Stars: 467
Rank: 93,935 (Top 2 %)
Language: C#
License: GNU General Publi...
Created: 11 months ago
Updated: 3 months ago


Moriarty

Moriarty is a comprehensive .NET tool that extends the functionality of Watson and Sherlock, originally developed by @_RastaMouse. It is designed to enumerate missing KBs, detect various vulnerabilities, and suggest potential exploits for Privilege Escalation in Windows environments. Moriarty combines the capabilities of Watson and Sherlock, adding enhanced scanning for newer vulnerabilities and integrating additional checks.

Supported Versions

Windows 10: 1507, 1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2, 21H1, 21H2, 22H2
Windows 11: 21H2, 22H2
Windows Server: 2016, 2019, 2022

CVEs and Vulnerabilities

Moriarty scans for a variety of CVEs and vulnerabilities. The table below lists each one with a short description and a reference to the corresponding Microsoft bulletin or CVE database entry.

| CVE/Vulnerability ID | Description |
|---|---|
| MS10-015 | Vulnerability in Windows Kernel related to privilege elevation, allowing attackers to execute arbitrary code. |
| MS10-092 | Vulnerability in Windows Task Scheduler allowing for arbitrary code execution with escalated privileges. |
| MS13-053 | Multiple vulnerabilities in Windows Kernel-Mode Drivers that could allow elevation of privilege. |
| MS13-081 | Multiple vulnerabilities in Windows Kernel-Mode Drivers that could allow remote code execution. |
| MS14-058 | Vulnerabilities in Kernel-Mode Driver that could allow remote code execution through specially crafted TrueType font files. |
| MS15-051 | Vulnerability in Windows Kernel-Mode Drivers allowing for elevation of privilege by bypassing the security features of Windows. |
| MS15-078 | Vulnerability in Windows Font Driver allowing remote code execution through maliciously crafted OpenType fonts. |
| MS16-016 | Vulnerability in WebDAV that could allow elevation of privilege through improper handling of memory. |
| MS16-032 | Vulnerability in Secondary Logon process that could allow elevation of privilege by running a specially crafted application. |
| MS16-034 | Vulnerabilities in Windows Kernel-Mode Driver that could allow elevation of privilege due to the way kernel-mode drivers handle objects in memory. |
| MS16-135 | Vulnerability in Windows Kernel-Mode Drivers that could allow elevation of privilege due to improper handling of certain types of objects in memory. |
| CVE-2017-7199 | A privilege escalation vulnerability in Windows due to the way certain applications handle process tokens. |
| CVE-2019-0836 | An elevation of privilege vulnerability in Windows due to the way the Win32k component handles objects in memory. |
| CVE-2019-0841 | Elevation of privilege vulnerability in Windows AppX Deployment Server, allowing attackers to overwrite system files. |
| CVE-2019-1064 | An elevation of privilege vulnerability in Windows due to improper handling of symbolic links. |
| CVE-2019-1130 | An elevation of privilege vulnerability in Windows due to the way the Windows CSRSS handles certain requests. |
| CVE-2019-1253 | Elevation of privilege vulnerability in Windows AppX Deployment Server due to improper permissions settings. |
| CVE-2019-1315 | An elevation of privilege vulnerability in Windows Error Reporting (WER) due to improper handling of hard links. |
| CVE-2019-1385 | Elevation of privilege vulnerability due to improper handling of objects in memory in Windows. |
| CVE-2019-1388 | A vulnerability in Windows UAC that allows bypassing of the UAC dialog, leading to elevation of privilege. |
| CVE-2019-1405 | An elevation of privilege vulnerability in Windows UPnP Service due to improper handling of objects in memory. |
| CVE-2020-0668 | An elevation of privilege vulnerability due to improper handling of symbolic links in Windows. |
| CVE-2020-0683 | Elevation of privilege vulnerability in Windows due to improper handling of file paths. |
| CVE-2020-0796 | A remote code execution vulnerability in SMBv3 known as 'SMBGhost'. |
| CVE-2020-1013 | A local privilege escalation vulnerability in Windows Update Orchestrator Service. |
| CVE-2023-36664 | A command injection vulnerability in Ghostscript. |
| CVE-2021-1675 | PrintNightmare, a remote code execution vulnerability in Windows Print Spooler. |
| CVE-2021-44228 | Log4Shell, a remote code execution vulnerability in Apache Log4j. |
| CVE-2022-40140 | A vulnerability in Microsoft Exchange Server leading to remote code execution. |
| CVE-2022-22965 | Spring4Shell, a remote code execution vulnerability in Spring Framework. |

Usage

C:\> Moriarty.exe
███    ███  ██████  ██████  ██  █████  ██████  ████████ ██    ██
████  ████ ██    ██ ██   ██ ██ ██   ██ ██   ██    ██     ██  ██
██ ████ ██ ██    ██ ██████  ██ ███████ ██████     ██      ████
██  ██  ██ ██    ██ ██   ██ ██ ██   ██ ██   ██    ██       ██
██      ██  ██████  ██   ██ ██ ██   ██ ██   ██    ██       ██

                                                 v1.0
                                                 BC Security

 [*] OS Version: 22H2 (22621)
 [*] Enumerating installed KBs...
 [+] CVE-2023-36664 : VULNERABLE
  [>] https://github.com/jakabakos/CVE-2023-36664-Ghostscript-command-injection

 [+] PrintNightmare (CVE-2021-1675, CVE-2021-34527) : VULNERABLE
  [>] https://github.com/xbufu/PrintNightmareCheck/tree/main

 [*] Vulnerabilities found: 2/30
 [+] Scan Complete!
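To feed a run like the one above into patch management or ticketing rather than reading it by eye, here is an added Python example (not part of Moriarty or this repository) that parses the console output into structured findings and checks the tool's own "N/M" summary against what was actually parsed. It assumes only the line prefixes shown above (`[*]`, `[+] ... : VULNERABLE`, `[>]`) and uses the sample output above as constructed input.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: the console output shown above, captured as text.
SAMPLE_OUTPUT = """\
 [*] OS Version: 22H2 (22621)
 [*] Enumerating installed KBs...
 [+] CVE-2023-36664 : VULNERABLE
  [>] https://github.com/jakabakos/CVE-2023-36664-Ghostscript-command-injection

 [+] PrintNightmare (CVE-2021-1675, CVE-2021-34527) : VULNERABLE
  [>] https://github.com/xbufu/PrintNightmareCheck/tree/main

 [*] Vulnerabilities found: 2/30
 [+] Scan Complete!
"""
OS_RE = re.compile(r"^\s*\[\*\] OS Version: (.+?)\s*$")
FINDING_RE = re.compile(r"^\s*\[\+\] (.+?) : VULNERABLE\s*$")
REF_RE = re.compile(r"^\s*\[>\] (\S+)")
SUMMARY_RE = re.compile(r"^\s*\[\*\] Vulnerabilities found: (\d+)/(\d+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

@dataclass
class Finding:
    name: str                  # label as printed, e.g. "PrintNightmare (CVE-..., CVE-...)"
    cves: list[str]            # every CVE id mentioned in that label
    references: list[str] = field(default_factory=list)

@dataclass
class ScanReport:
    os_version: str = ""
    findings: list[Finding] = field(default_factory=list)
    reported_found: int = -1   # the "N/M" the tool prints; -1 if no summary line was seen
    reported_total: int = -1

    def consistent(self) -> bool:
        # True when the tool's own summary count matches the findings actually parsed
        return self.reported_found == len(self.findings)

def parse_moriarty_output(text: str) -> ScanReport:
    report, current = ScanReport(), None
    for line in text.splitlines():
        if m := OS_RE.match(line):
            report.os_version = m[1]
        elif m := FINDING_RE.match(line):
            current = Finding(m[1], CVE_RE.findall(m[1]))
            report.findings.append(current)
        elif (m := REF_RE.match(line)) and current is not None:
            current.references.append(m[1])   # a [>] line belongs to the finding above it
        elif m := SUMMARY_RE.match(line):
            report.reported_found, report.reported_total = int(m[1]), int(m[2])
            current = None                    # nothing after the summary is a reference
    return report
```

A `consistent()` result of False means output was truncated or the format changed, so the run should be re-captured rather than trusted.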
