Patch testing and analysis are important parts in vulnerability research and exploit development. One popular reason is people would try this technique to rediscover patched bugs, or find ways to keep an 0day alive in case the fix in place is inadequate. The same process is also used to find the range of builds affected by a vulnerability, which tends to be useful to predict the value of the exploit, improving target coverage and reliability.

Going through Microsoft patches is no easy task, though. There could be hundreds of advisories for the bug you're working on, each including different operating systems, different architectures, different languages, etc. Of course, there are tools publicly available that can search and patch whatever you're vulnerable to, but this is only great for regular use such as home or IT infrastructure. For research purposes, we usually don't want just one patch. We often want all (or most) that are associated with the product. Surprisingly, there seem to be no tools suitable for this kind of task. So we made a new tool called MSU Finder, and another called extract_msu.bat to extract patches.

MSU Finder

The main purpose of MSU Finder is to find the download links for Microsoft patches. You can also use it to find advisories of a given product, in case you are curious about how often something gets updated.

Technet Search Engine

The tool supports two ways to find Microsoft advisories: The first and default one is via Technet. In this mode, MSU Finder will check against pre-defined product list from Technet, and return all the ones that match. If nothing matches, the tool will just perform a more generic search. The Technet search engine allows you to search by MSB, KB, or CVE number.

Google Custom Search API

The other search engine MSU Finder supports is Google Custom Search API. The request is equivalent to the following Google search:

SEARCH_QUERY site:technet.microsoft.com intitle:"Microsoft Security Bulletin" -"Microsoft Security Bulletin Summary" 

To be able to use the Google engine, you need to get an API key and a Search Engine ID:

  1. Have a Gmail account
  2. Go to Google Developer's Console
    1. Enable Custom Search API
    2. Create a credential. This credential is the API key.
  3. Go to Custom Search
    1. Create a new search engine
    2. Under Sites to Search, set it to: technet.microsoft.com
    3. In your search site, get the Search Engine ID under the Basics tab.

Usage

MSU Finder currently has a bit of learning curve. First off, the -q argument is mandatory. An important thing to understand is that the script will find advisories associated with that string, and then give you ALL the download links. And by "ALL", I mean all of it. For example, if your -q is "Internet Explorer 11", you will also get download links for other IE versions because they are all associated with the same advisory (vulnerability). So to narrow down your results more, you will need the -r option as well.

For example, if you want to look for IE 11 patches for x86, use a more narrow query like this:

$ ruby tools/exploit/msu_finder.rb -q "Internet Explorer 11" -r "^IE11.+x86"  

The -r option is a regular expression (regex) filter for the download link. This method works well if you are already familiar with Microsoft's patch naming convention, which typically begins with the product name or the operating system. You may need to play with this a little bit to get the hang of it. Even if you can't find an appropriate regex, it's okay. Download them anyway, and then on Windows you can sort files by modified date or product version, and then it will become apparent which ones you want, or don't want.

If you are not sure which advisories might get picked up by the search, try the -d option. This will only show you advisories numbers without actually fetching any links:

$ ruby tools/exploit/msu_finder.rb -q "Internet Explorer (10|11)" -d  

Finally, MSU Finder does not include the ability to download patches directly, but you can save the links to a file and use a tool like wget to download them:

$ ruby tools/exploit/msu_finder.rb -q "ms15-100" -r x86 > /tmp/list.txt && wget -i /tmp/list.txt  

To learn more about MSU Finder, please use the -h flag.

extract_msu.bat

As the name implies, this tool can extract Microsoft patches, specifically MSU files. It only runs on Windows, because it basically uses the expand command to extract. To use this:

  1. Start a Windows machine (XP or higher, so you have the expand command available)
  2. Copy extract_msu.bat onto the Windows machine
  3. Put all the MSU files in the same directory
  4. Run: extract_msu.bat [absolute path to the directory]
  5. As the tool runs, it will create a new folder for each MSU. And then in that new folder, there's another sub-folder named "extracted", that's where you can find the actual file(s) the patch wants to install. Now, since you're on Windows, you can search whatever DLL (or EXE) you are looking for, and then easily sort by creation date, product version, etc. Or, you can copy and paste all the found files onto the same folder, and then use whatever 3rd-party tool for additional analysis.

Both of these tools are now available for the Metasploit Framework. You can use MSU Finder to find you advisories or even be leveraged to automatically download patches. After downloading, you can use extract_msu.bat to extract them. After the patches are extracted, you can easily search for the actual components you want, put them in one place, and now you have a nice collection of release builds for research or development purposes.

To get your hands on these tools, please feel free to download Metasploit Framework, or git clone. If you are already a Metasploit user, you can run the msfupdate to receive them. To report a bug, or request additional features, please submit them to our metasploit-framework Github.