Darren Kitchen

Everything posted by Darren Kitchen

  1. For development and testing purposes I've included an uninstaller in the antidote directory. Also hold the shift key while inserting your USB drive to have it not infect your system again. But no, the sbs.exe will rip the contents of a removable drive regardless. Obviously the code can be changed to only copy certain files, etc.
  2. Released on HAK.5 Episode 2x03 -- The USB Hacksaw is an evolution of the popular USB Switchblade that uses a modified version of USBDumper, Blat, Stunnel, and Gmail to automatically infect Windows PCs with a payload that will retrieve documents from USB drives plugged into the target machine and securely transmit them to an email account. Proof of concept code shows how to deliver the payload instantly with a U3 autorun hack borrowed from the USB Switchblade on Windows 2000 or higher computers running as administrator or guest. Automatic propagation to other USB devices is possible; however, it was not shown on Episode 2x03. More in the show notes here: http://www.hak5.org/wiki/USB_Hacksaw
  3. I'm still busy editing but as soon as this episode is kicked out the door, and I get a little nap, I'm jumping on this hack.
  4. Thanks. I'm just sitting here waiting for this segment to render. Can't do much else but laugh. Good one.
  5. :( I get off the tubes for one day to take care of work and now there's an Internet meme that I don't get. Someone linky me the wombat happyness. zomg ponies
  6. Funny, I was thinking about something similar on my drive back from work today. I was going to bring it up in a Dev5 meeting. I'll post about it after I sleep. No, scratch that, after the episode is out. Priorities. But yes, a switchblade shield would be a fun project, though sort of separate from this thread. We'll coordinate on that later. Zzz
  7. Nah, it won't be a day late. At the very least I've technically got until 3am here, or midnight PST. But I'm not going to cheap out like that. As soon as I have a little nap (it's caught up to me) I'm going to edit my brains out and still make it look good. I'm just giving myself hell in the third person as a sort of reminder to myself as to why we do this. The flames are encouraging.
  8. Yes, looks like we have a very nice hack here. Though it's going to take some more R&D before all of the ins and outs are understood. As such I won't be working this into the current episode (as if I had time to edit it anyway). I'm home from work safe and sound, and will be taking a quick nap before I hop back into edit mode for the next 20 hours or so. The episode will be on time. On a semi-related note, I'd like to schedule a Dev5 meeting after the release of the episode to talk about a few things. I'd like for it to become a regular thing. However this is not the thread to discuss that. Keep an eye out for that thread some time after my nappy nap. Now I'm going to go dream in binary. Great find MaxDamage, moonlit, everyone! This is a prime example of the whole point in the Dev5 team. Hehe, wait a second.... "Dev5... Putting the Point in Hak5" BBL Zzzz
  9. Ok I'm leaving work now. I'll be back on this in 3 hours (long drive)
  10. Wow, so much great support. I don't know any more than what's been discussed in this thread, and what's in the links mentioned. Thanks guys. I'll check in when I get home from work... In about 240 kilometers (Yes, kilometers can be time as well as distance)
  11. Ninja, there will be a party, not sure how big or when, but it should be in the days following the release. we never really party on the 5th, maybe crack a few beers and pass out (usually passing out from lack of sleep, not beer). i'll let ya know cause you're always welcome down here
  12. you may in fact be the first if i'm not able to find it. thanks for the report from the road. i'll add those keywords to my search criteria and hopefully have confirmation on this. either way i'll bet $20 that we'd be the first to use it in such a manner. moonlit & vako, don't forget that your concerns have been heard and as such you should expect a whitehat segment or two on prevention, both for the user side and system side. i don't want you guys to think we've gone blackhat. it was supposed to be in this episode but the security companies that we've been talking to want, for some reason, to mail us their products rather than email it, so it's taking a bit longer to get them in the labs for testing (and setting the labs up as a proper testing environment, etc)
  13. It's a good idea and sounds like the perfect start for my trials. I'll pick up a couple small cheap USB flash disks on my way home from work today and try it out. Essentially what you've described is exactly what U3 is. In fact, the 1GB U3 drive I have is actually 6MB shy of 1GB on the FAT partition. The 6MB has been reallocated to the CDFS partition, so we might need to not only repartition the drive and edit the 7th bit to make it a "cdrom", but we may need to format it for CDFS... or do we? MaxDamage, can you maybe shed some light on this?
