Windows Gather Forensics Duqu Registry Check

🗓️ 10 Nov 2011 21:20:48Reported by Marcus J. Carey <[email protected]>Type

Windows Gather Forensics Duqu Registry Check. This module searches for CVE-2011-3402 (Duqu) related registry artifacts

Reporter	Title	Published	Views	Family All 43
BDU FSTEC	The vulnerability of the TrueType driver Win32k.sys in the Windows operating system allows a hacker to execute arbitrary code.	4 Jun 202100:00	–	bdu_fstec
Circl	CVE-2011-3402	29 May 201815:50	–	circl
CISA KEV Catalog	Microsoft Windows Remote Code Execution Vulnerability	6 Oct 202500:00	–	cisa_kev
CISA	CISA Adds Seven Known Exploited Vulnerabilities to Catalog	6 Oct 202512:00	–	cisa
Check Point Advisories	Microsoft Windows TrueType Font File Parsing Code Execution (CVE-2011-3402)	6 Nov 201100:00	–	checkpoint_advisories
Check Point Advisories	Microsoft Windows TrueType Font File Parsing Code Execution - Ver2 (CVE-2011-3402)	18 May 201500:00	–	checkpoint_advisories
CVE	CVE-2011-3402	4 Nov 201121:00	–	cve
Cvelist	CVE-2011-3402	4 Nov 201121:00	–	cvelist
Microsoft KB	MS11-087: Vulnerability in Windows kernel-mode drivers could allow remote code execution: December 13, 2011	13 Dec 201100:00	–	mskb
Microsoft KB	MS12-034: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight: May 8, 2012	8 May 201200:00	–	mskb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Forensics Duqu Registry Check',
        'Description' => %q{ This module searches for CVE-2011-3402 (Duqu) related registry artifacts.},
        'License' => MSF_LICENSE,
        'Author' => [ 'Marcus J. Carey <mjc[at]threatagent.com>'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'References' => [
          [ 'CVE', '2011-3402' ],
          [ 'URL', 'http://r-7.co/w5h7fY' ]
        ]
      )
    )
  end

  def run
    # Registry artifacts sourced from Symantec report
    artifacts =
      [
        'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"CFID"',
        'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CFID',
        'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3',
        'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3\FILTER'
      ]
    match = 0

    print_status("Searching registry on #{sysinfo['Computer']} for CVE-2011-3402 exploitation [Duqu] artifacts.")

    begin
      artifacts.each do |artifact|
        (path, query) = parse_path(artifact)
        has_key = registry_enumkeys(path)
        has_val = registry_enumvals(path)

        next unless has_key.include?(query) || has_val.include?(query)

        print_good("#{sysinfo['Computer']}: #{path}\\#{query} found in registry.")
        match += 1
        report_vuln(
          host: session.session_host,
          name: name,
          info: "Module #{fullname} detected #{path}\\#{query} - possible CVE-2011-3402 exploitation [Duqu] artifact.",
          refs: references,
          exploited_at: Time.now.utc
        )
      end
    rescue StandardError # Probably should do something here...
    end

    print_status("#{sysinfo['Computer']}: #{match} artifact(s) found in registry.")
  end

  def parse_path(artifact)
    parts = artifact.split('\\')
    query = parts[-1]
    parts.pop
    path = parts.join('\\')
    return path, query
  end
end

08 Feb 2023 13:47Current

6.5Medium risk

Vulners AI Score6.5

CVSS 29.3

EPSS0.78285