PCFreak Logo (c) Der PCFreak

Most sophisticated utilman exploit for Teensy and other HID emulators

Posted Februar 8, 2012 * Comments(2)

These days it is very cheap and easy to to build your own „evil“ USB-dongle that emulates a USB HID (Human Interface Device) and sends keystrokes. You could use the very easy to program „USB Rubber Ducky“ or the cheaper „Teensy USB Development Board„. So you now have a very nice „Phantom Keystroker“ that you can use for pen testing.

You could find many payloads for the „Ducky“ and also for the „Teensy“ on the internet. For me, the most interesting payload was the „Utilman exploit“ for Windows 7, but I was not comfortable with the way it worked.

  • take ownership fo utilman.exe
  • change permissons of utilman.exe
  • replace utilman.exe with something else (cmd.exe)

A sample payload, that does exactly this can be found here: Utilman Exploiter by Xcellerator for the „Ducky“

This is a huge change to the operating system and you leave your marks on the target system. So how could we do the same without going to deep into the target system? ….. I remembered a registry key that could exactly do that!!!

If you want to run CMD.EXE everytime the system tries to execute UTILMAN.EXE just add the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe
REG_SZ: Debugger VALUE: cmd.exe

Now every try to execute UTILMAN.EXE will result in opening CMD.EXE instead. It even works if you type UTILMAN (without the extension).

Based on this knowledge, it is now very easy to write a payload for our „Phantom Keystroker“, that:

  • Press WIN key
  • Enter „cmd.exe“
  • Press „APP“ key
  • press „a“ (will do Run as Administrator)
  • press „LEFT“ (brings cursor on YES on UAC prompt)
  • press „ENTER“ (to open the administrative CMD.EXE)
  • enter a command that sets the registry key
  • enter EXIT to close the command prompt

This was very easy to accomplish by using the Teensy 2.0.

Here you can download the working exploit for Teensy 2.0 here: Most_Sophisticated_Utilman_Exploit.zip

 

Here a post in the hak5-Forum with a working exploit for the USB Ruberducky.

The following video will show you how to run CMD.EXE instead of UTILMAN.EXE just by adding a registry key!

Video of a possible attack.

Links
Inside ‚Image File Execution Options‘ debugging
Launching the debugger automatically

2 Comments so far

  1. Chipeater on November 23rd, 2014

    Hallo kann es sein das dass Script nicht mit dem Teensy 3.1 ?

  2. Der PCFreak on November 23rd, 2014

    Das ist möglich, ich habe den 2.0.