  14. Yeah I'm only running on an hour's sleep over the last 48, and I've got another 24-32 to go so that I can release and then pass out at my keyboard, and to top it off there might be a hack in development that may be slipstreamed into the ep at the last minute, and, damnit. time machine please?
  15. Yes but the question then becomes, if we can tell Windows that the device is not removable, and it thinks it's a cdrom, and it autoruns, are we then able to write to the device? Or does it not think the device is a cdrom? Does it consider the device a hard disk drive? And if so, does it then autorun? I won't be able to test this until I get back to the studio in about 6 or 7 hours, at which point I need to devote all of my human resources into editing, so really I won't be able to get this hack going until after the episode is done, in which case no way of "slipstreaming" this new info. And no, we're not going to issue a patch (.5). So, I guess this is exactly what Dev5 was created for. Can we do it? It would be so perfect for the current topic of this episode. If we wait another month to do it, it may be old news. Gah. I need more time.
  16. URLs of possible interest: http://www.microsoft.com/whdc/whql/resources/support.mspx http://www.microsoft.com/whdc/device/storage/usbfaq.mspx http://www.usb.org/developers/defined_class/ http://en.wikipedia.org/wiki/Usb
  17. If this method can be documented in the next 12 hours it can be "slipstreamed"* into 2x03. *Yes, that's what I'm calling it. Yes, it does sound a lot better than "really effing behind schedule on editing"
  18. No, I actually haven't seen it yet. I'm trying to track down the link right now. I know that it was released within the last week at a demoparty, but I'm not sure which one it was because Tom Merritt mentioned it on Cnet BOL and it wasn't posted in the show notes. It was one of those things in passing but it's not really their thing so the other hosts didn't pick up on it. I assumed it was released at The Gathering but I'm not able to find it there. Now the 7th bit on the first byte on the disk, how exactly are you supposed to find that in a hex editor? I haven't checked because I'm only familiar with hex editors that allow you to open files... no full volumes. Does it have to do with changing the device class from 0x08, or the bInterfaceSubClass?
  19. Grr. Now I can't find the link to the app that was demo'd at Demo. (Demo is a conference btw). I heard about it on Cnet's BOL and I can't seem to find the link on the forums. Grr.
  20. Yeah I just heard about this, it was released at the latest Demo in Denmark I believe? Are you using the same method?
  21. /me thinks he should play the hak5 drinking game while editing. i watch the episode about 50 times before it heads out the door, or at least it feels that way. gah. sleep. what. phearies? that's not even how you spell phearies??
  22. No.. Did you happen to check out the webcam last night / this morning? We shot until 2am. I haven't slept since the day before. Doctor, my bwain hurts
  23. You will, don't worry. The episode will be out on the 5th as usual. I'm just speaking about myself in the 3rd person as if I were a "comicbook guy"esque fanboy. I'll just not sleep and make it happen. Oh, and that was a joke, not a stab, at teh broken. respekt.
  24. I hear that Darren is like, totally slacking off and doesn't have the episode done yet. What a total loser. And with only like 30 some hours remaining until launch, and like another 3 hours of DV tape to edit, you know he must be feeling the pressure. I bet he's also tied up in Washington DC working for that 3 letter company he sysadmins at. If that's even his real job. I bet he doesn't even have a job. I bet they make like buku bucks on Hak5 with all the advertising and they're just too lazy to make the show weekly, which is what we all want right? Darren gets a capital L for LAME this month. Bunch of lame sellouts. I'm totally going back to the_broken, they had a much better release schedule.
  25. @eDgE Are you planning on releasing the source for those?