Jump to content

Stealing files with the USB Rubber Ducky: I found a bug in the script


Sh4d0wm4n

Recommended Posts

Hello everyone, 
I'm talking about this recent payload:
https://www.hak5.org/blog/hak5/stealing-files-with-the-usb-rubber-ducky-usb-exfiltration-explained

The bug is in the e.cmd file, where the folder name is created, depending on date and time:

REM Creates directory compromised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
set dst=%~d0\slurp\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%

Thanks to the fact that I always do my hacking homeworks in the night, I discovered that the time is not always 11 characters long, in fact it could be like this:
2:34:54 instead of 02:34:54.

So, if you are executing the script in the night, you'll have a folder name containing an empty character, like NAME_10122017_   23454, and this is causing issues later when the scrip has to copy the files to this folder.
The responsible script part is this: %time:~-11,2%, where it always goes back 11 characters to get the first two numbers, but it finds just one.

I did not have the time to modify it to make it work every"time" ;), but it should be easy to do. I just wanted all of you to know about it ;)

Cheers
 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...