payload Rewriting of "wallpaper-changer-of-doom"

jcardonne · August 3, 2019

Hello, having received my new toy recently (bashbunny) :

I tried to use some scripts like "wallpaper-changer-of-doom" except it didn't work at home. Here is the script:

https://github.com/jcardonne/Bashbunny-payloads/blob/master/wallpaper-prank

If some of you have any suggestions, I'm interested:)

Affectionately,
jcardonne

jcardonne · August 5, 2019

On 8/3/2019 at 8:42 PM, kdodge said:

in "wallpaper-prank" file, did you replace the phrase "(bracket)URL(bracket)" with your own url? try getting the command to work from a powershell shell first.

Yes, I used my website to host my image, you have to replace with the url of your site.

PoSHMagiC0de · August 5, 2019

Hmm, I sent Darren awhile back when he did a vlog on the wallpaper changer a p/Invoke version of it that would instantaneously change the wallpaper. His version changed the same regkey but then looked through a command a bunch of times to get it to apply now. The version I am going to post in pieces will do it the minute it is ran.

First, the unmanaged function that is part of windows API is:

public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni)

This changes parameters in Windows and adds the changes to the appropriate files. The action parameter is what you are doing. 20 is changing wallpaper. Parameter after that I forget but for setting wallpaper it is always 0. Then the lvparam will be a string to the file you want to be the wallpaper followed by parameter to save to ini file and/or send changes to system (1 -bor 2). They are binary or'ed because we want both set.

So, below is how I did it all in Powershell.

#First, here is the signature for the unmanaged command.
$sig = "[DllImport(`"user32.dll`", SetLastError = true, CharSet = CharSet.Auto)]public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni);"

# Next, we add it as a type, give it a name (if you want to use it straight out) and a namespace to separate it from the rest of our Posh session.
$SetWallpaper = add-type -MemberDefinition $sig -Name SetWallpaper -Namespace Win32Functions -PassThru

# Now, if you want to save what your old wallpaper was then the bottom will do it.
$oldwallpaper = (Get-ItemProperty -Path "HKCU:\\Control Panel\Desktop" -Name Wallpaper).Wallpaper

#Place path for new wallpaper in variable or skip this and use it right out where the variable is used at.
$newpaper = "c:\somewhere\something.bmp"
$SetWallpaper::SystemParametersInfo(20, 0, $newpaper, (0x01 -bor 0x02))

# If you were going to 1 line this then there is some prep work.  First, base64 the sig.  This makes it easier to use.
$enc = [System.Convert]::ToBase64String(([System.Text.Encoding]::ASCII.GetBytes($sig)))

# Now your command can be this on 1 line.
powershell -C "$sig='W0RsbEltcG9ydCgidXNlcjMyLmRsbCIsIFNldExhc3RFcnJvciA9IHRydWUsIENoYXJTZXQgPSBDaGFyU2V0LkF1dG8pXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIGludCBTeXN0ZW1QYXJhbWV0ZXJzSW5mbyhpbnQgdUFjdGlvbiwgaW50IHVQYXJhbSwgc3RyaW5nIGxwdlBhcmFtLCBpbnQgZnVXaW5JbmkpOw==';$SW=add-type -MemberDefinition ([System.Text.Encoding]::ASCII.GetString(([System.Convert]::FromBase64String($sig)))) -Name ShowWall -Namespace Win32 -passthru;$SW::SystemParametersInfo(20, 0, 'C:\somewhere\something.bmp', (0x01 -bor 0x02))"

That base64line is what was in $enc. You could also just put it inside the decide command instead of in a variable first.

Enjoy.

jcardonne · August 11, 2019

On 8/5/2019 at 8:12 PM, PoSHMagiC0de said:
Hmm, I sent Darren awhile back when he did a vlog on the wallpaper changer a p/Invoke version of it that would instantaneously change the wallpaper. His version changed the same regkey but then looked through a command a bunch of times to get it to apply now. The version I am going to post in pieces will do it the minute it is ran.

