bashbunny-payloads/payloads/library/execution/FollinaBunny/README.md

31 lines
1.4 KiB
Markdown
Raw Permalink Normal View History

Created FollinaBunny a PoC payload that leverages CVE-2022-30190 (#530) * New Payload Added new PrintNightmare Payload (Quick and dirty) * Fixed my potty mouth I'm a child sometimes * Renamed Payload * PrintNightmare: Use SWITCH_POSITION in payload path * Fixing a typo * Added Delays Added some delays due to the fact that it was inconsistently reliable, occasionally it'd half type out the command. The delays have resolved the consistency issue on my end. Feel free to tweak as required. * Amending Version Number I'm a fool * Updated Readme with proper credit * Housekeeping Moved some of the QUACK Powershell commands into the juicybit.txt file for speed and ease of use. * Update README.md * More improvement Added exit to the juicybits rather than using alt and /noprofile to the run as * Update README.md * Pineapple-Connect-Windows New Payload For Connecting Client To Pineapple AP / Any AP Pineapple-Connect-Windows new Bashbunny payload for connecting target machine quickly and efficiently to your Pineapple AP or an AP of your choosing (and control!) * Changed from RUN WIN to QUACK STRING Changed from RUN WIN to QUACK STRING as I was having issues with the formatting, presume it needs wrapping in quotes or something but it just kept breaking. QUACK STRING works fine so meh * Added command to cover traks at the end of the script added a line of powershell to clean out the run registry key to hide any evidence of the script running * Added FollinaBunny Added a new payload which leverages CVE-2022-30190 to execute code based on a malicious website hosted on the bunny itself. Co-authored-by: Marc <foxtrot@malloc.me> Co-authored-by: Marc <foxtrot@realloc.me>
2022-06-01 17:05:20 +00:00
# FollinaBunny
- Author: PanicAcid
- Version: 1.0
- Target: Windows (Powershell 5.1+)
- Category: Execution
- Attackmode: HID & RNDIS_ETHERNET
- Extensions: Run
- Props: Cribbit and 0xBacco
## Change Log
| Version | Changes |
| ------- | --------------- |
| 1.0 | Initial release |
## Description
Executes code leveraging CVE-2022-30190 aka Follina using a malicious html file hosted on the Bunny itself. Whilst this exploit can be called via a malicious word document, a simple wget via PowerShell will also execute the malicious code.. Tweak and well you get the picture.
This WILL flag on Defender if you're up to date, however the PoC here isn't that you can just run this code, it's that you can self serve this malicious html file via the BashBunny and you can tweak it to your hearts content.
Based on Cribbit's Moo payload https://github.com/hak5/bashbunny-payloads/blob/master/payloads/library/prank/Win_PoSH_AnsiSebsCow
Example payload taken from https://greynolds.me.uk/ - https://greynolds.me.uk/poc.html
## Colours
| Status | Colour | Description |
| -------- | ----------------------------- | --------------------------- |
| SETUP | Magenta solid | Setting attack mode |
| ATTACK | Yellow single blink | Injecting Powershell script |
| FINISHED | Green blink followed by SOLID | Injection finished |