Jump to content

All switchblade files on cd partition (U3)


bomberman

Recommended Posts

Iv'e been trying out the switchblade a bit latley, And as many(most) others have experienced antivirus programs arent too found of the switchblade executables.

So this got me thinking, How about putting all the executables on the CD partition so antivirus programs cant delete the files, The problem i encounterd is that usb drives gets drive letter asigned randomly, So theres no way of knowing the drive letter your usb drive will get assigned to. And if you change the drive letter in computer managment, It will only affect your local machine.

And this makes it kinda hard to map the dump to the usb drive.

So what im wondering is if anyone knows any other way other then drive letters to identify the right disk and dumping on it ?

(I know you can just keep a rar archive with the executables on your usb drive incase antivirus programs deletes it, But this would eliminate the need for it)

Link to comment
Share on other sites

It is possible to put information on the CD partition of a U3 drive by manipulating the ISO that gets burnt to it, but the partition itself is very small (around 6mb) so the payload would have to be relatively thin.

As mapping drives go, it is not all that difficult. I have seen tutorials on assigning a "permanent" drive letter to a USB drive, but I think that just goes as far as your Home computer and not others. It shouldn't be too hard to have an executable on the CD partition that looks for a drive with a TAG file in it, and then returns that drive letter to the payload script. Maybe it could be done in VBS, but that's over my head.

Link to comment
Share on other sites

I know you can add the files to the iso and then flash it, I also think you can vary the size of the cd partition if that helps the payload.

Your idea intregues me, Shouldnt it be possible to use command lines to search for a specific file in only the root directory of each disk, And dump the first letter as a variable in the go.cmd ?

Or possibly add some "unix" executables too the drive, I think there are tools for that kind of stuff in some of them executables.

Link to comment
Share on other sites

I know you can add the files to the iso and then flash it, I also think you can vary the size of the cd partition if that helps the payload.

Your idea intregues me, Shouldnt it be possible to use command lines to search for a specific file in only the root directory of each disk, And dump the first letter as a variable in the go.cmd ?

Or possibly add some "unix" executables too the drive, I think there are tools for that kind of stuff in some of them executables.

I have been given the impression (and I cant recall where.. Im thinking DD in linux) that the size of the ISO partition is limited by the drives actual capacity and can be simply resized when flashing. While I havent tested this to validate if that is the case what would be the problem?

Link to comment
Share on other sites

I had this idea a long time ago and fiddled with it before getting too aggravated with antivirus deleting my payloads.

I know you can set a drive letter for your external drives through Administrative Tools > Computer Management > Storage, and I'm fairly certain it retains the drive letter you set to it, as my external TB drive is ALWAYS W:, no matter what computer I plug it into.

I suppose you could do this to the USB partition and set it to a drive letter that almost never gets used.

There'd be a chance, slim but still a chance, that the computer you plug into would already be using that drive letter, I.E. W:\, and it'd get reassigned but that's a small chance.

You could then edit your payload to use your custom drive letter, i.e. W:\?

Link to comment
Share on other sites

Ahh, sorry to burst your bubble, but this has already been done (some time ago) see GonZor's Payload.

Now as far as finding what the drive letter is of the USB drive thats very easy, and can be done using batch files (like in gonzor's payload), vbs or in C

Ruff Example in C/C++ ( Note: This can be done in a 5 line batch script, but C looks badass )

/**********************************************
  Name: SbExec
  Copyright: Fuck That Shit
  Author: SableFoXx
  Description: Runs a payload, reguardless of what drive letter it is on.
                     the payload directory should be the first line of "sbexec.inf"
                    and should be placed in the same directory as the sbexec.exe
***********************************************/
#include <stdio.h>
#include <stdlib.h>

#define INF_PATH "sbexec.inf"
#define PL_PATH "X:\\Windows\\System32\\cmd.exe"
#define FN_MAX 256 /* longest filename is 255 on ntfs */

int main(void)
{
    int plexec( char path [] );
    int inf_read( char path[] );
    
    char path[FN_MAX] = PL_PATH;
    printf("\nSbExec v1.0\n");
    
    FILE *pl;
    if ( ( pl = fopen( INF_PATH, "r" ) ) != NULL )
        inf_read(path);
    else
        plexec(path);
    getchar();
    return 0;
}

int plexec( char path[] )
{
    int cnt;
    FILE *pl;
    char letter = 'Z';
    
    for( cnt = 0; cnt <= 25; cnt++ )
    {
        path[0] = letter;
        printf("\nLooking for %s ... ", path);
        if ( ( pl = fopen( path, "r" ) ) != NULL )
        {
            fclose(pl);
            printf("File Exists!\n\n * Executing \"%s\"\n\n", path);
            system(path);
            return 0; /* Executed Payload */
        }
        printf("File Does Not Exist");
        letter = (char)( (int)letter - 1 ); /* Next Letter Down */
    }
    return 1; /* Payload Not Found */
}

int inf_read( char path[] )
{
    int i; 
    int plexec( char path[] );
    
    printf("\nReading %s ... ", INF_PATH);
    FILE *inf;
    if ( ( inf = fopen( INF_PATH, "r" ) ) == NULL )
        {
             printf("Failed to Open File!\n");
             return 1; /* Failbus */
        }
    while( fgets( path, FN_MAX, inf ) != NULL )
        {
        
        
        
        }
    printf("File Points to \"%s\"", path);
    plexec(path);
    fclose(inf);
    return 0;
}

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...