Résumé : PoC to generate Reverse TCP backdoors, running Autorun or LNK USB infections, but also dumping all USB files remotely on multiple targets at the same time. USBsploit works through Meterpreter sessions with a light (27MB) modified version of Metasploit. The interface is a mod of SET (The Social Engineering Toolkit). The Meterpreter script usbsploit.rb of the USBsploit Framework can otherwise be used with the original Metasploit Framework. - Lire l'article
The usbsploit.rb script seems to have some issues if used with the default Ruby version of Backtrack 4, installing a 1.9.1 version will fixed. The details to give in the bugs reports: the version of Python, the version of Ruby, the version of Metasploit if used, the OS of the targets, the OS of the listener, the hardware details for both the targets and the listener but also for the USB drives, the security solutions installed on both the targets and the listener, the particular firewall configuration on both the target and the listener, the version of VMware or others if used, the last file for the Dump configuration, the stage where the bug was identified, the global USBsploit options if changed, the output of the high verbosity scan, the output of USBsploit
To use USBsploit, you certainly need the same dependencies ( link ) as the Metasploit Framework and SET.
- Add an option for the replacement module, allowing to try to upload an infected version of the original USB files first. Only for PDF and EXE files, LNK ones will always be replaced by a generic malicious one. If not succeeding to infect an embed custom version, a generic malicious one will be used to replace the EXE and PDF files. It can be use alone or with any Auto[run|play] infection but not with a single dump (all or by extension) attack. It's useful when the targets don't have Auto[run|play] activated. Can be used with USBsploit or with the original Metasploit framework via the usbsploit.rb script provided. Also supported into the 3 splited meterpreter scripts (autorun_usbsploit.rb, dump_usbsploit.rb, replace_usbsploit.rb).
- Offer a CLI to automate the creation of the malicious files and the launch of the listeners. The ip, payload, encoder, count, port, attacks, replacing, template for pdf embed and pdf type options can be specified via specific switchs on the command line. If nothing specified for an option, the default value will be used. All the different combinaisons were tested via an intenal fuzzing tools and looks to work.
- offers an internal Metasploit core updated with the last SVN version (metasploit v3.7.0-dev svn r12145 2011.03.26).
- integrates a EXE, PDF and LNK USB replacement module. It can be use alone or with any Auto[run|play] infection but not a single dump (all or by extension) attack. It's useful when the targets don't have Auto[run|play] activated.
- offers an option to use to replace only the contextual files to an Auto[run|play] USB infection. If Auto[run|play]/exe, all the EXE can be replaced, same for Auto[run|play]/pdf PDF files and Auto[run|play]/lnk LNK files.
- now using railgun with with GetLogicalDrives(), GetDriveTypeN() and GetVolumeInformationW() when vmic's not available on the targets (XP HOME).
- an option can be activated to always using railgun with with GetLogicalDrives(), GetDriveTypeN() and GetVolumeInformationW(), even when vmic's available on the targets (XP PRO).
- More than the single usbsploit.rb scripts, now offering 3 independent ruby meterpreter scripts (autorun_usbsploit.rb, dump_usbsploit.rb, replace_usbsploit.rb). Note that dump_usbsploit.rb's an option to protect the dumped files from being overwritten when trying to dump a file previously uploaded by replace_usbsploit.rb or autorun_usbsploit.rb. Every scripts can be used with the last original Metasploit Framework (all the options work with the 3.5.1-dev).
- offers an internal Metasploit core updated with the last SVN version (v3.5.1-dev svn r11223 2010.12.04).
- Add Adobe FlateDecode Stream Predictor 02 Integer Overflow to the list of MSF FileFormat attacks.
- Minor improvements and some bug fixes like when a non default value's specified for the path of the file listing the extension to dump.
- integrates a Auto[run|play]/PDF USB infection module with various attacks (Adobe CoolType SING Table 'uniqueName' Overflow, Adobe Flash Player 'newfunction' Invalid Pointer Use, Adobe Collab.collectEmailInfo Buffer Overflow, Adobe Collab.getIcon Buffer Overflow, Adobe JBIG2Decode Memory Corruption Exploit, Adobe PDF Embedded EXE Social Engineering, Adobe util.printf() Buffer Overflow, Adobe U3D CLODProgressiveMeshDeclaration Array Overrun, Adobe PDF Embedded EXE Social Engineering (NOJS)).
