TheFunk

Privilege Escalation

12 posts in this topic

Every once in a while I'll send my information to a college in return for their information, most of the time this information comes on a 1 or 2 GB flash drive. The problem with a lot of these flash drives is that they have write-protected autorun files stored on them. Meaning that every time you go to use them...BOOM, a PDF file opens out of nowhere to inform you that, "YOU BELONG IN COLLEGE". Now, this is nice, but I'll never get to college if I have to wait 5 minutes every time a computer tries to recognize my flash drive, because it's busy attempting to inform me about my education options. (Ironic, right?)

I've tried chmod, but the only privilege I (the owner) have is "read". I also tried the whole "Take Control" trick with Windows, but alas that didn't work either. To be fair, I don't plan on deleting the information, but the autorun.inf / autorunner.exe have got to go. Thoughts anyone?

EDIT: I realize now I probably should've been more specific. When inserting the drive, the computer first recognizes the flash drive and mounts it, then recognizes the autorun feature, which is part of a separate partition, as a CD or DVD and mounts it. When attempting to change permissions an error that states the "filesystem is read only" appears. As such the drive can't just be wiped or reformatted as you can't write over the one partition.

Edited by TheFunk
0


Not had any experience with this but you mentioned chmod, so did you try this in Linux? If it's creating a virtual CD-ROM drive then I guess it'll be read only so maybe try copying the data locally, formatting the drive and copy the data back. Also I'm pretty sure that Windows will stop autorun if you hold shift when you first insert the disk (or drive in your case).

0


You could just disable autorun ;) Makes your computer safer as well.

0


It's not U3, it's just file protection. I did disable autorun on my PC but I can't on my school's and friends' PCs.

Not had any experience with this but you mentioned chmod, so did you try this in linux?

Yeah I tried changing file permissions for the drive in both Windows and Linux, no dice in either. I didn't know you could just use shift to disable autorun, so I might use that for a while, thank you.

usually they are write protected on the hardware

I dunno if it's the hardware or not, but you'd think if it were I wouldn't be able to write to the disk at all.

I'll try a few things and post a conclusion by the end of the month, sorry this thread is starting to age a bit. Consider this maybe a shameless bump/response all in one, or something like that.

0


The U3 technology appears to be two partitions as you describe, first a normal fs partition and the second a cdrom drive with autorun files, but both are still flash. But the cd presents as write only and you need a special toolkit to write to it which does something automagical* to the partitions the way it mounts them to allow editing.

I'd guess the college partition mounts read only until the U3 software has done something to it first to keep you from overwriting it.

There are some very interesting U3 toolkits available because they bypass the user priv system in Windows without popping up dialogues. I had a spate of recasing U3 keys as normal ones so that people would not suspect their payload...

0


It does sound a lot like U3 and I had a drive with U3. It was a PITA to get rid of.

Plug the drive into a Linux box and attempt to copy the entire partition to your hard drive using gparted.

The great thing about Linux is when you copy something to a Linux box as root, all of the ownership goes to root. So you should be able to access it.

0


I was completely convinced it wasn't u3 but what Phaedrus described is almost a perfect representation of this drive. I'll give what xllxjustinxllx said a try and then try u3 uninstaller if that doesn't work. Wow, I need to brush up on some stuff. Sorry for dismissing your post n00blet...should've trusted you!

Regardless, tomorrow's the end of the month and I promised to post findings. Nothing tried up to now has worked so here goes...

0


Observations:

1- I have full ownership of the USB partition now and am able to reformat it as I wish.

2- The virtual cd partition is still evil and I'm not its owner. It does look a lot like u3 though.

3- The cd partition is roughly 6mb in size. Dunno whether or not that's even remotely useful to know.

4- There is no noticeable launchpad and the u3 icon doesn't appear when I plug in the drive (Hence why I didn't think it was u3 originally)

5- u3 uninstaller did not recognize the drive as a smart drive when I plugged it into my computer.

That doesn't look like much, but those are the findings.

Edited by TheFunk
0


The U3 branding can be disabled, not splashed etc. Or some companies did a U3 alike setup which isn't U3 compatible but similar.

It can be handy as it tends not to alert the more tech savvy people as your software can just gain admin on the Windows box it's inserted in silently this way.

You need the U3 toolkit to match the chipset hardware in use by that drive so it knows how to mess with the firmware.

For instance I plug in my crappy U3 key I have here, and do a dmesg and only see a sr device mapped in, but :-

# lsusb

Bus 005 Device 003: ID 08ec:0020 M-Systems Flash Disk Pioneers TravelDrive

Doing a search for USB VID 08ec and PID 0020 shows up on some Chinese hacking site

chinese hardware hackery page

which states it's running a GenesysLogic chipset GL827L.

If you dig round for a tool to reprogram based on the chipset, rather than a generic U3 tool, your chances of success are much higher.

You'll find them in odd places, I personally would do any changes on a sandbox machine not connected to anything, and be wary of your payload being altered too. Trust nobody, especially potentially backdoored Chinese USB hacking tools...

0
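
The identification step from the post above (reading the USB vendor and product ID from lsusb, and spotting the CD-ROM device the stick presents), as an added example that is not part of the thread. The function names and all sample data are assumptions constructed for illustration, except the first lsusb line, which is the one quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data is constructed, except the
# first lsusb line, which is the one quoted in the post above.

SAMPLE_LSUSB='Bus 005 Device 003: ID 08ec:0020 M-Systems Flash Disk Pioneers TravelDrive
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'

# Constructed output of: lsblk -P -o NAME,TYPE,RO,RM,TRAN,SIZE
SAMPLE_LSBLK='NAME="sda" TYPE="disk" RO="0" RM="0" TRAN="sata" SIZE="238.5G"
NAME="sdb" TYPE="disk" RO="0" RM="1" TRAN="usb" SIZE="1.9G"
NAME="sdb1" TYPE="part" RO="0" RM="1" TRAN="" SIZE="1.9G"
NAME="sr1" TYPE="rom" RO="0" RM="1" TRAN="usb" SIZE="6M"'

# Read lsusb lines on stdin; print "VID PID description" for each device.
# The VID:PID pair is what identifies the vendor and product behind the stick.
usb_ids() {
    sed -n 's/^Bus [0-9]* Device [0-9]*: ID \([0-9a-fA-F]\{4\}\):\([0-9a-fA-F]\{4\}\) *\(.*\)$/\1 \2 \3/p'
}

# Read lsblk -P output on stdin; print "NAME SIZE" for every optical (rom)
# device attached over USB, i.e. the CD-ROM a U3-style stick shows to the host.
usb_optical() {
    awk '{
        split("", kv)                      # reset the key/value map per line
        for (i = 1; i <= NF; i++) {
            split($i, p, "=")              # KEY="value" -> p[1], p[2]
            gsub(/"/, "", p[2])
            kv[p[1]] = p[2]
        }
        if (kv["TRAN"] == "usb" && kv["TYPE"] == "rom")
            print kv["NAME"], kv["SIZE"]
    }'
}

# Run on the constructed samples. On a live system use instead:
#   lsusb | usb_ids
#   lsblk -P -o NAME,TYPE,RO,RM,TRAN,SIZE | usb_optical
printf '%s\n' "$SAMPLE_LSUSB" | usb_ids
printf '%s\n' "$SAMPLE_LSBLK" | usb_optical
```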

Share on other sites

...I had a spate of recasing u3 keys as normal ones so that people would not suspect their payload...

Working in Iran at the time?

-1
