PasteJacker – Add PasteJacking To Web-Delivery Attacks

PasteJacker - Add PasteJacking To Web-Delivery Attacks

The important goal of the device is automating (PasteJacking/Clipboard poisoning/no matter you identify it) assault with gathering all of the recognized methods used on this assault in a single place and one automated job as after looking I discovered there is no device doing this job the best manner.

Now whereas this assault relies on what the consumer will paste, think about including this assault to Metasploit internet supply module.

See this straightforward situation to make issues clear:

  1. The goal opens an HTML web page served by the device and this web page has something that makes the desires to repeat from it to the terminal like some set up directions.
  2. Target copies a factor from the web page then it changed shortly with our line.
  3. The consumer pastes it within the terminal and earlier than he notices that the road modified, the road will get executed by itself within the background and the terminal will get cleared.
  4. All of that occurred in a second and the consumer sees the terminal is usable once more and possibly thinks it is a dangerous program and he will not set up it however you already received your meterpreter shell.

This device makes use of three strategies to trick consumer into copying our payload as a substitute of the command he copies:

  • Using javascript to hook the copy occasion and substitute copied knowledge.
    • Advantages :
      1. Anything the consumer copies within the web page shall be changed with our line.
      2. Command executed by itself as soon as goal paste it with out urgent enter.
    • Disadvantages :
      1. Requires Javascript to be enabled on the goal browser.
  • Using span model attribute to cover our traces by overwriting.
    • Advantages :
      1. Doesn’t require javascript to be enabled.
      2. Works on all browsers.
    • Disadvantages :
      1. Target should choose all of the textual content within the web page or the primary two phrases to make sure that he copies our hidden malicious traces.
  • Using span model once more however this time to make our textual content clear and non-markable.
    • Advantages :
      1. Doesn’t require javascript to be enabled.
    • Disadvantages :
      1. Target should choose all of the textual content within the web page to make sure that he copies our hidden malicious traces.
      2. Not engaged on opera and chrome.

What’s the payload consumer copies ?
PasteJacker offers you the choice to do certainly one of this issues:

  1. Generate a msfvenom backdoor on our machine and the liner goal gonna copy will obtain the backdoor on the its machine, via wget or certutil relies on the OS, then executes it on the background with out printing something to the terminal.
  2. Serve a liner that will get you a reverse netcat connection on the goal machine working within the background in fact.
  3. Serve your customized liner like Metasploit internet-supply payload with including some touches to cover any potential output.


Installing and necessities

  • Python three and setuptools module.
  • Linux or Unix-based system (Currently examined solely on Kali Linux rolling and Ubuntu 16.04).
  • Third-party necessities like msfvenom however solely in case you are gonna use the msfvenom possibility in fact.
  • Third-party library ncurses-dev for Ubuntu (Thanks for @mhaskar).
  • Root entry.


git clone
sudo python3 -m pip set up ./PasteJacker
sudo pastejacker

Updating the framework or the database

  • On Linux whereas exterior the listing
cd PasteJacker && git pull && cd ..
sudo python3 -m pip set up ./PasteJacker --upgrade



PasteJacker is created to assist in penetration testing and it isn’t accountable for any misuse or unlawful functions.
Copying a code from this device or utilizing it in one other device is accepted as you point out the place you get it from.

Pull requests are all the time welcomed ūüėÄ


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.