- offers an option to use both the Auto[run|play]/PDF USB infection and the USB files dumping attack on a same target
- offers a ruby meterpreter script (usbsploit.rb) compatible with the last original Metasploit Framework (all the options work with the 3.5.1-dev). A bug (reported to the MSF team) seems to exist with this last version of MSF (not with the previous 3.4.2-dev) when exit -y is used if you have an active session and an InitialAutorunScript was used (finished or not), you need to kill it with sessions -K before exit or exit -y. The USBsploit Framework is always based on the 3.4.2-dev for the moment to avoid this issue.
- was tested under a GNU/Linux operating system with Python 2.6.5 and ruby 1.9.1,
- integrates a Auto[run|play]/LNK USB infection module. The generation of the LNK file, the autorun.inf and the rest of the process are splitted but share some random values to work together
- offers to launch a LNK listener (different from the one handling the USB infection) to get the connect back from the USB drives infected with the last LNK file generated.
- offers also a full console with this listener, including all the Metasploit features, except the exploits, payloads, encoders and nops. You have to add manually this kind of stuffs if you want to use it (copy from a classic Metasploit installation to the lib/msf/modules in the USBsploit installation tree). You can choose to activate the database support or not on this console.
- offers an internal Metasploit core updated with the last SVN version (v3.4.2-dev)
- adds support for the French outputs of the wmic commands
- offers an option to use both the Auto[run|play]/LNK USB infection and the USB files dumping attack on a same target
- offers a ruby meterpreter script (usbsploit.rb) compatible with the last original Metasploit Framework (all the options work with the 3.4.2-dev).
- integrates the Auto[run|play]/EXE USB infection module
- offers an option to use both the Auto[run|play]/EXE infection and files dumping attack on a same target
- was tested under a GNU/Linux operating system with Python 2.6.2 and ruby 1.9.1,
- was tested against a target Microsoft Windows XP PRO SP3 running under a GNU/Linux VMware Server 2.0.2,
- needs the wmic command on the targets (Windows XP home is not a possible target),
- works against multiple targets at the same time and multiple USB keys on each target
- deals the multiple plugs and unplugs for a same key
- can be installed via SVN, ".run" or ".tar.gz" archives,
- can be managed through a Python interface (a modified version of the Social Engineering Toolkit, original by ReL1K),
- can be updated via SVN,
- allows the activation and the desactivation for auto-updates,
- allows to edit global configuration file,
- allows to generate Meterpreter Backdoors with some available options (ip for the listener, type of Backdoor, type of Encoding, port for the Listener, multiple Encoding stages) and choose if a Dump Listener will be launched,
- allows to generate Meterpreter Backdoors with the same kind of options and launching automatically a Dump Listener,
- lets choosing between 3 types of Meterpreter Backdoors available (Reverse_TCP the only one tested for now, Reverse_TCP_X64, Egress Buster),
- lets choosing between 3 types of Encoding for the Meterpreter Backdoors (shikata_ga_nai, Multi-Encoder, Backdoored EGxecutable),
- allows to dump all the files from a remote USB key through multiple Meterpreter sessions and a light version (24MB) of Metasploit (original by HDM),
- allows to dumps, from a remote USB key, all the files matching a specific set of extensions, defined through a text file,
- allows to edit the file for defining the set of extensions,
- allows to launch a Dump Listerner through the last file of Dump configuration,
- allows to edit the last file of Dump configuration,
- allows to activate the high verbose mode,
- allows to choose between only one USB Scan/Dump ending with success for each attack or an infinite loop,
- Ruby script usbsploit.rb compatible with the original Metasploit Framework (all the options work with the version 3.4.x, the anterior versions weren't tested).
The future versions of USBsploit could:
- inject a malicious VBS script into the DOC/XLS files available on the remote USB keys
- target USB U3 keys,
- integrate the ReverseConnectRetries directive for the Reverse_TCP payloads
- integrate the EnableContextEncoding and ContextInformationFile directives for the generation of payloads
- reintegrate some features of SET to spread the malicious files,
- help to build a fake malicious website alimenting a Twitter account with the items from the most popular Press RSS. Karmetasploit, Wepbuster, MITM and ARP poisonning modules could also be added
- Others ???