提权补丁对比工具

作者: H0r2yC 分类: python 发布时间: 2019-10-31 14:40

前几天做内网的时候,cmd添加KB找提权漏洞,找到漏洞再去查是否当前系统是否存在这个漏洞,过程太麻烦,而且一个漏洞不同操作系统对应了不同的KB,所以打算写个小工具。工具编译后可直接执行,也可以通过-f选项加载补丁编号文本,或者-c选项输出cmd执行的命令。

先贴cmd的命令

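set KB2829361=MS13-046&set KB2830290=MS13-046&set KB2667440=MS12-020&set KB2667402=MS12-020&set KB3124280=MS16-016&set KB3077657=MS15-077&set KB3045171=MS15-051&set KB2592799=MS11-080&set KB952004=MS09-012 PR&set KB956572=MS09-012 巴西烤肉&set KB970483=MS09-020 iis6&set KB2124261=MS10-065 ii7&set KB2271195=MS10-065 ii7&systeminfo>a.txt&(for %i in (KB952004 KB956572 KB2393802 KB2503665 KB2592799 KB2621440 KB2160329 KB970483 KB2124261 KB977165 KB958644 KB2667402 KB2667440 KB2830290 KB2829361 KB3045171 KB3077657 KB3124280)do @type a.txt|@find /i "%i"||@echo %%i% Not Installed!)&del /f/q /a a.txt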

敲代码的时候发现一个容易踩的点：Popen 的 stdout 是一个管道，read() 读到 EOF 之后再次 read() 自然返回空串，所以不能在循环里对同一个 Popen 反复 read，而要先把 read() 的结果保存到 patchstatread 变量里，后面的检查都复用这份文本。

import argparse
import re
import subprocess
import sys

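# Run systeminfo exactly once at import; every MS* check and main()/run()
# search this text for KB ids. communicate() drains stdout and stderr
# together, so a noisy stderr cannot block the child the way a bare
# stdout.read() with stderr=PIPE can. The output is decoded leniently
# (non-English Windows writes the OEM code page): only the ASCII
# "KBnnnnnn" tokens matter for the substring checks, and they survive
# either way. This is also why the tool only runs on Windows — on any
# other host the Popen call fails at import.
patchstat = subprocess.Popen('systeminfo', stdout=subprocess.PIPE, stderr=subprocess.PIPE)
_systeminfo_out, _systeminfo_err = patchstat.communicate()
patchstatread = _systeminfo_out.decode('utf-8', errors='replace')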


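def openfile(filename):
    """Return the non-blank lines of *filename* as a list of strings.

    filename: path to a KB list, one ``MS:KB:description:versions`` entry per
    line (the format described in parse_args' help text).
    Decoded as utf-8-sig so a BOM written by Windows Notepad is not glued to
    the first line's MS id; blank or whitespace-only lines are dropped because
    the callers unpack exactly four ':'-separated fields and would otherwise
    fail on a trailing empty line.
    """
    with open(filename, 'r', encoding='utf-8-sig') as fh:
        return [line for line in fh.read().splitlines() if line.strip()]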
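def MS17010(installed=None):
    """Report MS17-010 (SMBv1 server, "EternalBlue") as missing unless one of its KBs is listed.

    installed: text searched for KB ids; defaults to the module-level
    ``patchstatread`` (captured ``systeminfo`` output).
    Returns True when a matching KB was found, False after printing the
    "Not Install" line. A later rollup that supersedes these KBs is not
    recognised, so False is a lead to verify on the target, not proof.
    The description printed here was corrected: MS17-010 is the SMBv1
    remote bug, not a kernel-mode-driver local escalation.
    """
    if installed is None:
        installed = patchstatread
    kbs = ('KB4013389', 'KB4012212', 'KB4013081', 'KB4012606', 'KB4013198',
           'KB4012213', 'KB4012214', 'KB4012216', 'KB4012598')
    if any(kb in installed for kb in kbs):
        return True
    print('KB4013389 Not Install!  MS:[MS17-010]  Describe:SMBv1 Server RCE (EternalBlue)  VULNOS:(windows 7/2008/2003/XP)')
    return False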
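def MS17017(installed=None):
    """Report MS17-017 (GDI palette object LPE) as missing unless one of its KBs is listed.

    installed: text searched for KB ids; defaults to the module-level
    ``patchstatread`` (captured ``systeminfo`` output).
    Returns True when a KB was found, False after printing the "Not Install"
    line. A superseding rollup is not recognised, so False is only a lead.
    """
    if installed is None:
        installed = patchstatread
    kbs = ('KB4012214', 'KB4011981', 'KB4012212', 'KB4012213', 'KB4013429', 'KB4012606', 'KB4013198')
    if any(kb in installed for kb in kbs):
        return True
    print('KB4013081 Not Install!  MS:[MS17017]  Describe:GDI Palette Objects Local Privilege Escalation  VULNOS:(windows 7/8)')
    return False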
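def MS16135(installed=None):
    """Report MS16-135 (kernel-mode driver LPE) as missing unless one of its KBs is listed.

    installed: text searched for KB ids; defaults to the module-level
    ``patchstatread`` (captured ``systeminfo`` output).
    Returns True when a KB was found, False after printing the "Not Install"
    line. A superseding rollup is not recognised, so False is only a lead.
    """
    if installed is None:
        installed = patchstatread
    kbs = ('KB3194371', 'KB3197873', 'KB3197867', 'KB3198234', 'KB3197876',
           'KB3197874', 'KB3198585', 'KB3198586', 'KB3200970')
    if any(kb in installed for kb in kbs):
        return True
    print('KB3199135 Not Install!  MS:[MS16135]  Describe:Windows Kernel Mode Drivers  VULNOS:(2016)')
    return False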
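def MS16111(installed=None):
    """Report MS16-111 (kernel API LPE) as missing unless one of its KBs is listed.

    installed: text searched for KB ids; defaults to the module-level
    ``patchstatread`` (captured ``systeminfo`` output).
    Returns True when a KB was found, False after printing the "Not Install"
    line. A superseding rollup is not recognised, so False is only a lead.
    """
    if installed is None:
        installed = patchstatread
    kbs = ('KB3175024', 'KB3185611', 'KB3185614', 'KB3189866')
    if any(kb in installed for kb in kbs):
        return True
    print('KB3186973 Not Install!  MS:[MS16111]  Describe:kernel api  VULNOS:(Windows 10 10586 (32/64)/8.1)')
    return False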
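def MS16098(installed=None):
    """Report MS16-098 (kernel driver LPE) as missing unless one of its KBs is listed.

    installed: text searched for KB ids; defaults to the module-level
    ``patchstatread`` (captured ``systeminfo`` output).
    Returns True when a KB was found, False after printing the "Not Install"
    line. A superseding rollup is not recognised, so False is only a lead.
    """
    if installed is None:
        installed = patchstatread
    kbs = ('KB3176495', 'KB3176493', 'KB3177725', 'KB3176492')
    if any(kb in installed for kb in kbs):
        return True
    print('KB3178466 Not Install!  MS:[MS16098]  Describe:Kernel Driver  VULNOS:(Win 8.1)')
    return False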
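def MS16075(installed=None):
    """Report MS16-075 (Hot Potato) as missing unless one of its KBs is listed.

    installed: text searched for KB ids; defaults to the module-level
    ``patchstatread`` (captured ``systeminfo`` output).
    Returns True when a KB was found, False after printing the "Not Install"
    line. A superseding rollup is not recognised, so False is only a lead.
    """
    if installed is None:
        installed = patchstatread
    kbs = ('KB3161561', 'KB3163017', 'KB3163018')
    if any(kb in installed for kb in kbs):
        return True
    print('KB3164038 Not Install!  MS:[MS16075]  Describe:Hot Potato  VULNOS:(2003/2008/7/8/2012)')
    return False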
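def MS16034(installed=None):
    """Report MS16-034 (kernel driver LPE) as missing unless one of its KBs is listed.

    installed: text searched for KB ids; defaults to the module-level
    ``patchstatread`` (captured ``systeminfo`` output).
    Returns True when a KB was found, False after printing the "Not Install"
    line. A superseding rollup is not recognised, so False is only a lead.
    """
    if installed is None:
        installed = patchstatread
    kbs = ('KB3139852', 'KB3140768', 'KB3140745')
    if any(kb in installed for kb in kbs):
        return True
    print('KB3143145 Not Install!  MS:[MS16034]  Describe:Kernel Driver  VULNOS:(2008/7/8/10/2012)')
    return False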
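def MS16032(installed=None):
    """Report MS16-032 (Secondary Logon handle LPE) as missing unless one of its KBs is listed.

    installed: text searched for KB ids; defaults to the module-level
    ``patchstatread`` (captured ``systeminfo`` output).
    Returns True when a KB was found, False after printing the "Not Install"
    line. A superseding rollup is not recognised, so False is only a lead.
    """
    if installed is None:
        installed = patchstatread
    kbs = ('KB3140745', 'KB3140768', 'KB3139914')
    if any(kb in installed for kb in kbs):
        return True
    print('KB3143141 Not Install!  MS:[MS16032]  Describe:Secondary Logon Handle  VULNOS:(2008/7/8/10/2012)')
    return False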
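def MS16016(installed=None):
    """Report MS16-016 (WebDAV LPE) as missing unless one of its KBs is listed.

    installed: text searched for KB ids; defaults to the module-level
    ``patchstatread`` (captured ``systeminfo`` output).
    Returns True when a KB was found, False after printing the "Not Install"
    line. A superseding rollup is not recognised, so False is only a lead.
    """
    if installed is None:
        installed = patchstatread
    kbs = ('KB3124280', 'KB3135174', 'KB3135173')
    if any(kb in installed for kb in kbs):
        return True
    print('KB3136041 Not Install!  MS:[MS16016]  Describe:WebDAV  VULNOS:(2008/Vista/7)')
    return False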
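def MS16014(installed=None):
    """Report MS16-014 as missing unless one of its KBs is listed.

    installed: text searched for KB ids; defaults to the module-level
    ``patchstatread`` (captured ``systeminfo`` output).
    Returns True when a KB was found, False after printing the "Not Install"
    line. A superseding rollup is not recognised, so False is only a lead.
    """
    if installed is None:
        installed = patchstatread
    kbs = ('KB3126587', 'KB3126434', 'KB3135174', 'KB3135173', 'KB3126593', 'KB3126041')
    if any(kb in installed for kb in kbs):
        return True
    print('KB3134228 Not Install!  MS:[MS16014]  Describe:remote code execution  VULNOS:(2008/Vista/7)')
    return False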
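def MS15097(installed=None):
    """Report MS15-097 as missing unless one of its KBs is listed.

    installed: text searched for KB ids; defaults to the module-level
    ``patchstatread`` (captured ``systeminfo`` output).
    Returns True when a KB was found, False after printing the "Not Install"
    line. A superseding rollup is not recognised, so False is only a lead.
    """
    if installed is None:
        installed = patchstatread
    kbs = ('KB3087039', 'KB3087135', 'KB3081455', 'KB3081087', 'KB3081088',
           'KB3081089', 'KB3081090', 'KB3085546', 'KB3085529', 'KB3085500')
    if any(kb in installed for kb in kbs):
        return True
    print('KB3089656 Not Install!  MS:[MS15097]  Describe:remote code execution  VULNOS:(win8.1/2012)')
    return False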
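def MS15010(installed=None):
    """Report MS15-010 (kernel driver LPE) as missing unless one of its KBs is listed.

    installed: text searched for KB ids; defaults to the module-level
    ``patchstatread`` (captured ``systeminfo`` output).
    Returns True when a KB was found, False after printing the "Not Install"
    line. A superseding rollup is not recognised, so False is only a lead.
    """
    if installed is None:
        installed = patchstatread
    kbs = ('KB3013455', 'KB3023562')
    if any(kb in installed for kb in kbs):
        return True
    print('KB3036220 Not Install!  MS:[MS15010]  Describe:Kernel Driver  VULNOS:(2003/2008/7/8)')
    return False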
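def MS14040(installed=None):
    """Report MS14-040 (AFD driver LPE) as missing unless one of its KBs is listed.

    installed: text searched for KB ids; defaults to the module-level
    ``patchstatread`` (captured ``systeminfo`` output).
    Returns True when a KB was found, False after printing the "Not Install"
    line. A superseding rollup is not recognised, so False is only a lead.
    """
    if installed is None:
        installed = patchstatread
    kbs = ('KB2961072', 'KB2973408')
    if any(kb in installed for kb in kbs):
        return True
    print('KB2975684 Not Install!  MS:[MS14040]  Describe:AFD Driver  VULNOS:(2003/2008/2012/7/8)')
    return False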
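def MS14002(installed=None):
    """Report MS14-002 (NDProxy LPE) as missing unless its KB is listed.

    installed: text searched for KB ids; defaults to the module-level
    ``patchstatread`` (captured ``systeminfo`` output).
    Returns True when the KB was found, False after printing the "Not Install"
    line. A superseding rollup is not recognised, so False is only a lead.
    """
    if installed is None:
        installed = patchstatread
    kbs = ('KB2914368',)
    if any(kb in installed for kb in kbs):
        return True
    print('KB2914368 Not Install!  MS:[MS14002]  Describe:NDProxy  VULNOS:(2003/XP)')
    return False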
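def MS13046(installed=None):
    """Report MS13-046 (dxgkrnl.sys LPE) as missing unless one of its KBs is listed.

    installed: text searched for KB ids; defaults to the module-level
    ``patchstatread`` (captured ``systeminfo`` output).
    Returns True when a KB was found, False after printing the "Not Install"
    line. A superseding rollup is not recognised, so False is only a lead.
    """
    if installed is None:
        installed = patchstatread
    kbs = ('KB2830290', 'KB2829361')
    if any(kb in installed for kb in kbs):
        return True
    print('KB2840221 Not Install!  MS:[MS13046]  Describe:dxgkrnl.sys  VULNOS:(Vista/2003/2008/2012/7)')
    return False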
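def MS12042(installed=None):
    """Report MS12-042 as missing unless one of its KBs is listed.

    installed: text searched for KB ids; defaults to the module-level
    ``patchstatread`` (captured ``systeminfo`` output).
    Returns True when a KB was found, False after printing the "Not Install"
    line. A superseding rollup is not recognised, so False is only a lead.
    """
    if installed is None:
        installed = patchstatread
    kbs = ('KB2707511', 'KB2709715')
    if any(kb in installed for kb in kbs):
        return True
    print('KB2972621 Not Install!  MS:[MS12042]  Describe:Service Bus  VULNOS:(2008/2012/win7)')
    return False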
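def MS12020(installed=None):
    """Report MS12-020 (RDP) as missing unless one of its KBs is listed.

    installed: text searched for KB ids; defaults to the module-level
    ``patchstatread`` (captured ``systeminfo`` output).
    Returns True when a KB was found, False after printing the "Not Install"
    line. A superseding rollup is not recognised, so False is only a lead.
    """
    if installed is None:
        installed = patchstatread
    kbs = ('KB2621440', 'KB2667402')
    if any(kb in installed for kb in kbs):
        return True
    print('KB2671387 Not Install!  MS:[MS12020]  Describe:RDP  VULNOS:(2003/2008/7/XP)')
    return False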
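def MS10065(installed=None):
    """Report MS10-065 (IIS FastCGI) as missing unless one of its KBs is listed.

    installed: text searched for KB ids; defaults to the module-level
    ``patchstatread`` (captured ``systeminfo`` output).
    Returns True when a KB was found, False after printing the "Not Install"
    line. A superseding rollup is not recognised, so False is only a lead.
    """
    if installed is None:
        installed = patchstatread
    kbs = ('KB2124261', 'KB2271195', 'KB2290570')
    if any(kb in installed for kb in kbs):
        return True
    print('KB2267960 Not Install!  MS:[MS10065]  Describe:FastCGI  VULNOS:(IIS 5.1, 6.0, 7.0, and 7.5)')
    return False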
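def MS09012(installed=None):
    """Report MS09-012 (Chimichurri) as missing unless one of its KBs is listed.

    installed: text searched for KB ids; defaults to the module-level
    ``patchstatread`` (captured ``systeminfo`` output).
    Returns True when a KB was found, False after printing the "Not Install"
    line. A superseding rollup is not recognised, so False is only a lead.
    """
    if installed is None:
        installed = patchstatread
    kbs = ('KB952004', 'KB956572')
    if any(kb in installed for kb in kbs):
        return True
    print('KB959454 Not Install!  MS:[MS09012]  Describe:Chimichurri  VULNOS:(Vista/win7/2008/Vista)')
    return False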
def parse_args():
    """Parse the command line.

    ``-c/--cmd`` emits a cmd.exe one-liner instead of scanning locally;
    ``-f/--filename`` points at an external KB list. The description text
    documents the expected ``MS:KB:description:versions`` line format.
    """
    parser = argparse.ArgumentParser(
        description='如果使用外部KB文件扫描漏洞,请注意格式为MS编号:KB编号:漏洞信息:影响版本,使用KB文件生成cmd只需要存在MS编号及KB编号即可'
    )
    parser.add_argument('-c', '--cmd', dest='cmd', action='store_true', help='output code for cmd')
    parser.add_argument('-f', '--filename', dest='filename', type=str, help='use file with KB inf')
    return parser.parse_args()
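def cmd(filename=None):
    """Print a one-line cmd.exe check generated from an external KB file (-f -c).

    filename: path to the KB list; defaults to the ``-f`` argument. Each line
    only needs an ``MSyy-nnn`` / ``MSyynnn`` id and a ``KBnnnnnn`` id; the rest
    of the line is ignored.
    Lines lacking either id are reported on stderr and skipped instead of
    aborting with an AttributeError from ``re.search(...).group()``. The MS
    pattern accepts the hyphenated form, so ``MS15-076`` is no longer cut down
    to ``MS15`` in the generated ``set`` line.
    """
    if filename is None:
        filename = args.filename
    with open(filename, 'r', encoding='utf-8') as fh:
        lines = fh.read().splitlines()
    kb_to_ms = {}
    for line in lines:
        kb = re.search(r'KB\d+', line)
        ms = re.search(r'MS\d+-?\d+', line)
        if kb is None or ms is None:
            print('skipping line without MS/KB id: ' + line, file=sys.stderr)
            continue
        kb_to_ms[kb.group()] = ms.group()
    sets = ''.join(f'set {kb}={ms}&' for kb, ms in kb_to_ms.items())
    kbs = ''.join(kb + ' ' for kb in kb_to_ms)
    print(sets + 'systeminfo>a.txt&(for %i in (' + kbs + ')do @type a.txt|@find /i "%i"||@echo %%i% Not Installed!)&del /f/q /a a.txt')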
def localcmd():
    """Print the built-in KB table as a one-line cmd.exe check (the -c path).

    The emitted line runs systeminfo once, greps it for every bulletin KB and
    echoes the ones that are absent. The printed string is identical to the
    original hard-coded literal; the table form only makes the KB -> MS
    mapping readable.
    """
    table = (
        ('KB4013081', 'MS17017'), ('KB4013389', 'MS17010'), ('KB3199135', 'MS16135'),
        ('KB3186973', 'MS16111'), ('KB3178466', 'MS16098'), ('KB3164038', 'MS16075'),
        ('KB3143145', 'MS16034'), ('KB3143141', 'MS16032'), ('KB3136041', 'MS16016'),
        ('KB3134228', 'MS16014'), ('KB3089656', 'MS15097'), ('KB3067505', 'MS15076'),
        ('KB3077657', 'MS15077'), ('KB3057839', 'MS15061'), ('KB3057191', 'MS15051'),
        ('KB3031432', 'MS15015'), ('KB3036220', 'MS15010'), ('KB3023266', 'MS15001'),
        ('KB2989935', 'MS14070'), ('KB3011780', 'MS14068'), ('KB3000061', 'MS14058'),
        ('KB2992611', 'MS14066'), ('KB2975684', 'MS14040'), ('KB2914368', 'MS14002'),
        ('KB2850851', 'MS13053'), ('KB2840221', 'MS13046'), ('KB2778930', 'MS13005'),
        ('KB2972621', 'MS12042'), ('KB2671387', 'MS12020'), ('KB2641653', 'MS12018'),
        ('KB2645640', 'MS12009'), ('KB2646524', 'MS12003'), ('KB2620712', 'MS11097'),
        ('KB2592799', 'MS11080'), ('KB2566454', 'MS11062'), ('KB2507938', 'MS11056'),
        ('KB2503665', 'MS11046'), ('KB2478960', 'MS11014'), ('KB2393802', 'MS11011'),
        ('KB2305420', 'MS10092'), ('KB2360937', 'MS10084'), ('KB2267960', 'MS10065'),
        ('KB982799', 'MS10059'), ('KB2160329', 'MS10048'), ('KB977165', 'MS10015'),
        ('KB971468', 'MS10012'), ('KB975517', 'MS09050'), ('KB971657', 'MS09041'),
        ('KB970483', 'MS09020'), ('KB959454', 'MS09012'), ('KB957097', 'MS08068'),
        ('KB958644', 'MS08067'), ('KB956803', 'MS08066'), ('KB941693', 'MS08025'),
        ('KB942831', 'MS08005'), ('KB944653', 'MS07067'), ('KB921883', 'MS06040'),
        ('KB899588', 'MS05039'), ('KB823980', 'MS03026'),
    )
    sets = ''.join(f'set {kb}={ms}&' for kb, ms in table)
    kbs = ' '.join(kb for kb, _ in table)
    print(sets + 'systeminfo>a.txt&(for %i in (' + kbs + ' )do @type a.txt|@find /i "%i"||@echo %%i% Not Installed!)&del /f/q /a a.txt')
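def run():
    """Scan the local host with the built-in KB table, then run the MS* checks.

    Uses the module-level ``patchstatread`` (systeminfo output captured at
    import) instead of spawning systeminfo a second time into a local that
    shadowed the global with the same text.
    Entries are ``MS:KB:description:versions``; only the first three ':' are
    split so a versions field may itself contain ':'. A KB that systeminfo
    does not list is printed as "Not Install" — a lead, not proof, because a
    superseding rollup carries a different KB number (the post-2016 bulletins
    below use per-OS KB lists for that reason).
    """
    builtin = (
        'MS15-076:KB3067505:RPC:(2003/2008/7/8/2012)',
        'MS15-077:KB3077657:ATM:(XP/Vista/Win7/Win8/2000/2003/2008/2012)',
        'MS15-061:KB3057839:Kernel Driver:(2003/2008/7/8/2012)',
        'MS15-051:KB3057191:Windows Kernel Mode Drivers:(2003/2008/7/8/2012)',
        'MS15-015:KB3031432:Kernel Driver:(Win7/8/8.1/2012/RT/2012 R2/2008 R2)',
        'MS15-001:KB3023266:Kernel Driver:(2008/2012/7/8)',
        'MS14-070:KB2989935:Kernel Driver:(2003)',
        'MS14-068:KB3011780:Domain Privilege Escalation:(2003/2008/2012/7/8)',
        'MS14-058:KB3000061:Win32k.sys:(2003/2008/2012/7/8)',
        'MS14-066:KB2992611:Windows Schannel Allowing RCE:(VistaSP2/7 SP1/8/Windows 8.1/2003 SP2/2008 SP2/2008 R2 SP1/2012/2012 R2/Windows RT/Windows RT 8.1)',
        'MS13-053:KB2850851:win32k.sys:(XP/Vista/2003/2008/win7)',
        'MS13-005:KB2778930:Kernel Mode Driver:(2003/2008/2012/win7/8)',
        'MS12-018:KB2641653:PostMessage function:(2003/2008/Vista/XP/win7)',
        'MS12-009:KB2645640:Auxiliary function driver:(2003/2008/Vista/XP/win7)',
        'MS12-003:KB2646524:CSRSS:(2003/2008/Vista/XP)',
        'MS11-097:KB2620712:CSRSS:(2003/2008/Vista/XP/7)',
        'MS11-080:KB2592799:AFD.sys:(2003/XP)',
        'MS11-062:KB2566454:NDISTAPI:(2003/XP)',
        'MS11-056:KB2507938:CSRSS:(2003/XP/win7/2008)',
        'MS11-046:KB2503665:AFD.sys:(2003/2008/7/XP)',
        'MS11-014:KB2478960:LSASS:(2003/XP)',
        'MS11-011:KB2393802:kernel Driver:(2003/2008/7/XP/Vista)',
        'MS10-092:KB2305420:Task Scheduler:(2008/7)',
        'MS10-084:KB2360937:RPCSS:(2003/xp)',
        'MS10-065:KB2267960:FastCGI:(IIS 5.1, 6.0, 7.0, and 7.5)',
        'MS10-048:KB2160329:win32k.sys:(XP SP2 & SP3/2003 SP2/Vista SP1 & SP2/2008 Gold & SP2 & R2/Win7)',
        'MS10-015:KB977165:KiTrap0D:(2003/2008/7/XP)',
        'MS10-012:KB971468:SMB Client Trans2 stack overflow:(Windows 7/2008R2)',
        'MS09-050:KB975517:Remote Code Execution:(2008/Vista)',
        'MS09-041:KB971657:Workstaion:(xp/2003/2008/Vista)',
        'MS09-020:KB970483:IIS 6.0:(IIS 5.1 and 6.0)',
        'MS08-068:KB957097:Remote Code Execution:(2000/XP)',
        'MS08-067:KB958644:Remote Code Execution:(Windows 2000/XP/Server 2003/Vista/Server 2008)',
        'MS08-066:KB956803:AFD.sys:(Windows 2000/XP/Server 2003)',
        'MS08-025:KB941693:Win32.sys:(XP/2003/2008/Vista)',
        'MS08-005:KB942831:IIS:(XP/2003/2000/Vista)',
        'MS07-067:KB944653:Macrovision:(2003/xp)',
        'MS06-040:KB921883:Remote Code Execution:(2003/xp/2000)',
        'MS05-039:KB899588:PnP Service:(Win 9X/ME/NT/2000/XP/2003)',
        'MS03-026:KB823980:Buffer Overrun In RPC Interface:(/NT/2000/XP/2003)',
    )
    for entry in builtin:
        ms, kb, describe, versions = entry.split(':', 3)
        if kb not in patchstatread:
            print(kb + ' Not Install!  MS:[' + ms + ']  Describe:' + describe + '  VULNOS:' + versions)
    # Bulletins whose KB number differs per OS build have dedicated checks.
    for check in (MS17010, MS17017, MS16135, MS16111, MS16098, MS16075, MS16034,
                  MS16032, MS16016, MS16014, MS15097, MS15010, MS14040, MS14002,
                  MS13046, MS12042, MS12020, MS10065, MS09012):
        check()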

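def main(filename=None):
    """Scan with an external KB list (-f), then run the built-in MS* checks.

    filename: path to the KB list; defaults to the ``-f`` argument. Lines are
    ``MS:KB:description:versions``; only the first three ':' are split, so
    the versions field may contain ':'.
    Malformed lines (fewer than four fields) are reported on stderr and
    skipped rather than aborting the scan with a ValueError. As with the
    built-in checks, a KB that systeminfo does not list is only a lead: a
    superseding rollup is not recognised.
    """
    if filename is None:
        filename = args.filename
    for line in openfile(filename):
        fields = line.split(':', 3)
        if len(fields) != 4:
            print('skipping malformed line: ' + line, file=sys.stderr)
            continue
        ms, kb, describe, versions = fields
        if kb not in patchstatread:
            print(kb + ' Not Install!  MS:[' + ms + ']  Describe:' + describe + '  VULNOS:' + versions)
    # Bulletins whose KB number differs per OS build have dedicated checks.
    for check in (MS17010, MS17017, MS16135, MS16111, MS16098, MS16075, MS16034,
                  MS16032, MS16016, MS16014, MS15097, MS15010, MS14040, MS14002,
                  MS13046, MS12042, MS12020, MS10065, MS09012):
        check()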

if __name__ == '__main__':
    # Dispatch on the two flags: -f selects the external KB file, -c selects
    # cmd one-liner generation instead of a local scan.
    args = parse_args()
    if args.filename:
        if args.cmd:
            cmd()
        else:
            main()
    elif args.cmd:
        localcmd()
    else:
        run()

测试后发现有些地方不完善：比如我的 2008 服务器已经打了 MS17-010 补丁，但 systeminfo 里显示的编号是 KB4012212（对应该系统版本的组件 KB 号），而不是公告 KB 号 KB4013389。更一般地说，后续的累积更新/月度汇总会取代早期的单独补丁，而脚本只做 KB 号的字符串匹配，识别不了这种"被取代"的情况，所以输出的 "Not Install" 只是线索而不是结论，动手提权前还要在目标上实际核对（例如再用 wmic qfe list 或 Get-HotFix 看一遍）。脚本还会继续完善。

exe工具下载

参考链接:

http://download.microsoft.com/download/6/7/3/673E4349-1CA5-40B9-8879-095C72D5B49D/BulletinSearch.xlsx

https://github.com/SecWiki/windows-kernel-exploits

     
