Quick Tutorial to hacking for autorun for USB Flash drives | Ethical Security

Thursday, April 16, 2009

Quick Tutorial to hacking for autorun for USB Flash drives


Autorun does not work with “regular” USB flash drives the way it does with CD-ROMs, but there are some tricks that come very close. I say “regular” because, as many may know, there are ways of modifying U3 drives so that they appear as CD-ROMs on Windows systems and can thus use autorun to silently run your “tools” without any indication that anything is happening. The U3 hack, however, is a bit more complicated; I will do another “How to” on that later. For now let’s just discuss how we can create an autorun.inf file on a regular ol’ USB flash drive that will do some interesting things.

Also it is important to mention that some of these techniques will even work if autoplay is disabled!

First, although we cannot have an application run automatically from a traditional USB drive, we can make it so that when the drive is plugged in, Windows makes a suggestion to the user, and all they need to do is click “OK” to run a specific application or script you have deployed to the flash drive.

In Notepad, create a file called autorun.inf and save it to the root of your USB flash drive of choice. In the autorun file put this:

[autorun]
icon=lilguy.ico
open=howdy.bat
action=Click “OK” to play this fun game!

The first parameter is “icon”; this tells Windows what image to use as the icon for the drive. This is important for the social engineering portion of the trick: you must consider your target. The image you choose should help instill trust in the application they are about to run, maybe a tantalizing icon of a scantily clad babe, a puppy, or my favorite, a cute little cartoon devil holding a USB flash drive.

The “open” parameter indicates the program you wish to run; this can be an executable or, as in this case, a .bat file. You could even call a .bat file which calls a series of executables. Go crazy.

The next parameter is “action”; this is what triggers the autorun dialog to appear. This text will appear in the dialog box along with your icon, so you probably want to make it friendly, something like “Fun Game”. You probably don’t want to put something like “Click ‘OK’ to install backdoors and trojans!”.

Now unplug your flash drive and then plug it back in; a dialog box like this should now appear:


So this is not as good as automatically running the application, but it is useful nonetheless, and there have actually been successful simulations where this has been used. A security consultancy used this technique as a proof of concept to test a credit union client of theirs. Several drives used this simple technique to execute a trojan that sent some simple data to an external email account. They scattered the drives in the parking lot, several employees picked the drives up on their way into work, and within a short amount of time the email account they had set up was receiving emails.

Now we have our basic autorun.inf set up. But notice that if you click cancel and then click on the drive, you just see the contents of the drive. We can take this one step further. If the user is smart, their spidey senses are tingling from the dialog that appears, and they click cancel, the addition of one more line to the autorun.inf file will automatically execute the code we specify when they click the drive, either from “My Computer” or Explorer. This is different from a true autorun, as it still requires the user to take an action to execute the application, but it is still a significant security risk.

Add these lines to your autorun.inf file:

[autorun]
icon=lilguy.ico
open=howdy.bat
action=Click “OK” to play this fun game!
shell\open\command=howdy.bat

OK, save it and then unplug the drive and plug it back in again. This time when the prompt appears, hit “cancel”. Now double-click the drive under “My Computer”. The application will automatically execute. By the way, this second portion will still work even if autoplay is disabled on a system and is actually more dangerous than the dialog, in my opinion.

So what if we don’t want to execute a command on the drive and just want to open a webpage? You could execute Explorer in your .bat file to do this, or in the executable you run, but there is a quick and easy way to do this in the autorun.inf file. Replace the last line with this instead:

[autorun]
icon=lilguy.ico
open=howdy.bat
action=Click “OK” to play this fun game!
shellexecute=http://www.usbhacks.com
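
Seen from the defender's side, the three files above differ only in which [autorun] keys they set. The scanner below is an added example, not part of the original post: it parses the contents of an autorun.inf found on removable media and reports the entries that launch something, separately from the ones that only dress up the prompt. The function name, the finding labels and the sample input (assembled from the files above) are constructed for illustration.

```python
import re

# Keys in the [autorun] section that make Windows launch a program or URL.
EXEC_KEYS = {"open", "shellexecute"}
# Keys that only shape what the user sees (the social-engineering part).
LURE_KEYS = {"action", "icon", "label"}
# shell\<verb>\command binds a command to a verb on the drive's shell menu.
SHELL_VERB = re.compile(r"^shell\\[^\\]+\\command$")
SECTION = re.compile(r"^\[([^\]]+)\]$")

# Constructed sample: the entries from the three files above, combined.
SAMPLE = """\
[autorun]
icon=lilguy.ico
open=howdy.bat
action=Click "OK" to play this fun game!
shell\\open\\command=howdy.bat
shellexecute=http://www.usbhacks.com
"""


def audit_autorun(text):
    """Return (kind, key, value) findings for one autorun.inf's contents."""
    findings = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        section = SECTION.match(line)
        if section:
            in_autorun = section.group(1).strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # other sections and non key=value lines are ignored
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()  # section and key names are case-insensitive
        if key in EXEC_KEYS:
            findings.append(("launch", key, value))
        elif SHELL_VERB.match(key):
            findings.append(("shell-verb", key, value))
        elif key in LURE_KEYS:
            findings.append(("lure", key, value))
    return findings


if __name__ == "__main__":
    for kind, key, value in audit_autorun(SAMPLE):
        print(f"{kind:10} {key} -> {value}")
```
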

There we have it. An introduction to the wonderful world of autorun.inf hacks for USB flash drives. Again, this should only be tested on your own system, or on systems you have permission to use this on; we are not responsible for your stupidity. Removable media devices don’t deploy malicious code and steal data, people do.

Disclaimer: This tutorial is designed to show existing vulnerabilities and should only be used on systems you own, or have permission to execute this on. Removable media devices don’t deploy malicious code and steal data, people do.

1 comment:

ket@n said...

Thanks, nice tutorial...

When reproducing our materials in whole or in part, hyperlink to the articles should be strictly made. This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 India License.