Skip to content

July 3, 2012


Pwn Plug Command Execution Using USB Sticks

This is something I’ve been meaning to do for a while, and whilst the title may not sound all that intuitive, it’s actually referring to something pretty simple. When I got my Pwnie Express Pwn Plugs, there were several times when I wished I could run commands on them when I couldn’t connect to them over SSH, for example when I couldn’t remember the last static IP I’d set. Yes, I could use the serial connection, but somehow that didn’t fully appeal to me.

So I came up with the idea of being able to use a USB stick to carry a command ‘payload’ that would get automatically executed upon being plugged into the Pwn Plug. Now I can run commands such as ifconfig, kick off an nmap scan, whatever I need; and all the results are output back onto the USB stick.

Note that I chose to do this on my Pwn Plug, but it should work equally well on other embedded devices such as the MiniPwner with a bit of tweaking.

How it works

1. This hack uses autofs to perform auto-mounting of the USB drive, and udev to launch an execution script when the USB drive is plugged in.

2. Configure udev to run my auto-execution script.

2. Format a USB drive which contains three files (one optional):

  • This file is a simple bash script containing all the commands to be run on the Pwn Plug.
  • secret (optional): This file contains a secret value (password) that must match the one configured on the Pwn Plug for to be executed.
  • log.txt: This file will be automatically created, and will contain the output of all the commands executed in The log file is appended each time, delimited by a timestamped line.

3. Plug your prepared USB drive into your Pwn Plug, wait at least 10 seconds (plus however long you expect your commands to run), and unplug it. If you want to see the output of the commands, you can plug the USB drive into your computer to read log.txt.

4. ????

5. Profit!

Setting up the Pwn Plug

Format your USB stick using the ext3 filesystem. Note, format the entire device (sda, sdb) and not just a partition (sda1, sdb1):

mkfs.ext3 /dev/sda (change this to your correct device)

Run apt-get update and install udev and autofs:

apt-get update && apt-get install udev autofs

Edit /etc/auto.master and append the following line:

/var/autofs/removable /etc/auto.removable --timeout=2

Create /etc/auto.removable and copy in the following line:

cmdusb -fstype=ext3 :/dev/cmdusb

Create /etc/udev/rules.d/custom.rules and add the following line:

KERNEL=="sd?", SUBYSTEM=="usb", ATTRS{model}=="*", SYMLINK+="cmdusb%n", RUN+="/bin/sh /usr/local/bin/"

Side note: If you want to only allow one specific USB drive to be used to run commands, enter your USB device’s model into the ATTRS{model} value above (instead of the wildcard). You can obtain your USB stick’s ID by running the following command, make sure your correct device is used (sda or sdb):

udevadm info -a -p /sys/block/sda | grep model 

It’ll look something like: ATTRS{model}==”Flash Disk “

Create /usr/local/bin/, copy in the code below and set a custom secret value (if required). Setting a secret will require that secret value to be present in a file called ‘secret’ in the root of the USB drive, otherwise commands will not be executed.

# This script executes commands on a USB stick and outputs the results to a logfile.
# --------------------------------------------------------------------------
# Copyright (c) 2011 Security Generation <>
# This script is licensed under GNU GPL version 2.0
# --------------------------------------------------------------------------
# Visit
# for more information.
# --------------------------------------------------------------------------

# Enter a secret or leave blank (ie. "").

# first wait for drive to be automounted
/bin/sleep 3;

# add separator to log
/bin/echo "--------- $(date) ---------" >> /var/autofs/removable/cmdusb/log.txt; 

# is a secret required?
if [ "$secret" != "" ]; then
        # check secret file exists on drive
        if [ -f /var/autofs/removable/cmdusb/secret ]; then
                # check secret in file matches secret above
                if [ "$secret" = $(/usr/bin/head -n 1 /var/autofs/removable/cmdusb/secret) ]; then
                        /bin/sh /var/autofs/removable/cmdusb/ >> /var/autofs/removable/cmdusb/log.txt;
                        /bin/echo "Incorrect secret!" >> /var/autofs/removable/cmdusb/log.txt;
                /bin/echo "Missing secret file!" >> /var/autofs/removable/cmdusb/log.txt;

# no secret
/bin/sh /var/autofs/removable/cmdusb/ >> /var/autofs/removable/cmdusb/log.txt;


Remember to set the correct permissions on

chmod a+x /usr/local/bin/

And finally restart autofs and udev:

/etc/init.d/autofs restart && /etc/init.d/udev restart

Important note: the path to your USB drive will always be /var/autofs/removable/usbcmd.

Setting up the USB stick

Commands to be executed must be placed in a bash file called ‘’ in the root of the USB drive. Make sure that begins with “#!/bin/sh”, and then place one command on each line (also best to end each line with a semicolon). You must use the full path to executables and files in, so for ifconfig you would have to enter /sbin/ifconfig. If you don’t know the full path for a particular command you can type which <command> to find it. You may need to ‘chmod a+x’ as well.

If you set a secret in above (“changeme” by default), then you will need to place the same value in a file called ‘secret’ in the root of the USB drive.

Once you’re all set, just plug the USB stick in, wait 10 seconds or so (plus however long you expect your commands to take), then unplug it. Any output from the command(s) will be piped into a file called ‘log.txt’, which you can read by plugging it into your computer. Note your computer will need to be able to read the ext3 filesystem to mount the USB drive, so use Linux or install OSXFuse and fuse-ext2 on Mac OS X as described here.


I should point out at this point that this was only tested on version 1.1 and 1.1.1 of the Pwn Plug software. udev can be quite finicky, but I’ve tested these instructions on two Pwn Plugs and it works great. The following link may come in handy if you get stuck:

Please post any questions, feedback, ideas or improvements in the comments if you have any!

2 Comments Post a comment
  1. Jul 4 2012

    This is awesome. I’ve stuck a feature request into our github to get this included as a service!

Trackbacks & Pingbacks

  1. Top 5 USB Hacks that PWN You

Share your thoughts, post a comment.


Note: HTML is allowed. Your email address will never be published.

Subscribe to comments