Land #3388 - Post mod to check Win32_QuickFixEngineering

2014-09-16 16:18:04 -05:00 · 2014-09-16 16:18:04 -05:00 · 07c14f5ee8
parent a846d084ca 36a3abe036
commit 07c14f5ee8
1 changed files with 93 additions and 0 deletions
--- a/modules/post/windows/gather/enum_patches.rb
+++ b/modules/post/windows/gather/enum_patches.rb
@ -0,0 +1,93 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+require 'msf/core/post/common'
+require 'msf/core/post/windows/extapi'
+
+class Metasploit3 < Msf::Post
+  include Msf::Post::Common
+  include Msf::Post::Windows::ExtAPI
+
+  MSF_MODULES = {
+    'KB977165'  => "KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)",
+    'KB2305420' => "KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008",
+    'KB2592799' => "KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2",
+    'KB2778930' => "KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity",
+    'KB2850851' => "KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1",
+    'KB2870008' => "KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1"
+  }
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'            => "Windows Gather Applied Patches",
+      'Description'     => %q{
+          This module will attempt to enumerate which patches are applied to a windows system
+          based on the result of the WMI query: SELECT HotFixID FROM Win32_QuickFixEngineering
+        },
+      'License'         => MSF_LICENSE,
+      'Platform'        => ['win'],
+      'SessionTypes'    => ['meterpreter'],
+      'Author'          =>
+        [
+          'zeroSteiner', # Original idea
+          'mubix' # Post module
+        ],
+      'References'      =>
+        [
+          ['URL', 'http://msdn.microsoft.com/en-us/library/aa394391(v=vs.85).aspx']
+        ]
+    ))
+
+    register_options(
+      [
+        OptBool.new('MSFLOCALS', [ true, 'Search for missing patchs for which there is a MSF local module', true]),
+        OptString.new('KB',  [ true, 'A comma separated list of KB patches to search for', 'KB2871997, KB2928120'])
+      ], self.class)
+  end
+
+  # The sauce starts here
+  def run
+    patches = []
+
+    datastore['KB'].split(',').each do |kb|
+      patches << kb.strip
+    end
+
+    if datastore['MSFLOCALS']
+      patches = patches + MSF_MODULES.keys
+    end
+
+    extapi_loaded = load_extapi
+    if extapi_loaded
+      begin
+        objects = session.extapi.wmi.query("SELECT HotFixID FROM Win32_QuickFixEngineering")
+      rescue RuntimeError
+        print_error "Known bug in WMI query, try migrating to another process"
+        return
+      end
+      kb_ids = objects[:values].map { |kb| kb[0] }
+      print_debug(kb_ids.inspect)
+      report_info(patches, kb_ids)
+    else
+      print_error "ExtAPI failed to load"
+    end
+  end
+
+  def report_info(patches, kb_ids)
+    patches.each do |kb|
+      if kb_ids.include?(kb)
+        print_status("#{kb} applied")
+      else
+        if MSF_MODULES.include?(kb)
+          print_good(MSF_MODULES[kb])
+        else
+          print_good("#{kb} is missing")
+        end
+      end
+    end
+  end
+end