Hello everyone,
I'm talking about this recent payload: https://www.hak5.org/blog/hak5/stealing-files-with-the-usb-rubber-ducky-usb-exfiltration-explained
The bug is in the e.cmd file, where the folder name is created, depending on date and time:
REM Creates directory compromised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
set dst=%~d0\slurp\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
Thanks to the fact that I always do my hacking homework at night, I discovered that the time is not always 11 characters long; in fact, it could be like this:
2:34:54 instead of 02:34:54.
So, if you are executing the script at night, you'll have a folder name containing an empty character, like NAME_10122017_ 23454, and this causes issues later when the script has to copy the files to this folder.
The responsible script part is this: %time:~-11,2%, where it always goes back 11 characters to get the first two numbers, but it finds just one.
I did not have the time to modify it to make it work every"time" ;), but it should be easy to do. I just wanted all of you to know about it ;)
Cheers
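
Added example, not part of the original post or of the payload it discusses: a standalone batch script that reproduces the `%time%` slicing behaviour described above on two constructed time strings and compares it with slicing after spaces are replaced by zeros. The label `:stamp`, the variable names and the sample times are assumptions made for the demonstration; the offsets assume the `HH:MM:SS.cc` layout, which depends on the regional settings.

```batch
@echo off
setlocal

REM Constructed sample values in the layout cmd.exe uses for %time% with
REM en-US regional settings. An hour below 10 is padded with a space.
call :stamp "14:34:54.12"
call :stamp " 2:34:54.12"
exit /b 0

:stamp
REM %~1 removes the surrounding quotes but keeps the leading space.
set "t=%~1"

REM Slicing with offsets counted from the end of the string, as in the
REM line quoted in the post. The hour field keeps the padding space.
set "raw=%t:~-11,2%%t:~-8,2%%t:~-5,2%"

REM Replace every space with 0 first, then slice from the front.
set "p=%t: =0%"
set "fixed=%p:~0,2%%p:~3,2%%p:~6,2%"

REM for /f skips a string made only of delimiter characters, so the loop
REM body runs only when something other than a digit is present.
set "rawok=yes"
for /f "delims=0123456789" %%x in ("%raw%") do set "rawok=no"
set "fixedok=yes"
for /f "delims=0123456789" %%x in ("%fixed%") do set "fixedok=no"

echo input=[%t%]
echo   raw=[%raw%] digits-only=%rawok%
echo   fixed=[%fixed%] digits-only=%fixedok%
exit /b 0
```

Any path built from such a value should also be wrapped in double quotes wherever it is used, so that an unexpected space does not split the argument.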