hak5
GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/library/incident_response/Defend_yourself_from_CVE-2023-23397/payload.txt
REM ########################################################
REM # |
REM # Title : Defend Yourself From CVE-2023-23397 |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Incident-Response |
REM # Target : Windows 10/11 |
REM # |
REM ########################################################

REM PlugAndPlay <3

REM Requirements:
REM - ExecutionPolicy Bypass
REM - PayloadStudio 1.3.1

REM Impacted Products:
REM - All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.

REM Mitigation:
REM - Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.
REM Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397

EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben

REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.

USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM

REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7

$_OS = #NOT_WINDOWS

REM Wait (up to #MAX_WAIT * #CHECK_INTERVAL ms) for the host to reply to the lock-LED report;
REM this doubles as a dynamic boot delay
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
    DELAY #CHECK_INTERVAL
    $MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
REM Windows hosts issue more configuration requests during enumeration than other OSes
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
    $_OS = WINDOWS
END_IF

REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
    STRING HELLO WINDOWS!
ELSE
    STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION

REM Open the Win+X (power user) menu, select the elevated PowerShell/Terminal entry
REM with its 'a' accelerator, then answer the UAC prompt with Yes (LEFTARROW + ENTER)
GUI x
DELAY 500
STRING a
DELAY 500
LEFTARROW
DELAY 500
ENTER

REM Import NetSecurity module
STRINGLN Import-Module NetSecurity

REM Create a new firewall rule for blocking outgoing connections on port 445
REM (typed as one PowerShell command; the trailing backticks are line continuations)
STRINGLN
$rule = New-NetFirewallRule -DisplayName "CVE-2023-23397" `
-Direction Outbound `
-Action Block `
-Protocol TCP `
-RemotePort 445
END_STRINGLN

REM Enable firewall rule (New-NetFirewallRule already creates it enabled; this is a safeguard)
STRINGLN Enable-NetFirewallRule -Name $rule.Name
DELAY 500

REM See your new rule
STRINGLN Get-NetFirewallRule | Where-Object { $_.DisplayName -eq "CVE-2023-23397" }
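Added verification script, not part of the Hak5 payload: run it in an elevated PowerShell session after the payload has executed to confirm that the rule it created is enabled, outbound, blocks TCP to remote port 445, and that the firewall profiles which would enforce it are switched on. The function name Test-Cve202323397Block is chosen here; the DisplayName matches the one the payload uses.

```powershell
# Added check (not part of the Hak5 payload above). Run in an elevated PowerShell.
Import-Module NetSecurity

$displayName = "CVE-2023-23397"   # DisplayName used by the payload's New-NetFirewallRule call

function Test-Cve202323397Block {
    param([string]$DisplayName = $displayName)

    $rules = @(Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) {
        Write-Warning "No firewall rule with DisplayName '$DisplayName' exists."
        return $false
    }

    $effective = $false
    foreach ($rule in $rules) {
        # Port/protocol live on the associated port filter, not on the rule object itself
        $portFilter = $rule | Get-NetFirewallPortFilter

        # Check every property the mitigation depends on instead of trusting the name
        $ok = ($rule.Enabled -eq 'True') -and
              ($rule.Direction -eq 'Outbound') -and
              ($rule.Action -eq 'Block') -and
              ($portFilter.Protocol -eq 'TCP') -and
              (@($portFilter.RemotePort) -contains '445')

        $status = if ($ok) { 'OK' } else { 'MISMATCH' }
        Write-Output ("{0}: Enabled={1} Direction={2} Action={3} Protocol={4} RemotePort={5} -> {6}" -f `
            $rule.Name, $rule.Enabled, $rule.Direction, $rule.Action,
            $portFilter.Protocol, (@($portFilter.RemotePort) -join ','), $status)

        if ($ok) { $effective = $true }
    }

    # A block rule is only enforced on profiles where the firewall is on; show each
    # profile so a disabled Domain/Private/Public profile is visible at a glance.
    Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultOutboundAction -AutoSize | Out-Host

    return $effective
}

Test-Cve202323397Block
```

A host-local outbound block on 445 also cuts the machine off from every internal SMB share (including a domain controller's SYSVOL and NETLOGON), so where internal file access is required, scope the rule with New-NetFirewallRule's -RemoteAddress parameter rather than blocking all destinations.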