## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'msf/core/post/common' require 'msf/core/post/windows/extapi' class Metasploit3 < Msf::Post include Msf::Post::Common include Msf::Post::Windows::ExtAPI MSF_MODULES = { 'KB977165' => "KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)", 'KB2305420' => "KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008", 'KB2592799' => "KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2", 'KB2778930' => "KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity", 'KB2850851' => "KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1", 'KB2870008' => "KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1" } def initialize(info={}) super(update_info(info, 'Name' => "Windows Gather Applied Patches", 'Description' => %q{ This module will attempt to enumerate which patches are applied to a windows system based on the result of the WMI query: SELECT HotFixID FROM Win32_QuickFixEngineering }, 'License' => MSF_LICENSE, 'Platform' => ['win'], 'SessionTypes' => ['meterpreter'], 'Author' => [ 'zeroSteiner', # Original idea 'mubix' # Post module ], 'References' => [ ['URL', 'http://msdn.microsoft.com/en-us/library/aa394391(v=vs.85).aspx'] ] )) register_options( [ OptBool.new('MSFLOCALS', [ true, 'Search for missing patchs for which there is a MSF local module', true]), OptString.new('KB', [ true, 'A comma separated list of KB patches to search for', 'KB2871997, KB2928120']) ], self.class) end # The sauce starts here def run patches = [] datastore['KB'].split(',').each do |kb| patches << kb.strip end if datastore['MSFLOCALS'] patches = patches + MSF_MODULES.keys end extapi_loaded = load_extapi if extapi_loaded begin objects = session.extapi.wmi.query("SELECT HotFixID FROM Win32_QuickFixEngineering") rescue RuntimeError print_error "Known bug in WMI query, try migrating to another process" return end kb_ids = objects[:values].map { |kb| kb[0] } report_info(patches, kb_ids) else print_error "ExtAPI failed to load" end end def report_info(patches, kb_ids) patches.each do |kb| if kb_ids.include?(kb) print_status("#{kb} applied") else if MSF_MODULES.include?(kb) print_good(MSF_MODULES[kb]) else print_good("#{kb} is missing") end end end end end