Lucene search
William M.MSF:POST-WINDOWS-GATHER-FORENSICS-FANNY_BMP_CHECK-HistoryJan 25, 2021 - 7:54 p.m.
FannyBMP or DementiaWheel Detection Registry Check
2021-01-2519:54:37
William M.
www.rapid7.com
32
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.972 High
EPSS
Percentile
99.8%
This module searches for the Fanny.bmp worm related reg keys. fannybmp is a worm that exploited zero day vulns (more specifically, the LNK Exploit CVE-2010-2568). Which allowed it to spread even if USB Autorun was turned off. This is the same exploit that was used in StuxNet.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
include Msf::Post::Common
include Msf::Post::Windows::Registry
include Msf::Auxiliary::Report
def initialize(info = {})
super(
update_info(
info,
'Name' => 'FannyBMP or DementiaWheel Detection Registry Check',
'Description' => %q{
This module searches for the Fanny.bmp worm related reg keys.
fannybmp is a worm that exploited zero day vulns
(more specifically, the LNK Exploit CVE-2010-2568).
Which allowed it to spread even if USB Autorun was turned off.
This is the same exploit that was used in StuxNet.
},
'License' => MSF_LICENSE,
'Author' => ['William M.'],
'Platform' => ['win'],
'SessionTypes' => ['meterpreter', 'shell'],
'References' => [
['URL', 'https://securelist.com/a-fanny-equation-i-am-your-father-stuxnet/68787'],
['CVE', '2010-2568']
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [],
'Reliability' => []
}
)
)
end
def run
artifacts =
[
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\"acm"',
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4',
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\Driver',
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter2',
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter3',
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter8'
]
matches = {}
print_status('Searching the registry for Fanny.bmp artifacts.')
artifacts.each do |key|
key, _, value = key.rpartition('\\')
has_key = registry_enumkeys(key)
has_val = registry_enumvals(key)
next unless has_key&.include?(value) || has_val&.include?(value)
print_good("Target #{key}\\#{value} found in registry.")
matches[key] = value
end
unless matches.empty?
report_vuln(
host: session.session_host,
name: name,
info: "Target keys found in registry:\n#{matches.map { |k, v| "#{k}: #{v}\n" }.join}",
refs: references,
exploited_at: Time.now.utc
)
end
print_status('Done.')
end
end
Related
saint
saint
Windows Shell LNK file CONTROL item command execution
2010-07-22 00:00:00
Windows Shell LNK file CONTROL item command execution
2010-07-22 00:00:00
Windows Shell LNK file CONTROL item command execution
2010-07-22 00:00:00
securityvulns
securityvulns
securelist
securelist
IT threat evolution Q3 2018
2018-11-12 10:00:24
USB threats from malware to miners
2018-09-25 10:00:57
Threats to users of adult websites in 2018
2019-02-21 10:00:01
openvas
openvas
Microsoft Windows Shell Remote Code Execution Vulnerability (2286198)
2010-08-04 00:00:00
Microsoft Windows Shell Remote Code Execution Vulnerability (2286198)
2010-08-04 00:00:00
threatpost
threatpost
New Gauss Malware, Descended From Flame and Stuxnet, Found On Thousands of PCs in Middle East
2012-08-09 13:31:45
ThreatList: Skype-Themed Apps Hide a Raft of Malware
2020-04-08 16:23:29
Microsoft Security Intelligence Report: Top Takeaways
2016-05-07 09:52:06
mskb
mskb
Microsoft Security Advisory 2286198
1970-01-01 00:00:00
cert
cert
Microsoft Windows automatically executes code specified in shortcut files
2010-07-15 00:00:00
Microsoft Windows automatically executes code specified in shortcut files
2017-08-03 00:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft Windows Shell LNK File Parsing Code Execution (MS10-046; CVE-2010-2568)
2010-07-18 00:00:00
Microsoft Windows LNK PIF Code Execution - Ver2 (CVE-2010-2568)
2014-03-03 00:00:00
qualysblog
qualysblog
Countdown to GDPR: Manage Vulnerabilities
2017-08-02 15:27:04
packetstorm
packetstorm
Microsoft Windows Shell LNK Code Execution
2010-08-05 00:00:00
Microsoft Windows Shell LNK Code Execution
2010-07-21 00:00:00
nessus
nessus
ics
ics
USB Malware Targeting Siemens Control Software (Update C)
2014-01-08 12:00:00
canvas
canvas
Immunity Canvas: WINDOWS_SHELL_LNK
2010-07-22 05:43:00
cisa_kev
cisa_kev
Microsoft Windows Remote Code Execution Vulnerability
2022-09-15 00:00:00
attackerkb
attackerkb
CVE-2010-2568
2010-07-22 00:00:00
CVE-2010-2772
2010-07-22 00:00:00
prion
prion
Code injection
2010-07-22 05:43:00
Hardcoded credentials
2010-07-22 05:43:00
cve
cve
CVE-2010-2568
2010-07-22 05:43:00
CVE-2010-2772
2010-07-22 05:43:00
myhack58
myhack58
rapid7blog
rapid7blog
Metasploit Wrap-Up
2021-01-29 21:09:49
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.972 High
EPSS
Percentile
99.8%
Related for MSF:POST-WINDOWS-GATHER-FORENSICS-FANNY_BMP_CHECK-