Released on HAK.5 Episode 2×03. The USB Hacksaw is an evolution of the popular USB Switchblade that uses a modified version of USBDumper, Blat, Stunnel, and Gmail to automatically infect Windows PCs with a payload that retrieves documents from USB drives plugged into the target machine and securely transmits them to an email account. Proof of concept code shows how to deliver the payload instantly with a U3 autorun hack borrowed from the USB Switchblade on Windows 2000 or higher computers running as administrator or guest. Automatic propagation to other USB devices is possible; however, it was not shown on Episode 2×03.
Description
The purpose of this hack, dubbed USB Hacksaw for googleability, is to automatically and silently install on Windows 2000, XP, or 2003 machines with either administrator or guest access. Installation consists of hiding the hacksaw tools in a hidden folder, adding an entry to either the registry or the startup folder depending on user rights, and starting the program.
This hack is based on a modified version of USBDumper. Once installed on a target machine it stays resident and waits for a USB flash drive to be inserted. Once a USB flash drive is inserted, the hacksaw downloads the contents of the drive to a temporary location using the modified USBDumper, then silently runs the send.bat file located in the same directory, which archives the contents using RAR, establishes an SSL SMTP connection to smtp.gmail.com using Stunnel and Blat, emails the downloaded data to an email address, and removes the documents and archives.
The proof of concept code in this 0.1 version is not as pretty as it could be. Originally a method for determining user rights and thus installing accordingly was planned; however, problems with the IFMEMBER command were found and many dirty hacks followed. Future versions are expected to use a more elegant method of determining user privileges. (Thinking out loud: try creating a file where guests shouldn't be able to and check errorlevel.)
Development of this project has been done with the aid of the Hak.5 community at http://www.hak5.org
Programs used
- USBDumper — http://www.secuobs.com/news/07062006-sstic_usbdumper.shtml
- Stunnel — http://www.stunnel.org/
- Blat — http://www.blat.net/
- Shortcut — http://www.optimumx.com/download/#Shortcut
- Rar — http://www.rarlabs.com/
Requirements
- U3 enabled USB flash drive (or other hacked USB drive that allows autorun; more details to come)
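The whole delivery step depends on Windows honouring autorun.inf on the drive's emulated CD-ROM partition, so the corresponding defence is the NoDriveTypeAutoRun Explorer policy. The script below is an added example and is not part of the USB Hacksaw project or its antidote; it reads the current policy bitmask, checks whether the CD-ROM (0x20) and removable (0x04) drive-type bits are set, and sets the value to 0xFF (autorun blocked for every drive type) if they are not. It must run from an elevated prompt because it writes under HKLM.

```powershell
# Added example (not part of the USB Hacksaw project): turn off autorun for
# every drive type so an autorun.inf on a U3 drive's emulated CD-ROM partition
# is never executed automatically. Run elevated; it writes to HKLM.

$PolicyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName    = 'NoDriveTypeAutoRun'
$CdromBit     = 0x20   # bit for DRIVE_CDROM (drive type 5): the U3 "CD" partition
$RemovableBit = 0x04   # bit for DRIVE_REMOVABLE (drive type 2): ordinary flash drives
$AllDrives    = 0xFF   # every drive-type bit set: autorun disabled everywhere

function Get-AutorunPolicy {
    # Returns the current bitmask, or $null when the value is absent and the
    # Windows default therefore applies.
    if (-not (Test-Path $PolicyKey)) { return $null }
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$ValueName) { return $null }
    return [int]$props.$ValueName
}

function Test-AutorunBlocked {
    # $true when the bit for the given drive type is set in the policy value.
    param([int]$DriveBit)
    $mask = Get-AutorunPolicy
    if ($null -eq $mask) { return $false }
    return (($mask -band $DriveBit) -ne 0)
}

function Disable-Autorun {
    # Create the policy key if needed and block autorun for all drive types.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrives -Type DWord
}

$before = Get-AutorunPolicy
$shown  = if ($null -eq $before) { '(not set, Windows default applies)' } else { '0x{0:X2}' -f $before }
Write-Host ("Current {0}: {1}" -f $ValueName, $shown)

if (-not (Test-AutorunBlocked $CdromBit) -or -not (Test-AutorunBlocked $RemovableBit)) {
    Disable-Autorun
    Write-Host ("Set {0} to 0x{1:X2}; log off and back on (or reboot) so Explorer reads the new policy." -f $ValueName, $AllDrives)
} else {
    Write-Host 'Autorun already blocked for CD-ROM and removable drives.'
}
```

Explorer reads this policy at logon, so the change only takes effect after a re-logon or reboot; the same value can also be set per user under HKCU, but the machine-wide HKLM copy is the one a guest account cannot undo.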
Creating a USB Hacksaw
- Insert U3 SanDisk Cruzer Micro USB Drive
- Run LPInstaller.exe from /loader_u3_sandisk. This will flash the CDFS partition of the U3 SanDisk Cruzer Micro USB Drive.
- Copy the WIP directory in /payload to the root of the flash drive partition on the U3 SanDisk Cruzer Micro USB Drive.
- Edit the /wip/sbs/send.bat file. The following parameters need to be set:
  - emailfrom (Gmail address from which the documents will be sent)
  - emailto (Email address where the documents will be sent)
  - password (Password of the Gmail account given in 4a, emailfrom)
- You now have a USB Hacksaw
Installing on target computer
- Insert the USB Hacksaw into a Windows 2000, XP, or 2003 computer
- Wait until the drive has been recognized and either the flash partition opens in explorer, or a menu appears asking what to run.
- Eject USB Hacksaw
Usage
- Insert non-hacksaw USB Flash drive into compromised computer
- Once the drive is recognized, the sbs.exe process will copy its data to the /docs directory where the USB Hacksaw has been installed, then silently run send.bat
- Send.bat will process the documents in /docs by archiving them to goodies.rar using RAR, establish an SSL connection to smtp.gmail.com using Stunnel, and transmit them to the email address designated in the emailto variable using Blat. Send.bat will then remove /docs and goodies*.*
Uninstallation
Copy the contents of the /antidote directory to an infected computer and run the hacksaw-antidote.cmd file. This crude batch file will kill USB Hacksaw processes, delete files, and remove registry changes.
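Before running the antidote it helps to confirm what is actually on the machine. The script below is an added example, not part of the USB Hacksaw project or its antidote, and it hunts for the indicators this page names: the resident sbs.exe process, a Run-key or Startup-folder entry that launches the hacksaw components (the page says an administrator install persists via the registry and a guest install via the startup folder), and the goodies.rar staging archive. The install directory is not given on the page, so matching is by component name rather than by path; the indicator list and the assumption that CommonStartup resolves (it needs .NET 4 or later) are mine.

```powershell
# Added example (not part of the USB Hacksaw project): hunt for the indicators
# the page describes on a suspected host - the resident sbs.exe process, a
# Run-key or Startup-folder entry that launches the hacksaw, and the staged
# archive. Names come from the page; the install path is unknown, so the
# search is by name rather than by location.

$Indicators = @('sbs.exe', 'send.bat', 'stunnel', 'blat', 'goodies.rar')

function Find-HacksawProcess {
    # The USBDumper variant stays resident as sbs.exe waiting for a flash drive.
    Get-Process -Name 'sbs' -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, Path
}

function Find-HacksawRunKey {
    # Administrator installs persist via a Run key; check both hives.
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
              'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $entry = Get-ItemProperty -Path $key
        foreach ($prop in $entry.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $cmd = [string]$prop.Value
            foreach ($ioc in $Indicators) {
                if ($cmd -match [regex]::Escape($ioc)) {
                    New-Object PSObject -Property @{ Key = $key; Name = $prop.Name; Command = $cmd; Match = $ioc }
                }
            }
        }
    }
}

function Find-HacksawStartupItem {
    # Guest installs fall back to a Startup folder; resolve .lnk targets and
    # read batch files so a renamed shortcut or wrapper script is still caught.
    $shell = New-Object -ComObject WScript.Shell
    $dirs  = @([Environment]::GetFolderPath('Startup'),
               [Environment]::GetFolderPath('CommonStartup'))   # CommonStartup: .NET 4+
    foreach ($dir in $dirs) {
        if (-not $dir -or -not (Test-Path $dir)) { continue }
        foreach ($item in Get-ChildItem -Path $dir -Force) {
            $target = $item.FullName
            if ($item.Extension -eq '.lnk') {
                $target = $shell.CreateShortcut($item.FullName).TargetPath
            } elseif ($item.Extension -eq '.bat' -or $item.Extension -eq '.cmd') {
                $target = (Get-Content -Path $item.FullName -ErrorAction SilentlyContinue) -join ' '
            }
            foreach ($ioc in $Indicators) {
                if ($target -match [regex]::Escape($ioc)) {
                    New-Object PSObject -Property @{ Folder = $dir; Item = $item.Name; Target = $target; Match = $ioc }
                }
            }
        }
    }
}

function Invoke-HacksawHunt {
    # Collect every hit, print them, and return them for further handling.
    $hits  = @()
    $hits += @(Find-HacksawProcess)
    $hits += @(Find-HacksawRunKey)
    $hits += @(Find-HacksawStartupItem)
    if ($hits.Count -eq 0) { Write-Host 'No USB Hacksaw indicators found.' }
    else { $hits | Format-List | Out-Host }
    return $hits
}

$found = Invoke-HacksawHunt
```

A non-empty `$found` is the cue to run the antidote and, since the page describes the exfiltration path, to check mail logs or proxy records for SSL connections to smtp.gmail.com from the host during the period it was infected.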
Changelog
- 0.2 POC
Added a for statement to the sendfiles section of send.bat; it no longer makes me feel dirty. Thanks hauser!
- 0.1 POC
Original dirty hack demonstrated on Hak.5 episode 2×03
Downloads
SwissBlade
You can just add Hacksaw to your existing Switchblade by copying the SBS folder into the CMD folder and adding the go.cmd to your current go.cmd.