Quiet-Riot U3 Payload


twsSentinel

Hello all,

Here's a recent U3 Switchblade project in the works.

The Quiet-Riot was designed with three things in mind:

1. Extremely easily customizable.

2. 100% silent/compatible on all Windows OSes (>= Win2k + 64-bit)

3. U3 Program Installer

Why this payload was written:

I currently work and develop in a Windows 2003 Server x64 environment.

I found all other payloads on here to not be 100% silent. (No console windows)

I also found the use of .bat files to be tiresome to debug and go through.

Also the lack of ease for turning on and off payload modules.

This is not to say the other payloads aren't great. I think they're excellent. I base the Quiet-Riot straight from them, but with improved features. I would have never written this if it weren't for them. Thank you fellow developers!

On to the payload:

[screen-Shots]

http://tws.serveftp.org/software/QuietRiot/QR_Tutorial_1.JPG

http://tws.serveftp.org/software/QuietRiot/QR_Tutorial_2.JPG

http://tws.serveftp.org/software/QuietRiot..._Tutorial_1.JPG

http://tws.serveftp.org/software/QuietRiot..._Tutorial_2.JPG

[Download]

QuietRiot.zip » The actual payload.

QRLoader.zip » The C++ Source for the main exe file.

Tools.zip » A collection of most of the tools listed at Hak5.org

Quiet-Riot U3 Installer(u3p).zip » A U3 QuietRiot Installer (INSTALLS BUT NOT FUNCTIONAL YET!)(For developer use)

These files are hosted on my server. My max upload speed is 128KB/s.

Feel free to upload these to rapid share or public share sites if you like.

[QuietRiot.zip]

http://tws.serveftp.org/software/QuietRiot/QuietRiot.zip 137KB

[QRLoader.zip]

http://tws.serveftp.org/software/QuietRiot/QRLoader.zip 3.14MB

[Tools.zip]

http://tws.serveftp.org/software/QuietRiot/Tools.zip 889KB

[u3Installer.zip]

http://tws.serveftp.org/software/QuietRiot/U3Installer.zip 220KB

***

I have not included an Anti-Virus Killer or KeyLogger in the Tools.zip.

I will be doing some research on AVKillers before updating QuietRiot with one.

As for the KeyLogger, since I do developing on an x64 system, most small keyloggers lock up the system. Will update the payload once more research is done as well.

If you need help installing or getting the payload to work, just post here.

If you have any suggestions/bugs/comments post here as well or message me.

Thanks Hak5 for making such a great site!!!

UPDATE

1.28.07

There are two small updates made to the payload script.

1. For the NetCat Bindshell module, if you turn on the "2Drive" option, I forgot to add an "xcopy /B". The '/B' signifies that it's a binary file to copy.

2. In the "System Info" module, I had a pointless WScript.Disconnect ObjFile command. I just removed it since it did nothing. The ObjFile was just reset once the next module is loaded.

Newest Quiet-Riot Version

http://tws.serveftp.org/software/QuietRiot...iot(UPDATE).zip // This is only the vbscript payload file.

The QuietRiot.zip has already been updated as well.

Link to comment
Share on other sites

understandable concern...

especially since I'm new to the community here.

But I stand by my work. The QRLoader source code is provided and anyone who can understand VBScript can verify the payload script.

Other than that, I guess there's nothing more I can say.

Hopefully a developer will check the script for you all.

-Sent

The Tools.zip contains the most recent NirSoft apps too.

Link to comment
Share on other sites

understandable concern...

especially since I'm new to the community here.

But I stand by my work. The QRLoader source code is provided and anyone who can understand VBScript can verify the payload script.

Other than that, I guess there's nothing more I can say.

Hopefully a developer will check the script for you all.

-Sent

The Tools.zip contains the most recent NirSoft apps too.

Yea, I just get wary about being 1st to download, but very nice work twsSentinel, I like it.

Link to comment
Share on other sites

What happens if admins have disabled the script server? Won't the vbs not run?

Well, most admins disable the WSH by removing the file association (.vbs). Sometimes they also delete or rename "wscript.exe" and "cscript.exe" on their systems. However, the QRLoader.exe is coded to execute wscript.exe while passing QuietRiot.vbs as arg.

I'm not too familiar with how the WSH runs thoroughly, but I'm almost positive it requires "vbscript.dll" to compile vbscript. So if you want to make the QuietRiot Payload even more powerful ... maybe try including "vbscript.dll" in the directory containing QRLoader.exe, QuietRiot.vbs, and WScript.exe.

This way even if the .vbs file-association has been removed, or WScript.exe has been deleted or renamed, the Quiet-Riot Payload has all the necessary dependencies to run.

Hope this helps ... I'll do some more research on WSH Security and make sure this work-around really works!

-Sent

Link to comment
Share on other sites

Thanks for the response.

The QRLoader is an exe file which executes wscript.exe (Windows Script Host 5.6) and tells the WSH to run QuietRiot.vbs (the payload).

It's not a required file, but very helpful. You can use it to configure your autorun.inf and other things like the U3 installer.

The QRLoader is also open source, so any C++ developers can easily write extra features in it. Something that I've been meaning to write a small article on.

Thank you for the suggestion/request ... That will be added into the payload in the next version. If I have some time later tonight .. I'll code it in quickly.

Link to comment
Share on other sites

Nothing will show when the QRLoader runs. That's the point of having it 100% silent. lol It automatically executes QuietRiot.vbs via WScript.exe

In order for it to work, however, the QRLoader.exe MUST be in the same folder as "QuietRiot.vbs" & "WScript.exe".

If you want it in a different folder, you'll have to edit the C++ code and recompile it. But it's only a minor adjustment.

Link to comment
Share on other sites
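
For defenders, the behaviour described in the posts above (a loader starting a copy of WScript.exe that sits beside it, outside the Windows system directory) shows up in process-creation telemetry. The detection check below is an added example, not part of the original thread or the QuietRiot project; the event records are constructed, the field names follow Sysmon Event ID 1, and the default C:\Windows paths are an assumption.

```python
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: default %SystemRoot%; adjust for the monitored fleet.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed process-creation events; field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"E:\WScript.exe", "OriginalFileName": "wscript.exe",
     "ParentImage": r"E:\QRLoader.exe"},
    {"Image": r"F:\tools\host.exe", "OriginalFileName": "wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def directory(path):
    """Lower-cased parent directory of a Windows path, without trailing backslash."""
    return ntpath.dirname(ntpath.normpath(path)).lower().rstrip("\\")


def findings(event):
    """Return the reasons an event looks like a script host run from outside System32."""
    image = event.get("Image", "")
    on_disk = ntpath.basename(image).lower()
    embedded = event.get("OriginalFileName", "").lower()
    if on_disk not in SCRIPT_HOSTS and embedded not in SCRIPT_HOSTS:
        return []  # not a Windows Script Host binary
    if directory(image) in TRUSTED_DIRS:
        return []  # the copy Windows ships
    reasons = ["script host outside system directory"]
    if embedded in SCRIPT_HOSTS and on_disk != embedded:
        reasons.append("file name differs from OriginalFileName")
    if directory(event.get("ParentImage", "")) == directory(image):
        reasons.append("launched by a program in the same directory")
    return reasons


def detect(events):
    """Map each flagged image path to its list of reasons."""
    return {e["Image"]: r for e in events if (r := findings(e))}


if __name__ == "__main__":
    for image, reasons in detect(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```

Application control rules based on path or publisher (AppLocker, WDAC) cover the same gap, because removing the .vbs file association does not stop a script host that is started directly with the script as an argument.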
