PoC to generate Reverse TCP backdoors, malicious PDF or LNK files. But also running Auto[run|play] infections (EXE, PDF, LNK) and dumping all USB files remotely on multiple targets at the same time, a set of extensions to dump can be specified. All EXE, PDF and LNK already available on the USB targets can also be replaced by malicious ones, or only the EXE files (same for PDF or LNK). USBsploit works through Meterpreter sessions (wmic, railgun, process migration) with a minimal (30M - not mini msf) modified version of Metasploit (updated to v3.5.1-dev svn r11223 2010.12.04). The interface is a mod of SET (The Social Engineering Toolkit). Note that if wmic's not available on a target, railgun'll now be used with GetLogicalDrives(), GetDriveTypeN() and GetVolumeInformationW(). A switch can be activated to always use railgun, even if vmic's available on the targets. Adobe FlateDecode Stream Predictor 02 Integer Overflow was also added to the list of FileFormat attacks. With the original Metasploit framework, usbsploit.rb can be used with all options but also now the independent autorun_usbsploit.rb, dump_usbsploit.rb and replace_usbsploit.rb meterpreter scripts. dump_usbsploit.rb has an option to protect the dumped files from being overwritten when trying to dump a malicious file with the same name (previously uploaded by replace_usbsploit.rb or autorun_usbsploit.rb). Every scripts can be used with the last original Metasploit Framework (all the options work with the 3.5.1-dev). The USBsploit v0.5b home page : http://secuobs.com/news/14122010-usbsploit_v0.5b_meterpreter_msf_5.shtml The .run archive: https://www.secuobs.com/usbsploit/usbsploit-0.5-BETA-linux-i686.run sha1sum usbsploit-0.5-BETA-linux-i686.run 614c321553a4de2bc7843aafa4ce926b232595ef usbsploit-0.5-BETA-linux-i686.run The .tar.gz archive: https://www.secuobs.com/usbsploit/usbsploit-0.5-BETA-linux-i686.tar.gz sha1sum usbsploit-0.5-BETA-linux-i686.tar.gz 6ea0c951282775a6eb764333a3c95ae94bba5c71 usbsploit-0.5-BETA-linux-i686.tar.gz SVN repo: https://svn.secuobs.com/svn 80:44:9d:01:ac:6e:69:65:2a:7f:2a:ec:46:c0:a6:6e:d4:16:5a:8e Some new videos: - USBsploit 0.5 BETA: Dump, Autorun, Migration and all EXE, PDF, LNK files replaced through Railgun against XP HOME http://secuobs.com/news/14122010-usbsploit_v0.5b_meterpreter_msf_1.shtml - USBsploit 0.5 BETA: Dump, Autorun, Migration and all EXE files replaced, Railgunonly option against XP PRO http://secuobs.com/news/14122010-usbsploit_v0.5b_meterpreter_msf_2.shtml - usbsploit.rb 0.5b with Metasploit: Dump, Autorun, Migration and all EXE, PDF, LNK files replaced using Railgun against XP HOME http://secuobs.com/news/14122010-usbsploit_v0.5b_meterpreter_msf_3.shtml - usbsploit.rb 0.5b split into 3 scripts with Metasploit: Migration, Replacement, dump protection and Railgunonly against XP PRO http://secuobs.com/news/14122010-usbsploit_v0.5b_meterpreter_msf_4.shtml More videos on http://youtube.com/secuobs The split scripts can be found in the archives (.run, .tar.gz) or on the SVN ( https://svn.secuobs.com/svn/lib/msf/split_meterpreter_scripts/ ) XPO