First, the unmanaged function that is part of windows API is:

public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni)

This changes parameters in Windows and adds the changes to the appropriate files. The action parameter is what you are doing. 20 is changing wallpaper. Parameter after that I forget but for setting wallpaper it is always 0. Then the lvparam will be a string to the file you want to be the wallpaper followed by parameter to save to ini file and/or send changes to system (1 -bor 2). They are binary or'ed because we want both set.

So, below is how I did it all in Powershell.
#First, here is the signature for the unmanaged command.
$sig = "[DllImport(`"user32.dll`", SetLastError = true, CharSet = CharSet.Auto)]public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni);"

# Next, we add it as a type, give it a name (if you want to use it straight out) and a namespace to separate it from the rest of our Posh session.
$SetWallpaper = add-type -MemberDefinition $sig -Name SetWallpaper -Namespace Win32Functions -PassThru

# Now, if you want to save what your old wallpaper was then the bottom will do it.
$oldwallpaper = (Get-ItemProperty -Path "HKCU:\\Control Panel\Desktop" -Name Wallpaper).Wallpaper

#Place path for new wallpaper in variable or skip this and use it right out where the variable is used at.
$newpaper = "c:\somewhere\something.bmp"
$SetWallpaper::SystemParametersInfo(20, 0, $newpaper, (0x01 -bor 0x02))

# If you were going to 1 line this then there is some prep work.  First, base64 the sig.  This makes it easier to use.
$enc = [System.Convert]::ToBase64String(([System.Text.Encoding]::ASCII.GetBytes($sig)))

# Now your command can be this on 1 line.
powershell -C "$sig='W0RsbEltcG9ydCgidXNlcjMyLmRsbCIsIFNldExhc3RFcnJvciA9IHRydWUsIENoYXJTZXQgPSBDaGFyU2V0LkF1dG8pXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIGludCBTeXN0ZW1QYXJhbWV0ZXJzSW5mbyhpbnQgdUFjdGlvbiwgaW50IHVQYXJhbSwgc3RyaW5nIGxwdlBhcmFtLCBpbnQgZnVXaW5JbmkpOw==';$SW=add-type -MemberDefinition ([System.Text.Encoding]::ASCII.GetString(([System.Convert]::FromBase64String($sig)))) -Name ShowWall -Namespace Win32 -passthru;$SW::SystemParametersInfo(20, 0, 'C:\somewhere\something.bmp', (0x01 -bor 0x02))"
That base64line is what was in $enc. You could also just put it inside the decide command instead of in a variable first.

Enjoy.

Hey, thanks for your answer anyway. I am new so I have to take the time to understand little by little. I promise I will answer you in more detail when I understand.

In the meantime here is an update of the WallPaper Prank Remake, I added a little documentation and a little line to erase some of our passage!
https://github.com/jcardonne/Bashbunny-payloads/blob/master/wallpaper-prank

If anyone has any problems or suggestions, I'm interested!

Affectionately,
jcardonne

bordeauxwheadonb · December 17, 2022

On 8/5/2019 at 8:47 PM, jcardonne said:

Yes, I used my website to host my image, you have to replace with the url of your site.

Yes. You are right. This is the only one solution of this problem. You are brilliant.

I appreciate it.

bordeauxwheadonb · December 18, 2022

On 8/5/2019 at 8:47 PM, jcardonne said:

Yes, I used my website to host my image, you have to replace with the url of your site.

Can you tell me how to do fix with this link. Because I have same problem with rewriting changer. Waiting response.

Sign In

payload Rewriting of "wallpaper-changer-of-doom"

Recommended Posts

jcardonne

Link to comment

Share on other sites

jcardonne

Link to comment

Share on other sites

PoSHMagiC0de

Link to comment

Share on other sites

jcardonne

Link to comment

Share on other sites

bordeauxwheadonb

Link to comment

Share on other sites

bordeauxwheadonb

Link to comment

Share on other sites

Archived

Recently Browsing 0 members

Browse

Activity