2014-05-25 03:37:17 +00:00
|
|
|
##
|
2017-07-24 13:26:21 +00:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2014-05-25 03:37:17 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core/post/common'
|
2014-05-25 14:45:09 +00:00
|
|
|
require 'msf/core/post/windows/extapi'
|
2014-05-25 03:37:17 +00:00
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Post
|
2014-05-25 03:37:17 +00:00
|
|
|
include Msf::Post::Common
|
2014-05-25 14:40:23 +00:00
|
|
|
include Msf::Post::Windows::ExtAPI
|
2014-05-25 03:37:17 +00:00
|
|
|
|
2014-05-26 00:36:40 +00:00
|
|
|
MSF_MODULES = {
|
|
|
|
'KB977165' => "KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)",
|
|
|
|
'KB2305420' => "KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008",
|
|
|
|
'KB2592799' => "KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2",
|
|
|
|
'KB2778930' => "KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity",
|
|
|
|
'KB2850851' => "KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1",
|
|
|
|
'KB2870008' => "KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1"
|
|
|
|
}
|
|
|
|
|
2014-05-25 03:37:17 +00:00
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
2014-09-16 21:17:22 +00:00
|
|
|
'Name' => "Windows Gather Applied Patches",
|
2014-05-25 03:37:17 +00:00
|
|
|
'Description' => %q{
|
|
|
|
This module will attempt to enumerate which patches are applied to a windows system
|
|
|
|
based on the result of the WMI query: SELECT HotFixID FROM Win32_QuickFixEngineering
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Platform' => ['win'],
|
|
|
|
'SessionTypes' => ['meterpreter'],
|
2014-09-16 21:17:22 +00:00
|
|
|
'Author' =>
|
|
|
|
[
|
2014-05-25 03:37:17 +00:00
|
|
|
'zeroSteiner', # Original idea
|
|
|
|
'mubix' # Post module
|
2014-09-16 21:17:22 +00:00
|
|
|
],
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['URL', 'http://msdn.microsoft.com/en-us/library/aa394391(v=vs.85).aspx']
|
2014-05-25 03:37:17 +00:00
|
|
|
]
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
2014-05-25 14:40:23 +00:00
|
|
|
OptBool.new('MSFLOCALS', [ true, 'Search for missing patchs for which there is a MSF local module', true]),
|
2014-05-25 03:37:17 +00:00
|
|
|
OptString.new('KB', [ true, 'A comma separated list of KB patches to search for', 'KB2871997, KB2928120'])
|
2017-05-03 20:42:21 +00:00
|
|
|
])
|
2014-05-25 03:37:17 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# The sauce starts here
|
|
|
|
def run
|
|
|
|
patches = []
|
|
|
|
|
|
|
|
datastore['KB'].split(',').each do |kb|
|
|
|
|
patches << kb.strip
|
|
|
|
end
|
|
|
|
|
|
|
|
if datastore['MSFLOCALS']
|
2014-05-26 00:36:40 +00:00
|
|
|
patches = patches + MSF_MODULES.keys
|
2014-05-25 03:37:17 +00:00
|
|
|
end
|
|
|
|
|
2014-05-25 14:40:23 +00:00
|
|
|
extapi_loaded = load_extapi
|
|
|
|
if extapi_loaded
|
|
|
|
begin
|
|
|
|
objects = session.extapi.wmi.query("SELECT HotFixID FROM Win32_QuickFixEngineering")
|
|
|
|
rescue RuntimeError
|
|
|
|
print_error "Known bug in WMI query, try migrating to another process"
|
|
|
|
return
|
|
|
|
end
|
|
|
|
kb_ids = objects[:values].map { |kb| kb[0] }
|
2014-05-26 00:36:40 +00:00
|
|
|
report_info(patches, kb_ids)
|
|
|
|
else
|
|
|
|
print_error "ExtAPI failed to load"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def report_info(patches, kb_ids)
|
|
|
|
patches.each do |kb|
|
|
|
|
if kb_ids.include?(kb)
|
|
|
|
print_status("#{kb} applied")
|
|
|
|
else
|
|
|
|
if MSF_MODULES.include?(kb)
|
|
|
|
print_good(MSF_MODULES[kb])
|
2014-05-25 03:37:17 +00:00
|
|
|
else
|
2014-05-26 00:36:40 +00:00
|
|
|
print_good("#{kb} is missing")
|
2014-05-25 03:37:17 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|