
[BugReport][Payload] Problem with runexe from sd card playload



Yes the first one worked, Thank You! I have been tampering with it and I do have a question. What is the difference between

STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d
ENTER
STRING %myd%
ENTER
STRING START Payload.exe

and your code. Since you have to wait for the ducky to mount before you can run a payload anyway, I don't see a difference between running it straight from CMD and making a batch file. Also, I don't see what invis.vbs does. I'd really love to learn!

Edited by mahorelee

The "RunEXE from SD" payload is specifically designed to create a batch file that continually polls for the ducky drive. This payload works on Twin duck firmware, so it essentially brings back auto-run. Other payloads are designed for different firmware which uses the ducky's push button to launch the payload, which entails a little more work at exploitation time because you specifically have to wait for the drive to mount.

Here is some pseudocode that is a basic outline of what the script does:

While drive does not exist
    pause 30 seconds

If drive does exist
    start the executable on my drive

The difference between my two payloads that I posted is that on the second one, the code that polls for the drive can run on any current Windows OS, because the commands are simpler.

The difference between my code and the code that you have posted is that for your code you would have to wait for the ducky drive to mount before telling the ducky to run. My code runs right away, and does the waiting itself.

"invis.vbs" is a VBS script file which allows you to run the batch file DuckyWait.bat silently. Modern Windows OSes make it almost impossible to run batch files silently, hence the slight subterfuge. invis.vbs makes it so that you do not have an open command prompt for quite as long as you would otherwise require to run the script. I just realized that the link I have in the code to the people I borrowed the invis.vbs script from is wrong. I will have to change that. You can always find my script on the github page, and should re-download it every so often to have access to my changes. If you wish to learn more about invis.vbs you can probably just google it, and find the blog discussion I borrowed it from.

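As an added defender-side example (not code from this thread or from the payload's author): a small Python checker run over constructed process-creation events, with assumed field names, that flags the chain the reply describes: a VBS wrapper silently launching a batch file, wmic/findstr polling for a volume label, and an executable started from a non-system volume underneath the script host.

```python
import re

SYSTEM_DRIVE = "c:"  # assumption: the OS volume is C:, anything else is treated as removable/mounted

# Constructed sample events (shape is assumed, not real Sysmon/EDR output). They model the chain
# from the reply: wscript.exe runs invis.vbs to launch DuckyWait.bat hidden, cmd.exe polls the
# volume labels with wmic/findstr, then Payload.exe is started from the newly mounted drive E:.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",            "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "E:\invis.vbs" "E:\DuckyWait.bat"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c ""E:\DuckyWait.bat""'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic volume get driveletter, label"},
    {"pid": 500, "ppid": 300, "image": r"C:\Windows\System32\findstr.exe", "cmd": 'findstr "DUCKY"'},
    {"pid": 600, "ppid": 300, "image": r"E:\Payload.exe",                    "cmd": r"E:\Payload.exe"},
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",      "cmd": "cmd.exe /c dir"},  # benign
]

def ancestors(events, pid):
    """Yield the lower-cased image paths of pid's ancestors, nearest parent first."""
    by_pid = {e["pid"]: e for e in events}
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            yield by_pid[pid]["image"].lower()

def flag_events(events):
    """Return (pid, reason) tuples for events matching one of three heuristics."""
    findings = []
    for e in events:
        image, cmd = e["image"].lower(), e["cmd"].lower()
        base = image.rsplit("\\", 1)[-1]
        # 1. Script host given a .vbs that also names a .bat: the invis.vbs silent-launch trick.
        if base in ("wscript.exe", "cscript.exe") and ".vbs" in cmd and ".bat" in cmd:
            findings.append((e["pid"], "vbs wrapper launching a batch file (silent-batch pattern)"))
        # 2. Enumerating volume labels with wmic: the drive-mount polling loop.
        if re.search(r"wmic\s+volume\s+get\s+driveletter", cmd):
            findings.append((e["pid"], "volume-label polling with wmic (drive-mount wait loop)"))
        # 3. Binary off the system drive whose lineage passes through a script host.
        if not image.startswith(SYSTEM_DRIVE) and any(
                a.endswith(("\\wscript.exe", "\\cscript.exe")) for a in ancestors(events, e["pid"])):
            findings.append((e["pid"], "executable on a non-system volume started under a script host"))
    return findings
```

Any one rule alone is noisy (admins run wmic too); the chain is the signal, so correlate the three findings on a shared lineage before alerting.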
