#76367 - 2003-08-14 08:52 PM
Another W32LoveSAN patch script
NTDOC
Administrator
Registered: 2000-07-28
Posts: 11628
Loc: CA
First Posted: Thursday, August 14
This is sort of a follow-up to these posts:
http://www.kixtart.org/board/ultimatebb.php?ubb=get_topic;f=2;t=004498
http://www.kixtart.org/board/ultimatebb.php?ubb=get_topic;f=1;t=007670
The following script was written to attempt to address some of the workstations that have eluded either LOGON/GPO/SMS attempts at installing the KB823980 patch. This list is derived by scanning your network for vulnerable systems.
Tool to scan for vulnerable systems: http://www.eeye.com/html/Research/Tools/RPCDCOM.html (free tool, but registration required)
What the script does is take an array of KNOWN workstation local Administrator account passwords and attempt to establish an Administrative connection. If successful it will then add the specified Domain Groups to the local administrators group on the remote system (you must add an account that you belong to). Then it copies the patch to the local system. Then it runs a WMI connection to execute the patch and FORCE REBOOTS the system. WARNING!! Any data or applications that are open and in an unsaved state will lose data or changes, as the /F switch in the batch file will force a reboot.
This is an ADMINISTRATIVE script and as such should be run from your own local 2000/XP Workstation. You could also add the RedirectOutput function to log the results. Normally this is run from a DOS box so that you can watch the results at least for initial testing. Once you feel it is working as expected you can then use the RedirectOutput function and log all of it.
EXAMPLE: C:\SCRIPT\KIX32.EXE DEPLOYPATCH.KIX
Special thanks to Radimus, Chris, and Howard for their help with this script.
Requires:
1. Win32Admin DLL by Howard Bullock
   http://mywebpages.comcast.net/habullock/kix_solutions.htm
   http://mywebpages.comcast.net/habullock/Library/Win32Admin.dll.txt
2. KiXtart v4.21 (many download locations)
3. Windows 2000/XP Workstation to run script from
4. Remote Administrative account or list of KNOWN passwords for your own workstations. If you don't know or have a list of KNOWN passwords to use then this script will not be useful to you.
5. WMI must be functional on remote system
This script has been tested on 2000/XP systems; it has not been tested yet on NT 4. This script is not optimized, but should perform reasonably well if all of the required criteria are met.
Known possible improvements:
1. Modify section where groups are added to use the Win32Admin method to determine the remote Workstation's real name for the Administrator account in case it has been renamed
2. Add an array or redline method to process multiple computers
3. More sophisticated logging method or data
4. I'm sure there are other possible improvements I have not listed
Break On
$nul=SetOption("WrapAtEOL","On")
$nul=SetOption("Explicit","On")

DIM $wksta,$Pass,$Index,$err,$serr,$KBBatPath,$KBBatFile
DIM $Win32Admin,$AdminAccount,$CheckAdmin,$grouptoadd1,$grouptoadd2

$wksta = 'computer to run against'
$Pass = 'pass1','pass2','pass3','pass4'   ; etc... array of known passwords
$Index = 0                                ; start at the first element of $Pass (a DIM'd variable is "", not 0)
$grouptoadd1 = "Domain Admins"            ; groups to add to the remote local Administrators group
$grouptoadd2 = "Desktop Support"          ; (you must belong to at least one of them)

$Win32Admin = CreateObject("Win32Admin")
$AdminAccount = $Win32Admin.GetAdminAccount("$wksta")   ; real name of the local Administrator account
$CheckAdmin = RemoteAdmin($wksta)                        ; 1 if we already have admin rights on $wksta

$KBBatPath = '\\SERVER\SHARE\KB823980.bat'
; Contents of batch is:
; KB823980.exe /q /f
$KBBatFile = 'KB823980.bat'

SELECT
CASE $CheckAdmin
  ? 'You have admin rights on '+$wksta
  USE P: '\\'+$wksta+'\Admin$$'
  DeployPatch($wksta)
  USE 'P:' /DEL
CASE NOT $CheckAdmin
  ; try each known password until the Admin$ share maps
  Do
    USE P: '\\'+$wksta+'\Admin$$' /user:$wksta+'\'+$AdminAccount /password:$Pass[$Index]
    $err = @ERROR    ; save both right away - the following statements overwrite @ERROR
    $serr = @SERROR
    ? 'Mapping with password "'+$Pass[$Index]+'" was: '+$err+' - '+$serr
    $Index = $Index + 1
  Until $err = 0 or $Index > UBound($Pass)
  IF $err = 0
    ? 'You successfully mapped the Admin$ share as an admin - with password "'+$Pass[$Index-1]+'"'
    DeployPatch($wksta)
    USE 'P:' /DEL
  Else
    ? 'Tried all known passwords - Unable to map as an Administrator'
  EndIf
CASE 1
ENDSELECT
$Win32Admin = 0
EXIT @ERROR

; Common steps once P: is mapped to \\$wksta\Admin$: pick the package for the remote OS,
; copy patch + batch into SYSTEM32, add the domain groups to local Administrators,
; then run the batch through WMI (the batch force-reboots the workstation).
Function DeployPatch($wksta)
  dim $OSV,$KBpath,$group
  $OSV = OSVer($wksta)
  SELECT
  CASE $OSV = '4.0'
    $KBpath='\\SERVER\SHARE\Q823980i.EXE'
  CASE $OSV = '5.0'
    $KBpath='\\SERVER\SHARE\Windows2000-KB823980-x86-ENU.exe'
  CASE $OSV = '5.1'
    $KBpath='\\SERVER\SHARE\WindowsXP-KB823980-x86-ENU.exe'
  CASE 1
    ? 'Unknown OS version "'+$OSV+'" on '+$wksta+' - no patch applied'
    EXIT 1
  ENDSELECT
  COPY $KBpath 'P:\SYSTEM32\KB823980.exe'
  COPY $KBBatPath 'P:\SYSTEM32'
  ; replace Domain with your NT domain name
  $group = GetObject("WinNT://$wksta/administrators")
  $group.add("WinNT://Domain/$grouptoadd1")
  ? 'Adding group '+$grouptoadd1+' error was: '+@error+' : '+@serror
  $group.add("WinNT://Domain/$grouptoadd2")
  ? 'Adding group '+$grouptoadd2+' error was: '+@error+' : '+@serror
  $group=0
  RemoteExec($KBBatFile,$wksta)
  ? 'Remote Execute error was: '+@error+' : '+@serror
  EXIT @error
EndFunction

; Returns 1 if the caller can already read \\$wksta\admin$ (i.e. has admin rights), else 0
Function RemoteAdmin($wksta)
  dim $dir,$err
  $dir=Dir('\\'+$wksta+'\admin$$')
  $err=@error
  $RemoteAdmin=IIf(not $err,1,0)
  Exit $err
EndFunction

; Returns the Windows NT CurrentVersion string ("4.0", "5.0", "5.1") of the local
; machine, or of $wksta when given, read through the remote registry
Function OSVer(Optional $wksta)
  If $wksta = ""
    $OSVer = @DOS
    Exit @ERROR
  Else
    If Left($wksta,2) <> "\\" $wksta = "\\" + $wksta EndIf
    If Right($wksta,1) <> "\" $wksta = $wksta + "\" EndIf
    $OSVer = ReadValue($wksta + "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion", "CurrentVersion")
    Exit @ERROR
  EndIf
EndFunction

; Starts $command on $computer (default: local) via WMI Win32_Process.Create
FUNCTION RemoteExec($command, optional $computer)
  dim $Connect, $Process
  if not $computer $computer='.' endif
  if InStr($computer,'\')
    $computer=SubStr($computer,InStrRev($computer,'\')+1)   ; strip any leading \\
  endif
  $Connect = GetObject('winmgmts:{impersonationLevel=impersonate}!\\'+$computer+'/root/cimv2:Win32_Process')
  $Process = $Connect.Create($command)   ; method return value: 0 = process started
  ? 'Processed the remote command '+@error+' : '+@serror+' (Create returned '+$Process+')'
  exit @error
ENDFUNCTION
[ 03. September 2003, 19:57: Message edited by: NTDOC ]
#76370 - 2003-08-14 11:39 PM
Re: Another W32LoveSAN patch script
Radimus
Moderator
Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
? WMIQuery('Description','Win32_QuickFixEngineering',$computer,'HotFixID','KB823980')
[ 14. August 2003, 23:39: Message edited by: Radimus ]
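As an added example (not NTDOC's script and not the board's WMIQuery UDF), here is a read-only KiXtart inventory pass that ties Radimus's Win32_QuickFixEngineering check to NTDOC's OSVer() lookup and to improvement 2 on his list (an array of computers). For each workstation it reports whether KB823980 is already recorded and, if not, which package from the thread applies to that OS version. It copies and executes nothing, runs with the caller's own rights only, and tries no passwords. The computer names are constructed, and HotFixInstalled() and PatchPackage() are hypothetical helpers written for this example.

```kixtart
; Added example: report which workstations still need KB823980 and which package each needs.
; Assumes WMI and the remote registry are reachable with the caller's own credentials.
Break On
$nul = SetOption("Explicit", "On")
DIM $Computers, $Computer, $Installed, $Version, $Package

$Computers = 'WKS001', 'WKS002', 'WKS003'   ; constructed sample names - put your scan results here

For Each $Computer In $Computers
  $Installed = HotFixInstalled($Computer, 'KB823980')
  If @ERROR
    ? $Computer + ' : cannot query WMI - ' + @ERROR + ' : ' + @SERROR
  Else
    If $Installed
      ? $Computer + ' : KB823980 already installed'
    Else
      ; same registry value OSVer() reads in NTDOC's script
      $Version = ReadValue('\\' + $Computer + '\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion', 'CurrentVersion')
      $Package = PatchPackage($Version)
      ? $Computer + ' : NOT patched, CurrentVersion ' + $Version + ', needs ' + $Package
    EndIf
  EndIf
Next
EXIT 0

; Hypothetical helper: returns 1 if $HotFixID is listed in Win32_QuickFixEngineering on
; $Computer, 0 if not. @ERROR is non-zero only when the WMI connection or query failed.
Function HotFixInstalled($Computer, $HotFixID)
  DIM $WMI, $Set, $Item
  $HotFixInstalled = 0
  $WMI = GetObject('winmgmts:{impersonationLevel=impersonate}!\\' + $Computer + '\root\cimv2')
  If @ERROR Exit @ERROR EndIf
  $Set = $WMI.ExecQuery("Select HotFixID From Win32_QuickFixEngineering Where HotFixID='" + $HotFixID + "'")
  If @ERROR Exit @ERROR EndIf
  For Each $Item In $Set
    $HotFixInstalled = 1   ; any row returned means the hotfix is recorded
  Next
  Exit 0
EndFunction

; Hypothetical helper: maps CurrentVersion to the package names used in the thread
Function PatchPackage($Version)
  Select
  Case $Version = '4.0'
    $PatchPackage = 'Q823980i.EXE'
  Case $Version = '5.0'
    $PatchPackage = 'Windows2000-KB823980-x86-ENU.exe'
  Case $Version = '5.1'
    $PatchPackage = 'WindowsXP-KB823980-x86-ENU.exe'
  Case 1
    $PatchPackage = 'no package known for version ' + $Version
  EndSelect
EndFunction
```

Run it before a deployment to trim the target list to hosts that actually lack the hotfix, and again afterwards as the verification step: a host that still reports NOT patched after the forced reboot is one where the copy, the group add or the WMI execute failed and the error output from the deploy script needs a closer look.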
#76376 - 2003-08-17 02:05 PM
Re: Another W32LoveSAN patch script
gwgaston
Fresh Scripter
Registered: 2002-02-06
Posts: 13
Another thing to note with the Microsoft tool is that it will (like the eEye tool prior to v1.04) report Win9x with DCOM 1.3 installed as vulnerable.
-Gerald