Dark Elevator - Privilege Escalation Toolkit for Windows
About
Most people assume that privilege escalation on win32 is ludicrously easy. For the most part that is true, but there aren't many tools that actually help you do it. Dark Elevator has two main modes. Running as a standard user, it tries to find a way to Admin or SYSTEM on the box. In audit mode it runs as an admin and looks for ways a specific, lower-privileged user could escalate.

This isn't a clever tool; the original idea was formulated and hacked together in Python in an evening at hack-fu. I've worked on it since then, adding features and making it more useful, but it's essentially the same. It is just an intelligent, automated Python wrapper around tools like depends, autoruns and accesschk. I'm slowly reimplementing the external tools in Python as necessary, which should remove the dependencies soon; it's pretty trivial to do, but I want it to work for 99% of cases as is before I rip apart the code again. It's amazing how many holes this finds for me during work host audits. Most people just never check this stuff because it's too time consuming.

Features in the current version:
- checks files that run at startup under high privileges for write access
- checks registry entries that start processes at login or boot for write access
- checks permissions on currently running processes (helpful in Citrix environments, where admin always runs something like c:\temp\script.exe)
- checks for write permissions on Windows services
- audit or privesc mode, depending on whether you are admin or not
- does dependency checking to find vulnerable files (DLLs) that auto-run files depend on
- automatically performs the privesc operation for each of the above
- attempts the privesc most likely to succeed first
- tests for parent-path writes and program.exe (unquoted path) attacks; understands SafeDllSearchMode and Windows File Protection so that it only reports escalations that will actually work
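The three path-based checks in the list above (program.exe candidates from an unquoted command, parent-path writes, and the DLL search order under SafeDllSearchMode) are pure logic once you have a write-access oracle. The block below is an added example written for this page, not Dark Elevator's own code: the service table, the set of writable paths and the `can_write` oracle are constructed so it runs on any host; on a live box you would pass something like `lambda p: os.access(p, os.W_OK)` instead. The rule that an unquoted executable ends at the first token ending in `.exe` is an assumption that fits typical auto-run values.

```python
"""Added example: the pure logic behind the program.exe, parent-path and
SafeDllSearchMode checks.  Not Dark Elevator code; sample data is constructed."""
import ntpath
from typing import Callable, Dict, List, Tuple

CanWrite = Callable[[str], bool]


def split_command(command: str) -> Tuple[str, str]:
    """Split a Run-key / ImagePath value into (executable, arguments).
    Quoted commands are unambiguous; for unquoted ones the executable is
    assumed to end at the first token ending in '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    tokens = command.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1]), " ".join(tokens[i + 1:]).strip()
    return command, ""


def program_exe_candidates(command: str) -> List[str]:
    """Files CreateProcess tries *before* the intended binary when the path is
    unquoted and contains spaces: each space-delimited prefix plus '.exe'.
    'C:\\A B\\C D\\x.exe' -> ['C:\\A.exe', 'C:\\A B\\C.exe']."""
    if command.strip().startswith('"'):
        return []
    exe, _ = split_command(command)
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def dll_search_order(exe_dir: str, cwd: str, safe_dll_search_mode: bool,
                     windir: str = r"C:\Windows",
                     path_dirs: Tuple[str, ...] = ()) -> List[str]:
    """Directories LoadLibrary walks for a DLL named without a path (and not a
    KnownDLL).  With SafeDllSearchMode on (the XP SP2+ default) the current
    directory sits below the system directories; with it off, cwd is searched
    right after the application directory."""
    system_dirs = [ntpath.join(windir, "System32"), ntpath.join(windir, "System"), windir]
    order = [exe_dir] + system_dirs + [cwd] if safe_dll_search_mode else [exe_dir, cwd] + system_dirs
    return order + list(path_dirs)


def dll_plant_points(real_dll_dir: str, search_order: List[str], can_write: CanWrite) -> List[str]:
    """Writable directories searched *before* the one the real DLL lives in;
    a same-named DLL dropped into any of them wins the search."""
    points = []
    for d in search_order:
        if ntpath.normcase(d) == ntpath.normcase(real_dll_dir):
            break
        if can_write(d):
            points.append(d)
    return points


def attack_points(command: str, can_write: CanWrite) -> List[Tuple[str, str]]:
    """Concrete hijacks available for one auto-start command."""
    exe, _ = split_command(command)
    found = []
    if can_write(exe):                              # overwrite the binary itself
        found.append(("overwrite", exe))
    exe_dir = ntpath.dirname(exe)
    if can_write(exe_dir):                          # first dir in the DLL search
        found.append(("dll-plant", exe_dir))
    for cand in program_exe_candidates(command):    # parent-path write
        if can_write(ntpath.dirname(cand)):
            found.append(("program.exe", cand))
    return found


def audit(services: Dict[str, str], can_write: CanWrite) -> Dict[str, List[Tuple[str, str]]]:
    """Run attack_points over a {service: ImagePath} table, keeping hits only."""
    result = {}
    for name, cmd in services.items():
        hits = attack_points(cmd, can_write)
        if hits:
            result[name] = hits
    return result


# --- constructed sample data, not read from a real host ---------------------
SAMPLE_SERVICES = {
    "VendorAgent": r"C:\Tools\Vendor Agent\agent.exe -service",  # unquoted, spaces
    "Spooler": r'"C:\Windows\System32\spoolsv.exe"',             # quoted, protected
}
SAMPLE_WRITABLE = {ntpath.normcase(p) for p in
                   (r"C:\Tools", r"C:\Tools\Vendor Agent", r"C:\Users\me")}


def sample_can_write(path: str) -> bool:
    return ntpath.normcase(path) in SAMPLE_WRITABLE


if __name__ == "__main__":
    for svc, hits in audit(SAMPLE_SERVICES, sample_can_write).items():
        for kind, where in hits:
            print(f"{svc}: {kind} -> {where}")
    for safe in (True, False):
        order = dll_search_order(r"C:\Tools\Vendor Agent", r"C:\Users\me", safe)
        print("SafeDllSearchMode", safe, "plant points:",
              dll_plant_points(r"C:\Windows\System32", order, sample_can_write))
```

Against the sample the quoted Spooler entry yields nothing, while the unquoted VendorAgent entry yields both a parent-path write (C:\Tools\Vendor.exe) and a DLL plant in its own directory; flipping SafeDllSearchMode off additionally promotes the writable current directory above System32, which is why the tool has to know that setting before calling a DLL hijack reliable. Write access to the exe's own directory is reported regardless of the mode because the application directory is searched first either way.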

Additional Tools
- window hunter for finding shatter-attackable windows

Planned Features (in likely order of implementation):
- old-school AT scheduler attack; shouldn't work on post-2000 machines, but it's an easy check to implement
- token privilege escalation (generally low-privilege processes started by high-privilege processes that give up their rights in a broken manner)
- check for old local privesc exploits that have been patched, probably by checking DLL versions etc. for classic ntpwn.exe-style attacks. This is effectively MBSA crap, but it will still make my life easier.


Yes, this is in active development, if you need a specific feature, hassle me and maybe buy me a beer.
News
November 18 2007 Official alpha release. So I released this tool at kiwicon with a brief lightning talk, which generated a whole lot of interest. But the download link was broken, so, duh. It's not really production ready, but it is more ready than it used to be. I have a bit of time over the next few weeks and I am now more motivated to finish it. Effectively the audit component feels pretty solid, but the privesc component, while all the bits are there, just doesn't work cleanly enough and often creates errors. If you are trying it, please run it with -vv and -l and send me a log with what breaks, and I'll put it at the top of the priority list.
November 21 2007 Cheers to everyone who mailed me. Yes, I screwed up the link again, by failing to sync my local copy with the server copy (lrn2rsync).
Downloads

Single Executable: darkelevator.exe (packed with dependencies using pyinstaller)
Binary Zip: bin
Source: src (in some state of disrepair, but the full directory as I last looked at it)
Change Log: changelog.txt
Readme: readme.txt
Code
sham_filemanip.py: utils for manipulating files and PE structures, overwriting files and packing malicious files with others
sham_winutils.py: utils for dealing with Windows from Python the way you want to when you're haxing; wrappers around registry handling, file handling and permission wrangling
shatterhunt.py: tools for hunting out shatter bugs