Adapted to the use of variables

[+] Variables
[-] Image replaced with link
[-] Removed boring spaces
[+] README adapted to the new payload
pull/672/head
Aleff 2024-06-06 16:21:58 +02:00
parent e9149f08d6
commit fe7574381e
3 changed files with 25 additions and 49 deletions


@ -8,24 +8,28 @@
* REM # # * REM # #
* REM ############################################################################################# * REM #############################################################################################
ATTACKMODE HID
* REM VARIABLES
* REM 1) Set the script name editing $SCRIPT-NAME var, the default name is 'auto-check.sh' but you can change it here since is used the DuckyScript variable $SCRIPT-NAME.
SCRIPT-NAME='auto-check.sh'
* REM 2) Here you chould define the script path editing $PATH-TO-SCRIPT, if you don't change it is selected the default path, so the home path. If, for istance, you have a specific path where you put some stuff like this you can edit this DuckyScript variable with the correct path
PATH-TO-SCRIPT='~/'
* REM 3) Replacing `here` you must set your sudo password that permit to give the executable permissions to the file
SUDO-PSWD='here'
QUACK DELAY 3000 QUACK DELAY 3000
QUACK CTRL-ALT t QUACK CTRL-ALT t
QUACK DELAY 1000 QUACK DELAY 1000
QUACK STRING echo 'while true; do QUACK STRING echo 'while true; do
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
QUACK STRING response=$(curl -k -H "Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb" -X POST https://systemip/webui/logoutconfirm.html?logon_hash=1) QUACK STRING response=$(curl -k -H "Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb" -X POST https://systemip/webui/logoutconfirm.html?logon_hash=1)
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
QUACK STRING if [[ $response =~ ^[0-9a-zA-Z]+$ ]]; then QUACK STRING if [[ $response =~ ^[0-9a-zA-Z]+$ ]]; then
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
QUACK STRING if [ $? -eq 0]; then QUACK STRING if [ $? -eq 0]; then
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
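Review bot: the three variable names introduced at the top of this hunk (`SCRIPT-NAME`, `PATH-TO-SCRIPT`, `SUDO-PSWD`) are not valid shell identifiers, and a Bash Bunny payload.txt is executed by bash, so `SCRIPT-NAME='auto-check.sh'` fails with "command not found" and every later `$SCRIPT-NAME` expands to the (empty) `$SCRIPT` followed by the literal `-NAME`. Rename them with underscores (`SCRIPT_NAME='auto-check.sh'`, `PATH_TO_SCRIPT='~/'`, `SUDO_PSWD='here'`) and update each expansion below. Two smaller points in the same hunk: `if [ $? -eq 0]; then` is missing the space before `]`, so `[` never sees its closing bracket and the generated script will not parse; and `https://systemip/...` is a literal hostname placeholder that the loop will actually try to resolve every 300 seconds, so it deserves its own variable next to the three above, with a comment telling the user to fill in the device address.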
@ -33,92 +37,68 @@ QUACK DELAY 500
QUACK STRING # Attack detected, here you decide what to do in this moment QUACK STRING # Attack detected, here you decide what to do in this moment
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
QUACK STRING # 1. Send an email to sec-team QUACK STRING # 1. Send an email to sec-team
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
QUACK STRING # 2. Do some other ops QUACK STRING # 2. Do some other ops
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
QUACK STRING # ... QUACK STRING # ...
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
QUACK STRING # 3. What do you want to do? QUACK STRING # 3. What do you want to do?
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
QUACK STRING # Can you reboot the system or you need to do something else before? QUACK STRING # Can you reboot the system or you need to do something else before?
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
QUACK STRING # Do you want to close it? QUACK STRING # Do you want to close it?
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
QUACK STRING # ... QUACK STRING # ...
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
QUACK STRING # The only one way to close the backdoor is reboot the system, so don t change it (?)... QUACK STRING # The only one way to close the backdoor is reboot the system, so don t change it (?)...
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
QUACK STRING # |-> See the Conseguence section in README QUACK STRING # |-> See the Conseguence section in README
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
QUACK STRING reboot QUACK STRING reboot
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
QUACK STRING else QUACK STRING else
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
QUACK STRING # You are safe :-) QUACK STRING # You are safe :-)
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
QUACK STRING fi QUACK STRING fi
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
QUACK STRING fi QUACK STRING fi
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
QUACK STRING sleep 300 # wait time QUACK STRING sleep 300 # wait time
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
QUACK STRING done' > $PATH-TO-SCRIPT$SCRIPT-NAME
* REM Set the script name replacing #SCRIPT-NAME, the default name is auto-check.sh but you can change it here since is used the DuckyScript variable #SCRIPT-NAME.
* REM Here you chould define the script path replacing #PATH-TO-SCRIPT, if you don't change it is selected the default path, so the home path. If, for istance, you have a specific path where you put some stuff like this you can edit thi DuckyScript variable with the correct path
QUACK STRING done' > #PATH-TO-SCRIPT#SCRIPT-NAME
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
* REM To avoid some bad DELAY I decided to use only one command row * REM To avoid some bad DELAY I decided to use only one command row
* REM Old script QUACK REM Old script
* REM STRINGLN sudo chmod +x #SCRIPT-NAME * REM STRINGLN sudo chmod +x $SCRIPT-NAME
* REM DELAY 500 * REM DELAY 500
* REM STRINGLN #SUDO-PSWD * REM STRINGLN $SUDO-PSWD
* REM DELAY 3000 * REM DELAY 3000
* REM STRINGLN sh #PATH-TO-SCRIPT#SCRIPT-NAME $ * REM STRINGLN sh $PATH-TO-SCRIPT$SCRIPT-NAME $
* REM STRINGLN exit * REM STRINGLN exit
* REM Optimized script QUACK REM Optimized script
QUACK STRING sudo chmod +x $SCRIPT-NAME; sh $PATH-TO-SCRIPT$SCRIPT-NAME $; exit
* REM Set the script name replacing #SCRIPT-NAME, the default name is auto-check.sh but you can change it here since is used the DuckyScript variable #SCRIPT-NAME.
* REM Here you chould define the script path replacing #PATH-TO-SCRIPT, if you don't change it is selected the default path, so the home path. If, for istance, you have a specific path where you put some stuff like this you can edit thi DuckyScript variable with the correct path
QUACK STRING sudo chmod +x #SCRIPT-NAME; sh #PATH-TO-SCRIPT#SCRIPT-NAME $; exit
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
QUACK STRING $SUDO-PSWD
* REM Here you must set your sudo password that permit to give the executable permissions to the file
QUACK STRING #SUDO-PSWD
QUACK ENTER QUACK ENTER
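Review bot: the single command line `sudo chmod +x $SCRIPT-NAME; sh $PATH-TO-SCRIPT$SCRIPT-NAME $; exit` has three problems. The generated script uses `[[ $response =~ ... ]]`, which is bash syntax, but it is launched with `sh`; on distributions where `sh` is dash the loop dies with `[[: not found`, so launch it with `bash` (or give the file a `#!/bin/bash` line and run it directly). `chmod +x` receives `$SCRIPT-NAME` without the path while the file was written to `$PATH-TO-SCRIPT$SCRIPT-NAME`, so it only works when that path happens to be the current directory. And the trailing `$` is a stray argument, not a backgrounding operator: since the script is an endless `while true` loop, `sh` never returns and the following `exit` is never reached. If the intent is for the check to keep running after the terminal closes, it needs something like `nohup bash "$PATH_TO_SCRIPT$SCRIPT_NAME" >/dev/null 2>&1 &` instead of `$`, and the REM comments in this hunk should state that.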


@ -4,7 +4,7 @@ Use this script to set up an automated integrity verification system for your Ci
**Category**: incident-response **Category**: incident-response
![](/assets/1.png) ![](https://i.ibb.co/GHV3y1g/1.png)
## Index ## Index
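Review bot: swapping the repository asset `/assets/1.png` for `https://i.ibb.co/GHV3y1g/1.png` makes the README depend on a third-party image host: the image can disappear, or be replaced with different content, without any change showing up in this repository's history. Keep the screenshot under `assets/` in the repo (or, if the relative path was what failed, fix the path) rather than linking to an external host.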
@ -31,9 +31,9 @@ In response to this, Cisco has released a basic method for users to assess their
An immediate solution to the problem is to reboot the system, which would close the backdoor. However, this doesn't mitigate the vulnerabilities in the long term, as the machine remains just as susceptible after the reboot and also why the attacker's super user is not removed. This means that rebooting the system is an immediate measure to block the threat but doesn't provide a lasting mitigation of the threat. An immediate solution to the problem is to reboot the system, which would close the backdoor. However, this doesn't mitigate the vulnerabilities in the long term, as the machine remains just as susceptible after the reboot and also why the attacker's super user is not removed. This means that rebooting the system is an immediate measure to block the threat but doesn't provide a lasting mitigation of the threat.
The payload.txt file contains DuckyScript code that enables you to create a Shell script that periodically performs the Cisco-suggested verification to determine if the machine has been attacked. The script defines three variables: the script name, the superuser (sudo) password, and the file path. The only variable that must be modified is the sudo password because it varies from user to user. The other two variables can be changed but aren't strictly necessary for the payload's functionality. They represent the desired script name and the default path (the current folder). The payload.txt file contains DuckyScript code that enables you to create a Shell script that periodically performs the Cisco-suggested verification to determine if the machine has been attacked. The script defines three variables: the script name, the superuser (sudo) password, and the file path. The only variable that must be modified is the sudo password `SUDO-PSWD` because it varies from user to user. The other two variables can be changed but aren't strictly necessary for the payload's functionality. They represent the desired script name and the default path (the current folder).
To minimize downtime, the Hak5 Detect Ready extension has been used. When the Shell is opened, the payload executes a series of commands that involve writing the contents of a file, allowing the creation of a script on the machine that will be automatically executed by the operating system. When the Shell is opened, the payload executes a series of commands that involve writing the contents of a file, allowing the creation of a script on the machine that will be automatically executed by the operating system.
Once the file is created, it's automatically saved at the end of the execution, and the payload proceeds to enable execution permissions using the permissions granted by the sudo+chmod command. Once the file is created, it's automatically saved at the end of the execution, and the payload proceeds to enable execution permissions using the permissions granted by the sudo+chmod command.
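Review bot: the updated paragraph still says the default path is "the current folder", but the payload now sets `PATH-TO-SCRIPT='~/'` and its own comment calls that the home path; the README should say the same. The same paragraph claims the script "will be automatically executed by the operating system", yet the payload only starts it once from the terminal it opens and installs no cron job or service, so as soon as the `reboot` in the script fires (or that terminal is closed) the check stops running. Either document that limitation or add the persistence. Removing the sentence about the Hak5 Detect Ready extension is fine if the payload no longer uses it, which matches the `QUACK DELAY 3000` at the top of payload.txt.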
@ -43,11 +43,11 @@ To maintain code readability, I chose to keep a less efficient but more straight
``` ```
* REM Old script * REM Old script
* REM STRINGLN sudo chmod +x #SCRIPT-NAME * REM STRINGLN sudo chmod +x $SCRIPT-NAME
* REM DELAY 500 * REM DELAY 500
* REM STRINGLN #SUDO-PSWD * REM STRINGLN $SUDO-PSWD
* REM DELAY 3000 * REM DELAY 3000
* REM STRINGLN sh #PATH-TO-SCRIPT#SCRIPT-NAME $ * REM STRINGLN sh $PATH-TO-SCRIPT$SCRIPT-NAME $
* REM STRINGLN exit * REM STRINGLN exit
``` ```
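Review bot: this README snippet now references `$SCRIPT-NAME`, `$SUDO-PSWD` and `$PATH-TO-SCRIPT` but never shows where they are assigned, so a reader copying the block ends up with undefined variables; include the VARIABLES block from payload.txt (or a line pointing to it) above the snippet. Also, this snippet is written with `STRINGLN` while the payload itself uses `QUACK STRING` followed by `QUACK ENTER`; using one syntax in both places lets the README be compared line for line with payload.txt.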
@ -57,15 +57,11 @@ In order to optimize this code, I prefer the following version, which eliminates
``` ```
* REM Optimized script * REM Optimized script
QUACK STRING sudo chmod +x $SCRIPT-NAME; sh $PATH-TO-SCRIPT$SCRIPT-NAME $; exit
* REM Set the script name replacing #SCRIPT-NAME, the default name is auto-check.sh but you can change it here since is used the DuckyScript variable #SCRIPT-NAME.
* REM Here you chould define the script path replacing #PATH-TO-SCRIPT, if you don't change it is selected the default path, so the home path. If, for istance, you have a specific path where you put some stuff like this you can edit thi DuckyScript variable with the correct path
QUACK STRING sudo chmod +x #SCRIPT-NAME; sh #PATH-TO-SCRIPT#SCRIPT-NAME $; exit
QUACK ENTER QUACK ENTER
QUACK DELAY 500 QUACK DELAY 500
* REM Here you must set your sudo password that permit to give the executable permissions to the file QUACK STRING $SUDO-PSWD
QUACK STRING #SUDO-PSWD
QUACK ENTER QUACK ENTER
``` ```
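Review bot: `sudo` is not needed in this command. The script is written by the user's own shell into `$PATH-TO-SCRIPT` (default `~/`), so the user already owns the file and a plain `chmod +x` works; and because the file is then started with `sh <file>`, the execute bit is not even required. Dropping `sudo` removes the `QUACK STRING $SUDO-PSWD` line and with it the need to store a sudo password in cleartext in payload.txt on the USB device, which the paragraph above currently describes as the one variable every user must set. If `sudo` is kept, typing the password after a fixed `QUACK DELAY 500` is fragile: with a cached sudo timestamp or a NOPASSWD rule the prompt never appears and the password is typed into the terminal in the clear.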