Update test.ps1
106
test.ps1
106
test.ps1
@@ -158,79 +158,73 @@ function Invoke-ServiceImagePathAudit {
|
|||||||
param($Obj)
|
param($Obj)
|
||||||
|
|
||||||
$outObj = $Obj | Select-Object *
|
$outObj = $Obj | Select-Object *
|
||||||
$badpath = $false
|
$img = [string]$outObj.ImagePath
|
||||||
$examine = $outObj.ImagePath
|
|
||||||
|
|
||||||
if ($ShowProgress) {
|
if ($ShowProgress) {
|
||||||
Write-Progress -Activity "Analyzing ImagePath" -Status "Checking $($outObj.ComputerName)\$($outObj.Key)"
|
Write-Progress -Activity "Analyzing ImagePath" -Status "Checking $($outObj.ComputerName)\$($outObj.Key)"
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($outObj.Key -eq "Unavailable" -or $examine -eq "Unavailable" -or [string]::IsNullOrWhiteSpace($examine)) {
|
# Default outputs
|
||||||
$outObj | Add-Member NoteProperty BadKey "Unknown" -Force
|
$badKey = "No"
|
||||||
|
$fixed = "N/A"
|
||||||
|
|
||||||
|
# Can't analyze
|
||||||
|
if ($outObj.Key -eq "Unavailable" -or $img -eq "Unavailable" -or [string]::IsNullOrWhiteSpace($img)) {
|
||||||
|
$outObj | Add-Member NoteProperty BadKey "Unknown" -Force
|
||||||
$outObj | Add-Member NoteProperty FixedKey "Can't Fix" -Force
|
$outObj | Add-Member NoteProperty FixedKey "Can't Fix" -Force
|
||||||
return $outObj
|
return $outObj
|
||||||
}
|
}
|
||||||
|
|
||||||
# Ignore already-quoted or special \?? prefixes
|
$trim = $img.Trim()
|
||||||
if (-not $examine.StartsWith('"') -and -not $examine.StartsWith("\??")) {
|
|
||||||
|
|
||||||
if ($examine.Contains(" ")) {
|
# Already quoted or special prefix we don't touch
|
||||||
|
if ($trim.StartsWith('"') -or $trim.StartsWith('\??')) {
|
||||||
# If we see flagged args, try to isolate a path portion
|
$outObj | Add-Member NoteProperty BadKey $badKey -Force
|
||||||
if ($examine.Contains("-") -or $examine.Contains("/")) {
|
$outObj | Add-Member NoteProperty FixedKey $fixed -Force
|
||||||
|
|
||||||
$split = $examine -split " -", 0, "simplematch"
|
|
||||||
$split = $split[0] -split " /", 0, "simplematch"
|
|
||||||
$newpath = $split[0].Trim()
|
|
||||||
|
|
||||||
if ($newpath.Contains(" ")) {
|
|
||||||
$eval = $newpath -Replace '".*"', ''
|
|
||||||
$detunflagged = $eval -split "\\", 0, "simplematch"
|
|
||||||
|
|
||||||
if ($detunflagged[-1].Contains(" ")) {
|
|
||||||
$fixarg = $detunflagged[-1] -split " ", 0, "simplematch"
|
|
||||||
$quoteexe = $fixarg[0] + '"'
|
|
||||||
$examine = $examine.Replace($fixarg[0], $quoteexe)
|
|
||||||
$examine = '"' + $examine.Trim('"') + '"'
|
|
||||||
$badpath = $true
|
|
||||||
}
|
|
||||||
|
|
||||||
$examine = $examine.Replace($newpath, '"' + $newpath + '"')
|
|
||||||
$badpath = $true
|
|
||||||
}
|
|
||||||
|
|
||||||
} else {
|
|
||||||
# No flagged args, either just a bad path or an unflagged argument scenario
|
|
||||||
$eval = $examine -Replace '".*"', ''
|
|
||||||
$detunflagged = $eval -split "\\", 0, "simplematch"
|
|
||||||
|
|
||||||
if ($detunflagged[-1].Contains(" ")) {
|
|
||||||
$fixarg = $detunflagged[-1] -split " ", 0, "simplematch"
|
|
||||||
$quoteexe = $fixarg[0] + '"'
|
|
||||||
$examine = $examine.Replace($fixarg[0], $quoteexe)
|
|
||||||
$examine = '"' + $examine.Trim('"') + '"'
|
|
||||||
$badpath = $true
|
|
||||||
} else {
|
|
||||||
$examine = '"' + $examine.Trim('"') + '"'
|
|
||||||
$badpath = $true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (-not $badpath) {
|
|
||||||
$outObj | Add-Member NoteProperty BadKey "No" -Force
|
|
||||||
$outObj | Add-Member NoteProperty FixedKey "N/A" -Force
|
|
||||||
return $outObj
|
return $outObj
|
||||||
}
|
}
|
||||||
|
|
||||||
while ($examine.EndsWith('""')) { $examine = $examine.Substring(0, $examine.Length - 1) }
|
# If no spaces, not vulnerable in the classic sense
|
||||||
|
if ($trim -notmatch '\s') {
|
||||||
|
$outObj | Add-Member NoteProperty BadKey $badKey -Force
|
||||||
|
$outObj | Add-Member NoteProperty FixedKey $fixed -Force
|
||||||
|
return $outObj
|
||||||
|
}
|
||||||
|
|
||||||
$outObj | Add-Member NoteProperty BadKey "Yes" -Force
|
# Quote only the executable portion (best practice for service ImagePath)
|
||||||
$outObj | Add-Member NoteProperty FixedKey $examine -Force
|
# Matches:
|
||||||
|
# C:\Path With Spaces\app.exe <args>
|
||||||
|
# \\server\share\Path With Spaces\app.exe <args>
|
||||||
|
# Also tolerates env-var rooted paths like:
|
||||||
|
# %ProgramFiles%\App\app.exe <args>
|
||||||
|
$exeRegex = '^(?<exe>(?:(?:[A-Za-z]:\\)|(?:\\\\[^\\]+\\[^\\]+\\)|(?:%[^%]+%\\))[^"]*?\.(?:exe|com|bat|cmd))(?<args>\s+.*)?$'
|
||||||
|
|
||||||
|
if ($trim -match $exeRegex) {
|
||||||
|
$exe = $Matches['exe']
|
||||||
|
$args = $Matches['args']
|
||||||
|
|
||||||
|
# Only "bad" if the exe path contains whitespace and is unquoted (it is)
|
||||||
|
if ($exe -match '\s') {
|
||||||
|
$badKey = "Yes"
|
||||||
|
$fixed = '"' + $exe + '"' + ($args ?? '')
|
||||||
|
} else {
|
||||||
|
$badKey = "No"
|
||||||
|
$fixed = "N/A"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
# Fallback: if we can't confidently isolate an exe, quote the whole string
|
||||||
|
# (better than producing broken quotes)
|
||||||
|
$badKey = "Yes"
|
||||||
|
$fixed = '"' + $trim.Trim('"') + '"'
|
||||||
|
}
|
||||||
|
|
||||||
|
$outObj | Add-Member NoteProperty BadKey $badKey -Force
|
||||||
|
$outObj | Add-Member NoteProperty FixedKey $fixed -Force
|
||||||
return $outObj
|
return $outObj
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
function _RepairOne {
|
function _RepairOne {
|
||||||
param($Obj)
|
param($Obj)
|
||||||
|
|
||||||
|
|||||||
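Review bot: The fallback `else` branch at the end of the new analysis sets `$badKey = "Yes"` and quotes the whole trimmed string whenever `$exeRegex` does not match. Any ImagePath containing whitespace that the regex cannot parse (no `.exe`/`.com`/`.bat`/`.cmd` extension, a root other than a drive letter, UNC share or `%VAR%`, or a quote inside the path) is therefore reported as an unquoted-path finding, with a `FixedKey` that puts the arguments inside the quotes. If `_RepairOne` (which starts at the end of this hunk and continues outside it) writes `FixedKey` back to the registry, that value would likely keep the service from starting. Reporting the entry as not analyzable is safer: `$badKey = "Unknown"` and `$fixed = "Can't Fix"`, the values the function already uses for unavailable keys. Separately, `$fixed = '"' + $exe + '"' + ($args ?? '')` uses `??`, which only parses on PowerShell 7+, and assigns to the automatic variable `$args`; `$fixed = '"' + $exe + '"' + $Matches['args']` avoids both, since concatenating `$null` adds nothing.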