diff --git a/payloads/library/prank/Win_PoSH_ReplaceCursor/b.ani b/payloads/library/prank/Win_PoSH_ReplaceCursor/b.ani
new file mode 100644
index 00000000..606a1f86
Binary files /dev/null and b/payloads/library/prank/Win_PoSH_ReplaceCursor/b.ani differ
diff --git a/payloads/library/prank/Win_PoSH_ReplaceCursor/b.cur b/payloads/library/prank/Win_PoSH_ReplaceCursor/b.cur
new file mode 100644
index 00000000..be16abcf
Binary files /dev/null and b/payloads/library/prank/Win_PoSH_ReplaceCursor/b.cur differ
diff --git a/payloads/library/prank/Win_PoSH_ReplaceCursor/payload.txt b/payloads/library/prank/Win_PoSH_ReplaceCursor/payload.txt
new file mode 100644
index 00000000..9a823043
--- /dev/null
+++ b/payloads/library/prank/Win_PoSH_ReplaceCursor/payload.txt
@@ -0,0 +1,20 @@
+# Title: Replace Cursor
+# Description: Replaces the standard arrow with a little bash bunny.
+# Author: Cribbit
+# Version: 1.0
+# Category: Pranks
+# Target: Windows (Powershell 5.1+)
+# Attackmodes: HID & STORAGE
+# Extensions: Run
+
+LED SETUP
+
+GET SWITCH_POSITION
+
+ATTACKMODE HID STORAGE
+
+LED ATTACK
+
+RUN WIN "powershell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\ps.ps1')"
+
+LED FINNISH
\ No newline at end of file
diff --git a/payloads/library/prank/Win_PoSH_ReplaceCursor/ps.ps1 b/payloads/library/prank/Win_PoSH_ReplaceCursor/ps.ps1
new file mode 100644
index 00000000..25d4bff4
--- /dev/null
+++ b/payloads/library/prank/Win_PoSH_ReplaceCursor/ps.ps1
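Review bot: `LED FINNISH` on the last line of payload.txt misspells the stage name; readme.md's Colours table documents the final state as FINISH, so the line should read `LED FINISH`. The `# Target:` header says `Windows (Powershell 5.1+)` while readme.md says `Windows 10 (Powershell 5.1+)`; the two files should agree on the supported target. The `RUN WIN` line already passes `$SWITCH_POSITION` into the ps.ps1 path, so the script is invoked from the correct switch directory and does not need to guess it itself.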
@@ -0,0 +1,15 @@
+# Copies the bunny ani file to the users profile.
+$p=(gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch1\b.ani'
+$f= $Env:USERPROFILE+'\b.ani'
+if (Test-Path $p)
+{
+ cp $p $f
+}
+else
+{
+ cp ($p -replace "1", "2") $f
+}
+# Set the registory value of Arrow to the new cursor
+sp 'HKCU:Control Panel\Cursors' Arrow '%USERPROFILE%\b.ani';
+# Tell the system to update the displayed cursor
+(Add-Type -Name c -Pass -M '[DllImport("user32.dll")] public static extern bool SystemParametersInfo(int A,int b,int c,int d);')::SystemParametersInfo(87,0,0,3)
\ No newline at end of file
diff --git a/payloads/library/prank/Win_PoSH_ReplaceCursor/readme.md b/payloads/library/prank/Win_PoSH_ReplaceCursor/readme.md
new file mode 100644
index 00000000..fc080180
--- /dev/null
+++ b/payloads/library/prank/Win_PoSH_ReplaceCursor/readme.md
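Review bot: The script hard-codes `payloads\switch1\b.ani` and, when that path is missing, falls back with `$p -replace "1", "2"`, which rewrites every `1` in the whole path rather than only the switch number; since payload.txt already runs the script from its own switch directory, resolving `b.ani` relative to the script is more robust (`$PSScriptRoot` should be populated when the script is dot-sourced under PowerShell 3+, but confirm on the target version). Neither `cp` call is checked, so a failed copy still leaves `HKCU:\Control Panel\Cursors\Arrow` pointing at a file that does not exist, and the previous `Arrow` value is never recorded, so the change cannot be reverted afterwards. The registry path is written as `HKCU:Control Panel\Cursors` (no backslash after the drive), which resolves relative to the drive's current location; the absolute `HKCU:\Control Panel\Cursors` is the conventional form. In the P/Invoke signature the third parameter (pvParam) is pointer-sized and is normally declared `IntPtr`; passing `int` only works here because the value is 0. The comment `# Set the registory value` should read `registry`.
```powershell
# Resolve the cursor next to this script instead of hard-coding the switch directory.
$p = Join-Path $PSScriptRoot 'b.ani'
$f = Join-Path $Env:USERPROFILE 'b.ani'
# Stop before touching the registry if the copy fails.
Copy-Item -LiteralPath $p -Destination $f -ErrorAction Stop
# Record the previous value so the cursor can be restored later.
$old = (Get-ItemProperty 'HKCU:\Control Panel\Cursors').Arrow
Set-ItemProperty 'HKCU:\Control Panel\Cursors' Arrow '%USERPROFILE%\b.ani'
# … unchanged: SystemParametersInfo refresh …
```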
@@ -0,0 +1,47 @@
+# Replace Cursor
+- Author: Cribbit
+- Version: 1.0
+- Target: Windows 10 (Powershell 5.1+)
+- Category: Pranks
+- Attackmode: HID & Storage
+- Extensions: Run
+- Props: The Hak5 Team (Wallpaper changer & Eject USB sound)
+
+## Change Log
+| Version | Changes |
+| ------- | --------------- |
+| 1.0 | Initial release |
+
+## Description
+Replaces the standard arrow with a little bash bunny icon.
+
+## Notes
+I have included a both a static and animated cursor.
+
+## Information about SystemParametersInfo
+### Microsoft Doc:
+
+https://docs.microsoft.com/en-gb/windows/win32/api/winuser/nf-winuser-systemparametersinfoa
+
+### Flags
+
+```
+SPI_SETCURSORS = 0x0057;
+```
+
+Convert uint to int = 87;
+
+```
+SPIF_UPDATEINIFILE = 0x01;
+SPIF_SENDCHANGE = 0x02;
+```
+
+Bitwise "OR" these two together (0x01 -bor 0x02) = 3;
+
+
+## Colours
+| Status | Colour | Description |
+| ------ | ----------------------------- | --------------------------- |
+| SETUP | Magenta solid | Setting attack mode |
+| ATTACK | Yellow single blink | Injecting Powershell script |
+| FINISH | Green blink followed by SOLID | Script is finished |
\ No newline at end of file
diff --git a/payloads/library/prank/Win_PoSH_ReplaceCursor/w.cur b/payloads/library/prank/Win_PoSH_ReplaceCursor/w.cur
new file mode 100644
index 00000000..b3661bf1
Binary files /dev/null and b/payloads/library/prank/Win_PoSH_ReplaceCursor/w.cur differ