Windows Kernel Privilege Escalation

Source: Internet
Author: User
Tags: knowledge base, nessus scan

Windows by default is exposed to several vulnerabilities that could allow an attacker to execute malicious code in order to abuse a system. On the other side, patching systems sufficiently is one of the main problems in security. Even if an organization has a patching policy in place, important patches that are not implemented immediately still give an attacker a short window to exploit a vulnerability and escalate privileges inside a system, and therefore inside the network.

This article discusses how to identify missing patches related to privilege escalation and the necessary code to exploit the issue.

Discovery of Missing Patches

Missing patches can be identified easily either through manual or automatic methods. Manually, this can be done by executing the following command, which enumerates all the installed patches.

WMIC QFE Get Caption,description,hotfixid,installedon

The output will be similar to this:

Enumeration of installed patches

The HotFixID can be used in correlation with the table below in order to discover any missing patches related to privilege escalation. As the focus is on privilege escalation, the command can be modified slightly to discover patches based on the KB number.

WMIC QFE Get Caption,description,hotfixid,installedon | FINDSTR /C:"KB3136041" /C:"KB4018483"

Alternatively, this can be done automatically via Metasploit, a credentialed Nessus scan, or a custom script that looks for missing patches related to privilege escalation.
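The custom-script approach described above, written out as an added example (this code is not from the original article or from any of the tools it mentions): it parses the output of the wmic qfe command from earlier in the article, correlates the installed HotFixIDs with the KB numbers from the privilege escalation table at the end of the article, and reports the table entries that are missing for a given operating system. The wmic output embedded in the block is constructed for the example, and the function names parse_hotfix_ids, missing_patches and format_report are the example's own.

```python
import re

# Constructed sample of `wmic qfe get Caption,Description,HotFixID,InstalledOn`
# output. These lines are made up for the example, not captured from a real host.
SAMPLE_WMIC_OUTPUT = """\
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=2592799  Security Update  KB2592799  7/12/2012
http://support.microsoft.com/?kbid=3000061  Security Update  KB3000061  10/15/2014
http://support.microsoft.com/?kbid=3057191  Security Update  KB3057191  5/13/2015
http://support.microsoft.com/?kbid=3136041  Security Update  KB3136041  2/10/2016
"""

# Privilege-escalation patches taken from the table in the article:
# KB -> (security bulletin, affected component, operating systems listed as affected).
KB_TABLE = {
    "KB3143141": ("MS16-032", "Secondary Logon Handle",
                  ("Windows 7", "Windows 8", "Windows 10", "Windows Server 2012")),
    "KB3136041": ("MS16-016", "WebDAV",
                  ("Windows Server", "Windows Vista", "Windows 7")),
    "KB3057191": ("MS15-051", "Windows Kernel Mode Drivers",
                  ("Windows Server 2003", "Windows 7", "Windows 8", "Windows Server 2012")),
    "KB3000061": ("MS14-058", "Win32k.sys",
                  ("Windows Server 2003", "Windows Server 2012", "Windows 7", "Windows 8")),
    "KB2975684": ("MS14-040", "AFD Driver",
                  ("Windows Server 2003", "Windows 7", "Windows 8", "Windows Server 2012")),
    "KB2778930": ("MS13-005", "Kernel Mode Driver",
                  ("Windows Server 2003", "Windows 7", "Windows 8", "Windows Server 2012")),
    "KB2305420": ("MS10-092", "Task Scheduler",
                  ("Windows Server 2008", "Windows 7")),
    "KB977165":  ("MS10-015", "KiTrap0D",
                  ("Windows Server 2003", "Windows 7", "Windows XP")),
    "KB3057839": ("MS15-061", "Kernel Driver",
                  ("Windows Server 2003", "Windows 7", "Windows 8", "Windows Server 2012")),
    "KB3067505": ("MS15-076", "RPC",
                  ("Windows Server 2003", "Windows 7", "Windows 8", "Windows Server 2012")),
    "KB3164038": ("MS16-075", "Hot Potato",
                  ("Windows Server 2003", "Windows 7", "Windows 8", "Windows Server 2012")),
    "KB3036220": ("MS15-010", "Kernel Driver",
                  ("Windows Server 2003", "Windows 7", "Windows XP")),
    "KB2592799": ("MS11-080", "Afd.sys",
                  ("Windows Server 2003", "Windows XP")),
}

# HotFixID values look like KB followed by digits; the Caption column uses a
# lowercase "kbid=" query string, which this case-sensitive pattern ignores.
HOTFIX_RE = re.compile(r"\bKB\d+\b")


def parse_hotfix_ids(wmic_output):
    """Return the set of HotFixID values (KBnnnnnn) found in wmic qfe output."""
    return set(HOTFIX_RE.findall(wmic_output))


def missing_patches(wmic_output, os_name):
    """Correlate installed hotfixes with the table for the given operating system.

    Returns a sorted list of (bulletin, KB, component) for table entries that
    apply to os_name and whose KB does not appear in the wmic output. An absent
    KB is a lead to verify, not proof the system is vulnerable: later cumulative
    updates supersede many of these KBs without listing them individually.
    """
    installed = parse_hotfix_ids(wmic_output)
    missing = [
        (bulletin, kb, component)
        for kb, (bulletin, component, affected) in KB_TABLE.items()
        if os_name in affected and kb not in installed
    ]
    return sorted(missing)


def format_report(wmic_output, os_name):
    """Human-readable summary, one line per table KB that was not found."""
    lines = [f"Patches from the table not found on {os_name}:"]
    for bulletin, kb, component in missing_patches(wmic_output, os_name):
        lines.append(f"  {bulletin}  {kb:<10} {component}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real host, feed in the saved output of the wmic command instead.
    print(format_report(SAMPLE_WMIC_OUTPUT, "Windows 7"))
```

The operating-system name passed to missing_patches must match one of the strings used in KB_TABLE; on a live system it would normally come from systeminfo or a similar source. Because WMIC is deprecated on current Windows releases, the PowerShell cmdlet Get-HotFix is the equivalent source of the same Caption, Description, HotFixID and InstalledOn fields, and its output parses with the same pattern.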

Metasploit

There is a Metasploit module which can quickly identify missing patches based on the Knowledge Base number, specifically those patches for which a Metasploit module exists.

post/windows/gather/enum_patches

Metasploit - patches enumeration

Windows Exploit Suggester

Gotham Digital Security released a tool named Windows Exploit Suggester which compares the patch level of a system against the Microsoft vulnerability database and can be used to identify exploits that could lead to privilege escalation. The only requirement is the system information from the target.

Windows Exploit Suggester

PowerShell

There is also a PowerShell script which aims to identify patches that can lead to privilege escalation. This script is called Sherlock and it checks a system for the following:

    • MS10-015: User Mode to Ring (KiTrap0D)
    • MS10-092: Task Scheduler
    • MS13-053: NtUserMessageCall Win32k Kernel Pool Overflow
    • MS13-081: TrackPopupMenuEx Win32k NULL Page
    • MS14-058: TrackPopupMenu Win32k Null Pointer Dereference
    • MS15-051: ClientCopyImage Win32k
    • MS15-078: Font Driver Buffer Overflow
    • MS16-016: 'mrxdav.sys' WebDAV
    • MS16-032: Secondary Logon Handle
    • CVE-2017-7199: Nessus Agent 6.6.2 - 6.10.3 Priv Esc

The output of this tool can be seen below:

Sherlock - missing patches

Sherlock - identification of privilege escalation patches

Privilege Escalation Table

The following table has been compiled to assist in the process of privilege escalation due to lack of sufficient patching.

Operating System | Description | Security Bulletin | KB | Exploit
Windows Server 2016 | Windows Kernel Mode Drivers | MS16-135 | 3199135 | Exploit, GitHub
Windows 7, 8, 10, Windows Server 2012 | Secondary Logon Handle | MS16-032 | 3143141 | GitHub, ExploitDB, Metasploit
Windows Server, Vista, 7 | WebDAV | MS16-016 | 3136041 | GitHub
Windows Server 2003, Windows 7, Windows 8, Windows Server 2012 | Windows Kernel Mode Drivers | MS15-051 | 3057191 | GitHub, ExploitDB, Metasploit
Windows Server 2003, Windows Server 2012, 7, 8 | Win32k.sys | MS14-058 | 3000061 | GitHub, ExploitDB, Metasploit
Windows Server 2003, Windows 7, 8, Windows Server 2012 | AFD Driver | MS14-040 | 2975684 | Python, EXE, ExploitDB, GitHub
Windows XP, Windows Server 2003 | Windows Kernel | MS14-002 | 2914368 | Metasploit
Windows Server 2003, Windows 7, 8, Windows Server 2012 | Kernel Mode Driver | MS13-005 | 2778930 | Metasploit, ExploitDB, GitHub
Windows Server 2008, 7 | Task Scheduler | MS10-092 | 2305420 | Metasploit, ExploitDB
Windows Server 2003, Windows 7, XP | KiTrap0D | MS10-015 | 977165 | Exploit, ExploitDB, GitHub, Metasploit
Windows Server 2003, XP | NDProxy | MS14-002 | 2914368 | Exploit, ExploitDB (two entries), GitHub
Windows Server 2003, Windows 7, 8, Windows Server 2012 | Kernel Driver | MS15-061 | 3057839 | GitHub
Windows Server 2003, XP | Afd.sys | MS11-080 | 2592799 | EXE, Metasploit, ExploitDB
Windows Server 2003, XP | NDISTAPI | MS11-062 | 2566454 | ExploitDB
Windows Server 2003, Windows 7, 8, Windows Server 2012 | RPC | MS15-076 | 3067505 | GitHub
Windows Server 2003, Windows 7, 8, Windows Server 2012 | Hot Potato | MS16-075 | 3164038 | GitHub, PowerShell, HotPotato
Windows Server 2003, Windows 7, XP | Kernel Driver | MS15-010 | 3036220 | GitHub, ExploitDB
Windows Server 2003, Windows 7, XP | Afd.sys | MS11-046 | 2503665 | EXE, ExploitDB
