Video: usbsploit.rb and the original MSF to get all the remote USB files by extensions through Meterpreter
By Xavier Poli,
secuobs.com
Published 14/07/2010
Summary: USBsploit: PoC for dumping files from remote USB drives on multiple targets at the same time. It works through Meterpreter sessions with a light (24MB) modified version of Metasploit. The interface is a modified version of SET. usbsploit.rb can be used with the original Metasploit Framework.
Report bugs to https://twitter.com/secuobs or xavier.poli@infratech.fr (recommended for privacy issues), KeyID: 0x3A3D555A, FingerPrint: 04B1 244C CC25 DA93 EB73 EF52 E278 881F 3A3D 555A, xpo.asc
The usbsploit.rb script seems to have some issues when used with the default Ruby version of Backtrack 4; installing version 1.9.1 will fix them. Details to give in bug reports:
- the version of Python,
- the version of Ruby,
- the version of Metasploit, if used,
- the OS of the targets,
- the OS of the listener,
- the hardware details for both the targets and the listener, and also for the USB drives,
- the security solutions installed on both the targets and the listener,
- any particular firewall configuration on both the targets and the listener,
- the version of VMware or other virtualization software, if used,
- the last file for the Dump configuration,
- the stage where the bug was identified,
- the global USBsploit options, if changed,
- the output of the high verbosity scan,
- the output of USBsploit.
To use USBsploit, you certainly need the same dependencies as the Metasploit Framework.
USBsploit resources:
- Video: USBsploit gets all the remote USB files through Meterpreter and a modified MSF
- Video: USBsploit gets all the remote USB files by extensions through Meterpreter and a modified MSF
- Video: usbsploit.rb and the original MSF to get all the remote USB files through Meterpreter
- Video: usbsploit.rb and the original MSF to get all the remote USB files by extensions through Meterpreter
- How to install USBsploit v0.1b through SVN, the tar.gz, the .run or to work with original Metasploit
Changelog:
V0.1b:
- USBsploit v0.1b was tested under a GNU/Linux operating system with Python 2.6.2 and ruby 1.9.1,
- USBsploit v0.1b was tested against a target Microsoft Windows XP PRO SP3 running under a GNU/Linux VMware Server 2.0.2,
- USBsploit v0.1b needs the wmic command on the targets (Windows XP home is not a possible target),
- USBsploit v0.1b works against multiple targets at the same time and multiple USB keys on each target,
- USBsploit v0.1b handles multiple plug and unplug events for the same key,
- USBsploit v0.1b can be installed via SVN, ".run" or ".tar.gz" archives,
- USBsploit v0.1b can be managed through a Python interface (a modified version of the Social Engineering Toolkit, original by ReL1K),
- USBsploit v0.1b can be updated via SVN,
- USBsploit v0.1b allows auto-updates to be activated and deactivated,
- USBsploit v0.1b allows the global configuration file to be edited,
- USBsploit v0.1b can generate Meterpreter Backdoors with some available options (IP for the listener, type of Backdoor, type of Encoding, port for the Listener, multiple Encoding stages) and lets you choose whether a Dump Listener will be launched,
- USBsploit v0.1b can generate Meterpreter Backdoors with the same kind of options and automatically launch a Dump Listener,
- USBsploit v0.1b offers a choice between 3 types of Meterpreter Backdoors (Reverse_TCP, the only one tested for now, Reverse_TCP_X64, Egress Buster),
- USBsploit v0.1b offers a choice between 3 types of Encoding for the Meterpreter Backdoors (shikata_ga_nai, Multi-Encoder, Backdoored Executable),
- USBsploit v0.1b can dump all the files from a remote USB key through multiple Meterpreter sessions and a light version (24MB) of Metasploit (original by HDM),
- USBsploit v0.1b can dump, from a remote USB key, all the files matching a specific set of extensions defined in a text file,
- USBsploit v0.1b allows the file defining the set of extensions to be edited,
- USBsploit v0.1b can launch a Dump Listener from the last Dump configuration file,
- USBsploit v0.1b allows the last Dump configuration file to be edited,
- USBsploit v0.1b allows the high verbose mode to be activated,
- USBsploit v0.1b lets you choose between a single USB Scan/Dump ending with success for each attack or an infinite loop,
- The Ruby script usbsploit.rb is compatible with the original Metasploit Framework (all the options work with version 3.4.x; earlier versions weren't tested).
Possible evolutions:
- Future versions of USBsploit could inject a malicious VBS script into the XLS files available on the remote USB keys, by uploading and executing the XLSinjector tool,
- Future versions of USBsploit could upload a modified version of USBDumper 0.2 to the targets and execute it, injecting a malicious VBS script into the XLS and DOC files available on the remote USB keys in this way,
- Future versions of USBsploit could launch an Autorun attack by uploading malicious files (autorun.inf, autorun.ico and usbsploitBackdoor.exe) to the remote USB keys,
- Future versions of USBsploit could target USB U3 keys,
- Future versions of USBsploit could target the PDF files available on the remote USB keys with various attacks,
- Future versions of USBsploit could reintegrate the features of SET to spread the Backdoors,
- Others ???