Skip to main content

USB Autorun

I lost my notes on this, so this is from memory mostly, except for the actual ini that I made and recovered from one of my USBs.

To get anything (example below is winmine.exe) to automatically run on a Thumb drive, Autorun has to be enabled on the host Windows system.  The file will, in fact, run, if there are no media files in four or less directories deep.  If there are, Windows will pop up a dialog asking you what you want to do (ie, run the ini or play the wav file).  So you can put the autorun.ini in the home directory, and tell it to point to a file several folders deep for an executable, or just leave the file extension off of the executable in the root directory.  The file can even be a hidden file for a hint of stealth.  So, a CONOP for a PENTEST would be to laden a thumb drive with MP3s, more than 5 folders deep, and put only the autorun in the root folder.  Then it could be made read-only, so it could not be edited/deleted, and reference a payload several folders deep, which is hidden.  
Here is an example:

autorun.inf contained:

[autorun]
UseAutoPlay=1
open=winmine.exe
icon=DELLSUPPORT
label=WinMine Game
action=Play Winmine From Thumb

shell\open\command=winmine.exe

;; note, can't have known file extension in kernel
;; attrib +R (read only), -S (system file), -H (Hidden) -A (archive)
- strip off .ico from icon, or else it will be recognized as media and a window will pop up
- Results may vary with VMWare.
- autoPlay is just for CDs.  AutoRun is expanded to other devices.
- AutoPlay is necessary for U3 drives, but NOT for normal thumb drives

here are some of my paper notes for possible extensions of the above:
open=Menu open
action=Windows Explorer
action= Browse files on the drive using Windows explorer to find... this text will wrap off screen, and can be followed by an action

check out this Microsoft's site for further details

some useful actions can be the following: 
shell\open\Command=xxx
shell\explore\Command=xxx
shell\find\Command=xxx
;; where xxx.exe = exploit
to disable autorun, look for "@SYSoesNotExist" in the registry.   Also check out my Disabling Windows Autorun blog for more details.   

Comments

Post a Comment

Popular posts from this blog

HP c6180 Printer and Vista

Hp c6180 driver issues with Vista Home Premium My wife has a Vista Home Premium laptop, and the HP C6180 Photosmart printer keeps disappearing from her available printers.  The only way I've found to fix the problem is to reinstall all the HP software. When I do this, I have to download the (large..507M software from HP, or reinstall the printer (ONLY the printer, not the scanner) with the installation disk, as the drivers are not discovered with a "Windows Update" setting.  My guess is that is because HP doesn't like people to install only the printer driver, which would be easy, but they want folks to install all their crapware as well, so they are withholding the drivers from the on-line Microsoft printer database.  So keep your installation CD!  I've also found that unless I install everything on the CD or in the Full Version download (HP Customer Participation Program, HP Imaging Device functions, HP OCR SW, HP All-In-one SW, HP Photosm...
27 comments
Read more

atftpd vs tftpd-hpa

Recently I was trying to tftp files from a Windows computer to a Kali box.   One version of Windows worked, but another didn't.    After much troubleshooting, here were my symptoms: I could tftp a file from-to any Kali box from-to another Kali box I could NOT tftp files to a specific Windows 7 box from any Kali box I could NOT tftp files to a Chrooted-Ubuntu-Chromebook box from a Kali box After MUCH troubleshooting, going through every setting in atftpd, it seemed like it literally was a client OS problem.  Different clients simply would not download files---unacceptable. Thus, I switched to tftpd-hpa.   To install: apt-get install tftpd-hpa files go to/come from /srv/tftp, but it needs to be a tftp user. Thus, I needed to: chroot -R /srv/tftp Also, if you want to be able to put files ON the tftp server (from a client), you need to modify /etc/default/tftpd-hpa: change "TFTP_OPTIONS="--secure"  to "TFTP_OPTIONS="--secure --create" ...
Post a Comment
Read more

Temper Temperature monitor on a Beaglebone Black

Beaglebone Black as a temperature monitor: Recently I wanted to monitor the temperature of my shed.  I thought I'd use a small computer such as a Raspberry Pi or a Beaglebone or Odroid. My Raspberry Pi boxes were all in use, so I grabbed my Beaglebone, which was doing nothing. I flashed it with the  Debian   9.3   2018-03-05   4GB SD   IoT   image, but that seemed like it was running lots of bloatware and the ethernet interface wouldn't take a static IP with /etc/network/interfaces. So I went with the  Debian   9.3   2018-01-28   4GB SD   LXQT   i  image instead.  I still had the same problem, that lots of junk was running, and I couldn't configure my interface by modifying /etc/network/interfaces So my first step was to get rid of all the bloatware.  If you're using a Raspberry Pi or something, you can skip this and just go to the second step below STEP 1--Remove Blotatware from Beaglebone Black...
6 comments
Read more