batterUp.cmd

1. @echo off
2. REM Batch port of selected modules from PowerUp by harmj0y
3. REM Author: @_wald0
4. SETLOCAL ENABLEDELAYEDEXPANSION
5.  
6. REM ======================================
7. REM = Find unquoted service binary paths =
8. REM ======================================
9. echo(
10. echo Finding unquoted service binary paths...
11. echo(
12.  
13. for /f "tokens=2* delims=:" %%i in ('sc query ^|findstr "SERVICE_NAME"') do (
14. set str=%%i
15. set str=!str:~1!
16. sc qc "!str!" | findstr "BINARY_PATH_NAME" | findstr /iv "c:\windows\\" | findstr /iv """
17. )
18.  
19. REM ========================================================================
20. REM = Check permissions on services =
21. REM = Technique stolen from PowerUp by harmj0y =
22. REM = https://github.com/HarmJ0y/PowerUp/blob/master/PowerUp.ps1#L104-L141 =
23. REM ========================================================================
24. echo(
25. echo Finding service binaries your user has write access to...
26. echo(
27.  
28. for /f "tokens=2* delims=:" %%i in ('sc query ^|findstr "SERVICE_NAME"') do (
29. set str=%%i
30. set str=!str:~1!
31. for /f "tokens=4" %%e in ('sc qc "!str!" ^| findstr "ERROR_CONTROL"') do (
32. set errCtrl=%%e
33. sc config "!str!" error= !errCtrl! > nul && (
34. echo Vulnerable service found: !str!
35. )
36. )
37. )
38.  
39. REM =================================================
40. REM = Check for write access to directories in PATH =
41. REM =================================================
42. echo(
43. echo Finding write access in PATH directories...
44. echo(
45.  
46. REM http://stackoverflow.com/a/14879373
47. for %%A in ("%path:;=";"%") do (
48. set filename=%%~A\dll-write-check.txt
49. copy /y nul "!filename!" > nul 2>&1 && (
50. del "!filename!"
51. echo Writable path directory found: %%A
52. )
53. )