Key Combos in Ducky Script

[factgasm]

In this thread Crackruckles pointed out that the command line editor can be run as administrator with the following:

1. Press the Win keyboard key or click on Vista Start button.
2. Type cmd into the Start Search textbox.
3. Press Ctrl+Shift+Enter keyboard shortcut. Ctrl-Shift-Enter is the general keyboard shortcut that triggers elevation to “Run as Administrator”.
4. Press Alt+C or press Continue to confirm the UAC elevation warning prompt.

The question is : Can Ducky Script handle three-key combos?

Sorry to start a whole new thread on this but I felt this was important enough to merit it (mods feel free to merge).

[overwraith]

Yes, I have done it before.

STRING cmd
CTRL-SHIFT ENTER

[factgasm]

Overwraith, you're a gentleman and a scholar. :)

Update: Sadly, having tried it, It doesn't run as hoped on either.

Here's a sample script I'm working with in Windows7/8.

DELAY 3000
DEFAULT_DELAY 500
GUI r
STRING cmd
CONTROL-SHIFT ENTER
ALT Y
EXIT

Can anyone see why the CONTROL-SHIFT ENTER combo wouldn't work?

Personally I suspect that DuckyScript hasn't been set up to handle key-triples yet, though I would be happy to be proven wrong.

Edited December 4, 2013 by factgasm

[3mrgnc3]

Have you tried CTRL-SHIFT ENTER instead of CONTROL-SHIFT ENTER?

Also what keyboard are you encoding for?

Have you had any error output whilst compiling the binary?

;)

Edited December 3, 2013 by 3mrgnc3

[factgasm]

I have tried both CTRL and CONTROL in the script. Neither produces compile error messages and both produce the same result at run time: The scripts run, the command line window pops-up (not as Administrator :() and the duck types the characters 'y' and 'e' at the prompt.

I'm using a UK keyboard but I have not set any parameters in my 'java -jar' line as presumably CTRL, SHIFT and ENTER are common on Western keyboards.

Edited December 4, 2013 by factgasm

[3mrgnc3]

Personally I suspect that DuckyScript hasn't been set up to handle key-triples yet, though I would be happy to be proven wrong.

Sadly I suspect that you may be correct there mate. :(

[factgasm]

Looks like a new firmware release might be needed.

DARREN!!

[no42]

Nothing to do with firmware. Should be the encoder, which one are you using?

[factgasm]

Good question.

There are several sources for the encoder. Unfortunately I can't remember which website I got the one I'm using from (possibly Github) and there's no identifying feature other than to tell you is a file called encoder.jar 52.6kb in size. You'll have to forgive me here, I'm new to this and fumbling my way through.

The good news is that I have sidestepped the problems I mentioned earlier by using powershell, but the three-key-combo problem still remains.

Edited December 10, 2013 by factgasm

[no42]

Can you try again with this one?

DuckEncoder_2.6.2.zip

[factgasm]

Gave it a try and er . . .. nope, that didn't work either.

Edited December 10, 2013 by factgasm

[smokintbird]

@factgasm

you mentioned you are working on a script to work on windows 7 and 8...have you tried using the key combination on the target machine without the ducky?

The CTRL-SHIFT ENTER combination works great on WinXP, but I cannot make that key combination produce an admin level prompt on Vista, 7, or 8.

maybe I'm missing something...but for Vista, 7, and 8 I have to use something like https://forums.hak5.org/index.php?/topic/30100-payload-faster-uac-bypass/

I am using the command "net session >nul 2>&1" and then "echo %errorlevel%" to check for admin privileges...if the errorlevel is "0" it is admin and anything else is not.

Someone correct me if I'm missing something.

Smokintbird

[MB60893]

Hmm. I noticed that you were trying to run the CMD terminal from the run dialog box. This won't work with a key combo. You would have to add some sort of powershell script to make it work correctly.

For Windows Vista or 7 (not sure about 8) Try just pressing the windows key, then type "cmd.exe", then press ctrl + shift + enter. The UAC dialog will come up, then press alt y for yes. And hey presto, one cmd!

If you are trying to do this for windows XP or newer, consider launching notepad and typing this into a file, then saving as a .bat script:

Credits to Matt for the great script and explanations (http://stackoverflow.com/questions/7044985/how-can-i-auto-elevate-my-batch-file-so-that-it-requests-from-uac-admin-rights/12264592#12264592)

:::::::::::::::::::::::::::::::::::::::::
:: Automatically check & get admin rights
:::::::::::::::::::::::::::::::::::::::::
@echo off
CLS
ECHO.
ECHO =============================
ECHO Running Admin shell
ECHO =============================

:checkPrivileges
NET FILE 1>NUL 2>NUL
if '%errorlevel%' == '0' ( goto gotPrivileges ) else ( goto getPrivileges )

:getPrivileges
if '%1'=='ELEV' (shift & goto gotPrivileges)
ECHO.
ECHO **************************************
ECHO Invoking UAC for Privilege Escalation
ECHO **************************************

setlocal DisableDelayedExpansion
set "batchPath=%~0"
setlocal EnableDelayedExpansion
ECHO Set UAC = CreateObject^("Shell.Application"^) > "%temp%\OEgetPrivileges.vbs"
ECHO UAC.ShellExecute "!batchPath!", "ELEV", "", "runas", 1 >> "%temp%\OEgetPrivileges.vbs"
"%temp%\OEgetPrivileges.vbs"
exit /B

:gotPrivileges
::::::::::::::::::::::::::::
:START
::::::::::::::::::::::::::::
setlocal & pushd .

REM Run shell as admin (example) - put here code as you like
cmd /k

Give that a go and let me know the outcome!

Cheers,

Edited December 17, 2013 by MB60893