Jump to content

Lost and Found for U3


Peppery

Recommended Posts

This was coded and written in response to this post but I didn't want to topic hijack so I gave it its own.

It took me a few days longer than expected (trying to get it all within the 6mb .iso limit), but it's all here.

This is strictly proof of concept and may not work as you expect it. blah blah blah, use it at your own risk.

I've also written this guide to be "noob-friendly" but I'm sure most Hak5-ers won't have any problem with it.

How it works

This is a cheap excuse for me to draw a crude ms paint diagram.

crudemspaintdiagramvd9.png

Tools needed:

* A U3 USB drive - preferably with the latest version of LaunchPad.

* Your own webspace for the "control" file

* WinRAR and UPX - to compress LaunchPad. Probably optional, but I'd rather be on the safe side.

* InfraRecorder (or other iso image creation program) to create our custom .iso image

* A modded LPInstaller.exe to write the .iso to the drive - I got mine from hak5_usb_hacksaw_ver0.2poc.rar

Download

Here's my .zip containing everything I explain in this post:

Download

Install:

controlininb7.png

Step #1 - The Control File

Firstly, we're going to customize the control file and upload it to our webspace. To do this, extract the downloaded .zip file to a folder where we will be working on your computer. Not on your drive!

Next, double click on control.ini (or open it in Notepad/your favorite text editor) and you'll see a basic configuration file.

It's pretty self explanatory, if Lost is set to "1", then it'll run the command in the file, if it's set to "0", then it'll load Launchpad.

Feel free to edit the command. It'll be executed on the windows command line. A word of warning, make sure it's between speech marks ("). If you need to use speech marks in your command, use an apostrophe (') instead. If you need to use an apostrophe in your command, well, you're out of luck :p

Upload this to your webspace however you usually do it and make note of the URL where it can be found. We'll need it in step #3.

u3systemyu0.png

Step #2 - Extracting and compressing Launchpad

Open My Computer and Right Click -> Open on the fake U3 disc drive. It's usually labeled "U3 System". Select everything in that folder and copy it to a new folder named "U3" in our other folder.

This might not be necessary, but it cant hurt! :D We're going to compress Launchpad with UPX. To do this, simply extract UPX.exe from the UPX package you downloaded into our U3 folder. Next, drag LaunchU3.exe onto UPX.exe. It'll compress it and leave us more space.

If you're wondering why we're doing this, it's because the .iso we're going to flash onto the CD part of your U3 drive cannot exceed 6mb. I don't know what will happen if you do exceed that, but I wouldn't try.

I also compressed all of the .exe files in Launchpad.zip, but that might not be necessary.

autoruninfmw1.png

Step #3 - Injecting our executable

The next step is to "inject" our executable to do all of this freakymagic stuff before Launchpad does. To do this, open up autorun.inf in our U3 directory. This is the file that tells Windows what to do when the drive is inserted.

Here's my unmodified autorun file from my Sandisk 4gb Cruzer Micro

[AutoRun] 
open=LaunchU3.exe -a
icon=LaunchU3.exe,0 

[Definitions]
Launchpad=LaunchPad.exe
Vtype=2

[CopyFiles]
FileNumber=1
File1=LaunchPad.zip

[Update]
URL=http://u3.sandisk.com/download/lp_installer.asp?custom=1.4.0.3&brand=cruzer


[Comment]
brand=cruzer

To modify it, we need to change 2 things and add 1 thing.

Find this at the top of the file:

[AutoRun] 
open=LaunchU3.exe -a

Modify it to:

[AutoRun] 
open=Hak.5-POC.exe

Find this (it may be different depending on your Launchpad version and drive model and manufacturer)

[Update]
URL=http://u3.sandisk.com/download/lp_installer.asp?custom=1.4.0.3&brand=cruzer

Add speechmarks around the URL, like so:

[Update]
URL="http://u3.sandisk.com/download/lp_installer.asp?custom=1.4.0.3&brand=cruzer"

The program that we're running gets confused if it doesn't have speechmarks. I'll probably fix it at a later date.

Finally, we're going to add our own code. Right down the bottom add:

[Hak5]
ConfigURL="http://www.peppery.org/control.ini"

Replacing http://www.peppery.org/control.ini with wherever your control file is located on the web.

hak5pocrk0.png

Step #4 - Putting it all together and flashing your drive

Finally, extract Hak.5-POC.exe from the archive and place it in our U3 folder. This part of the process is complete, we now need to create an .iso of these files and flash our drive with it.

For this, I've used InfraRecorder (download link above). You may use any program which will make a .iso file but I'll explain it using InfraRecorder.

Open InfraRecorder and choose New -> Data CD.

Under Disc Layout there will be an image of a CD and the date and time. Click on these numbers and press F2, type in "U3 System" (without the speechmarks)

Finally, drag everything in the U3 folder (but not the folder itself!) into the pane to the right of the U3 system image. InfraRecorder should look something like this:

infrarecorderte3.png

Once your InfraRecorder looks like that, choose Actions -> Burn compilation -> to Disc Image. Call this "cruzer-autorun.iso" and place it in our working directory (one up from the U3 directory).

Close InfraRecorder and navigate to the directory where you saved your .iso. Extract LPInstaller.exe from hak5_usb_hacksaw_ver0.2poc.rar and double click it. Follow the wizard to install "Launchpad" onto your drive!

Once that's done, you're good to go! It should automatically run after it's finished installing!

Final Notes

I'll rewrite that guide later as I wrote it in a bit of a hurry, but you should get the idea.

It's extremely alpha and I don't know what will happen if you plug it into a computer that requires a proxy for internet access. Also, any ideas for new features? :)

Enjoy!

- Pep

Link to comment
Share on other sites

  • 3 weeks later...
  • 4 weeks later...

What happens if the control file cant be downloaded (no tubes/firewall)?

This could also be modded to run any .exe you want, I can see it now "The USB drive you have just inserted has been reported stolen, in Response Your Computer will now be destroyed.  Have a nice day!"

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...