Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::Common
8
  include Msf::Post::Windows::ExtAPI
9

10
  def initialize(info = {})
11
    super(
12
      update_info(
13
        info,
14
        'Name' => 'Windows Gather Applied Patches',
15
        'Description' => %q{
16
          This module enumerates patches applied to a Windows system using the
17
          WMI query: SELECT HotFixID, InstalledOn FROM Win32_QuickFixEngineering.
18
        },
19
        'License' => MSF_LICENSE,
20
        'Platform' => ['win'],
21
        'SessionTypes' => ['meterpreter'],
22
        'Author' => [
23
          'zeroSteiner', # Original idea
24
          'mubix' # Post module
25
        ],
26
        'References' => [
27
          ['URL', 'http://msdn.microsoft.com/en-us/library/aa394391(v=vs.85).aspx']
28
        ],
29
        'Notes' => {
30
          'Stability' => [CRASH_SAFE],
31
          'Reliability' => [],
32
          'SideEffects' => []
33
        },
34
        'Compat' => {
35
          'Meterpreter' => {
36
            'Commands' => %w[
37
              extapi_wmi_query
38
            ]
39
          }
40
        }
41
      )
42
    )
43
  end
44

45
  def run
46
    unless session.commands.include?(Rex::Post::Meterpreter::Extensions::Extapi::COMMAND_ID_EXTAPI_WMI_QUERY)
47
      fail_with(Failure::NoTarget, 'Session does not support Meterpreter ExtAPI WMI queries')
48
    end
49

50
    hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']
51
    print_status("Running module against #{hostname} (#{session.session_host})")
52

53
    begin
54
      objects = session.extapi.wmi.query('SELECT HotFixID, InstalledOn FROM Win32_QuickFixEngineering')
55
    rescue RuntimeError
56
      fail_with(Failure::BadConfig, 'Known bug in WMI query, try migrating to another process')
57
    end
58

59
    if objects.nil?
60
      print_error('Could not retrieve patch information. WMI query returned no data.')
61
      return
62
    end
63

64
    if objects[:values].blank?
65
      print_status('Found no patches installed')
66
      return
67
    end
68

69
    results = Rex::Text::Table.new(
70
      'Header' => 'Installed Patches',
71
      'Indent' => 2,
72
      'Columns' =>
73
      [
74
        'HotFix ID',
75
        'Install Date'
76
      ]
77
    )
78

79
    objects[:values].compact.each do |k|
80
      results << k
81
    end
82

83
    if results.rows.empty?
84
      print_status("No patches were found to be installed on #{hostname} (#{session.session_host})")
85
      return
86
    end
87

88
    print_line
89
    print_line(results.to_s)
90

91
    loot_file = store_loot('enum_patches', 'text/plain', session, results.to_csv)
92
    print_status("Patch list saved to #{loot_file}")
93
  end
94
end
95

96