In this webinar, Stephen will demonstrate the process of downloading Microsoft cumulative updates to extract the patches and prep them for diffing.
It is a useful way to identify patched vulnerabilities that could be weaponized against unpatched systems (n-day), and to learn how vulnerabilities get patched, which helps with bug hunting.
My notes:
- Time-consuming to find the diff (use BinDiff or Diaphora).
- 2022-10 x64 "Windows 10" 22H2 vs "Cumulative windows 10"
- 2 purposes:
  - weaponize patched vuln (n-day exploit)
  - find new 0-day vuln
- MS doesn't obfuscate the patch management process. 😅
- expand.exe -F:* .\xxxx.msu .\extract
- expand.exe -F:* .\extract\xxxx.cab .\patch
- expand.exe -F:* .\patch\yyyy.cab .\patch
- expand.exe -F:* .\patch\zzzz.cab .\patch [20min++]
- gci -Recurse c:\windows\WinSxS\ -Filter ntdll.dll
- .\delta_patch.py -i .\NTDLL\ntdll.dll -o ntdll.2020-10.dll .\NTDLL\r\ntdll.dll .\2020-10\x64\ntdll.dll_10.0.18362.1139\f\ntdll.dll
- .\delta_patch.py -i .\NTDLL\ntdll.dll -o ntdll.2020-11.dll .\NTDLL\r\ntdll.dll .\2020-11\x64\ntdll.dll_10.0.18362.1171\f\ntdll.dll
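The expand / WinSxS / delta_patch.py steps above, wrapped in one PowerShell script. This is an added example, not code from the webinar or its notes. It assumes expand.exe and python are on PATH, that delta_patch.py (the script the notes call) sits in the current directory, that the update is a classic x64 Windows 10 cumulative update built from nested .cab files, and that the component directories inside the update use the same amd64_* naming as WinSxS; the .msu file name is a placeholder.

```powershell
# Added example (not from the webinar): automates the expand.exe / WinSxS / delta_patch.py
# steps so the installed "before" and reconstructed "after" DLL can go straight into
# BinDiff or Diaphora. Assumptions: expand.exe and python on PATH, .\delta_patch.py present,
# classic x64 Windows 10 cumulative update (nested .cab), amd64_* component directory names.
param(
    [Parameter(Mandatory)] [string]$Msu,   # e.g. .\windows10.0-kbNNNNNNN-x64.msu (placeholder name)
    [string]$Dll  = "ntdll.dll",
    [string]$Work = ".\patch"
)

# Step 1: expand the .msu, then keep expanding every .cab that appears until none is left.
# The innermost cab is the large one (20+ minutes) and holds the per-binary f\ (forward)
# delta directories.
function Expand-Cumulative {
    param([string]$Source, [string]$Dest)
    New-Item -ItemType Directory -Force -Path $Dest | Out-Null
    & expand.exe -F:* $Source $Dest | Out-Null
    while ($cab = Get-ChildItem -Path $Dest -Recurse -Filter *.cab -File | Select-Object -First 1) {
        Write-Host "expanding $($cab.Name)"
        & expand.exe -F:* $cab.FullName $Dest | Out-Null
        Remove-Item $cab.FullName    # so the loop never expands the same archive twice
    }
}

# Step 2: the installed binary lives in C:\Windows\WinSxS\<component>\<dll> with its reverse
# delta beside it in <component>\r\<dll>; the update ships only the new forward delta in
# <component>\f\<dll>. installed + reverse delta = base file, base + forward delta = patched file.
function Get-InstalledComponent {
    param([string]$Dll)
    Get-ChildItem -Path C:\Windows\WinSxS -Recurse -Filter $Dll -File |
        Where-Object { $_.Directory.Name -notin @('f', 'r', 'n') -and $_.Directory.Name -like 'amd64_*' } |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
}

function Get-ForwardDelta {
    param([string]$Root, [string]$Dll)
    Get-ChildItem -Path $Root -Recurse -Filter $Dll -File |
        Where-Object { $_.Directory.Name -eq 'f' -and $_.FullName -like '*amd64*' } |
        Select-Object -First 1
}

# Step 3: rebuild the patched binary with delta_patch.py: -i input, -o output, then the deltas
# in the order they apply (reverse first, then forward), exactly as in the notes above.
Expand-Cumulative -Source $Msu -Dest $Work

$installed = Get-InstalledComponent -Dll $Dll
if (-not $installed) { throw "no installed $Dll found under WinSxS" }
$reverse = Join-Path $installed.DirectoryName "r\$Dll"
$forward = Get-ForwardDelta -Root $Work -Dll $Dll
if (-not (Test-Path $reverse) -or -not $forward) {
    throw "missing reverse delta ($reverse) or forward delta for $Dll under $Work"
}

$patched = ".\$Dll.patched"
& python .\delta_patch.py -i $installed.FullName -o $patched $reverse $forward.FullName

# Record what is being diffed: file version and SHA-256 of both sides, for the analysis notes.
foreach ($f in @($installed.FullName, $patched)) {
    $version = (Get-Item $f).VersionInfo.FileVersion
    $hash    = (Get-FileHash -Algorithm SHA256 -Path $f).Hash
    Write-Host ("{0}`t{1}`t{2}" -f $f, $version, $hash)
}
Write-Host "Load $($installed.FullName) and $patched into BinDiff or Diaphora."
```

Run it from the directory that holds delta_patch.py, e.g. `.\Get-PatchPair.ps1 -Msu .\windows10.0-kbNNNNNNN-x64.msu -Dll ntdll.dll` (script name and KB number are placeholders). The reverse delta always comes from the machine's own WinSxS, so the "before" side is whatever build is installed; record the two file versions printed at the end so the diff is tied to concrete builds.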
Links:
- Youtube - Modern Binary/Patch Diffing
- https://github.com/joxeankoret/diaphora
- https://security.googleblog.com/2016/03/bindiff-now-available-for-free.html
- https://www.zynamics.com/bindiff.html
- https://www.catalog.update.microsoft.com/Home.aspx