rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Fanny.bmp Exploit #16775

Closed loneicewolf closed 2 years ago

loneicewolf commented 2 years ago

Summary

Hello!

I hope no one is sick in Covid19(or sick at all, by the way)!

To introduce some bit of context:

I am the person who contributed the fanny.bmp module a while ago (in metasploit-framework);

(big shoutout "thanks" to all who helped me that time too! @bcoles, and others! keep it up!)

and I am just wondering if I would want to contribute the exploit fanny.bmp used (which is a slightly modified version of the stuxnet lnk exploit).

Would that be a "good" idea? It is very, very like the stuxnet lnk exploit, but with some changes here and there.

Basic example

I do not have a POC (for the exploit, that is); (will do it very soon when I have reversed it enough)

References

fanny.bmp_repo stuxnet__repo

I, however, wrote a (unfortunately written in a hurry because of various factors) technical report: fanny_bmp.pdf

and the following pdf is not made by me: Symantec - Stuxnet 0.5 - The Missing Link v1.0.pdf

Motivation

Same motivations as the lnk exploits metasploit already has; this just adds more coverage if the stuxnet 'version' of the lnk exploits wouldn't work; fanny.bmp would add more chance to get it working (NOTE: I have not encountered any scenario where stuxnet's lnk exploit didn't work; but this is the very reason why I write this question).

loneicewolf commented 2 years ago

As usual, please:

Do not think this is in a hurry; I will be slow since I will do my OSCP exam soon :)

So no stress; this is not something to prioritize.

Wishes from Sweden!

bcoles commented 2 years ago

> same motivations as the lnk exploits metasploit already has; this just adds more coverage

> Would that be a "good" idea? it is very very like the stuxnet lnk exploit, but with some changes here n there.

I skim read through some of those references. Off the top of my head, I'm not sure what is missing from Metasploit, but if there's room for improvement then sure. Improvements are always welcome. Do you have some cliff notes on potential improvements to the existing modules?

For reference, these are the CVE-2010-2568 exploits already in Framework:

> I mean - of course stuxnet lnk exploits doesn't work on a patched system(that is excluded) I mean on a unpatched system (which, is kinda the assumption) :)

Stuxnet was a long time ago. While there are still vulnerable systems in the wild these are rare nowadays. Improvements for exploitation of these old bugs have limited real world value. It is unlikely that contributors will put effort into further development of associated exploits. However, if you're volunteering, then go for it. Stuxnet has historical significance, so if there are improvements which can be made I'd like to see that happen, presuming that they fit within Metasploit goals (ie, fully automated worm functionality is not desired, but the individual pieces are).

> I however,wrote a (unfortunately written in a hurry because of various factors) technical report

> As well as to say that - this is my first “serious” technical report. So, which is why please: any feedback, questions, or suggestions as well as improvements and/or ideas for future reports(projects) would be greatly, greatly appreciated!

I suggest reading through similar reports as examples. Here's a recent example:

> Contents At A Glance

It looks like you're generating the table of contents manually. Your editing software should be able to generate this for you.

There are a bunch of typos, misspellings, random capitalization and grammatical errors. Use a spell checker :)

For example:

> [...] if not trough the internet, trough the USBSticks

Should be:

[...] if not through the Internet, through external USB storage devices.

I notice that your report uses first person terms like "I" and "my" a lot. Usually technical reports are written in a clear matter-of-fact style. Not that I want to detract from your personal style, but bland matter-of-fact style is the standard reporting style for ivory tower academics detached from reality, to which everyone else mimics in oft unwarranted reverence, but not entirely without reason.

For example, rather than:

> (or, in some rare cases, in Windows 2000 I noticed it wasn’t using __.lnk but __.pif in some cases, but that’s unusual still – in Windows 2000. )

Consider:

(In some rare cases, Fanny was observed to use `__.pif` rather than `__.lnk` on Windows 2000. This behaviour is unusual for Windows 2000.)

(although I may have misunderstood the sentence, so my re-wording may be wrong.)

For example, rather than:

> Throughout this report I will adher to specific terms, or “words” and “codenames” as it’s called. I thought of providing them in 1 page (like below) to make it easier for you as a reader.

Simply:

This report utilises various technical terms and codenames, defined below:

Alternatively, simply having a table with a title "Glossary", without a preceding definition of a glossary, is usually sufficient.

> The following text is the lnk files in raw(binary) form (excluding the unprintable data)

This doesn't make sense. You're only showing strings from each file. Also, each file only has two strings. You should explain what these strings are and why these strings are important.

Given that the LNK files are almost entirely binary data and you're only discussing specific strings, if you did want to discuss the "raw binary data", I imagine much of this data is identical for each file. You could optionally provide a single sample and discuss the LNK file format (as you do a few sections later) describing where these sections differ between each sample. You could also show a hexdump of the LNK file with color coded segments. This looks pretty, is easy to read, and looks more professional (presuming that the binary data is relevant).

> Hexdump of the [dot]LNK file used by Fanny Decoded:

This could easily be formatted much more nicely. The hexdump below shows a nice representation of both binary data and ASCII side by side:

```
$ ruby -e "puts ['4c0000000114020000000000c00000000000004681000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000003e0414001f50e04fd020ea3a6910a2d808002b30309d14002e002020ec21ea3a6910a2dd08002b30309d14040000000000000e000000653a5c66616e6e792e626d7000004d79204e616d65000000000000000000000000000000000000000000000000000000000'].pack('H*')" > lnk

$ file lnk
lnk: MS Windows shortcut, Item id list present, ctime=Mon Jan  1 04:56:02 1601, mtime=Mon Jan  1 04:56:02 1601, atime=Mon Jan  1 04:56:02 1601, length=0, window=hide

$ hexdump -C lnk 
00000000  4c 00 00 00 01 14 02 00  00 00 00 00 c0 00 00 00  |L...............|
00000010  00 00 00 46 81 00 00 00  00 00 00 00 00 00 00 00  |...F............|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 01 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 3e 04 14 00  |............>...|
00000050  1f 50 e0 4f d0 20 ea 3a  69 10 a2 d8 08 00 2b 30  |.P.O. .:i.....+0|
00000060  30 9d 14 00 2e 00 20 20  ec 21 ea 3a 69 10 a2 dd  |0.....  .!.:i...|
00000070  08 00 2b 30 30 9d 14 04  00 00 00 00 00 00 0e 00  |..+00...........|
00000080  00 00 65 3a 5c 66 61 6e  6e 79 2e 62 6d 70 00 00  |..e:\fanny.bmp..|
00000090  4d 79 20 4e 61 6d 65 00  00 00 00 00 00 00 00 00  |My Name.........|
000000a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000b0  00 00 00 00 0a                                    |.....|
000000b5
```

Or you could use a fancy hex editor like ImHex.

ImHex

> Table of IOC (Indicators Of Compromise)

Usually SHA256 hashes are provided for each file.
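To show what "explain what these strings are and where the sections differ" looks like in practice, here is a small MS-SHLLINK (.lnk) header and LinkTargetIDList walker. It is an added example for this thread, not Metasploit's code and not from either commenter; it takes its 180 input bytes from the hexdump above (the trailing 0x0a is the newline `puts` appended and is dropped), and the two shell-folder CLSID names it knows are assumptions drawn from the documented Windows shell folder GUIDs. Besides decoding the header it reports where the declared sizes disagree with the bytes actually present, which is exactly the kind of inconsistency an analyst should be calling out in a sample like this one.

```ruby
# Added example: minimal .lnk (MS-SHLLINK) header + IDList parser for the
# sample hexdumped in this thread. Not Metasploit code.

# The 180 bytes from the hexdump above, transcribed by hand (the trailing 0x0a
# in that dump is the newline `puts` added, so it is omitted here).
FANNY_LNK_HEX = <<~HEX.delete('^0-9a-f')
  4c000000 01140200 00000000 c0000000 00000046 81000000 00000000 00000000
  00000000 00000000 00000000 00000000 00000000 00000000 00000000 01000000
  00000000 00000000 00000000 3e041400 1f50e04f d020ea3a 6910a2d8 08002b30
  309d1400 2e002020 ec21ea3a 6910a2dd 08002b30 309d1404 00000000 00000e00
  0000653a 5c66616e 6e792e62 6d700000 4d79204e 616d6500 00000000 00000000
  00000000 00000000 00000000 00000000 00000000
HEX
FANNY_LNK = [FANNY_LNK_HEX].pack('H*')

# ShellLinkHeader.LinkFlags bits (MS-SHLLINK 2.1.1), low byte only.
LINK_FLAGS = {
  0x01 => 'HasLinkTargetIDList', 0x02 => 'HasLinkInfo',
  0x04 => 'HasName',             0x08 => 'HasRelativePath',
  0x10 => 'HasWorkingDir',       0x20 => 'HasArguments',
  0x40 => 'HasIconLocation',     0x80 => 'IsUnicode',
}.freeze

SHELL_LINK_CLSID = '00021401-0000-0000-c000-000000000046'

# Shell folder CLSIDs (assumed from Windows documentation, not from the page).
KNOWN_FOLDERS = {
  '20d04fe0-3aea-1069-a2d8-08002b30309d' => 'My Computer',
  '21ec2020-3aea-1069-a2dd-08002b30309d' => 'Control Panel',
}.freeze

# 16 raw GUID bytes -> canonical text form (first three fields little-endian).
def guid_to_s(raw)
  d1, d2, d3, tail = raw.unpack('VvvH16')
  format('%08x-%04x-%04x-%s-%s', d1, d2, d3, tail[0, 4], tail[4, 12])
end

def parse_header(data)
  raise 'shorter than a ShellLinkHeader (0x4c bytes)' if data.bytesize < 0x4c
  size, clsid, flags, attrs = data.unpack('Va16VV')
  guid = guid_to_s(clsid)
  {
    header_size: size,
    clsid: guid,
    valid_header: size == 0x4c && guid == SHELL_LINK_CLSID,
    link_flags: LINK_FLAGS.select { |bit, _| (flags & bit) != 0 }.values,
    file_attributes: attrs,
    show_command: data[0x3c, 4].unpack1('V'),
  }
end

# Walk the LinkTargetIDList that follows the header: u16 IDListSize, then
# ItemIDs of [u16 size][size-2 bytes], ended by a zero TerminalID. Every size
# is checked against the bytes we actually have; overruns are recorded rather
# than trusted, since a size that points past the end of the file is itself a
# finding worth reporting.
def parse_id_list(data)
  anomalies = []
  offset = 0x4c
  declared = data[offset, 2].unpack1('v')
  offset += 2
  available = data.bytesize - offset
  if declared > available
    anomalies << format('IDListSize 0x%04x exceeds the %d bytes left in the file', declared, available)
  end
  items = []
  while offset + 2 <= data.bytesize
    size = data[offset, 2].unpack1('v')
    break if size.zero? # TerminalID
    if offset + size > data.bytesize
      anomalies << format('ItemID at 0x%02x declares 0x%04x bytes, past end of file', offset, size)
      break
    end
    body = data[offset + 2, size - 2]
    item = { offset: offset, size: size, type: body.getbyte(0) }
    # Root (0x1f) and delegate (0x2e) folder items: type byte, one byte of
    # sort index, then the 16-byte CLSID of the shell folder they point at.
    if size >= 20 && [0x1f, 0x2e].include?(item[:type])
      item[:clsid] = guid_to_s(body[2, 16])
      item[:name] = KNOWN_FOLDERS.fetch(item[:clsid], 'unknown')
    end
    items << item
    offset += size
  end
  { declared_size: declared, items: items, anomalies: anomalies }
end

# Printable runs of at least min_len bytes with their file offsets, i.e. the
# two strings the report shows, now tied to where they sit in the structure.
def printable_strings(data, min_len = 4)
  found = []
  pos = 0
  while (m = /[\x20-\x7e]{#{min_len},}/n.match(data, pos))
    found << [m.begin(0), m[0]]
    pos = m.end(0)
  end
  found
end

def analyze(data)
  header = parse_header(data)
  id_list = header[:link_flags].include?('HasLinkTargetIDList') ? parse_id_list(data) : nil
  { header: header, id_list: id_list, strings: printable_strings(data) }
end

if __FILE__ == $PROGRAM_NAME
  require 'pp'
  pp analyze(FANNY_LNK)
end
```

Run against the sample, the walker reports a valid header with only HasLinkTargetIDList and IsUnicode set, an IDList that points first at My Computer and then at the Control Panel folder (the structure the CVE-2010-2568 shortcuts mentioned above are built around), and two size fields (the IDListSize and the third ItemID) that run past the end of the 180-byte file, with `e:\fanny.bmp` and `My Name` sitting at 0x82 and 0x90 in the region those sizes cover. Those three facts are the things a reader of the report wants stated next to the hexdump.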

loneicewolf commented 2 years ago

Hi! Thanks so much! It was written in a hurry, but I didn't think of a few points you pointed out; again, thanks so much for looking into this. Will def. apply your tips and advice!

Will come back after my OSCP exam is passed; and make an update and then; if still good to go; a contribution; And;

Also, you also use ImHex! I have used it a lot; nice!

As seen numerous times, many will notice writing is not my strongest front. And I always look for things to improve! Cannot thank you enough;

have it good and take care!

loneicewolf commented 2 years ago

@bcoles Hi again!

As this really was just a theoretical question (much to do now, so), shall I close this issue and come back when I have MORE INFO, a PoC, and have ABSOLUTELY followed your advice (which was the best advice I have ever seen! so extremely direct and to the point! LOVE IT!) with the report and repo, etc.?

I think that is the best course of action because the first message doesn't make much sense; so if I close this and open a new one (that is, after a while) 'aka' properly "issuing" (or maybe even a pull request like the last time?)

loneicewolf commented 2 years ago

Just as a final comment: "There are a bunch of typos, misspellings, random capitalization and grammatical errors. Use a spell checker :)" This is soo obvious, too obvious, it's painfully obvious, but I still didn't do that.. I ask myself even today why I didn't. Thanks, once more.

bcoles commented 2 years ago

> shall I close this issue

Usually we track issues in the issue tracker to track legitimate bugs, ~~argue about~~ discuss new features, and prevent duplicated effort.

There's no real harm in leaving the issue open, although it will be automatically closed unless it is labelled as not-stale. It is extremely unlikely that anyone else will work on this, so duplicated effort is unlikely to be a problem.

There's no harm in closing it.

> I think that is best course of action because; the first message doesn't make *much* sense

Your post makes more sense than some of the bug reports we get.

> so if I close this and open a new one (that is;after awhile) 'aka' properly, "issuing" (or maybe even a pull request like the last time?)

You can create a pull request. Your changes can be discussed there during review. Code speaks louder than words.

Although in this instance it may be worth discussing whether your approach/idea is viable before you go to the effort of developing something. In my naiveté I'm unsure what of value the Fanny.bmp worm functionality offers, as weaponised worm functionality is not part of Metasploit design goals.

You never answered my original question(s), so I'm not sure what exactly you have in mind for improvements: "Off the top of my head, I'm not sure what is missing from Metasploit, but if there's room for improvement then sure. Improvements are always welcome. Do you have some cliff notes on potential improvements to the existing modules?"

You can also drop by Slack to discuss stuff. The invite link can be found here:

loneicewolf commented 2 years ago

@bcoles

Final "closing" reply

Again; thanks for all the advice and feedback. Truly astonishing amount of it too; and the quality is flawless as usual, but to build up this much feedback from my little theoretical "issue", it's just amazing.

"Code speaks louder than words." Oh heaven, this was a nice phrase :+1:

And I need to say wow yogurt for a nice and quick reply! I also thought closing this would reduce the pressure on you guys; because the more issues/pulls, "the more to deal with" (I mean, it doesn't matter if one has filters and neat systems that deal with this kind of pile of information); it's always good to start afresh, kind of, "thing", if it's really needed, which in this case I think (myself) it is;

Will of course first, when really digging into this later, check for improvements on existing modules; the alternative would be (if possible otherwise) to make a totally "new" module, for "the exploit that fanny.bmp used", I mean.. even the name doesn't make sense..

Shall we make an "exploit" for every malware out in the wild? No, I do not hope so.. :rofl: But yeah; I will close this one and open a new one later. Thanks for the response and replies!

You and the team over there

is as always..

Doing a HELL of a great job!! Keep it up! :heart:

peggy-48 commented 1 year ago

By the way, the .pif trick ain't truly a trick; in fact, .pif is an extension which is an executable, similarly to .scr files, and also .cmd files lawl

peggy-48 commented 1 year ago

Sorry For necro

loneicewolf commented 1 year ago

> By the way, the .pif trick ain't truly a trick, in fact, .pif is an extension which is an executable similarily to .scr files, and also .cmd files lawl

I have a couple of questions about this reply; why the lawl? Is it a joke reply because of that..? Or does it have some deeper meaning that I didn't understand? :)

Also,

> Sorry For necro

You mean - sorry for the necro-bump? That's fine.. Just don't overdo it, and well, if you have something to add (which I thought, because it did notify me and I did think someone replied, and that I could improve something)

Wishes from Sweden! ^_^ We all make mistakes here and there, so no worries! Have a great day 👍🏼

peggy-48 commented 10 months ago

When I said lawl I meant that's just a funny fact.