Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Combining DLL hijacking with USB keyboard emulation

From: gremlin () gremlin ru
Date: Sat, 9 Jan 2016 13:14:03 +0300
On 2016-01-08 00:50:51 -0200, Rodrigo Menezes wrote:


Many of us have now been long aware of the possibility of
programming an USB device to emulate a keyboard and automatically
send keystrokes in order to perform malicious actions on a
computer. Some of the most interesting payloads that can be used
with this technique are based around downloading or creating an
executable file and then running it.
I'd like to bring to light that this attack could be combined
with DLL hijacking, with some benefits for the attacker.
For instance, a payload which simply downloads a DLL to the
current user's folder tends to complete faster and be more
reliable than one which tries to transfer an executable
AND immediately run it. The DLL would then most likely
be found and executed by a vulnerable installer [...] This way,
there would be no need for embeeding in the payload a complicated
attempt of bypassing the active defense mechanisms.


Once you can fool the user to plug the USB device, you don't need
anything else. The device may appear as
1. A mass storage, and
2. A keyboard or any other HID, and
3. Some unknown hardware

Once the W-ndows enumerates this hardware, it will try to find and
automatically install drivers for it. With a mass storage and a
keyboard it will succeed, thus immediately bringing them to use,
and unknown hardware would bring up a "search for drivers" dialog,
where the attacker may (after some delay) send keystrokes to choose
"search removable devices for drivers". Obviously, the mass storage
part of the USB device would contain suitable .inf file pointing to
malicious binaries.

The USB device capable of performing such attack may be as simple
as ATtiny85 + 25Q64 chips (both are available in a 3*4 mm SOP8),
with a total cost of 1 EUR. The 25Q64 offers 8 Mbyte of storage,
which is well enough for almost anything.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: