Decompiling WSU 1812

You have found the WSU 1812 install disk! This is a copy of the original install disk used in Sloan Hall. I've provided this information for historical purposes, as far as I can tell, none of the technical details are still valid. (The file is linked at the bottom of this page.) The following files were removed due to upload size limitations:

MD5 (v/v.avi) = 3113992c8ab9f2ca971a30671530e475

57914601 Nov 4 2010 v.avi

MD5 (v/mplayer.exe) = 0b3f732913f6f52801870887cfc7309f

16768512 Oct 31 2010 mplayer.exe

MPlayer Sherpya-SVN-r32492-4.2.5


As you can hopefully tell from the website, I was never really fond of the university administration. In my opinion, bloated and incompetent is an accurate description of Washington State University at all levels. It was alarming to me that my fellow students weren't upset by this, especially considering the record tuition increases. There are exceptions, but this story didn't start with one of those.

It was mid-October 2010, not quite two months after class had begun in our newly remodeled classrooms. Unfortunately, all this remodel amounted to was an expensive downgrade. The old classrooms were functional. All they really needed was some new paint, acoustic treatment, and chairs that didn't squeak. What we got was new paint, a giant wooden box that blocked the whiteboard, and a semi-functional media system.

The old media system worked. You push a button, pull down the screen and about ten seconds later your laptop was projected on the wall. The new system required significantly more work. The first step was typically to reboot the hung computer. Once that was done, you would login with your WSU AD credentials. Finally, you'd launch the visual basic application to drop the screen and power on the projector. This full process took two minutes without a reboot, four with. It was significantly eating into the start of class.

This started out as a project to fix what I could. One day after class, I went and grabbed a copy of the application controlling the media system. Fortunately, Visual Basic .NET is an interpreted language, and the binaries are just bundles with the source and an interpreter. So I decompiled the application and was shocked at what I found. In just under three hours I created small website that completely replaced the functionality of the visual basic tool, complete with a pixel for pixel identical interface. But that's not the alarming part. The application worked literally everywhere. On any computer connected to the internet you could go to this website and control any classroom in Sloan. The control box in each room was just a network appliance connected directly to the internet. They were controlled via HTTP requests.

My first plan was to install Ubuntu on all the computers and just add a link to the appropriate webpage to the desktop. There were two problems with this plan. First, it would break the video conference application that was used in one of the classrooms. Second, it would expose the remote control issue to all the students, one or more of which would be sure to exploit it. That left only one solution; it was time for a show.

Not wanting to break the video conferencing system, this attack had to be non-destructive. When you have physical access, that isn't much of a problem. Passwords for local accounts, including Administrator, are stored on the disk of the computer. Just grab the file off the disk, and run a password cracker for a few hours. You might not be aware that Windows also caches recent network login credentials. The net result is, not only did I capture the local Administrator account password, but dozens of professor and student passwords. Those passwords weren't important to me so I discarded them. However I know that there are groups on campus that are not so kind. (Many of the public computers on campus have key logging software installed.)

Time passed, and by now it was October 31. I spent a few hours with a Windows VM scripting and testing everything. It was critical that the system installed, ran, and uninstalled cleanly. The original goal was to only use built-in scripting and publicly available and verifiable executables. That is why everything is done with batch files and wget. Unfortunately, there were some problems with the scheduled event system in Windows. The single custom executable, a.exe, was a very simple scheduler service. It ran the main batch file every hour. The Windows event scheduler was still used to do the uninstall and cleanup at the end of the day. Source code is provided on this disk.

I spent the last week working on my video and attack vector. The video was simple. I wanted it to be funny but not threatening. With the ongoing witch hunt for terrorists, you can't be too careful. As for the attack vector, I wasn't quite sure what to do. I had remote access to all the computers in Sloan, but I decided to just treat it as a normal software deployment. Writing and testing automation to install over the network would take more time than just walking around to each computer and popping in a cd.

At the last minute, and by the last minute I mean late on the 4th, I got the idea to try and turn it into a political movement. By this point, the video was already recorded, the audio was already mixed, everything else was done. I decided to register a domain name, and expand the attack to the rest of the classrooms with bloated media equipment.

Unfortunately, I hit a problem. Unlike in Sloan Hall, the IP address of the control box was compiled into the visual basic application. I started working on a tool to extract the address when I hit a lucky break. The system administrator left the C drive of his office desktop mapped on several of the computers. Even better, the recent file history in Excel happened to point to the file with all the network IP mappings on his desktop.

It was past midnight by the time I finished deploying the attack across the university. From that point on, everything is quite well documented by various media sources.

Disk Information

autologin.reg - Registry file to enable auto-login

autorun.inf - Autorun file

cat.exe - cat

code/a.out - Complied binary

code/main.c - Source for a.out/a.exe

install.bat - Install script

ip.txt - Sample IP address for testing

libiconv2.dll - Library for cat

libintl3.dll - Library for cat

run.reg - Registry file to launch a.exe on startup

v/ - Directory copied to computer

v/a.exe - Scheduler

v/autologonrm.reg - Registry file to disable auto-login

v/down.bat - Sample script to drop the screen (generated by install.bat)

v/dsnative.dll - Library for wget

v/libeay32.dll - Library for wget

v/libiconv2.dll - Library for wget

v/libintl3.dll - Library for wget

v/libssl32.dll - Library for wget

v/mplayer/codecs.conf - Mplayer config file

v/mplayer/config - Mplayer config file

v/mplayer/input.conf - Mplayer config file to block keyboard

v/mplayer/subfont.tff - Mplayer subtitle font

v/mplayer.exe - Mplayer

v/runrm.reg - Remove a.exe from autorun

v/test.bat - Main script called by a.exe

v/uninstall.bat - Uninstall script

v/up.bat - Script to raise screen

v/v.avi - The video!

v/wget.exe - Wget

v1.job - Attempt to use windows scheduler

wget* - Files used to generate up.bat/down.bat

Description of attack

First, the computer was logged on as Administrator, and then this disk was placed in the drive. At that point, autorun.inf is run by Windows. It launches install.bat, which is the main install script. This script copies over the v folder, generates the up.bat and down.bat, enables autologin and autorun of a.exe, and schedules an uninstall event for 5 PM. Finally, it reboots the computer. When the computer reboots, it does an auto-login, and runs a.exe. The a.exe program runs test.bat 12 minutes after the hour. Then, at 5 PM, everything uninstalls.

The test.bat script is the terminal window that would popup just before the video played. It uses wget to command the hardware appliance to drop the screen, turn on the projector, and maximize the audio level. Then, mplayer is used to play v.avi full screen without any keys responding. Finally, the screen is raised and the projector is turned off. At all other times, the computer was left fully functional.

As far as I can tell, all of the computers were powered down and had their disks removed by 5 PM. I sent an email to the IT people over the weekend detailing what I had done, how to verify all the files were safe, and how to run uninstall.bat to revert my changes.

Sep 30, 2012, 4:27 PM