Sh4d0wm4n Posted February 11, 2017

Hello everyone,

I'm talking about this recent payload: https://www.hak5.org/blog/hak5/stealing-files-with-the-usb-rubber-ducky-usb-exfiltration-explained

The bug is in the e.cmd file, where the folder name is created, depending on date and time:

    REM Creates directory compromised of computer name, date and time
    REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
    set dst=%~d0\slurp\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%

Thanks to the fact that I always do my hacking homework in the night, I discovered that the time is not always 11 characters long, in fact it could be like this: 2:34:54 instead of 02:34:54.

So, if you are executing the script in the night, you'll have a folder name containing an empty character, like NAME_10122017_ 23454, and this is causing issues later when the script has to copy the files to this folder.

The responsible script part is this: %time:~-11,2%, where it always goes back 11 characters to get the first two numbers, but it finds just one.

I did not have the time to modify it to make it work every "time" ;), but it should be easy to do. I just wanted all of you to know about it ;)

Cheers
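
The timestamp pitfall described in the post, as an added example that is not part of the original post or of the payload it discusses: a stand-alone batch script that builds a space-free date/time stamp for a directory name. It assumes the en-US `%date%` and `%time%` layouts the quoted line relies on; the variable names `t`, `stamp` and `stamp2` are hypothetical.

```batch
@echo off
setlocal

rem Added example. Assumed layouts (en-US regional settings):
rem   %date% = "Sat 02/11/2017"
rem   %time% = " 2:34:54.12"   (leading space when the hour is below 10)

rem Replace every space in %time% with 0: " 2:34:54.12" becomes "02:34:54.12".
set "t=%time: =0%"

rem Same date slicing as the quoted line; the time fields come from the padded copy.
set "stamp=%date:~-4,4%%date:~-10,2%%date:~7,2%_%t:~0,2%%t:~3,2%%t:~6,2%"

rem Alternative that does not depend on regional settings:
rem let PowerShell format the timestamp and capture its single output line.
for /f %%I in ('powershell -NoProfile -Command "Get-Date -Format yyyyMMdd_HHmmss"') do set "stamp2=%%I"

rem Guard: stop if a space still ended up in the name.
if not "%stamp%"=="%stamp: =%" (
    echo Timestamp contains a space: "%stamp%" 1>&2
    exit /b 1
)

rem Quote any path built from these values wherever it is used later.
echo %COMPUTERNAME%_%stamp%
echo %COMPUTERNAME%_%stamp2%
```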