-
Notifications
You must be signed in to change notification settings - Fork 12
/
fanny_bmp_check.rb
70 lines (64 loc) · 2.39 KB
/
fanny_bmp_check.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
include Msf::Post::Common
include Msf::Post::Windows::Registry
include Msf::Auxiliary::Report
def initialize(info = {})
super(
update_info(
info,
'Name' => 'FannyBMP or DementiaWheel Detection Registry Check',
'Description' => %q{
This module searches for the Fanny.bmp worm related reg keys.
fannybmp is a worm that exploited zero day vulns
(more specifically, the LNK Exploit CVE-2010-2568).
Which allowed it to spread even if USB Autorun was turned off.
This is the same exploit that was used in StuxNet.
},
'License' => MSF_LICENSE,
'Author' => ['William M.'],
'Platform' => ['win'],
'SessionTypes' => ['meterpreter', 'shell'],
'References' =>
[
['URL', 'https://securelist.com/a-fanny-equation-i-am-your-father-stuxnet/68787'],
['CVE', '2010-2568']
]
)
)
end
def run
artifacts =
[
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\"acm"',
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4',
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\Driver',
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter2',
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter3',
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter8'
]
matches = {}
print_status('Searching the registry for Fanny.bmp artifacts.')
artifacts.each do |key|
key, _, value = key.rpartition('\\')
has_key = registry_enumkeys(key)
has_val = registry_enumvals(key)
next unless has_key&.include?(value) || has_val&.include?(value)
print_good("Target #{key}\\#{value} found in registry.")
matches[key] = value
end
unless matches.empty?
report_vuln(
host: session.session_host,
name: name,
info: "Target keys found in registry:\n#{matches.map { |k, v| "#{k}: #{v}\n" }.join}",
refs: references,
exploited_at: Time.now.utc
)
end
print_status('Done.')
end
end