-
Notifications
You must be signed in to change notification settings - Fork 6
Using MSU Finder
Patch testing and analysis are important parts in vulnerability research and exploit development. One popular reason is people would try this technique to rediscover patched bugs, or find ways to keep an 0day alive in case the fix in place is inadequate. The same process is also used to find the range of builds affected by a vulnerability, which tends to be useful to predict the value of the exploit, improving target coverage and reliability.
Going through Microsoft patches is no easy task, though. There could be hundreds of advisories for the bug you're working on, each including different operating systems, different architectures, different languages, etc. Of course, there are tools publicly available that can search and patch whatever you're vulnerable to, but this is only great for regular use such as home or IT infrastructure. For research purposes, we usually don't want just one patch. We often want all (or most) that are associated with the product. Surprisingly, there seem to be no tools suitable for this kind of task, therefore MSU Finder is born.
Currently, there are two search engines MSU Finder supports.
The first and default one is via Technet. In this mode, MSU Finder will check against pre-defined product list from Technet, and return all the ones that match. If nothing matches, the tool will just perform a more generic search. The Technet search engine allows you to search by MSB, KB, or CVE number.
Usage example:
Download all the IE patches and save them to /tmp:
msu_finder -q "Internet Explorer" -d /tmp/
The other search engine MSU Finder supports is Google Custom Search API. The request is equivalent to the following Google search:
SEARCH_QUERY site:technet.microsoft.com intitle:"Microsoft Security Bulletin" -"Microsoft Security Bulletin Summary"
To be able to use the Google engine, you need to get an API key and a Search Engine ID:
- Have a Gmail account
- Go to Google Developer's Console
- Enable Custom Search API
- Create a credential. This credential is the API key.
- Go to Custom Search
- Create a new search engine
- Under Sites to Search, set it to: technet.microsoft.com
- In your search site, get the Search Engine ID under the Basics tab.
Usage example:
Download all the IE patches and save them to /tmp:
msu_finder -q "Internet Explorer" -s Google -d /tmp
Patch Finder also includes some smaller tools in the tools directory that assist you with going through patches.
Once you have the MSU patches, you can use this tool to automatically extract them. Note that since this is a .bat script, you must use this from a Windows machine.
Usage example:
$ extract_msu.bat C:\msu_patches\
This tools is allows you to examine the base address of the patched component (such as DLL), as well as other info that might be useful for research purposes such as timestamp, filename, build version.
To use this, you must place this script under the parent directory that contain all the extracted patches. And then run it from command prompt.