Windows exploit suggester – An easy way to find and exploit windows vulnerabilities 2023

Ahmad Khan March 19, 2023March 19, 2023 0 Comments black hat pakistan, Ethical hacking, hacking, Windows exploit suggester

This article is about Windows exploit suggester.

Information About Windows exploit suggester:

During our penetration tests, we often come across situations where we need to find the right exploits to escalate privileges on a compromised host. While there are several techniques for privilege escalation, finding missing patches can be an easy way if the exploit is publicly available. Blindly trying different exploits can be a time-consuming process if most of them fail. “Windows Exploit Suggester” is a tool developed in python to detect missing patches and show us relevant exploits on Windows platform. This tool can be useful for penetration testers, administrators and end users alike.

This article explains the following.

How to use the “Windows Exploit Suggester” tool to detect if a host is exploitable
Using the results to exploit a local privilege escalation vulnerability
Vulnerability fix
Vulnerability rescan with “Windows exploit Suggester”

Preparation with settings

The following is the setup I have for this article.

Kali v2.0 to run “Windows Exploit Suggester”
Unpatched “Windows Server 2003 R2”
Download the “Windows Exploit Suggester” tool in Kali Linux here:

[download]

I am copying the zip file to my root directory to save some space on the terminal.

Once done, unzip the compressed file. You should see the python script inside the extracted folder. This looks as shown below.

This tool uses security bulletin database from Microsoft and checks against the hotfixes installed on the host. For this reason, we need to have the security bulletin database with us to use this tool. This tool makes our life easy by automatically downloading and saving the results into an excel spreadsheet using “—update” flag. This is shown below.
Then install the required dependencies using the command below.

pip install xlrd –upgrade

This completes the setup.

Permission Escalation Check

Although this tool reports both remote and local exploits available, I’m specifically looking for a local privilege escalation exploit on the target machine.

This tool requires the output of the “systeminfo” command to find the data of the installed hotfix. So let’s get the output of the “systeminfo” command from the target host as shown below.

https://resources.infosecinstitute.com/wp-content/uploads/100315_1801_WindowsExpl6.png

Place it in the folder where we have the python script. Now, we have the following files in the local machine.

Run the following command, to get the information about the missing patches.

./windows-exploit-suggester.py –database 2015-09-22-mssb.xlsx –systeminfo systeminfo_1.txt

root@kali:~/Windows-Exploit-Suggester-master# ls

2015-09-22-mssb.xlsx LICENSE.md README.md systeminfo_1.txt windows-exploit-suggester.py

root@kali:~/Windows-Exploit-Suggester-master# ./windows-exploit-suggester.py –database 2015-09-22-mssb.xlsx –systeminfo systeminfo_1.txt

[*] initiating winsploit version 2.9…

[*] database file detected as xls or xlsx based on extension

[*] attempting to read from the systeminfo input file

[+] systeminfo input file read successfully (ascii)

[*] querying database file for potential vulnerabilities

[*] comparing the 1 hotfix(es) against the 473 potential bulletins(s) with a database of 115 known exploits

[*] there are now 473 remaining vulns

[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin

[+] windows version identified as ‘Windows 2003 SP2 32-bit’

[*]

[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) – Important

[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) – Critical

[E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) – Important

[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) – Critical

[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) – Critical

[M] MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) – Important

[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) – Critical

[E] MS14-035: Cumulative Security Update for Internet Explorer (2969262) – Critical

[E] MS14-029: Security Update for Internet Explorer (2962482) – Critical

[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) – Important

[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) – Critical

[M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) – Important

[E] MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) – Important

[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) – Important

[M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) – Critical

[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) – Critical

[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) – Critical

[M] MS13-071: Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063) – Important

[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) – Critical

[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) – Critical

[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) – Critical

[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) – Critical

[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) – Critical

[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) – Critical

[M] MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799) – Important

[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) – Important

[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) – Important

[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) – Critical

[M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) – Important

[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) – Critical

[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) – Critical

[M] MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947) – Critical

[M] MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254) – Important

[M] MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) – Important

[M] MS09-004: Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420) – Important

[M] MS09-002: Cumulative Security Update for Internet Explorer (961260) (961260) – Critical

[M] MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687) – Critical

[M] MS08-078: Security Update for Internet Explorer (960714) – Critical

[M] MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution (958644) – Critical

[M] MS08-053: Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution (954156) – Critical

[M] MS08-041: Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617) – Critical

[E] MS08-025: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (941693) – Important

[M] MS07-064: Vulnerabilities in DirectX Could Allow Remote Code Execution (941568) – Critical

[M] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966) – Critical

[M] MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution (925902) – Critical

[M] MS06-019: Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (916803) – Critical

[*] done

root@kali:~/Windows-Exploit-Suggester-master#

As we can see in the above table, we have got various remote as well as local exploits found for this machine. This machine appears to be extremely vulnerable. Good News!

In the output, [M] suggests that there is a Metasploit module available for that bulletin. If it is [E], it has an exploit-db POC.

Among the list of vulnerabilities, I have highlighted one vulnerability ms10-015, which is one of the most popular privilege escalation exploits. You should have heard about it if you know what meterpreter “getsystem” does.

You can also see the popular ms08-067, which I am not going to touch here.

We can use “grep” command to filter out the output and thus we can have only local privilege escalation exploit list.

./windows-exploit-suggester.py –database 2015-09-22-mssb.xlsx –systeminfo systeminfo_1.txt | grep ‘Elevation’

root@kali:~/Windows-Exploit-Suggester-master# ./windows-exploit-suggester.py –database 2015-09-22-mssb.xlsx –systeminfo systeminfo_1.txt | grep ‘Elevation’