New payload - Replace Cursor (#437)

* New payload - Replace Cursor

* Added Cursor - follow the white rabbit

* Update Readme
cribb-it 2021-12-21 23:31:08 +00:00 committed by GitHub
parent 8a7606aa0a
commit e1700bdc91
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 82 additions and 0 deletions

Binary file not shown.

Binary file not shown.

@ -0,0 +1,20 @@
# Title: Replace Cursor
# Description: Replaces the standard arrow with a little bash bunny.
# Author: Cribbit
# Version: 1.0
# Category: Pranks
# Target: Windows (Powershell 5.1+)
# Attackmodes: HID & STORAGE
# Extensions: Run
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED ATTACK
RUN WIN "powershell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\ps.ps1')"
LED FINNISH
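
Review bot: `LED FINNISH` on the last line is misspelled; the README's Colours table in this same commit names the state FINISH, so this should read `LED FINISH`. The line also follows `RUN WIN` directly with no wait, so the LED can report completion before ps.ps1 has read b.ani from the storage volume; a short delay before it would keep the device from being unplugged mid-copy.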

@ -0,0 +1,15 @@
# Copies the bunny ani file to the users profile.
$p=(gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch1\b.ani'
$f= $Env:USERPROFILE+'\b.ani'
if (Test-Path $p)
{
cp $p $f
}
else
{
cp ($p -replace "1", "2") $f
}
# Set the registory value of Arrow to the new cursor
sp 'HKCU:Control Panel\Cursors' Arrow '%USERPROFILE%\b.ani';
# Tell the system to update the displayed cursor
(Add-Type -Name c -Pass -M '[DllImport("user32.dll")] public static extern bool SystemParametersInfo(int A,int b,int c,int d);')::SystemParametersInfo(87,0,0,3)
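
Review bot: the source path on the first line hard-codes `payloads\switch1\b.ani`, and the `else` branch falls back with `$p -replace "1", "2"`, which rewrites every "1" anywhere in the path rather than only the switch number and ignores the `$SWITCH_POSITION` the launcher already used to locate ps.ps1. Resolving the file relative to the script, for example `Join-Path $PSScriptRoot 'b.ani'`, removes both the guess and the regex. Separately, `sp 'HKCU:Control Panel\Cursors' Arrow` overwrites the user's existing Arrow value without recording it, so saving the old value first would make the change reversible.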

@ -0,0 +1,47 @@
# Replace Cursor
- Author: Cribbit
- Version: 1.0
- Target: Windows 10 (Powershell 5.1+)
- Category: Pranks
- Attackmode: HID & Storage
- Extensions: Run
- Props: The Hak5 Team (Wallpaper changer & Eject USB sound)
## Change Log
| Version | Changes |
| ------- | --------------- |
| 1.0 | Initial release |
## Description
Replaces the standard arrow with a little bash bunny icon.
## Notes
I have included a both a static and animated cursor.
## Information about SystemParametersInfo
### Microsoft Doc:
https://docs.microsoft.com/en-gb/windows/win32/api/winuser/nf-winuser-systemparametersinfoa
### Flags
```
SPI_SETCURSORS = 0x0057;
```
Convert uint to int = 87;
```
SPIF_UPDATEINIFILE = 0x01;
SPIF_SENDCHANGE = 0x02;
```
Bitwise "OR" these two together (0x01 -bor 0x02) = 3;
## Colours
| Status | Colour | Description |
| ------ | ----------------------------- | --------------------------- |
| SETUP | Magenta solid | Setting attack mode |
| ATTACK | Yellow single blink | Injecting Powershell script |
| FINISH | Green blink followed by SOLID | Script is finished |
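
Review bot: the Notes section says both a static and an animated cursor are included ("a both a" also needs fixing) but does not name the two files or say how to choose between them, and ps.ps1 in this commit only ever copies `b.ani`. Please state which file is which and what to change to use the static one. The README also gives no way to undo the change; a line naming the registry value that was modified (`HKCU:Control Panel\Cursors`, `Arrow`) and how to restore it would help whoever has to clean up afterwards. The Target line here says Windows 10 while the payload header says Windows; pick one.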

Binary file not shown.
