taibeihacker
Moderator
Windows by default are vulnerable to several vulnerabilities that could allow an attacker to execute malicious code in order to abuse a system. From the other side patching systems sufficiently is one of the main problems in security. Even if an organization has a patching policy in place if important patches are not implemented immediately this can still give short window to an attacker to exploit a vulnerability and escalate his privileges inside a system and therefore inside the network.
This article will discuss how to identify missing patches related to privilege escalation and the necessary code to exploit the issue.
wmic qfe get Caption,Description,HotFixID,InstalledOn
The output will be similar to this:
Enumeration of Installed Patches
The HotFixID can be used in correlation with the table below in order to discover any missing patches related to privilege escalation. As the focus is on privilege escalation the command can be modified slightly to discover patches based on the KB number.
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:'KB3136041' /C:'KB4018483'
Alternatively this can be done automatically via Metasploit, Credential Nessus Scan or via a custom script that will look for missing patches related to privilege escalation.
post/windows/gather/enum_patches
Metasploit – Patches Enumeration
Windows Exploit Suggester
MS10-015 : User Mode to Ring (KiTrap0D)
MS10-092 : Task Scheduler
MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
MS13-081 : TrackPopupMenuEx Win32k NULL Page
MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
MS15-051 : ClientCopyImage Win32k
MS15-078 : Font Driver Buffer Overflow
MS16-016 : ‘mrxdav.sys’ WebDAV
MS16-032 : Secondary Logon Handle
CVE-2017-7199 : Nessus Agent 6.6.2 – 6.10.3 Priv Esc
The output of this tool can be seen below:
Sherlock – Missing Patches
Sherlock – Identification of Privilege Escalation Patches
Operating SystemDescriptionSecurity BulletinKBExploitWindows Server 2016
Windows Kernel Mode Drivers
MS16-135
3199135
Exploit
Github
Windows Server 2008 ,7,8,10 Windows Server 2012
Secondary Logon Handle
MS16-032
3143141
GitHub
ExploitDB
Metasploit
Windows Server 2008, Vista, 7
WebDAV
MS16-016
3136041
Github
Windows Server 2003, Windows Server 2008, Windows 7, Windows 8, Windows 2012
Windows Kernel Mode Drivers
MS15-051
3057191
GitHub
ExploitDB
Metasploit
Windows Server 2003, Windows Server 2008, Windows Server 2012, 7, 8
Win32k.sys
MS14-058
3000061
GitHub
ExploitDB
Metasploit
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
AFD Driver
MS14-040
2975684
Python
EXE
ExploitDB
Github
Windows XP, Windows Server 2003
Windows Kernel
MS14-002
2914368
Metasploit
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
Kernel Mode Driver
MS13-005
2778930
Metasploit
ExploitDB
GitHub
Windows Server 2008, 7
Task Scheduler
MS10-092
2305420
Metasploit
ExploitDB
Windows Server 2003, Windows Server 2008, 7, XP
KiTrap0D
MS10-015
977165
Exploit
ExploitDB
GitHub
Metasploit
Windows Server 2003, XP
NDProxy
MS14-002
2914368
Exploit
ExploitDB
ExploitDB
Github
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
Kernel Driver
MS15-061
3057839
Github
Windows Server 2003, XP
AFD.sys
MS11-080
2592799
EXE
Metasploit
ExploitDB
Windows Server 2003, XP
NDISTAPI
MS11-062
2566454
ExploitDB
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
RPC
MS15-076
3067505
Github
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
Hot Potato
MS16-075
3164038
GitHub
PowerShell
HotPotato
Windows Server 2003, Windows Server 2008, 7, XP
Kernel Driver
MS15-010
3036220
GitHub
ExploitDB
Windows Server 2003, Windows Server 2008, 7, XP
AFD.sys
MS11-046
2503665
EXE
ExploitDB
This article will discuss how to identify missing patches related to privilege escalation and the necessary code to exploit the issue.
