_016(), - new MS16_032(), - new MS16_034(), - new MS16_135(), new CVE_2017_7199(), new CVE_2020_0796(), - new CVE_2023_36664(), new CVE_2021_1675(), new CVE_2021_44228(), new CVE_2022_40140(), @@ -52,6 +48,9 @@ class Program new CVE_2021_26857(), new CVE_2021_27065(), new CVE_2021_26858(), + new CVE_2022_34718(), + new CVE_2023_36664(), + new CVE_2023_23397(), }; public static void Main(string[] args) diff --git a/Moriarty/Utils/Info.cs b/Moriarty/Utils/Info.cs index 25f321b..e5b6952 100644 --- a/Moriarty/Utils/Info.cs +++ b/Moriarty/Utils/Info.cs 
@@ -12,7 +12,7 @@ public static void PrintLogo() Console.WriteLine("██ ████ ██ ██ ██ ██████ ██ ███████ ██████ ██ ████ "); Console.WriteLine("██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ "); Console.WriteLine("██ ██ ██████ ██ ██ ██ ██ ██ ██ ██ ██ ██ "); - Console.WriteLine(" v1.1"); + Console.WriteLine(" v1.2"); Console.WriteLine(" BC Security\r\n"); } public static void PrintHelp() diff --git a/Moriarty/Utils/VulnerabilityCollection.cs b/Moriarty/Utils/VulnerabilityCollection.cs index 9eed672..dda5fee 100644 --- a/Moriarty/Utils/VulnerabilityCollection.cs +++ b/Moriarty/Utils/VulnerabilityCollection.cs @@ -1,8 +1,6 @@ using System; using System.Collections.Generic; using System.Linq; -using System.Reflection; -using Moriarty.Msrc; namespace Moriarty { diff --git a/Moriarty/packages.config b/Moriarty/packages.config new file mode 100644 index 0000000..378d64d --- /dev/null +++ b/Moriarty/packages.config @@ -0,0 +1,4 @@ + + + + \ No newline at end of file From bf6a6a4b63896737cdcf26bba53998a42400e3e0 Mon Sep 17 00:00:00 2001 From: coin Date: Sun, 21 Apr 2024 19:05:52 -0400 Subject: [PATCH 06/10] Updated changelog --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3110c35..ec6464b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] - Added GitHub action to compile executable on release - Updated Task calls so it works with Empire +- Added 2023-23397 +- Added 2022-34718 +- Removed unused imports +- Updated CVE-2021-44228 to have a max depth for scanning files +- Updated min .NET version to 4.5 ## 1.1 - 2024-03-13 ### Added From c6f9aaac77e0ba40eb3806f6103084bf891198ce Mon Sep 17 00:00:00 2001 
From: coin Date: Mon, 22 Apr 2024 09:28:32 -0400 Subject: [PATCH 07/10] Update CVE-2023-23397 to test sound file --- Moriarty/Moriarty.csproj | 1 + Moriarty/Msrc/CVE-2022-34718.cs | 2 +- Moriarty/Msrc/CVE-2023-23397.cs | 59 +++++++++++++++++++++++++-------- 3 files changed, 47 insertions(+), 15 deletions(-) diff --git a/Moriarty/Moriarty.csproj b/Moriarty/Moriarty.csproj index 2a39632..dc35b1e 100644 --- a/Moriarty/Moriarty.csproj +++ b/Moriarty/Moriarty.csproj @@ -50,6 +50,7 @@ false + ..\packages\Microsoft.Office.Interop.Outlook.15.0.4797.1004\lib\net20\Microsoft.Office.Interop.Outlook.dll True diff --git a/Moriarty/Msrc/CVE-2022-34718.cs b/Moriarty/Msrc/CVE-2022-34718.cs index 80047d8..f6f31d2 100644 --- a/Moriarty/Msrc/CVE-2022-34718.cs +++ b/Moriarty/Msrc/CVE-2022-34718.cs @@ -10,7 +10,7 @@ public class CVE_2022_34718 : IVulnerabilityCheck private const string Id = "CVE-2022-34718"; private static readonly string[] Exploits = new[] { - "https://github.com/user/CVE-2022-34718_implementation" + "https://github.com/SecLabResearchBV/CVE-2022-34718-PoC" }; public Vulnerability GetVulnerability() diff --git a/Moriarty/Msrc/CVE-2023-23397.cs b/Moriarty/Msrc/CVE-2023-23397.cs index ab9fd95..cea8c6b 100644 --- a/Moriarty/Msrc/CVE-2023-23397.cs +++ b/Moriarty/Msrc/CVE-2023-23397.cs @@ -1,7 +1,7 @@ using Microsoft.Office.Interop.Outlook; +using System; using System.Collections.Generic; - namespace Moriarty.Msrc { public class CVE_2023_23397 : IVulnerabilityCheck @@ -9,7 +9,7 @@ public class CVE_2023_23397 : IVulnerabilityCheck private const string Id = "CVE-2023-23397"; private static readonly string[] Exploits = new[] { - "https://github.com/example/CVE-2023-23397_scanner" + "https://github.com/api0cradle/CVE-2023-23397-POC-Powershell/tree/main" }; public Vulnerability GetVulnerability() 
@@ -19,24 +19,55 @@ public Vulnerability GetVulnerability()
 public void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List installedKBs)
 {
- DebugUtility.DebugPrint("Starting scan for CVE-2023-23397...");
- Microsoft.Office.Interop.Outlook.Application outlookApp = new Microsoft.Office.Interop.Outlook.Application();
- NameSpace outlookNamespace = outlookApp.GetNamespace("MAPI");
- MAPIFolder calendarFolder = outlookNamespace.GetDefaultFolder(OlDefaultFolders.olFolderCalendar);
-
- Items calendarItems = calendarFolder.Items;
- calendarItems.IncludeRecurrences = true;
+ Application outlookApp = null;
+ AppointmentItem newAppointment = null;
- foreach (AppointmentItem item in calendarItems)
+ try
 {
- if (!string.IsNullOrEmpty(item.ReminderSoundFile) && item.ReminderSoundFile.StartsWith("\\\\"))
+ DebugUtility.DebugPrint("Starting proactive scan for CVE-2023-23397...");
+ outlookApp = new Application();
+ NameSpace outlookNamespace = outlookApp.GetNamespace("MAPI");
+ MAPIFolder calendarFolder = outlookNamespace.GetDefaultFolder(OlDefaultFolders.olFolderCalendar);
+
+ newAppointment = (AppointmentItem)calendarFolder.Items.Add(OlItemType.olAppointmentItem);
+ newAppointment.Subject = "Proactive Vulnerability Test";
+ newAppointment.Start = System.DateTime.Now.AddHours(2);
+ newAppointment.End = System.DateTime.Now.AddHours(3);
+ newAppointment.ReminderSet = true;
+ newAppointment.ReminderMinutesBeforeStart = 15;
+ newAppointment.ReminderSoundFile = @"\\fakepath\sound.wav";
+ newAppointment.Save();
+
+ Console.WriteLine(newAppointment.ReminderSoundFile);
+ if (newAppointment.ReminderSoundFile.Equals(@"\\fakepath\sound.wav"))
 {
- DebugUtility.DebugPrint($"Detected potential NTLM leak in calendar item: '{item.Subject}' with remote path: {item.ReminderSoundFile}");
+ DebugUtility.DebugPrint("Successfully validated the UNC path in the reminder sound file.");
 vulnerabilities.SetAsVulnerable(Id);
 }
- }
+ else
+ {
+ DebugUtility.DebugPrint("The UNC path in the reminder sound file was not set as expected.");
+ }
- DebugUtility.DebugPrint("Finished scanning for CVE-2023-23397.");
+ // Clean up the test appointment
+ newAppointment.Delete();
+ DebugUtility.DebugPrint("Successfully cleaned up the test appointment.");
+ }
+ catch (System.Runtime.InteropServices.COMException comEx)
+ {
+ DebugUtility.DebugPrint("Failed to create or delete the appointment - COM Exception: " + comEx.Message);
+ DebugUtility.DebugPrint("Outlook may be properly secured against this type of vulnerability.");
+ }
+ catch (System.Exception ex)
+ {
+ DebugUtility.DebugPrint("Failed to create or delete the appointment - Exception: " + ex.Message);
+ DebugUtility.DebugPrint("This could indicate that proactive security measures are in place.");
+ }
+ finally
+ {
+ if (newAppointment != null) System.Runtime.InteropServices.Marshal.ReleaseComObject(newAppointment);
+ if (outlookApp != null) System.Runtime.InteropServices.Marshal.ReleaseComObject(outlookApp);
+ }
 }
 }
 }
From 0a517e1543e3c1a5ba079427f7127d812117556d Mon Sep 17 00:00:00 2001
From: Anthony Rose <20302208+Cx01N@users.noreply.github.com>
Date: Tue, 23 Apr 2024 09:15:27 -0400
Subject: [PATCH 08/10] Update CHANGELOG.md
---
 CHANGELOG.md | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ec6464b..09c4d43 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
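Review bot: In `Check` (Moriarty/Msrc/CVE-2023-23397.cs), `newAppointment.Delete()` sits inside the `try`, after `Save()`, the `Console.WriteLine` and the `Equals` call, so any exception raised between `Save()` and `Delete()` leaves an appointment in the user's calendar whose reminder sound points at a UNC path. On an unpatched client that leftover item is itself the condition the check is looking for, so the cleanup belongs in `finally`, as sketched below. The verdict is also weak: the code reads back the value it has just written, which shows that the property is writable rather than that the fix is missing, and as far as I know patched Outlook builds still store the property; comparing the installed Outlook build against the fixed builds would be a firmer signal. The unconditional `Console.WriteLine(newAppointment.ReminderSoundFile);` looks like leftover debugging and should go through `DebugUtility.DebugPrint` or be removed.

```csharp
// … unchanged: try body up to the if/else, without the Delete() call; both catch blocks …
finally
{
    if (newAppointment != null)
    {
        try
        {
            // Runs on every path, so a probe item saved before a failure is not left in the calendar.
            newAppointment.Delete();
        }
        catch (System.Runtime.InteropServices.COMException comEx)
        {
            DebugUtility.DebugPrint("Could not delete the test appointment: " + comEx.Message);
        }
        System.Runtime.InteropServices.Marshal.ReleaseComObject(newAppointment);
    }
    // … unchanged: release of outlookApp …
}
```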
@@ -13,13 +13,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Security** in case of vulnerabilities.
 ## [Unreleased]
-- Added GitHub action to compile executable on release
-- Updated Task calls so it works with Empire
+### Added
+- Added GitHub action to compile executable on release
 - Added 2023-23397
-- Added 2022-34718
+- Added 2022-34718
+
+### Removed
 - Removed unused imports
-- Updated CVE-2021-44228 to have a max depth for scanning files
+
+### Changed
 - Updated min .NET version to 4.5
+- Updated CVE-2021-44228 to have a max depth for scanning files
+- Updated Task calls so it works with Empire
 ## 1.1 - 2024-03-13
 ### Added
From 516d9a309be67ebeebaa9e3459eebc8715350e2a Mon Sep 17 00:00:00 2001
From: coin
Date: Tue, 23 Apr 2024 12:23:50 -0400
Subject: [PATCH 09/10] Fixed outlook scan to not throw error if not installed
---
 Moriarty/Msrc/CVE-2023-23397.cs | 62 +++++++++++++++++++++++++++++++--
 README.md | 31 +++++++++++++++--
 2 files changed, 88 insertions(+), 5 deletions(-)
diff --git a/Moriarty/Msrc/CVE-2023-23397.cs b/Moriarty/Msrc/CVE-2023-23397.cs
index cea8c6b..58c6723 100644
--- a/Moriarty/Msrc/CVE-2023-23397.cs
+++ b/Moriarty/Msrc/CVE-2023-23397.cs
@@ -1,4 +1,5 @@
 using Microsoft.Office.Interop.Outlook;
+using Microsoft.Win32;
 using System;
 using System.Collections.Generic;
@@ -19,12 +20,18 @@ public Vulnerability GetVulnerability()
 public void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List installedKBs)
 {
+ DebugUtility.DebugPrint("Starting scan for CVE-2023-23397...");
 Application outlookApp = null;
 AppointmentItem newAppointment = null;
+ if (!IsOutlookConfigured())
+ {
+ DebugUtility.DebugPrint("Outlook is not installed or not configured. Skipping CVE-2023-23397 check.");
+ return;
+ }
+
 try
 {
- DebugUtility.DebugPrint("Starting proactive scan for CVE-2023-23397...");
 outlookApp = new Application();
 NameSpace outlookNamespace = outlookApp.GetNamespace("MAPI");
 MAPIFolder calendarFolder = outlookNamespace.GetDefaultFolder(OlDefaultFolders.olFolderCalendar);
@@ -48,8 +55,6 @@ public void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List
 {
 DebugUtility.DebugPrint("The UNC path in the reminder sound file was not set as expected.");
 }
-
- // Clean up the test appointment
 newAppointment.Delete();
 DebugUtility.DebugPrint("Successfully cleaned up the test appointment.");
 }
@@ -69,5 +74,56 @@ public void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List
 if (outlookApp != null) System.Runtime.InteropServices.Marshal.ReleaseComObject(outlookApp);
 }
 }
+
+ private bool IsOutlookConfigured()
+ {
+ try
+ {
+ string outlookProfileRegKey = @"Software\Microsoft\Office\16.0\Outlook\Profiles";
+ using (RegistryKey key = Registry.CurrentUser.OpenSubKey(outlookProfileRegKey))
+ {
+ if (key != null)
+ {
+ string[] profileNames = key.GetSubKeyNames();
+ if (profileNames.Length == 0)
+ {
+ DebugUtility.DebugPrint("No profiles are configured.");
+ return false;
+ }
+ }
+
+ else
+ {
+ DebugUtility.DebugPrint("Outlook profile registry key not found.");
+ return false;
+ }
+ }
+
+ Application outlookApp = new Application();
+ if (outlookApp != null)
+ {
+ System.Runtime.InteropServices.Marshal.ReleaseComObject(outlookApp);
+ return true;
+ }
+ else
+ {
+ DebugUtility.DebugPrint("Outlook application object could not be created.");
+ return false;
+ }
+ }
+ catch (System.Security.SecurityException secEx)
+ {
+ DebugUtility.DebugPrint("Security Exception (access to the registry might be denied): " + secEx.Message);
+ }
+ catch (System.Runtime.InteropServices.COMException comEx)
+ {
+ DebugUtility.DebugPrint("COM Exception (Outlook may not be installed/configured): " + comEx.Message);
+ }
+ catch (System.Exception ex)
+ {
+ DebugUtility.DebugPrint("General Exception: " + ex.Message);
+ }
+ return false;
+ }
 }
 }
diff --git a/README.md b/README.md
index e15a96b..48094e1 100644
--- a/README.md
+++ b/README.md
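Review bot: `IsOutlookConfigured` looks only under `Software\Microsoft\Office\16.0\Outlook\Profiles`, so a host whose Outlook keeps its profiles under another Office version key (Outlook 2013 uses `15.0`, and the project references the 15.0 interop assembly) returns false and the CVE-2023-23397 check is skipped without a finding. Probing the known version keys, for example `foreach (var ver in new[] { "16.0", "15.0" })` around the `OpenSubKey` call, would close that gap. The `else` branch after `new Application()` cannot be reached, since `new` either returns an object or throws, and the probe starts an Outlook COM instance only to release it again before `Check` creates its own; the registry result alone would be enough to decide. Because the skip is reported only through `DebugUtility.DebugPrint`, a normal run presumably cannot tell "not checked" from "not vulnerable".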
@@ -25,6 +25,32 @@ After cloning the repository, you can build the Moriarty executable using Visual
 4. Build the solution by selecting "Build > Build Solution" from the menu.
 ## Usage
+
+### Help Menu
+```
+C:\> Moriarty.exe --help
+
+███ ███ ██████ ██████ ██ █████ ██████ ████████ ██ ██
+████ ████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
+██ ████ ██ ██ ██ ██████ ██ ███████ ██████ ██ ████
+██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
+██ ██ ██████ ██ ██ ██ ██ ██ ██ ██ ██ ██
+ v1.2
+ BC Security
+
+Usage: Moriarty.exe [options]
+Options:
+ -h, --help Display this help message.
+ -d, --debug Run in debug mode for additional output.
+ -l, --list-vulns List all vulnerabilities that are scanned for.
+
+Examples:
+ Moriarty.exe -d
+ Moriarty.exe --list-vulns
+
+```
+
+### Scan
 ```
 C:\> Moriarty.exe
 ███ ███ ██████ ██████ ██ █████ ██████ ████████ ██ ██
@@ -33,7 +59,7 @@ C:\> Moriarty.exe
 ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
 ██ ██ ██████ ██ ██ ██ ██ ██ ██ ██ ██ ██
- v1.0
+ v1.2
 BC Security
 [*] OS Version: 22H2 (22621)
@@ -44,8 +70,9 @@ C:\> Moriarty.exe
 [+] PrintNightmare (CVE-2021-1675, CVE-2021-34527) : VULNERABLE
 [>] https://github.com/xbufu/PrintNightmareCheck/tree/main
- [*] Vulnerabilities found: 2/30
+ [*] Vulnerabilities found: 2/37
 [+] Scan Complete!
+
 ```
 ## CVEs and Vulnerabilities
From 39e64023eca083ed26310bdcc7b08495ff656fde Mon Sep 17 00:00:00 2001
From: coin
Date: Tue, 23 Apr 2024 12:26:29 -0400
Subject: [PATCH 10/10] changelog update
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 48094e1..8840f8b 100644
--- a/README.md
+++ b/README.md
@@ -112,6 +112,8 @@ Moriarty scans for a variety of CVEs and vulnerabilities. Below is a table detai
 | [CVE-2021-27065](https://www.cve.org/CVERecord?id=CVE-2021-27065) | A post-authentication arbitrary file write vulnerability in Exchange Server could lead to remote code execution. |
 | [CVE-2021-44228](https://www.cve.org/CVERecord?id=CVE-2021-44228) | Log4Shell, a remote code execution vulnerability in Apache Log4j. |
 | [CVE-2021-36934](https://www.cve.org/CVERecord?id=CVE-2021-36934) | HiveNightmare - A vulnerability that allows for local privilege escalation due to overly permissive Access Control Lists (ACLs) on system files, including the Security Accounts Manager (SAM). |
+| [CVE-2022-34718](https://www.cve.org/CVERecord?id=CVE-2022-34718) | Windows TCP/IP Remote Code Execution Vulnerability. |
 | [CVE-2022-40140](https://www.cve.org/CVERecord?id=CVE-2022-40140) | A vulnerability in Microsoft Exchange Server leading to remote code execution. |
 | [CVE-2022-22965](https://www.cve.org/CVERecord?id=CVE-2022-22965) | Spring4Shell, a remote code execution vulnerability in Spring Framework. |
 | [CVE-2023-36664](https://www.cve.org/CVERecord?id=CVE-2023-36664) | Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the pipe character prefix). |
+| [CVE-2023-23397](https://www.cve.org/CVERecord?id=CVE-2023-23397) | Microsoft Outlook Elevation of Privilege Vulnerability. |
\ No newline at end of file