Use revision in MSF modules

Ashley Donaldson 2023-06-16 08:32:41 +10:00
parent ddbd24554d
commit 381d291da9
No known key found for this signature in database
GPG Key ID: D4BCDC8C892F7477
7 changed files with 93 additions and 129 deletions


@ -53,8 +53,12 @@ module Msf::Post::Windows::Version
service_pack = os_version_info_ex[6]
product_type = os_version_info_ex[9]
session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows NT\CurrentVersion', KEY_READ)
Msf::WindowsVersion.new(major, minor, build, service_pack, product_type)
revision = 0
if (major >= 10)
revision = registry_getvaldata('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion', 'UBR', Msf::Post::Windows::Registry::REGISTRY_VIEW_NATIVE)
end
Msf::WindowsVersion.new(major, minor, build, service_pack, revision, product_type)
else
# Command shell - we'll try reg commands, and fall back to `ver`
build_str = shell_registry_getvaldata('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion', 'CurrentBuildNumber', Msf::Post::Windows::Registry::REGISTRY_VIEW_NATIVE)
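Review bot: The result of the `UBR` read is passed on unchecked, and the `0` default is indistinguishable from a genuinely unpatched host. If `registry_getvaldata` returns nil when the value is missing or the read fails (its failure behaviour is not visible here), `revision` becomes nil on Windows 10+ and the module checks in this commit that test `revision_number.between?(0, N)` would raise; with a `0` fallback they would instead report a patched host as `Appears`. I would state the intent in a comment such as `# UBR is only present on Windows 10 and later; older systems keep revision 0`, and decide whether an unreadable UBR should surface as unknown rather than 0. The enclosing method starts and ends outside this hunk.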


@ -21,6 +21,7 @@ module Msf
Vista_SP0 = Server2008_SP0 = Rex::Version.new('6.0.6000.0')
Vista_SP1 = Server2008_SP1 = Rex::Version.new('6.0.6001.1')
Vista_SP2 = Server2008_SP2 = Rex::Version.new('6.0.6002.2')
Server2008_SP2_Update = Rex::Version.new('6.0.6003.2') # https://support.microsoft.com/en-us/topic/build-number-changing-to-6003-in-windows-server-2008-1335e4d4-c155-52eb-4a45-b85bd1909ca8
Win7_SP0 = Server2008_R2_SP0 = Rex::Version.new('6.1.7600.0')
Win7_SP1 = Server2008_R2_SP1 = Rex::Version.new('6.1.7601.1')
Win8 = Server2012 = Rex::Version.new('6.2.9200.0')


@ -7,6 +7,7 @@ class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Version
include Msf::Exploit::EXE # Needed for generate_payload_dll
include Msf::Post::Windows::FileSystem
include Msf::Post::Windows::Process
@ -94,55 +95,43 @@ class MetasploitModule < Msf::Exploit::Local
return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')
end
# XXX Using session.shell_command_token over cmd_exec() here as @wvu-r7 noticed cmd_exec() was broken under some situations.
build_num_raw = session.shell_command_token('cmd.exe /c ver')
build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)
if build_num.nil?
print_error("Couldn't retrieve the target's build number!")
else
build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)[0]
print_status("Target's build number: #{build_num}")
end
# see https://docs.microsoft.com/en-us/windows/release-information/
version = get_version_info
unless version.build_number.between?(Msf::WindowsVersion::Win7_SP0, Msf::WindowsVersion::Win10_1909)
unless version.build_number.between?(Msf::WindowsVersion::Server2008_SP0, Msf::WindowsVersion::Win10_1909)
return CheckCode::Safe('Target is not running a vulnerable version of Windows!')
end
build_num_gemversion = Rex::Version.new(build_num)
# Build numbers taken from https://www.qualys.com/research/security-alerts/2020-03-10/microsoft/
if (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) && (build_num_gemversion < Rex::Version.new('10.0.18363.719')) # Windows 10 v1909
if version.build_number == Msf::WindowsVersion::Win10_1909 && version.build_number.revision_number.between?(0, 718)
return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) && (build_num_gemversion < Rex::Version.new('10.0.18362.719')) # Windows 10 v1903
elsif version.build_number == Msf::WindowsVersion::Win10_1903 && version.build_number.revision_number.between?(0, 718)
return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) && (build_num_gemversion < Rex::Version.new('10.0.17763.1098')) # Windows 10 v1809
elsif version.build_number == Msf::WindowsVersion::Win10_1809 && version.build_number.revision_number.between?(0, 1097)
return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) && (build_num_gemversion < Rex::Version.new('10.0.17134.1365')) # Windows 10 v1803
elsif version.build_number == Msf::WindowsVersion::Win10_1803 && version.build_number.revision_number.between?(0, 1364)
return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.16299.0')) && (build_num_gemversion < Rex::Version.new('10.0.16299.1747')) # Windows 10 v1709
elsif version.build_number == Msf::WindowsVersion::Win10_1709 && version.build_number.revision_number.between?(0, 1746)
return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.15063.0')) && (build_num_gemversion < Rex::Version.new('10.0.15063.2313')) # Windows 10 v1703
elsif version.build_number == Msf::WindowsVersion::Win10_1703 && version.build_number.revision_number.between?(0, 2312)
return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.14393.0')) && (build_num_gemversion < Rex::Version.new('10.0.14393.3564')) # Windows 10 v1607
elsif version.build_number == Msf::WindowsVersion::Win10_1607 && version.build_number.revision_number.between?(0, 3563)
return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) && (build_num_gemversion < Rex::Version.new('10.0.10586.9999999')) # Windows 10 v1511
elsif version.build_number == Msf::WindowsVersion::Win10_1511
return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) && (build_num_gemversion < Rex::Version.new('10.0.10240.18519')) # Windows 10 v1507
elsif version.build_number == Msf::WindowsVersion::Win10_1507 && version.build_number.revision_number.between?(0, 18518)
return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) && (build_num_gemversion < Rex::Version.new('6.3.9600.19665')) # Windows 8.1/Windows Server 2012 R2
elsif version.build_number == Msf::WindowsVersion::Win81 # Includes Server 2012 R2
target_not_presently_supported
return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) && (build_num_gemversion < Rex::Version.new('6.2.9200.23009')) # Windows 8/Windows Server 2012
return CheckCode::Detected('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')
elsif version.build_number == Msf::WindowsVersion::Win8 # Includes Server 2012
target_not_presently_supported
return CheckCode::AppearsAppears('Vulnerable Windows 8/Windows Server 2012 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('6.1.7600.0')) && (build_num_gemversion < Rex::Version.new('6.1.7601.24549')) # Windows 7/Windows Server 2008 R2
return CheckCode::Detected('Vulnerable Windows 8/Windows Server 2012 build detected!')
elsif version.build_number.between?(Msf::WindowsVersion::Win7_SP0, Msf::WindowsVersion::Win7_SP1) # Includes Server 2008 R2
target_not_presently_supported
return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('6.0.6001.0')) && (build_num_gemversion < Rex::Version.new('6.0.6003.20749')) # Windows Server 2008/Windows Server 2008 SP2
return CheckCode::Detected('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')
elsif version.build_number.between?(Msf::WindowsVersion::Server2008_SP0, Msf::WindowsVersion::Server2008_SP2_Update) # Includes Server 2008
target_not_presently_supported
return CheckCode::Appears('Windows Server 2008/Windows Server 2008 SP2 build detected!')
return CheckCode::Detected('Windows Windows Server 2008 build detected!')
else
return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')
end
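Review bot: The new conditions call `revision_number` on `version.build_number`, but the spec changed in this same commit reads it from the version object itself (`expect(version.revision_number).to eq(256)`). `build_number` is compared with the `Rex::Version` constants in `Msf::WindowsVersion`, so unless `Rex::Version` also defines `revision_number` (not visible here) every Windows 10 branch would raise `NoMethodError` instead of returning a check code; the likely intended form is `version.revision_number.between?(0, 718)`. The same receiver is used in the three module check methods that follow on this page. Separately, the last branch's message reads `'Windows Windows Server 2008 build detected!'`, and the three `Detected` branches above it still say "Vulnerable" although no revision is checked there. The check method starts and ends outside the hunk.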


@ -7,6 +7,7 @@ class MetasploitModule < Msf::Exploit::Local
include Exploit::EXE
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Version
include Msf::Post::Windows::Process
include Msf::Post::Windows::ReflectiveDLLInjection
include Msf::Post::Windows::Dotnet
@ -117,29 +118,21 @@ class MetasploitModule < Msf::Exploit::Local
return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')
end
build_num_raw = cmd_exec('cmd.exe /c ver')
build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)
if build_num.nil?
return CheckCode::Unknown("Couldn't retrieve the target's build number!")
else
build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)[0]
vprint_status("Target's build number: #{build_num}")
end
version = get_version_info
build_num_gemversion = Rex::Version.new(build_num)
# Build numbers taken from https://www.qualys.com/research/security-alerts/2020-03-10/microsoft/
if (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) && (build_num_gemversion < Rex::Version.new('10.0.19042.685')) # Windows 10 20H2
if version.build_number == Msf::WindowsVersion::Win10_20H2 && version.build_number.revision_number.between?(0, 684)
return CheckCode::Appears('A vulnerable Windows 10 20H2 build was detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.19041.0')) && (build_num_gemversion < Rex::Version.new('10.0.19041.685')) # Windows 10 v2004 aka 20H1
elsif version.build_number == Msf::WindowsVersion::Win10_2004 && version.build_number.revision_number.between?(0, 684)
return CheckCode::Appears('A vulnerable Windows 10 20H1 build was detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) && (build_num_gemversion < Rex::Version.new('10.0.18363.1256')) # Windows 10 v1909
elsif version.build_number == Msf::WindowsVersion::Win10_1909 && version.build_number.revision_number.between?(0, 1255)
return CheckCode::Appears('A vulnerable Windows 10 v1909 build was detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) && (build_num_gemversion < Rex::Version.new('10.0.18362.1256')) # Windows 10 v1903
elsif version.build_number == Msf::WindowsVersion::Win10_1903 && version.build_number.revision_number.between?(0, 1255)
return CheckCode::Appears('A vulnerable Windows 10 v1903 build was detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) && (build_num_gemversion < Rex::Version.new('10.0.17763.1637')) # Windows 10 v1809
return CheckCode::Appears('A vulnerable Windows 10 v1809 build was detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) && (build_num_gemversion < Rex::Version.new('10.0.17134.1902')) # Windows 10 v1803
elsif version.build_number == Msf::WindowsVersion::Win10_1809 && version.build_number.revision_number.between?(0, 1636)
return CheckCode::Appears('A vulnerable Windows 10 v1809 build was detected!')
elsif version.build_number == Msf::WindowsVersion::Win10_1803 && version.build_number.revision_number.between?(0, 1901)
return CheckCode::Appears('A vulnerable Windows 10 v1803 build was detected!')
else
return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')
end
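Review bot: The explicit `CheckCode::Unknown` exit for an undeterminable build is gone, and nothing replaces it after `version = get_version_info`. If `get_version_info` can return nil on a session where neither the registry nor `ver` yields a build (its failure behaviour is not visible in this hunk), the first comparison raises instead of reporting Unknown. A guard such as `return CheckCode::Unknown("Couldn't retrieve the target's build number!") unless version` would keep the previous contract. The check method continues outside the hunk.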


@ -79,63 +79,52 @@ class MetasploitModule < Msf::Exploit::Local
return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')
end
version_info = get_version_info
unless version_info.build_number.between?(Msf::WindowsVersion::Win7_SP0, Msf::WindowsVersion::Win10_21H1) ||
version_info.build_number == Msf::WindowsVersion::Server2022 ||
version_info.build_number == Msf::WindowsVersion::Win11_21H1
version = get_version_info
unless version.build_number.between?(Msf::WindowsVersion::Server2008_SP0, Msf::WindowsVersion::Win10_21H1) ||
version.build_number == Msf::WindowsVersion::Server2022 ||
version.build_number == Msf::WindowsVersion::Win11_21H2
return CheckCode::Safe('Target is not running a vulnerable version of Windows!')
end
build_num_raw = cmd_exec('cmd.exe /c ver')
build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)
if build_num.nil?
print_error("Couldn't retrieve the target's build number!")
else
build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)[0]
print_status("Target's build number: #{build_num}")
end
build_num_gemversion = Rex::Version.new(build_num)
# Build numbers taken from https://www.qualys.com/research/security-alerts/2021-10-12/microsoft/
if (build_num_gemversion >= Rex::Version.new('10.0.22000.0')) && (build_num_gemversion < Rex::Version.new('10.0.22000.258')) # Windows 11
if version.build_number == Msf::WindowsVersion::Win11_21H2 && version.build_number.revision_number.between?(0, 257)
return CheckCode::Appears('Vulnerable Windows 11 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.20348.0')) && (build_num_gemversion < Rex::Version.new('10.0.20348.288')) # Windows Server 2022
elsif version.build_number == Msf::WindowsVersion::Server2022 && version.build_number.revision_number.between?(0, 287)
return CheckCode::Appears('Vulnerable Windows Server 2022 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.19044.0')) && (build_num_gemversion < Rex::Version.new('10.0.19044.1319')) # Windows 10 21H2
elsif version.build_number == Msf::WindowsVersion::Win10_21H2 && version.build_number.revision_number.between?(0, 1318)
return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.19043.0')) && (build_num_gemversion < Rex::Version.new('10.0.19043.1288')) # Windows 10 21H1
elsif version.build_number == Msf::WindowsVersion::Win10_21H1 && version.build_number.revision_number.between?(0, 1287)
return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) && (build_num_gemversion < Rex::Version.new('10.0.19042.1288')) # Windows 10 20H2
elsif version.build_number == Msf::WindowsVersion::Win10_20H2 && version.build_number.revision_number.between?(0, 1287)
return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.19041.0')) && (build_num_gemversion < Rex::Version.new('10.0.19041.1288')) # Windows 10 20H1
elsif version.build_number == Msf::WindowsVersion::Win10_2004 && version.build_number.revision_number.between?(0, 1287)
return CheckCode::Appears('Vulnerable Windows 10 20H1 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) && (build_num_gemversion < Rex::Version.new('10.0.18363.1854')) # Windows 10 v1909
elsif version.build_number == Msf::WindowsVersion::Win10_1909 && version.build_number.revision_number.between?(0, 1853)
return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) && (build_num_gemversion < Rex::Version.new('10.0.18362.9999999')) # Windows 10 v1903
elsif version.build_number == Msf::WindowsVersion::Win10_1903
return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) && (build_num_gemversion < Rex::Version.new('10.0.17763.2237')) # Windows 10 v1809
elsif version.build_number == Msf::WindowsVersion::Win10_1809 && version.build_number.revision_number.between?(0, 2236)
return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) && (build_num_gemversion < Rex::Version.new('10.0.17134.999999')) # Windows 10 v1803
elsif version.build_number == Msf::WindowsVersion::Win10_1803
return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.16299.0')) && (build_num_gemversion < Rex::Version.new('10.0.16299.999999')) # Windows 10 v1709
elsif version.build_number == Msf::WindowsVersion::Win10_1709
return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.15063.0')) && (build_num_gemversion < Rex::Version.new('10.0.15063.999999')) # Windows 10 v1703
elsif version.build_number == Msf::WindowsVersion::Win10_1703
return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.14393.0')) && (build_num_gemversion < Rex::Version.new('10.0.14393.4704')) # Windows 10 v1607
elsif version.build_number == Msf::WindowsVersion::Win10_1607 && version.build_number.revision_number.between?(0, 4703)
return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) && (build_num_gemversion < Rex::Version.new('10.0.10586.9999999')) # Windows 10 v1511
elsif version.build_number == Msf::WindowsVersion::Win10_1511
return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) && (build_num_gemversion < Rex::Version.new('10.0.10240.19086')) # Windows 10 v1507
elsif version.build_number == Msf::WindowsVersion::Win10_1507 && version.build_number.revision_number.between?(0, 19085)
return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) && (build_num_gemversion < Rex::Version.new('6.3.9600.20144')) # Windows 8.1/Windows Server 2012 R2
return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) && (build_num_gemversion < Rex::Version.new('6.2.9200.23489')) # Windows 8/Windows Server 2012
return CheckCode::Appears('Vulnerable Windows 8/Windows Server 2012 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('6.1.7601.0')) && (build_num_gemversion < Rex::Version.new('6.1.7601.25740')) # Windows 7/Windows Server 2008 R2
return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('6.0.6003.0')) && (build_num_gemversion < Rex::Version.new('6.0.6003.21251')) # Windows Server 2008/Windows Server 2008 SP2
return CheckCode::Appears('Vulnerable Windows Server 2008/Windows Server 2008 SP2 build detected!')
elsif version.build_number == Msf::WindowsVersion::Win81 # Includes Server 2012 R2
return CheckCode::Detected('Windows 8.1/Windows Server 2012 R2 build detected!')
elsif version.build_number == Msf::WindowsVersion::Win8 # Includes Server 2012
return CheckCode::Detected('Windows 8/Windows Server 2012 build detected!')
elsif version.build_number.between?(Msf::WindowsVersion::Win7_SP0, Msf::WindowsVersion::Win7_SP1) # Includes Server 2008 R2
return CheckCode::Detected('Windows 7/Windows Server 2008 R2 build detected!')
elsif version.build_number.between?(Msf::WindowsVersion::Server2008_SP0, Msf::WindowsVersion::Server2008_SP2_Update)
return CheckCode::Detected('Windows Server 2008/Windows Server 2008 SP2 build detected!')
else
return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')
end
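Review bot: The early range guard ends at `Msf::WindowsVersion::Win10_21H1`, so a Windows 10 21H2 host (build 19044 in the replaced comparison, above 21H1's 19043) is returned as `Safe` before the `Win10_21H2` branch further down can run. That branch is unreachable as written, which gives a false negative for that build; the next module on this page already bounds its guard with `Win10_21H2`. I would change the guard's first line to `unless version.build_number.between?(Msf::WindowsVersion::Server2008_SP0, Msf::WindowsVersion::Win10_21H2) ||`. The check method starts and ends outside the hunk.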


@ -10,6 +10,7 @@ class MetasploitModule < Msf::Exploit::Local
include Msf::Exploit::FileDropper
include Msf::Post::Windows::FileInfo
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Version
include Msf::Post::Windows::Process
include Msf::Post::Windows::ReflectiveDLLInjection
include Msf::Exploit::EXE # Needed for generate_payload_dll
@ -92,7 +93,7 @@ class MetasploitModule < Msf::Exploit::Local
# see https://docs.microsoft.com/en-us/windows/release-information/
version = get_version_info
unless version.build_number.between?(Msf::WindowsVersion::Win7_SP0, Msf::WindowsVersion::Win10_21H2) ||
unless version.build_number.between?(Msf::WindowsVersion::Server2008_SP0, Msf::WindowsVersion::Win10_21H2) ||
version.build_number == Msf::WindowsVersion::Win11_21H2 ||
version.build_number == Msf::WindowsVersion::Server2022
return CheckCode::Safe('Target is not running a vulnerable version of Windows!')
@ -116,76 +117,63 @@ class MetasploitModule < Msf::Exploit::Local
return CheckCode::Unknown("PromptOnSecureDesktop was not set to a known value, are you sure the target system isn't corrupted?")
end
_major, _minor, build, revision, _branch = file_version('C:\\Windows\\System32\\ntdll.dll')
major_minor_version = sysinfo_value.match(/\((\d{1,2}\.\d)/)
if major_minor_version.nil?
return CheckCode::Unknown("Could not retrieve the major n minor version of the target's build number!")
end
major_minor_version = major_minor_version[1]
build_num = "#{major_minor_version}.#{build}.#{revision}"
build_num_gemversion = Rex::Version.new(build_num)
# Build numbers taken from https://www.gaijin.at/en/infos/windows-version-numbers and from
# https://en.wikipedia.org/wiki/Windows_11_version_history and https://en.wikipedia.org/wiki/Windows_10_version_history
if (build_num_gemversion >= Rex::Version.new('10.0.22000.0')) # Windows 11
# Build numbers taken from https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26904, and associated
# security update information (e.g. https://support.microsoft.com/en-us/topic/windows-10-update-history-857b8ccb-71e4-49e5-b3f6-7073197d98fb,
# https://support.microsoft.com/en-us/topic/windows-11-version-21h2-update-history-a19cd327-b57f-44b9-84e0-26ced7109ba9)
if version.build_number == Msf::WindowsVersion::Win11_21H2 && version.build_number.revision_number.between?(0, 612)
return CheckCode::Appears('Vulnerable Windows 11 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.20348.0')) # Windows Server 2022
elsif version.build_number == Msf::WindowsVersion::Server2022 && version.build_number.revision_number.between?(0, 642)
return CheckCode::Appears('Vulnerable Windows Server 2022 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.19044.0')) # Windows 10 21H2
elsif version.build_number == Msf::WindowsVersion::Win10_21H2 && version.build_number.revision_number.between?(0, 1644)
return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.19043.0')) # Windows 10 21H1
elsif version.build_number == Msf::WindowsVersion::Win10_21H1 && version.build_number.revision_number.between?(0, 1644)
target_not_presently_supported
return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) # Windows 10 20H2 / Windows Server, Version 20H2
elsif version.build_number == Msf::WindowsVersion::Win10_20H2 && version.build_number.revision_number.between?(0, 1644)
target_not_presently_supported
return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.19041.0')) # Windows 10 v2004 / Windows Server v2004
elsif version.build_number == Msf::WindowsVersion::Win10_2004
target_not_presently_supported
return CheckCode::Appears('Vulnerable Windows 10 v2004 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) # Windows 10 v1909 / Windows Server v1909
elsif version.build_number == Msf::WindowsVersion::Win10_1909 && version.build_number.revision_number.between?(0, 2211)
target_not_presently_supported
return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) # Windows 10 v1903
elsif version.build_number == Msf::WindowsVersion::Win10_1903
target_not_presently_supported
return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) # Windows 10 v1809 / Windows Server 2019 v1809
elsif version.build_number == Msf::WindowsVersion::Win10_1809 && version.build_number.revision_number.between?(0, 2802)
target_not_presently_supported
return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) # Windows 10 v1803
elsif version.build_number == Msf::WindowsVersion::Win10_1803
target_not_presently_supported
return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.16299.0')) # Windows 10 v1709
elsif version.build_number == Msf::WindowsVersion::Win10_1709
target_not_presently_supported
return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.15063.0')) # Windows 10 v1703
elsif version.build_number == Msf::WindowsVersion::Win10_1703
target_not_presently_supported
return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.14393.0')) # Windows 10 v1607 / Windows Server 2016 v1607
elsif version.build_number == Msf::WindowsVersion::Win10_1607 && version.build_number.revision_number.between?(0, 5065)
target_not_presently_supported
return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) # Windows 10 v1511
elsif version.build_number == Msf::WindowsVersion::Win10_1511
target_not_presently_supported
return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) # Windows 10 v1507
elsif version.build_number == Msf::WindowsVersion::Win10_1507
target_not_presently_supported
return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) # Windows 8.1/Windows Server 2012 R2
elsif version.build_number == Msf::WindowsVersion::Win81 # Includes Server 2012 R2
target_not_presently_supported
return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) # Windows 8/Windows Server 2012
return CheckCode::Detected('Windows 8.1/Windows Server 2012 R2 build detected!')
elsif version.build_number == Msf::WindowsVersion::Win8 # Includes Server 2012
target_not_presently_supported
return CheckCode::Appears('Vulnerable Windows 8/Windows Server 2012 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('6.1.7601.0')) # Windows 7 SP1/Windows Server 2008 R2 SP1
return CheckCode::Detected('Windows 8/Windows Server 2012 build detected!')
elsif version.build_number.between?(Msf::WindowsVersion::Win7_SP0, Msf::WindowsVersion::Win7_SP1) # Includes Server 2008 R2
target_not_presently_supported
return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('6.1.7600.0')) # Windows 7/Windows Server 2008 R2
return CheckCode::Detected('Windows 7/Windows Server 2008 R2 build detected!')
elsif version.build_number.between?(Msf::WindowsVersion::Server2008_SP0, Msf::WindowsVersion::Server2008_SP2_Update) # Includes Server 2008
target_not_presently_supported
return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')
elsif (build_num_gemversion >= Rex::Version.new('6.0.6002.0')) # Windows Server 2008 SP2
target_not_presently_supported
return CheckCode::Appears('Windows Server 2008/Windows Server 2008 SP2 build detected!')
return CheckCode::Detected('Windows Server 2008/Windows Server 2008 SP2 build detected!')
else
return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')
end
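Review bot: Several branches in the second hunk return `Appears` with no revision bound, including `Win10_1507`, although the two other check methods on this page bound that build (`between?(0, 18518)` and `between?(0, 19085)`), which suggests it kept receiving updates. If a fix was shipped for any of the unbounded builds, a patched host is reported as vulnerable. Either add the bound from the advisory cited in the new comment, or mark each such branch with a comment like `# no fixed revision listed for this build; all revisions treated as vulnerable`. The check method starts and ends outside the hunk.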


@ -90,7 +90,7 @@ RSpec.describe Msf::Post::Windows::Version do
allow(subject).to receive_message_chain('session.type').and_return('shell')
version = subject.get_version_info
expect(version.build_number).to eq(Msf::WindowsVersion::Win10_22H2)
expect(version.revision).to eq(256)
expect(version.revision_number).to eq(256)
expect(version.windows_server?).to eq(false)
expect(version.domain_controller?).to eq(false)
end
@ -105,14 +105,14 @@ RSpec.describe Msf::Post::Windows::Version do
allow(subject).to receive_message_chain('session.type').and_return('shell')
version = subject.get_version_info
expect(version.build_number).to eq(Msf::WindowsVersion::Server2022)
expect(version.revision).to eq(256)
expect(version.revision_number).to eq(256)
expect(version.windows_server?).to eq(true)
expect(version.domain_controller?).to eq(true)
end
it "Windows 2000 German" do
allow(subject).to receive(:cmd_exec).with("cmd.exe /c reg query \"#{current_version_key}\" /v \"#{current_build_number}\"") { "Der Befehl \"reg\" ist entweder falsch geschrieben oder\r\nkonnte nicht gefunden werden." }
allow(subject).to receive(:cmd_exec).with("ver") { "Microsoft Windows 2000 [Version 5.00.2195]" }
allow(subject).to receive(:cmd_exec).with("cmd.exe /c ver") { "Microsoft Windows 2000 [Version 5.00.2195]" }
allow(subject).to receive_message_chain('session.type').and_return('shell')
version = subject.get_version_info
expect(version.build_number).to eq(Msf::WindowsVersion::Win2000)