Switchblade + Hacksaw + VNC + nmap = spektormax's payload


spektormax

I'm sorry; in real life, cmd and bat are interchangeable, so yes, click antidote.cmd (I'll have to change that in the readme). As for AVs, AVs are rather bad when it comes to reading flash drives automatically. For the most part they will read it only when something launches. This is because of the extremely slow read speed. There is an avkill.exe which should kill nod 43 (haven't tested). There is an alternative (but it's fairly dirty). First of all, the vbs in the U3 is detected, so that would have to be fixed. Then we would have only 2 files, WIP/CMD/go.bat and an encrypted zip file, as well as, say, the 7z console. When inserted with the new U3 partition it would run avkill.exe, then it would unzip the encrypted part and run the commands. After that, it would delete everything except the starting files. However, you really only need to get past the vbs script because avkill will launch and fix it.


Hey, under the CMD directory, the file called folding_install.bat is wrong. You have the folder name set as fld, instead of what you set as the folder on the payload, which is WIPflp. Simple mistake. I just changed the folder name to fld to work with the file.


Weird, but the ffx.log doesn't seem to work for me unless I run it myself from the cmd folder. I have tons of passwords, and it doesn't save to the directory. I'm still checking it out. I'll let you know if I figure anything out. Have you had this problem?


Well, I never test my own software on my own (main) machine. (I don't trust myself, lol.) I have VMware and my lovely school that unknowingly provides hundreds of test beds (computers), but none have Firefox. I seem to upload fixes about 2-3 times a day without saying anything, just because I find them, so if you get like a 4 meg file and you're like, what happened? Wait like 5-10 minutes (I have only 384kb/s up) and re-download it again.

I found the problem: for some odd reason I never put ffx.cmd in go.cmd or go.bat. It's fixed now.


OK, it couldn't find the profile dir. I set it to %appdata%\Mozilla\Firefox\Profiles. Also, I have Firefox 2.0 RC2. I'm not sure whether or not the Firefox password stealer works with anything above 1.5. (I never tested it with 1.5 either.) I grabbed the FF one from DLSS's payload so I'm not sure about whether/how it works. If you have some insight let me know (or if you get another Firefox password stealer that you know works with 2.0).


I see now. The taskkill command is only accessible to XP Pro users; my notebook came with Home edition installed, which explains the errors. I'm assuming many people use Home edition, so I'm hoping there is a workaround for this. Maybe having a third-party taskkill app do the trick and having it placed in the same directory as the antidote command file.


So, what I did was create a new cmd file called antidote-home.cmd and changed taskkill /F /IM sbs.exe to tskill sbs, and it worked.

The contents of my antidote-home.cmd are the same as spektormax's, but only the taskkill commands have changed.

Just replaced:

taskkill /F /IM sbs.exe
taskkill /f /im blat.exe
taskkill /f /im stunnel-4.11.exe
taskkill /F /IM avkill.exe
taskkill /F /IM csrs.exe
taskkill /F /IM FahCore_82.exe

With:

tskill sbs
tskill blat
tskill stunnel-4.11
tskill avkill
tskill csrss
tskill FahCore_82

:)

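A defender-side cleanup script for the process names the two posts above list, added here as an illustration and not spektormax's antidote.cmd or the poster's antidote-home.cmd: it uses taskkill where the binary exists (XP Pro) and falls back to tskill on XP Home. It keeps the taskkill list's name csrs (the payload's look-alike file) rather than csrss, because csrss.exe is a legitimate Windows system process and must not be terminated.

```batch
@echo off
rem Added example, not the payload's own antidote.cmd: stop the payload's known
rem background processes on either XP edition. Process names are the ones
rem listed in the thread; "csrs" (the payload's file) is used on purpose,
rem not "csrss", which is a real Windows system process.
setlocal

rem taskkill.exe ships with XP Pro only; tskill.exe is present on Pro and Home.
set KILLER=tskill
if exist "%SystemRoot%\system32\taskkill.exe" set KILLER=taskkill
echo Using %KILLER% to stop payload processes.

for %%P in (sbs blat stunnel-4.11 avkill csrs FahCore_82) do call :stop %%P

echo Done. The payload's files under WIP and the VNC install still need manual removal.
endlocal
goto :eof

:stop
if "%KILLER%"=="taskkill" (
    rem taskkill returns a non-zero errorlevel when no such process is running.
    taskkill /F /IM %1.exe >nul 2>&1 && echo   stopped %1.exe || echo   %1.exe not running
) else (
    rem tskill takes the image name without .exe and reports nothing useful on a miss.
    tskill %1 >nul 2>&1
    echo   sent kill to %1
)
goto :eof
```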

So, after playing with this payload, I'm a little confused as to when it is safe to remove the drive. Let's say, for example, I was wanting to compromise someone's machine. Well, I can't leave the drive in there for 20 minutes while it finishes every command. I noticed netstat and nmap take the longest to work. I'm still looking through how everything works. I think you can remove it before nmap finishes since that stores in the system folder.

Anyway, the vnc installation will probably not email you the ip of the victim if you don't set the email preferences in the send.bat file under VNCInstallfiles folder.


Yes, that is correct, you need to set the email options in vncinstallfiles, nmap, and SBS. I will slightly modify the timing mechanism, but right now when the folder pops up on the screen (the USB drive's root directory) it means it's done. It's a little off though, so I'm gonna add maybe a 5 second delay. As for nmap, to the best of my knowledge it is supposed to install on the system and run off the HDD; I'll go back to the code and see for sure in a few.

Confirmed, nmap installs. I've added the 5 second delay to the pop up. This should account for everything being installed.
