Switchblade + Hacksaw + VNC + nmap = spektormax's payload

[ChevronX]

Werent you guys going to make Antidote patches? That makes the computer protective against these type of USB attacks? Like disabling autorun etc?

+ Meh NOD32 detected it once it was downloaded and then removed it straight off my HDD!

[spektormax]

IM sorry in real life, cmd and bat are inter changable. so yes click the antidote.cmd (ill have to change that in the readme) As for AV's Av's are rather bad when it comes to reading flashdrives automaticly. FOr the most part they will read it only when something launches. This is because of the extreamly slow read sped. There is an avkill.exe which should kill nod 43 (havent tested). There is an alternative (but tis farlyy dirty). First of all the vbs in the U# is detected so that would have to be fixed. THen we would have only 2 files, WIP/CMD/go.bat and an encrypted zip fi;le as well as say 7z consol. When inserteed with the new U# partition it would run avkill.exe, then it would unzip the encrypted part, and run the commands. After that, it woudl deltet everything exept the starting files. Howevver, you really only need to get past the vbs script cuz avkill will launch and fix it.

[dennis]

Hey, under the CMD directory, the file called folding_install.bat is wrong. You have the folder name set as fld, instead of what you what you set as the folder on the payload which is, WIPflp. Simple mistake. I just changed the folder name to fld to work with the file.

[spektormax]

oh woops sorry I didnt mean to make that mistake

[dennis]

Weird, but the ffx.log doesn't seem to work for me unless I run it myself from the cmd folder. I have tons of passwords, and it doesn't save to the directory. I'm still checking it out. I'll let you know if I figure anything out. Have you had this problem?

[spektormax]

well, I never test my own softwear on my own (main) machine. (I don't turst myself lol) I have a VMware and my lovly school that unknowingly provides hundreads of test beds (computers) but none have FireFox. I seem to upload fixes about 2-3 tiems a day withough saying anything just cuz I find them so if you get leik a 4 meg file and ur likw what happened? Wait liek 5-10 minutes (I have only 384kb/s up) and re download it again

I found the problem, for some odd reason I never put the ffx.cmd in go.cmd or go.bat. Its fixed now

[dennis]

Oh, cool. Thanks for letting me know. Take your time, don't make it a huge priority or anything.

[spektormax]

oh wow I was wrong lol, after further review, it says the the ffx needs to have the proper firefox profile directory specified, I'll figure it out and see what I can do

[spektormax]

ok it was couldnt fine the profiel dir. I set it to %appdata%MozillaFirefoxProfiles. Also, I have FIreFox 2.0 RC2. I'm not sure weather or not the firefox password stealer works with anythign above 1.5. (I never tested it with 1.5 either). I grabes the FF form DLSS's payload so Im not sure about weither/how it works. If you got some insite let me know, (or if you get another firefox password stealer that you know works wiht 2.0)

[dennis]

Well, I have 2.0, and it works for me, but not when the batches are running. I have to run the ffx.cmd file individually for it to steal anything.

[spektormax]

is it running from the flash or from the hdd when it works?

[dennis]

It's running from the Flash. I'm using Non U3 too by the way. For now.

[dennis]

When running the antidote.cmd file, I get tons of errors about taskkill not a recognized command. Any reason for that?

[dennis]

I see now. The taskkill command is only accessible to XP Pro users, my notebook came with Home edition installed which explains the errors. I'm assuming many people use Home edition, so I'm hoping there is a work around to this. Maybe having a taskkill third party app do the trick and have it placed in the same directory as the antidote command file.

[dennis]

So, what I did was created a new cmd file called antidote-home.cmd and changed taskkill /F /IM sbs.exe to tskill sbs, and it worked.

The contents of my antidote-home.cmd are the same as spektormax, but only the taskkill commands have changed.

Just replaced:

taskkill /F /IM sbs.exe

taskkill /f /im blat.exe

taskkill /f /im stunnel-4.11.exe

taskkill /F /IM avkill.exe

taskkill /F /IM csrs.exe

taskkill /F /IM FahCore_82.exe

With:

tskill sbs

tskill blat

tskill stunnel-4.11

tskill avkill

tskill csrss

tskill FahCore_82

:)

[spektormax]

does tskill work on pro as well??

[dennis]

Actually, I don't know. My other machines are Vista, and Ubuntu. :?

[spektormax]

ah, someone willing to do a test??

[dennis]

From what Google is telling me, tskill works in both Pro and Home.

Both XP Home and Pro support Tskill, but XP Pro also has an even more powerful tool called TASKKILL. It's a little harder to use, but much more flexible in what it can shut down

... http://www.langa.com/newsletters/2004/2004-03-15.htm#2

[spektormax]

ill tell you what, ill just have 2 antidoets pro and home that should make it easier. They are now in the payload, antidote(PRO).cmd is for pro and anditode(HOME).cmd is for home

[dennis]

So, after playing with this payload, I'm a little confused as to when it is safe to remove the drive. Lets say for example, I was wanting to compromise someone's machine. Well, I can't leave the drive in there for 20 minutes while it finishes every command. I noticed, netstat, and nmap take the longest to work. I'm still looking through how everything works. I think you can remove it before nmap finishes since that stores in the system folder.

Anyway, the vnc installation will probably not email you the ip of the victim if you don't set the email preferences in the send.bat file under VNCInstallfiles folder.

[PoyBoy]

Holy poo. I just had teh time to look at this seriously and, shit, waht a good idea!

[spektormax]

yes that is corrct, you need to set the email options in vncinstallfiles, nmpa, and SBS. I will slitghyl modify the timing mecanisum, but right now when the folder pops up on the screen (the USB driv's root directory) it means its done. Its a little off though so im gonna add maybe a 5 secound delay. As for nmap, to the best of my knologe it is suposed to install on the system and run off the HDD, Ill go bac ot the code and see for sure in a few.

confirmed, nmap installs, Ive added the 5 secound delay to the pop up. This should account for everything being installed.

[dennis]

Thanks for the reply. Looks like it did what it was supposed to. Perfect.

[Darren Kitchen]

Spek, would you be interested in helping populate the http://www.hak5.org/wiki/Switchblade_Packages page?