Discovery of Missing Patches
The discovery of missing patches can be identified easily either through manual methods or automatic. Manually this can be done easily be executing the following command which will enumerate all the installed patches.wmic qfe get Caption,Description,HotFixID,InstalledOn
The output will be similar to this:
The HotFixID can be used in correlation with the table below in order to discover any missing patches related to privilege escalation. As the focus is on privilege escalation the command can be modified slightly to discover patches based on the KB number.
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:'KB3136041' /C:'KB4018483'
Alternatively this can be done automatically via Metasploit, Credential Nessus Scan or via a custom script that will look for missing patches related to privilege escalation.
Metasploit
There is a Metasploit module which can quickly identify any missing patches based on the Knowledge Base number and specifically patches for which there is a Metasploit module.post/windows/gather/enum_patches
Windows Exploit Suggester
Gotham Digital Securityreleased a tool with the nameWindows Exploit Suggesterwhich compares the patch level of a system against the Microsoft vulnerability database and can be used to identify those exploits that could lead to privilege escalation. The only requirement is that requires the system information from the target.
PowerShell
There is also a PowerShell script which target to identify patches that can lead to privilege escalation. This script is calledSherlockand it will check a system for the following:MS10-015 : User Mode to Ring (KiTrap0D)
MS10-092 : Task Scheduler
MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
MS13-081 : TrackPopupMenuEx Win32k NULL Page
MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
MS15-051 : ClientCopyImage Win32k
MS15-078 : Font Driver Buffer Overflow
MS16-016 : ‘mrxdav.sys’ WebDAV
MS16-032 : Secondary Logon Handle
CVE-2017-7199 : Nessus Agent 6.6.2 – 6.10.3 Priv Esc
The output of this tool can be seen below:
Privilege Escalation Table
The following table has been compiled to assist in the process of privilege escalation due to lack of sufficient patching.Operating SystemDescriptionSecurity BulletinKBExploitWindows Server 2016
Windows Kernel Mode Drivers
MS16-135
3199135
Exploit
Github
Windows Server 2008 ,7,8,10 Windows Server 2012
Secondary Logon Handle
MS16-032
3143141
GitHub
ExploitDB
Metasploit
Windows Server 2008, Vista, 7
WebDAV
MS16-016
3136041
Github
Windows Server 2003, Windows Server 2008, Windows 7, Windows 8, Windows 2012
Windows Kernel Mode Drivers
MS15-051
3057191
GitHub
ExploitDB
Metasploit
Windows Server 2003, Windows Server 2008, Windows Server 2012, 7, 8
Win32k.sys
MS14-058
3000061
GitHub
ExploitDB
Metasploit
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
AFD Driver
MS14-040
2975684
Python
EXE
ExploitDB
Github
Windows XP, Windows Server 2003
Windows Kernel
MS14-002
2914368
Metasploit
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
Kernel Mode Driver
MS13-005
2778930
Metasploit
ExploitDB
GitHub
Windows Server 2008, 7
Task Scheduler
MS10-092
2305420
Metasploit
ExploitDB
Windows Server 2003, Windows Server 2008, 7, XP
KiTrap0D
MS10-015
977165
Exploit
ExploitDB
GitHub
Metasploit
Windows Server 2003, XP
NDProxy
MS14-002
2914368
Exploit
ExploitDB
ExploitDB
Github
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
Kernel Driver
MS15-061
3057839
Github
Windows Server 2003, XP
AFD.sys
MS11-080
2592799
EXE
Metasploit
ExploitDB
Windows Server 2003, XP
NDISTAPI
MS11-062
2566454
ExploitDB
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
RPC
MS15-076
3067505
Github
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
Hot Potato
MS16-075
3164038
GitHub
PowerShell
HotPotato
Windows Server 2003, Windows Server 2008, 7, XP
Kernel Driver
MS15-010
3036220
GitHub
ExploitDB
Windows Server 2003, Windows Server 2008, 7, XP
AFD.sys
MS11-046
2503665
EXE
ExploitDB