USBsploit 0.5b - added: Railgun[only] - process migration - EXE, PDF, LNK replacements - split usbsploit.rb

[xpo xpo <smashxpo () gmail com>]

PoC to generate Reverse TCP backdoors, malicious PDF or LNK files. But
also running Auto[run|play] infections (EXE, PDF, LNK) and dumping all
USB files remotely on multiple targets at the same time, a set of
extensions to dump can be specified. All EXE, PDF and LNK already
available on the USB targets can also be replaced by malicious ones,
or only the EXE files (same for PDF or LNK). USBsploit works through
Meterpreter sessions (wmic, railgun, process migration) with a minimal
(30M - not mini msf) modified version of Metasploit (updated to
v3.5.1-dev svn r11223 2010.12.04). The interface is a mod of SET (The
Social Engineering Toolkit).

Note that if wmic's not available on a target, railgun'll now be used
with GetLogicalDrives(), GetDriveTypeN() and GetVolumeInformationW().
A switch can be activated to always use railgun, even if vmic's
available on the targets. Adobe FlateDecode Stream Predictor 02
Integer Overflow was also added to the list of FileFormat attacks.

With the original Metasploit framework, usbsploit.rb can be used with
all options but also now the independent autorun_usbsploit.rb,
dump_usbsploit.rb and replace_usbsploit.rb meterpreter scripts.
dump_usbsploit.rb has an option to protect the dumped files from being
overwritten when trying to dump a malicious file with the same name
(previously uploaded by replace_usbsploit.rb or autorun_usbsploit.rb).
Every scripts can be used with the last original Metasploit Framework
(all the options work with the 3.5.1-dev).

The USBsploit v0.5b home page :

http://secuobs.com/news/14122010-usbsploit_v0.5b_meterpreter_msf_5.shtml

The .run archive:
https://www.secuobs.com/usbsploit/usbsploit-0.5-BETA-linux-i686.run

sha1sum usbsploit-0.5-BETA-linux-i686.run
614c321553a4de2bc7843aafa4ce926b232595ef usbsploit-0.5-BETA-linux-i686.run

The .tar.gz archive:
https://www.secuobs.com/usbsploit/usbsploit-0.5-BETA-linux-i686.tar.gz

sha1sum usbsploit-0.5-BETA-linux-i686.tar.gz
6ea0c951282775a6eb764333a3c95ae94bba5c71 usbsploit-0.5-BETA-linux-i686.tar.gz

SVN repo: https://svn.secuobs.com/svn
80:44:9d:01:ac:6e:69:65:2a:7f:2a:ec:46:c0:a6:6e:d4:16:5a:8e

Some new videos:

- USBsploit 0.5 BETA: Dump, Autorun, Migration and all EXE, PDF, LNK
files replaced through Railgun against XP HOME

http://secuobs.com/news/14122010-usbsploit_v0.5b_meterpreter_msf_1.shtml

- USBsploit 0.5 BETA: Dump, Autorun, Migration and all EXE files
replaced, Railgunonly option against XP PRO

http://secuobs.com/news/14122010-usbsploit_v0.5b_meterpreter_msf_2.shtml

- usbsploit.rb 0.5b with Metasploit: Dump, Autorun, Migration and all
EXE, PDF, LNK files replaced using Railgun against XP HOME

http://secuobs.com/news/14122010-usbsploit_v0.5b_meterpreter_msf_3.shtml

- usbsploit.rb 0.5b split into 3 scripts with Metasploit: Migration,
Replacement, dump protection and Railgunonly against XP PRO

http://secuobs.com/news/14122010-usbsploit_v0.5b_meterpreter_msf_4.shtml

More videos on http://youtube.com/secuobs

The split scripts can be found in the archives (.run, .tar.gz) or on
the SVN ( https://svn.secuobs.com/svn/lib/msf/split_meterpreter_scripts/
)

XPO

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/