Skip to content

Instantly share code, notes, and snippets.

@et0x
Last active May 31, 2022 09:09
Show Gist options
  • Save et0x/7e34a10eb0fe00feb6191abed32a52d9 to your computer and use it in GitHub Desktop.
Save et0x/7e34a10eb0fe00feb6191abed32a52d9 to your computer and use it in GitHub Desktop.
Use Get-WorldOpenDirectories to find open directories recursively, with specifics on exec/list/read permissions as well
#> Get-WorldOpenDirectories -Path C:\Windows
#
# Directory : C:\Windows\Tasks
# Group : NT Authority\Authenticated Users
# Write : True
# Read : True
# ExecuteFile : True
# List : True
#
# ...
function Test-IsDirectoryWorldWriteable {
Param(
[String]$Path
)
$accessRights = Get-Item -Path $Path | Get-Acl | Select-Object -ExpandProperty Access
foreach ($accessRight in $accessRights) {
if ($accessRight.IdentityReference -notin @('BUILTIN\Users','NT AUTHORITY\Authenticated Users', 'Everyone')) {
continue
}
$SYNCHRONIZE = 1048576
$WRITE = 2 -bor $SYNCHRONIZE
$rights = $accessRight.FileSystemRights
if (($rights -band $WRITE) -eq $WRITE) {
return $true
}
}
return $false
}
function Get-ControlPermissions {
Param(
[String]$Path
)
$accessRights = Get-Item -Path $Path | Get-Acl | Select-Object -ExpandProperty Access
foreach ($accessRight in $accessRights) {
if ($accessRight.IdentityReference -notin @('BUILTIN\Users','NT AUTHORITY\Authenticated Users', 'Everyone')) {
continue
}
$READ = 131072
$EXECUTEFILE = 32
$SYNCHRONIZE = 1048576
$WRITE = 2 -bor $SYNCHRONIZE
$LISTDIR = 1
$rights = $accessRight.FileSystemRights
$canExec = ($rights -band $EXECUTEFILE) -eq $EXECUTEFILE
$canList = ($rights -band $LISTDIR) -eq $LISTDIR
[psobject] | Select @{N='Directory';E={$Path};},
@{N='Group';E={$accessRight.IdentityReference};},
@{N='Write';E={($rights -band $WRITE) -eq $WRITE};},
@{N='Read';E={($rights -band $READ) -eq $READ};},
@{N='ExecuteFile';E={($rights -band $EXECUTEFILE) -eq $EXECUTEFILE};},
@{N='List';E={($rights -band $LISTDIR) -eq $LISTDIR};}
}
}
function Get-WorldOpenDirectories {
[CmdletBinding()]
Param (
[Parameter(Mandatory=$true)]
[String]$Path
)
Get-ChildItem -Directory -Path $Path -Recurse | select -ExpandProperty FullName | % {
$dirPath = $_
if (Test-IsDirectoryWorldWriteable $dirPath) {
Get-ControlPermissions -Path $dirPath
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment