Merge branch 'duqu'

2011-11-11 10:22:12 -06:00 · 2011-11-11 10:22:12 -06:00 · 184eee0e64
parent 6ae8bbb6ce e03b6d27d2
commit 184eee0e64
1 changed files with 79 additions and 0 deletions
--- a/modules/post/windows/gather/forensics/duqu_check.rb
+++ b/modules/post/windows/gather/forensics/duqu_check.rb
@ -0,0 +1,79 @@
+##
+# ## This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'msf/core/post/common'
+require 'msf/core/post/windows/priv'
+
+class Metasploit3 < Msf::Post
+
+	include Msf::Post::Common
+	include Msf::Post::Windows::Registry
+	include Msf::Auxiliary::Report
+
+	def initialize(info={})
+		super( update_info( info,
+				'Name' => 'Duqu Registry Check',
+				'Description' => %q{ This module searches for CVE-2011-3402 [Duqu] related registry artifacts.},
+				'License' => MSF_LICENSE,
+				'Author' => [ 'Marcus J. Carey <mjc[at]threatagent.com>'],
+				'Version' => '$Revision: $',
+				'Platform' => [ 'windows' ],
+				'SessionTypes' => [ 'meterpreter' ],
+				'References' => [
+					[ 'CVE', '2011-3402'  ],
+					[ 'URL', 'http://r-7.co/w5h7fY' ]
+								]
+		))
+
+	end
+
+	def run
+		# Registry artifacts sourced from Symantec report
+		artifacts = [
+				'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"CFID"',
+				'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CFID',
+				'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3',
+				'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3\FILTER'
+					]
+		match = 0
+
+		print_status("Searching registry on #{sysinfo['Computer']} for CVE-2011-3402 exploitation [Duqu] artifacts.")
+
+		begin 
+			artifacts.each do |artifact|
+				(path, query) = parse_path(artifact)
+				has_key = registry_enumkeys(path)
+				has_val = registry_enumvals(path)
+
+				if has_key.include?(query) or has_val.include?(query)
+					print_good("#{sysinfo['Computer']}: #{path}\\#{query} found in registry.")
+					match += 1
+					report_vuln(
+						:host			=>	target_host,
+						:name			=>	self.fullname,
+						:info			=>	"#{path}\\#{query} possible CVE-2011-3402 exploitation [Duqu] artifact.",
+						:refs			=>	self.references,
+						:exploited_at	=>	Time.now.utc
+						)
+				end
+			end
+		rescue;	end
+	
+		print_status("#{sysinfo['Computer']}: #{match} artifact(s) found in registry.")
+
+	end
+
+	def parse_path(artifact)
+		parts = artifact.split("\\")
+		query = parts[-1]
+		parts.pop
+		path = parts.join("\\")
+		return path, query
+	end
+end
+