[Question] Is it possible to execute jar/scripts/exe files?

[Hypn0ticKi11er]

I have a quick question: Let's say I have a .jar file I want to execute on a computer with Ducky.

Is it possible? Is it possible to make it work on any OS (not just Windows 7 with Powershell)?

Thanks in advance

[no42]

The ducky could call the jar file, this could be downloaded from internet, or loaded from mass storage drive.

Your just dependant on having:

1. Java needs to be installed on the system
2. Java needs to be fully configured; e.g. class path, executable path

[overwraith]

As far as executing the jar file, there is probably no uniform way to navigate to each OS's command prompt that is the same for all of them. The number of scripts required to execute on different OS's can be minimized however by sticking to key sequences that are common to subsequent versions of the OS. For instance, one can probably make a script that works on Windows XP, and Vista, and Windows 7, but not Linux. Also, one can probably make one script that works on all or many flavors of Linux. I foresee 3 end scripts, one for Windows, one for Linux, and one for OS X. Twin duck can probably hold all the JRE files necessary. Portable apps may even have some form of portable JRE software. It may be worth it to look online for any kind of silent install procedure as well. I know that Python has a silent install.

[Hypn0ticKi11er]

Thanks for all the responses; they'll definitely guide me towards what I need =).

The process itself wouldn't need to be uniform on all OS's; I'm mostly just looking

for the easiest way to get the file on the computer and execute it.

By chance, is it possible to have the .jar on the microSD card itself and have the

ducky retreive it? I'm guessing no, but I thought I'd ask.

Edited January 27, 2013 by Hypn0ticKi11er

[overwraith]

Thanks for all the responses; they'll definitely guide me towards what I need =).

The process itself wouldn't need to be uniform on all OS's; I'm mostly just looking

for the easiest way to get the file on the computer and execute it.

By chance, is it possible to have the .jar on the microSD card itself and have the

ducky retreive it? I'm guessing no, but I thought I'd ask.

You need to flash your duck with specialized firmware that midnightsnake has made. I think Twin Duck will work. It is now possible to have composite HID/Mass storage devices.

[no42]

Twin Duck firmware:

1. Mass Storage support
2. HID injection

[Hypn0ticKi11er]

You need to flash your duck with specialized firmware that midnightsnake has made. I think Twin Duck will work. It is now possible to have composite HID/Mass storage devices.

Twin Duck firmware:

1. Mass Storage support
2. HID injection

So just to be clear: The twin duck firmware can make the Ducky actually work as both a Mass Storage Device and a Keyboard?

[Shark3y]

Yes. It's the bees knees.

[Hypn0ticKi11er]

Yes. It's the bees knees.

Wow, that's pretty awesome.

So you really wouldn't ned to use Download + Execute anymore to set up Meterpreter Shells or any other software.

Thanks for all the help!

[overwraith]

There is a problem I foresee you having though. The USB mass storage part does not show up for a while, so you may end up having to make a batch loop which waits for the USB mass storage to mount. The following code I made on the fly, so it probably wont work, but will show you more or less what to do to get this working.

:while1

for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d

if Exist %myd% (

goto break

)

goto while1

:break

REM Continue script. 

[Hypn0ticKi11er]

There is a problem I foresee you having though. The USB mass storage part does not show up for a while, so you may end up having to make a batch loop which waits for the USB mass storage to mount. The following code I made on the fly, so it probably wont work, but will show you more or less what to do to get this working.

:while1

for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d

if Exist %myd% (

goto break

)

goto while1

:break

REM Continue script. 

So what your Script does is wait for a drive to show up with the label "Ducky"? Seems like that's the case. So, I'd use this until it recognizes the "Ducky," then I'd have it execute the .jar file inside. Seems pretty udnerstandable once I get the hand of it.

Sorry for all the questions, I'm pretty new to this.

@overwraith

Although I'm new to Ducky, I CAN crypt an .exe file for you (as I saw a different thread of yours about it).

If you want me to, shoot me a message (the output would be FUD to all AV's as you were hoping for).

[overwraith]

yeah, the script should look for a drive labeled 'ducky', and loop until the drive exists. When it does exist, it will break out of the loop. The part that looks for the ducky drive:

for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d

was actually written by midnightsnake. The rest of it is my untested solution to the problem of waiting for the drive to exist. I have not actually tested it yet, so no guarantees.

Edited January 27, 2013 by overwraith

[no42]

%myd% is the variable storing the drive letter, just like %systemroot% is a variable for c:\windows\system32

so to call executable / jar files on the sdcard you need

%myd%/execute_me.exe
or
java -jar %myd%/my_jar_file_on_sdcard_root.jar

Edited January 27, 2013 by midnitesnake

[Hypn0ticKi11er]

%myd% is the variable storing the drive letter, just like %systemroot% is a variable for c:\windows\system32

so to call executable / jar files on the sdcard you need

%myd%/execute_me.exe
or
java -jar %myd%/my_jar_file_on_sdcard_root.jar

Thanks you guys so much =) Great community here!

Hopefully, my Ducky will arrive either on Tuesday or Wednesday and I can test all of this on it!

[overwraith]

I just tested my code snippet. It is so gratifying when a plan comes together. Tell the ducky to make a batch file, then run it. Added another '%' to make the for loop run in a batch file.

REM DuckyWait.bat

:while1

for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d

if Exist %myd% (

goto break

)

goto while1

:break

REM Continue script.

Edited January 28, 2013 by overwraith

[Hypn0ticKi11er]

I just tested my code snippet. It is so gratifying when a plan comes together. Tell the ducky to make a batch file, then run it. Added another '%' to make the for loop run in a batch file.

Thanks man, this is perfect!

I'll let you know how it works out when I get my Ducky =)

[Hypn0ticKi11er]

I did some reaserch and wondered if, instead of a batch file to detect whether the Ducky SD is mounted or not, we could just do something like this:

bool init_sd_card(void) { return (card.init(SPI_HALF_SPEED, sd_chip_select) && volume.init(&card) && root.openRoot(&volume)) ? true : false;}

That one is for the Teensy so I have no idea on whether it would work on the Ducky or not. Just thought it might work seeing as how similar they are.

Edited January 30, 2013 by Hypn0ticKi11er

[overwraith]

I did some reaserch and wondered if, instead of a batch file to detect whether the Ducky SD is mounted or not, we could just do something like this:

bool init_sd_card(void) { return (card.init(SPI_HALF_SPEED, sd_chip_select) && volume.init(&card) && root.openRoot(&volume)) ? true : false;}

That one is for the Teensy so I have no idea on whether it would work on the Ducky or not. Just thought it might work seeing as how similar they are.

That looks a lot like C language, ducky's are programmed with duckscript. I sometimes wish we could program the ducky with C. I think the only way to really do this is to have the ducky type out either a batch script or a VB script.

[Hypn0ticKi11er]

That looks a lot like C language, ducky's are programmed with duckscript. I sometimes wish we could program the ducky with C. I think the only way to really do this is to have the ducky type out either a batch script or a VB script.

Ah, got it. I'm using both the Ducky and Teency in a presentation and think the code I stated above will be VERY useful for the Teency part. For the Ducky part, I'll just use the batch you kindly wrote for me =)

[overwraith]

Threw together a payload which you can get at this other forum post:

http://forums.hak5.org/index.php?/topic/28697-question-is-it-possible-to-run-exes/

Will need slightly modified to run a jar, but is pretty straight forward.