Sawaba · December 9, 2017 01:08
diff --git a/CVE2017-11937-check.cmd b/CVE2017-11937-check.cmd
 @echo off
 REM Local Windows check to ensure we're safe from CVE-2017-11937 
 REM https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11937
 cls
 ECHO.
 ECHO CVE-2017-11937 Vulnerability Check version 1.0
 ECHO Checking to make sure your antivirus isn't going to sell you out to cyberbaddies.
 ECHO The last vulnerable version was 1.1.14306.0 - anything newer should be safe.
 ECHO.

 REM Initialize Variables
 set sigloc=""
 set sigverfull=""
 set sigver=""

 REM Approach no1 (shouldn't require admin privs)
 ECHO Finding your current signature location...
 for /f "tokens=1,2,3,4,5" %%a in ('dir /OD "C:\ProgramData\Microsoft\Windows Defender\Definition Updates" ^| find "{"') do set sigloc=%%e
 ECHO Current signature location is C:\ProgramData\Microsoft\Windows Defender\Definition Updates\%sigloc%
 ECHO.
 REM Approach no2 - Not implemented yet, but would use the registry to check 
 REM version instead of file version.
 REM HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\EngineVersion

 REM Use WMIC to grab file version
 ECHO Finding MPE version...
 for /f "tokens=1,2 delims==" %%a in ('wmic datafile where name^="C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\%sigloc%\\mpengine.dll" get Version /value ^| find "Version"') do set sigverfull=%%b
 ECHO MPE Version found...
 ECHO. 
 for /f "tokens=1,2,3,4 delims=." %%a in ('wmic datafile where name^="C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\%sigloc%\\mpengine.dll" get Version /value ^| find "Version"') do set sigver=%%c

 ECHO Checking MPE version...
 if sigver GTR 14306 (
 	set conclusion=SAFE
 	ECHO SAFE from CVE-2017-11937 - you are running MPE version %sigverfull%.
 	) ELSE (
 		set conclusion=VULNERABLE
 		ECHO VULNERABLE to CVE-2017-11937. 
 		ECHO You are running MPE version %sigverfull% which can give specially crafted malware full access to systems
 		ECHO It is recommended that you update immediately
 	)

 REM If not in front of a console to view the output, comment out the next line.
 goto end

 REM This will write the results out to a file to the root of USERPROFILE
 REM You could rewrite this to update a webdav server, send a syslog message, etc
 REM You could also modify the file output to go to a mapped file server.
 REM To do that, add COMPUTERNAME to make the file name unique and then move
 REM or copy it to the destination. If you're feeling adventurous, you could
 REM skip the copy and just write directly to the file server or a UNC path.
 echo Time: %DATE% %TIME% >> %USERPROFILE%\CVE2017-11937-check.txt
 echo Hostname: %COMPUTERNAME% >> %USERPROFILE%\CVE2017-11937-check.txt
 echo MPEVersion: %sigverfull% >> %USERPROFILE%\CVE2017-11937-check.txt
 echo Conclusion: %conclusion% >> %USERPROFILE%\CVE2017-11937-check.txt

 :end
	@echo off
	REM Local Windows check to ensure we're safe from CVE-2017-11937
	REM https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11937
	cls
	ECHO.
	ECHO CVE-2017-11937 Vulnerability Check version 1.0
	ECHO Checking to make sure your antivirus isn't going to sell you out to cyberbaddies.
	ECHO The last vulnerable version was 1.1.14306.0 - anything newer should be safe.
	ECHO.

	REM Initialize Variables
	set sigloc=""
	set sigverfull=""
	set sigver=""

	REM Approach no1 (shouldn't require admin privs)
	ECHO Finding your current signature location...
	for /f "tokens=1,2,3,4,5" %%a in ('dir /OD "C:\ProgramData\Microsoft\Windows Defender\Definition Updates" ^\| find "{"') do set sigloc=%%e
	ECHO Current signature location is C:\ProgramData\Microsoft\Windows Defender\Definition Updates\%sigloc%
	ECHO.
	REM Approach no2 - Not implemented yet, but would use the registry to check
	REM version instead of file version.
	REM HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\EngineVersion

	REM Use WMIC to grab file version
	ECHO Finding MPE version...
	for /f "tokens=1,2 delims==" %%a in ('wmic datafile where name^="C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\%sigloc%\\mpengine.dll" get Version /value ^\| find "Version"') do set sigverfull=%%b
	ECHO MPE Version found...
	ECHO.
	for /f "tokens=1,2,3,4 delims=." %%a in ('wmic datafile where name^="C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\%sigloc%\\mpengine.dll" get Version /value ^\| find "Version"') do set sigver=%%c

	ECHO Checking MPE version...
	if sigver GTR 14306 (
	set conclusion=SAFE
	ECHO SAFE from CVE-2017-11937 - you are running MPE version %sigverfull%.
	) ELSE (
	set conclusion=VULNERABLE
	ECHO VULNERABLE to CVE-2017-11937.
	ECHO You are running MPE version %sigverfull% which can give specially crafted malware full access to systems
	ECHO It is recommended that you update immediately
	)

	REM If not in front of a console to view the output, comment out the next line.
	goto end

	REM This will write the results out to a file to the root of USERPROFILE
	REM You could rewrite this to update a webdav server, send a syslog message, etc
	REM You could also modify the file output to go to a mapped file server.
	REM To do that, add COMPUTERNAME to make the file name unique and then move
	REM or copy it to the destination. If you're feeling adventurous, you could
	REM skip the copy and just write directly to the file server or a UNC path.
	echo Time: %DATE% %TIME% >> %USERPROFILE%\CVE2017-11937-check.txt
	echo Hostname: %COMPUTERNAME% >> %USERPROFILE%\CVE2017-11937-check.txt
	echo MPEVersion: %sigverfull% >> %USERPROFILE%\CVE2017-11937-check.txt
	echo Conclusion: %conclusion% >> %USERPROFILE%\CVE2017-11937-check.txt

	:end